Thanks Alex for the reply and the useful suggestion. I'm not in front of
the box right now but I will be later this afternoon. I'll go ahead and try
the suggestion of plugging the LAN cable directly into my laptop when I get
in front of it and update you. Below is the output of
/etc/init.d/packetfence status
root@packetfence:~# /etc/init.d/packetfence status
service|shouldBeStarted|pid
named|1|2898
dhcpd|1|2903
snort|1|6972
suricata|0|0
radiusd|1|0
httpd|1|19815 17809 16172 14590 10791 9399 8243 7437 7435 7430 5897 5751 2911
snmptrapd|1|2913
pfdetect|1|2943
pfredirect|0|0
pfsetvlan|1|2948
pfdhcplistener|1|2944 2945
pfmon|1|2946
Francois,
My Packetfence server has 2 NICs. NIC 1 sits on my existing 172.16.x.x/16
network (management). NIC 2 is acting as the gateway address to my wireless
guest network 10.250.x.x/21. I'm not using a SPAN port at the moment since
I was under the impression that snort will see my traffic as long as I'm
using inline enforcement and my wireless guests have their gateway address
pointing to my internal, monitored Packetfence NIC (NIC 2). I have tried to
SPAN the switch port that NIC 2 is plugged into with no luck (I did this
just in case) and then removed the SPAN after I realized that it wasn't
working. I hope this info helps.
Joe
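As an added example (not code from this thread or from PacketFence itself), the Python script below mechanises two checks on the outputs posted in this thread: it parses the service|shouldBeStarted|pid table from /etc/init.d/packetfence status and lists every service PacketFence expects to be up but that reports no pid, and it replays the "entered/left promiscuous mode" and "NIC Link is Up/Down" kernel messages from /var/log/messages to say, per interface, whether a sniffer such as snort is currently in a position to see frames. Both samples are embedded inline and are copied from the thread (the long httpd pid list rejoined onto one line); the function and variable names are mine. On the posted table it reports radiusd, which matches Joe's note that radius is not in use.

```python
import re

# Constructed sample: the `/etc/init.d/packetfence status` table from the thread
# (header row first, the httpd pid list rejoined onto a single line).
STATUS_OUTPUT = """\
service|shouldBeStarted|pid
named|1|2898
dhcpd|1|2903
snort|1|6972
suricata|0|0
radiusd|1|0
httpd|1|19815 17809 16172 14590 10791 9399 8243 7437 7435 7430 5897 5751 2911
snmptrapd|1|2913
pfdetect|1|2943
pfredirect|0|0
pfsetvlan|1|2948
pfdhcplistener|1|2944 2945
pfmon|1|2946
"""

# Constructed sample: the interface-related kernel lines from /var/log/messages
# in the thread, in their original order.
KERNEL_LOG = """\
May 6 10:52:04 packetfence kernel: [   74.627188] device eth1 entered promiscuous mode
May 6 10:52:04 packetfence kernel: [   74.691502] device eth0 entered promiscuous mode
May 6 11:13:03 packetfence kernel: [ 1334.081959] device eth0 left promiscuous mode
May 6 11:13:06 packetfence kernel: [ 1336.547990] device eth1 left promiscuous mode
May 6 11:13:22 packetfence kernel: [ 1352.517630] device eth1 entered promiscuous mode
May 6 11:13:22 packetfence kernel: [ 1352.548374] device eth0 entered promiscuous mode
May 7 08:53:08 packetfence kernel: [79339.256147] e1000e: eth1 NIC Link is Down
May 7 08:53:12 packetfence kernel: [79342.956962] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
"""


def parse_status(text):
    """Parse the pipe-separated status table into {service: (should_start, [pids])}.

    A pid of 0 means 'no process', so it is dropped from the pid list.
    """
    services = {}
    rows = [line for line in text.splitlines() if line.strip()]
    for row in rows[1:]:  # rows[0] is the header line
        name, should, pids = row.split("|", 2)
        pid_list = [int(p) for p in pids.split() if p != "0"]
        services[name] = (should == "1", pid_list)
    return services


def missing_services(services):
    """Services flagged shouldBeStarted=1 that have no running pid."""
    return sorted(name for name, (should, pids) in services.items()
                  if should and not pids)


PROMISC_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")
LINK_RE = re.compile(r"(\S+) NIC Link is (Up|Down)")


def interface_state(log_text):
    """Replay kernel messages in order; return the final state per device.

    Each device maps to a dict with 'promiscuous' and/or 'link_up' keys,
    reflecting only the last event seen for that attribute.
    """
    state = {}
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            dev, action = m.groups()
            state.setdefault(dev, {})["promiscuous"] = (action == "entered")
            continue
        m = LINK_RE.search(line)
        if m:
            dev, link = m.groups()
            state.setdefault(dev, {})["link_up"] = (link == "Up")
    return state


def sniffer_ready(state, dev):
    """True if the device is promiscuous and its link is not known to be down."""
    s = state.get(dev, {})
    return s.get("promiscuous", False) and s.get("link_up", True)


if __name__ == "__main__":
    svc = parse_status(STATUS_OUTPUT)
    print("expected but not running:", missing_services(svc))
    st = interface_state(KERNEL_LOG)
    for dev in sorted(st):
        print(dev, st[dev], "sniffer ready" if sniffer_ready(st, dev) else "NOT ready")
```

Promiscuous mode and a live link only prove that the NIC can see frames; they say nothing about whether the frames of interest actually traverse that NIC, which is the point Francois raises below about being the gateway or having a SPAN port.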
On Tue, May 7, 2013 at 11:10 AM, Francois Gaudreault <
[email protected]> wrote:
> I didn't read the entire thread, but how do you send the traffic to the
> SNORT box? Are you using a SPAN port?
>
> Just listening on the VLAN is not sufficient if your device is not the
> gateway.
>
>
> On 2013-05-07 11:01 AM, Joe Arcidiacono wrote:
>
> Alex,
>
>
>
> After issuing /etc/init.d/snort status, I receive the following:
> root@packetfence:~# /etc/init.d/snort status
> Status of snort daemon(s): eth1 OK.
> root@packetfence:~#
>
> So it seems that snort is running. Also, below is the output to
> /var/log/messages and /usr/local/pf/logs/violation.log.
>
>
> /var/log/messages:
>
> May 6 10:51:12 packetfence kernel: [ 22.975762] Bridge firewalling registered
> May 6 10:51:12 packetfence kernel: [ 23.080140] Bluetooth: SCO (Voice Link) ver 0.6
> May 6 10:51:12 packetfence kernel: [ 23.080145] Bluetooth: SCO socket layer initialized
> May 6 10:51:13 packetfence kernel: [ 23.680618] lp0: using parport0 (interrupt-driven).
> May 6 10:51:13 packetfence kernel: [ 23.862666] ppdev: user-space parallel port driver
> May 6 10:51:22 packetfence kernel: [ 33.089249] ip_set version 4 loaded
> May 6 10:51:39 packetfence kernel: [ 49.825421] ip_tables: (C) 2000-2006 Netfilter Core Team
> May 6 10:51:40 packetfence kernel: [ 50.700955] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
> May 6 10:51:40 packetfence kernel: [ 50.702079] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
> May 6 10:51:40 packetfence kernel: [ 50.702084] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
> May 6 10:51:40 packetfence kernel: [ 50.702087] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
> May 6 10:52:04 packetfence kernel: [ 74.627188] device eth1 entered promiscuous mode
> May 6 10:52:04 packetfence kernel: [ 74.691502] device eth0 entered promiscuous mode
> May 6 11:13:03 packetfence kernel: [ 1334.081959] device eth0 left promiscuous mode
> May 6 11:13:06 packetfence kernel: [ 1336.547990] device eth1 left promiscuous mode
> May 6 11:13:22 packetfence kernel: [ 1352.517630] device eth1 entered promiscuous mode
> May 6 11:13:22 packetfence kernel: [ 1352.548374] device eth0 entered promiscuous mode
> May 7 07:53:30 packetfence rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1082" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type '$
> May 7 08:53:08 packetfence kernel: [79339.256147] e1000e: eth1 NIC Link is Down
> May 7 08:53:12 packetfence kernel: [79342.956962] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
>
>
>
> violations.log:
>
> 2013-05-07 09:41:16: Disable NATing Routers and APs (1100008) detected on node xx:xx:xx:xx:xx:xx (172.16.1.116)
>
>
> I just received my first violation this AM about the NAT Routers, so it
> looks like some violations are working properly, but still nothing when I
> try to run bittorrents. Also, as you can see, it doesn't look like anything
> about snort is showing up inside /var/log/messages.
>
>
>
>
> Joe
>
>
> On Tue, May 7, 2013 at 9:41 AM, Alex Kisakye <[email protected]>wrote:
>
>> Hello,
>> Have you looked at /var/log/messages and
>> /usr/local/pf/logs/violation.log?
>> Snort will normally log information there if it sees something.
>> You could start your torrent app and see if anything appears in
>> /var/log/messages or /usr/local/pf/logs/violation.log.
>> I know you mentioned that snort is running but can you run
>> /etc/init.d/snortd status ...just to be sure.
>>
>> Alex
>>
>> On 5/7/2013 1:18 AM, Joe Arcidiacono wrote:
>>
>> Hi Alex,
>>
>>
>>
>> Thanks for taking the time to look at my config. Below is the pf.conf
>> output. If you need to view any other files just let me know and I'll post
>> them. Thanks again.
>>
>>
>>
>>
>>
>>
>> [interface eth1]
>> enforcement=inline
>> ip=10.250.0.10
>> type=internal,monitor
>> mask=255.255.248.0
>>
>> [interface eth0]
>> ip=172.16.4.58
>> type=management
>> mask=255.255.0.0
>> enforcement=
>>
>> [database]
>> pass=my_password
>>
>> [general]
>> dhcpservers=127.0.0.1,172.16.4.9
>> domain=mydomain.local
>> dnsservers=172.16.4.1
>> timezone=America/Eastern
>>
>> [alerting]
>> [email protected]
>> [email protected]
>> smtpserver=x.x.x.x
>>
>> [guests_self_registration]
>> modes=sms
>> access_duration=1D
>> allow_localdomain=disabled
>>
>> [expire]
>> node=1D
>> iplog=3D
>> traplog=3D
>> locationlog=5D
>>
>> [registration]
>> range=10.250.0.0/21
>> expire_mode=window
>> maxnodes=1
>> nbregpages=1
>>
>> [trapping]
>> range=10.250.0.0/21
>> redirecturl=
>> detection=enabled
>>
>> [inline]
>> interfaceSNAT=
>>
>>
>>
>> On Mon, May 6, 2013 at 3:15 PM, Alex Kisakye <[email protected]>wrote:
>>
>>> Hello,
>>> A copy of your pf.conf should help us see what you missed.
>>>
>>> Alex
>>> ----- Original Message -----
>>> From: Joe Arcidiacono <[email protected]>
>>> To: [email protected]
>>> Sent: Mon, 06 May 2013 16:23:11 +0300 (EAT)
>>> Subject: Re: [PacketFence-users] Packetfence 3.6.1 Snort help
>>>
>>> Hi Fabrice,
>>>
>>>
>>>
>>> Thank you for getting back to me. To answer your question, yes, I have set
>>> detection=enabled as well as detection_engine=snort. Snort and pfdetect are
>>> running. As a matter of fact, all services are running with the exception
>>> of radius (which is fine since I'm not using it at the moment anyway). If I
>>> start downloading an Ubuntu torrent file on my guest network, my P2P traffic
>>> is not being trapped by packetfence. I've tried everything I can think of
>>> with no success. Any help or suggestions would be greatly appreciated.
>>> Thank you again.
>>>
>>>
>>>
>>> Joe
>>>
>>>
>>> On Mon, May 6, 2013 at 8:37 AM, Fabrice DURAND <[email protected]>
>>> wrote:
>>>
>>> > Hi,
>>> > did you set:
>>> > [trapping]
>>> > detection=enabled
>>> > detection_engine=snort
>>> >
>>> > If yes, did snort start when you tried to launch packetfence?
>>> > Is pfdetect running?
>>> >
>>> > Regards
>>> > Fabrice
>>> >
>>> > Le 2013-05-03 19:59, Joe Arcidiacono a écrit :
>>> >
>>> > Hey All,
>>> >
>>> >
>>> >
>>> > I'm implementing inline enforcement (NAT) with Packetfence version 3.6.1 and
>>> > am having a lot of trouble trying to get snort to trap violations on my
>>> > internal network. This network is going to be used for guest wireless
>>> > access only. Captive Portal and self registration work perfectly; however,
>>> > I noticed that no trap violations are being generated. I'm using a Meru
>>> > MC3200 controller for wireless connectivity. I have a physical server
>>> > running Debian Squeeze that has 2 NICs. NIC 1 is my management NIC with
>>> > IP 172.16.x.x/16. NIC 2 is assigned 10.250.x.x/21 for the guest wireless
>>> > network. All guests who receive an IP address have NIC 2's interface as
>>> > the gateway address. I have set trapping=enabled as well as assigned the
>>> > "monitor" option to my 10.250 NIC and enabled P2P violations. When I issue
>>> > the command "snort -i eth1 -v" (eth0 is my 172.16.x.x management card) I
>>> > can see all of the traffic flowing through, but for some reason snort will
>>> > not pick up on any violations. I ran the update_rules.pl script to make
>>> > sure the rules were updated, to no avail. I believe I am missing an
>>> > important step or 2. Does the snort.conf file have to be edited somehow?
>>> > If so, do I edit the /usr/local/pf/conf/snort.conf file or the
>>> > /etc/snort/snort.conf file? Also, what would need to be edited to get the
>>> > traps working? I have read the Admin guide for 3.6.1 at least 30 times but
>>> > with no luck. Any advice would be much appreciated. I thank you ahead of
>>> > time for any suggestions.
>>> >
>>> >
>>> >
>>> >
>>> > Joe
>>> >
>>> >
>>> >
>>> ------------------------------------------------------------------------------
>>> > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
>>> > Get 100% visibility into your production application - at no cost.
>>> > Code-level diagnostics for performance bottlenecks with <2% overhead
>>> > Download for free and get started troubleshooting in minutes.
>>> http://p.sf.net/sfu/appdyn_d2d_ap1
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > PacketFence-users mailing
>>> [email protected]://
>>> lists.sourceforge.net/lists/listinfo/packetfence-users
>>> >
>>> >
>>> >
>>> > --
>>> > Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their applications. This 200-page book is written by three acclaimed
>>> leaders in the field. The early access version is available now.
>>> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
> --
> Francois Gaudreault
> Architecte de Solution Cloud | Cloud Solutions
> [email protected]
> - - -
> CloudOps
> 420 rue Guy
> Montréal QC H3J 1S6
> www.cloudops.com
> @CloudOps_
>
>
>
>
>
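Fabrice's checklist earlier in the thread ([trapping] detection=enabled and detection_engine=snort, plus an interface carrying the "monitor" type) can be verified mechanically rather than by eye. The following is an added example, not PacketFence's own code: it loads the relevant sections of the pf.conf Joe pasted with Python's configparser (the embedded sample is a constructed copy of his [interface], [trapping] and [inline] sections; the [alerting] section is left out) and reports which checklist items are absent. Run against that sample it reports that detection_engine does not appear under [trapping] and that eth1 is the only monitor interface, with enforcement=inline. The section form "interface <name>" and the key names come from the pasted file; the function names are mine, and the script assumes nothing about PacketFence defaults for keys that are not set.

```python
import configparser

# Constructed sample: the Snort-relevant sections of the pf.conf posted in the
# thread, copied as written (empty values such as "enforcement=" are kept).
PF_CONF = """\
[interface eth1]
enforcement=inline
ip=10.250.0.10
type=internal,monitor
mask=255.255.248.0

[interface eth0]
ip=172.16.4.58
type=management
mask=255.255.0.0
enforcement=

[trapping]
range=10.250.0.0/21
redirecturl=
detection=enabled

[inline]
interfaceSNAT=
"""


def load_pf_conf(text):
    """Parse pf.conf text; key case is preserved (e.g. interfaceSNAT)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_detection(cp):
    """Apply the checklist from the thread to [trapping].

    Returns a list of findings; an empty list means both keys are set as
    Fabrice described.
    """
    findings = []
    if not cp.has_section("trapping"):
        return ["[trapping] section is missing"]
    trap = cp["trapping"]
    if trap.get("detection", "") != "enabled":
        findings.append("[trapping] detection is not 'enabled'")
    engine = trap.get("detection_engine", "")
    if engine != "snort":
        findings.append("[trapping] detection_engine is %r, expected 'snort'" % engine)
    return findings


def monitor_interfaces(cp):
    """Map each interface whose type list includes 'monitor' to its enforcement value."""
    result = {}
    for section in cp.sections():
        if not section.startswith("interface "):
            continue
        types = [t.strip() for t in cp[section].get("type", "").split(",")]
        if "monitor" in types:
            name = section.split(" ", 1)[1]
            result[name] = cp[section].get("enforcement", "")
    return result


if __name__ == "__main__":
    conf = load_pf_conf(PF_CONF)
    for finding in check_detection(conf) or ["[trapping] detection settings look complete"]:
        print(finding)
    for name, enforcement in monitor_interfaces(conf).items():
        print("monitor interface %s, enforcement=%r" % (name, enforcement))
```

A monitor interface with inline enforcement only tells snort which NIC to listen on; whether the guest traffic actually crosses that NIC is the routing question raised in the thread, and this script does not attempt to answer it.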