Alex,
After plugging a crossover cable from my server's "guest" NIC into my
laptop and registering access through packetfence, I was still able to open
my BitTorrent client and continue to download a torrent file without snort
detecting the traffic, so we can assume that the problem is not in my
switch. If I issue the "ipset -L" command, the following appears (not
sure if this will help you or not):
root@packetfence:~# ipset -L
Name: pfsession_Unreg_10.250.0.0
Type: macipmap
References: 1
Header: from: 10.250.0.0 to: 10.250.7.255
Members:
Name: pfsession_Reg_10.250.0.0
Type: macipmap
References: 1
Header: from: 10.250.0.0 to: 10.250.7.255
Members:
10.250.0.114,xx:xx:xx:xx:xx:xx
10.250.1.122,xx:xx:xx:xx:xx:xx
Name: pfsession_Isol_10.250.0.0
Type: macipmap
References: 1
Header: from: 10.250.0.0 to: 10.250.7.255
Members:
Any other suggestions?
Joe
On Tue, May 7, 2013 at 11:57 AM, Joe Arcidiacono <[email protected]> wrote:
> Thanks Alex for the reply and the useful suggestion. I'm not in front of
> the box right now but I will be later this afternoon. I'll go ahead and try
> the suggestion of plugging the LAN cable directly into my laptop when I get
> in front of it and update you. Below is the output of
> /etc/init.d/packetfence status
>
> root@packetfence:~# /etc/init.d/packetfence status
> service|shouldBeStarted|pid
> named|1|2898
> dhcpd|1|2903
> snort|1|6972
> suricata|0|0
> radiusd|1|0
> httpd|1|19815 17809 16172 14590 10791 9399 8243 7437 7435 7430 5897 5751 2911
> snmptrapd|1|2913
> pfdetect|1|2943
> pfredirect|0|0
> pfsetvlan|1|2948
> pfdhcplistener|1|2944 2945
> pfmon|1|2946
>
> Francois,
>
>
> My Packetfence server has 2 NICs. NIC 1 sits on my existing 172.16.x.x/16
> network (management). NIC 2 is acting as the gateway address to my wireless
> guest network 10.250.x.x/21. I'm not using a SPAN port at the moment since
> I was under the impression that snort will see my traffic as long as I'm
> using inline enforcement and my wireless guests have their gateway address
> pointing to my internal, monitored Packetfence NIC (NIC 2). I have tried to
> SPAN the switch port that NIC 2 is plugged into with no luck (I did this
> just in case) and then removed the SPAN after I realized that it wasn't
> working. I hope this info helps.
>
> Joe
>
> On Tue, May 7, 2013 at 11:10 AM, Francois Gaudreault <
> [email protected]> wrote:
>
>> I didn't read the entire thread, but how do you send the traffic to the
>> SNORT box? Are you using a SPAN port?
>>
>> Just listening on the VLAN is not sufficient if your device is not the
>> gateway.
>>
>>
>> On 2013-05-07 11:01 AM, Joe Arcidiacono wrote:
>>
>> Alex,
>>
>> After issuing /etc/init.d/snort status, I receive the following:
>> root@packetfence:~# /etc/init.d/snort status
>> Status of snort daemon(s): eth1 OK.
>> root@packetfence:~#
>>
>> So it seems that snort is running. Also, below is the output of
>> /var/log/messages and /usr/local/pf/logs/violation.log.
>>
>>
>> /var/log/messages:
>>
>> May 6 10:51:12 packetfence kernel: [ 22.975762] Bridge firewalling registered
>> May 6 10:51:12 packetfence kernel: [ 23.080140] Bluetooth: SCO (Voice Link) ver 0.6
>> May 6 10:51:12 packetfence kernel: [ 23.080145] Bluetooth: SCO socket layer initialized
>> May 6 10:51:13 packetfence kernel: [ 23.680618] lp0: using parport0 (interrupt-driven).
>> May 6 10:51:13 packetfence kernel: [ 23.862666] ppdev: user-space parallel port driver
>> May 6 10:51:22 packetfence kernel: [ 33.089249] ip_set version 4 loaded
>> May 6 10:51:39 packetfence kernel: [ 49.825421] ip_tables: (C) 2000-2006 Netfilter Core Team
>> May 6 10:51:40 packetfence kernel: [ 50.700955] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
>> May 6 10:51:40 packetfence kernel: [ 50.702079] CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use
>> May 6 10:51:40 packetfence kernel: [ 50.702084] nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or
>> May 6 10:51:40 packetfence kernel: [ 50.702087] sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
>> May 6 10:52:04 packetfence kernel: [ 74.627188] device eth1 entered promiscuous mode
>> May 6 10:52:04 packetfence kernel: [ 74.691502] device eth0 entered promiscuous mode
>> May 6 11:13:03 packetfence kernel: [ 1334.081959] device eth0 left promiscuous mode
>> May 6 11:13:06 packetfence kernel: [ 1336.547990] device eth1 left promiscuous mode
>> May 6 11:13:22 packetfence kernel: [ 1352.517630] device eth1 entered promiscuous mode
>> May 6 11:13:22 packetfence kernel: [ 1352.548374] device eth0 entered promiscuous mode
>> May 7 07:53:30 packetfence rsyslogd: [origin software="rsyslogd" swVersion="4.6.4" x-pid="1082" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type '$
>> May 7 08:53:08 packetfence kernel: [79339.256147] e1000e: eth1 NIC Link is Down
>> May 7 08:53:12 packetfence kernel: [79342.956962] e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
>>
>>
>>
>> violation.log:
>>
>> 2013-05-07 09:41:16: Disable NATing Routers and APs (1100008) detected on node xx:xx:xx:xx:xx:xx (172.16.1.116)
>>
>>
>> I just received my first violation this morning about the NAT routers, so it
>> looks like some violations are working properly, but still nothing when I
>> try to run BitTorrent. Also, as you can see, it doesn't look like anything
>> about snort is showing up inside /var/log/messages.
>>
>> Joe
>>
>> On Tue, May 7, 2013 at 9:41 AM, Alex Kisakye <[email protected]> wrote:
>>
>>> Hello,
>>> Have you looked at /var/log/messages and
>>> /usr/local/pf/logs/violation.log?
>>> Snort will normally log information there if it sees something.
>>> You could start your torrent app and see if anything appears in
>>> /var/log/messages or /usr/local/pf/logs/violation.log.
>>> I know you mentioned that snort is running, but can you run
>>> /etc/init.d/snortd status ... just to be sure.
>>>
>>> Alex
>>>
>>> On 5/7/2013 1:18 AM, Joe Arcidiacono wrote:
>>>
>>> Hi Alex,
>>>
>>> Thanks for taking the time to look at my config. Below is the pf.conf
>>> output. If you need to view any other files just let me know and I'll post
>>> them. Thanks again.
>>>
>>> [interface eth1]
>>> enforcement=inline
>>> ip=10.250.0.10
>>> type=internal,monitor
>>> mask=255.255.248.0
>>>
>>> [interface eth0]
>>> ip=172.16.4.58
>>> type=management
>>> mask=255.255.0.0
>>> enforcement=
>>>
>>> [database]
>>> pass=my_password
>>>
>>> [general]
>>> dhcpservers=127.0.0.1,172.16.4.9
>>> domain=mydomain.local
>>> dnsservers=172.16.4.1
>>> timezone=America/Eastern
>>>
>>> [alerting]
>>> [email protected]
>>> [email protected]
>>> smtpserver=x.x.x.x
>>>
>>> [guests_self_registration]
>>> modes=sms
>>> access_duration=1D
>>> allow_localdomain=disabled
>>>
>>> [expire]
>>> node=1D
>>> iplog=3D
>>> traplog=3D
>>> locationlog=5D
>>>
>>> [registration]
>>> range=10.250.0.0/21
>>> expire_mode=window
>>> maxnodes=1
>>> nbregpages=1
>>>
>>> [trapping]
>>> range=10.250.0.0/21
>>> redirecturl=
>>> detection=enabled
>>>
>>> [inline]
>>> interfaceSNAT=
>>>
>>> On Mon, May 6, 2013 at 3:15 PM, Alex Kisakye <[email protected]> wrote:
>>>
>>>> Hello,
>>>> A copy of your pf.conf should help us see what you missed.
>>>>
>>>> Alex
>>>> ----- Original Message -----
>>>> From: Joe Arcidiacono <[email protected]>
>>>> To: [email protected]
>>>> Sent: Mon, 06 May 2013 16:23:11 +0300 (EAT)
>>>> Subject: Re: [PacketFence-users] Packetfence 3.6.1 Snort help
>>>>
>>>> Hi Fabrice,
>>>>
>>>> Thank you for getting back to me. To answer your question, yes, I have
>>>> set detection=enabled as well as detection_engine=snort. Snort and pfdetect
>>>> are running. As a matter of fact, all services are running with the
>>>> exception of radius (which is fine since I'm not using it at the moment
>>>> anyway). If I start downloading a Ubuntu torrent file on my guest network,
>>>> my P2P traffic is not being trapped by packetfence. I've tried everything I
>>>> can think of with no success. Any help or suggestions would be greatly
>>>> appreciated. Thank you again.
>>>>
>>>> Joe
>>>>
>>>>
>>>> On Mon, May 6, 2013 at 8:37 AM, Fabrice DURAND <[email protected]>
>>>> wrote:
>>>>
>>>> > Hi,
>>>> > did you set:
>>>> > [trapping]
>>>> > detection=enabled
>>>> > detection_engine=snort
>>>> >
>>>> > If yes, did snort start when you launched packetfence?
>>>> > Is pfdetect running?
>>>> >
>>>> > Regards
>>>> > Fabrice
>>>> >
>>>> > On 2013-05-03 19:59, Joe Arcidiacono wrote:
>>>> >
>>>> > Hey All,
>>>> >
>>>> > I'm implementing inline enforcement (NAT) with Packetfence version 3.6.1
>>>> > and am having a lot of trouble trying to get snort to trap violations on
>>>> > my internal network. This network is going to be used for guest wireless
>>>> > access only. Captive Portal and self registration work perfectly;
>>>> > however, I noticed that no trap violations are being generated. I'm
>>>> > using a Meru MC3200 controller for wireless connectivity. I have a
>>>> > physical server running Debian Squeeze that has 2 NICs. NIC 1 is my
>>>> > management NIC with IP 172.16.x.x/16. NIC 2 is assigned 10.250.x.x/21
>>>> > for the guest wireless network. All guests who receive an IP address
>>>> > have NIC 2's interface as the gateway address. I have set
>>>> > trapping=enabled as well as assigned the "monitor" option to my 10.250
>>>> > NIC and enabled P2P violations. When I issue the command
>>>> > "snort -i eth1 -v" (eth0 is my 172.16.x.x management card) I can see
>>>> > all of the traffic flowing through, but for some reason snort will not
>>>> > pick up on any violations. I ran the update_rules.pl script to make sure
>>>> > the rules were updated, to no avail. I believe I am missing an important
>>>> > step or 2. Does the snort.conf file have to be edited somehow? If so, do
>>>> > I edit the /usr/local/pf/conf/snort.conf file or the
>>>> > /etc/snort/snort.conf file? Also, what would need to be edited to get
>>>> > the traps working? I have read the Admin guide for 3.6.1 at least 30
>>>> > times but with no luck. Any advice would be much appreciated. I thank
>>>> > you ahead of time for any suggestions.
>>>> >
>>>> > Joe
>>>> >
>>>> > ------------------------------------------------------------------------------
>>>> > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
>>>> > Get 100% visibility into your production application - at no cost.
>>>> > Code-level diagnostics for performance bottlenecks with <2% overhead
>>>> > Download for free and get started troubleshooting in minutes.
>>>> > http://p.sf.net/sfu/appdyn_d2d_ap1
>>>> > _______________________________________________
>>>> > PacketFence-users mailing list
>>>> > [email protected]
>>>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Fabrice Durand
>>>> > [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>> > PacketFence (http://packetfence.org)
>>>> >
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>> "Graph Databases" is the definitive new guide to graph databases and
>>>> their applications. This 200-page book is written by three acclaimed
>>>> leaders in the field. The early access version is available now.
>>>> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Francois Gaudreault
>> Architecte de Solution Cloud | Cloud Solutions
>> [email protected]
>> - - -
>> CloudOps
>> 420 rue Guy
>> Montréal QC H3J 1S6
>> www.cloudops.com
>> @CloudOps_
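The question the thread keeps circling is whether the monitored interface actually carries the BitTorrent traffic, or whether Snort and pfdetect simply never see it. The script below is an added example and is not code from the thread, from PacketFence or from Snort. It scans a tcpdump capture (for instance `tcpdump -i eth1 -w /tmp/eth1.pcap`, run on the server while the torrent client downloads) for the BitTorrent peer-wire handshake of BEP 3, a 0x13 length byte followed by the string "BitTorrent protocol", which is the marker a plain-text P2P signature normally keys on. If handshakes show up, the sensor sees the traffic and the problem is on the rules or pfdetect side; if none show up, the traffic is not reaching the interface. The capture path, the peer addresses, the info-hash and the in-memory sample capture are all constructed for the example; only the guest address 10.250.0.114 is taken from the ipset output above.

```python
"""Scan a libpcap capture for BitTorrent peer-wire handshakes.

Added example, not code from the mailing-list thread, PacketFence or Snort.
Usage: python bt_handshake_scan.py [capture.pcap]
Without an argument it scans a small capture constructed in memory below.
"""
import struct
import sys
from typing import Iterator, List, Tuple

# BEP 3 handshake: pstrlen (0x13 = 19), pstr "BitTorrent protocol", 8 reserved
# bytes, 20-byte info_hash, 20-byte peer_id: 68 bytes in total.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
BT_HANDSHAKE_LEN = 68

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[Flow, bytes]]:
    """Yield (flow, payload) for every IPv4/TCP packet in a classic libpcap
    file with an Ethernet link type. Other frames (802.1Q-tagged, non-IPv4,
    non-TCP, truncated) are skipped rather than raised on."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"          # written on a big-endian host
    else:
        raise ValueError("not a libpcap (tcpdump -w) file")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not plain IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6 or total_len < ihl + 20 or len(ip) < total_len:
            continue                                          # not TCP / truncated
        ip = ip[:total_len]                                   # drop Ethernet padding
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield (src, sport, dst, dport), tcp[doff:]


def find_bittorrent_handshakes(pcap: bytes) -> List[Tuple[Flow, str]]:
    """Return (flow, info_hash_hex) for each complete peer-wire handshake.
    A payload that starts with the prefix but is shorter than 68 bytes (a
    short snaplen, for example) is reported as nothing, not as a hit."""
    hits = []
    for flow, payload in iter_tcp_payloads(pcap):
        if payload.startswith(BT_HANDSHAKE_PREFIX) and len(payload) >= BT_HANDSHAKE_LEN:
            hits.append((flow, payload[28:48].hex()))
    return hits


def build_pcap(packets: List[Tuple[Flow, bytes]]) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP libpcap file from (flow, payload)
    pairs. Checksums are left at zero; the scanner does not check them."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for (src, sport, dst, dport), payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample capture: the registered guest from the ipset output opens
# one peer-wire connection, makes one plain HTTP request, and a second handshake
# is cut short by the snaplen. Peer addresses, info_hash and peer_id are made up.
SAMPLE_INFO_HASH = bytes(range(20))
SAMPLE_PCAP = build_pcap([
    (("10.250.0.114", 51413, "198.51.100.7", 6881),
     BT_HANDSHAKE_PREFIX + b"\x00" * 8 + SAMPLE_INFO_HASH + b"-TR2840-" + b"\x11" * 12),
    (("10.250.0.114", 49152, "198.51.100.9", 80),
     b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    (("10.250.0.114", 51414, "198.51.100.8", 6881),
     BT_HANDSHAKE_PREFIX + b"\x00" * 8),
])


def main() -> None:
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    hits = find_bittorrent_handshakes(pcap)
    for (src, sport, dst, dport), info_hash in hits:
        print(f"{src}:{sport} -> {dst}:{dport} info_hash={info_hash}")
    print(f"{len(hits)} BitTorrent handshake(s): the interface sees the traffic" if hits
          else "no handshakes seen: the traffic is not reaching this interface")


if __name__ == "__main__":
    main()
```

Two caveats when reading the result on a real capture. The check only covers plain-text TCP peer-wire connections: clients that negotiate Message Stream Encryption obfuscate this handshake, and uTP and DHT run over UDP, so a capture with zero hits but plenty of UDP to high ports can still be a torrent download that a handshake-based rule will never fire on. And a hit proves only that eth1 carries the bytes; whether the rule set loaded by Snort contains a signature for them is a separate question, which is why the thread's earlier suggestion to watch /usr/local/pf/logs/violation.log while the client runs still applies.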