Hi Jacky,
I experience similar problems with my snort setup.
According to my syslog, snort is running, but pfcmd and the UI show
it as "stopped".
I also receive daily email reports from snort and they look OK.
I was unable to start snort from the UI or restart/start it from pfcmd.
It produces DAQ fatal errors or complains about pid files being in use.
I must do a full server reboot for snort to load.
I also noticed that it doesn't like more than one DHCP server in the
"General" section.
My syslog looks OK now:
Dec 1 18:20:01 nac snort[2129]: [ Number of null byte prefixed patterns trimmed: 3742 ]
Dec 1 18:20:01 nac snort[2129]: pcap DAQ configured to passive.
Dec 1 18:20:01 nac snort[2129]: The DAQ version does not support reload.
Dec 1 18:20:01 nac snort[2129]: Acquiring network traffic from "eth1".
Dec 1 18:20:01 nac snort[2129]: Initializing daemon mode
Dec 1 18:20:01 nac snort[2166]: Daemon initialized, signaled parent pid: 2129
Dec 1 18:20:01 nac snort[2166]: Reload thread starting...
Dec 1 18:20:01 nac snort[2166]: Reload thread started, thread 0x7f127d717700 (2166)
Dec 1 18:20:01 nac snort[2166]: Decoding Ethernet
Dec 1 18:20:01 nac snort[2166]: Checking PID path...
Dec 1 18:20:01 nac snort[2166]: PID path stat checked out ok, PID path set to /usr/local/pf/var/run
Dec 1 18:20:01 nac snort[2166]: Writing PID "2166" to file "/usr/local/pf/var/run/snort_eth1.pid"
Dec 1 18:20:01 nac snort[2166]: Set gid to 999
Dec 1 18:20:01 nac snort[2166]: Set uid to 999
Dec 1 18:20:01 nac kernel: [ 96.188100] device eth1 entered promiscuous mode
Dec 1 18:20:01 nac snort[2166]:
Dec 1 18:20:01 nac snort[2166]: --== Initialization Complete ==--
Dec 1 18:20:01 nac snort[2166]: Commencing packet processing (pid=2166)
The steps I took to get it to start are:
I installed snort from the Ubuntu repository and entered eth1 as the
interface in /etc/snort.debian.conf.
I removed snort from the startup: update-rc.d -f snort remove.
I installed a new network card eth1 and connected it to a mirrored port
on the switch.
I added the following to /etc/network/interfaces
auto eth1
iface eth1 inet manual
up ifconfig $IFACE up
and tested it with the command: # tcpdump -ni eth1
I added the eth1 interface as "monitor" to pf.conf and enabled
"Detection" in "Trapping".
I also downloaded snort rules using the script provided and then by
manually running oinkmaster (also installed from the Ubuntu repo).
I am new to Packetfence, so I likely missed a step or two...
Andrew
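Two of the checks Andrew describes above (a "monitor" interface declared in pf.conf, and the mirror-port NIC up and in promiscuous mode) can be scripted. The following is an added example, not code from the thread or from PacketFence; it assumes the "[interface NAME]" / "type=a, b" layout of pf.conf quoted later in this thread and that /sys/class/net/<iface>/flags is readable on the host. The pf.conf fragment it parses is constructed for the example.

```shell
#!/bin/sh
# Added example (not PacketFence code). Assumptions: pf.conf sections look like
# "[interface eth0.10]" with a "type=..." line; interface flags are readable
# from /sys/class/net/<iface>/flags (Linux).

# Print every interface in pf.conf whose type list contains "monitor".
# With none present, PacketFence aborts with the "monitor interface not
# defined" FATAL message quoted in this thread.
pf_monitor_ifaces() {
    awk -F'=' '
        /^\[interface[ \t]/ {
            iface = $0
            sub(/^\[interface[ \t]+/, "", iface)
            sub(/[ \t]*\][ \t]*$/, "", iface)
            next
        }
        /^\[/ { iface = ""; next }
        iface != "" && $1 ~ /^[ \t]*type[ \t]*$/ {
            if ($2 ~ /(^|[ \t,])monitor([ \t,]|$)/) print iface
        }' "$1"
}

# Decode a flags value such as 0x1103: IFF_UP = 0x1, IFF_PROMISC = 0x100.
# Prints "up promisc", "up" or "down". Snort on a mirror port wants both bits.
iface_flags() {
    flags=$(( $1 ))
    if [ $(( flags & 0x1 )) -ne 0 ]; then state=up; else state=down; fi
    if [ $(( flags & 0x100 )) -ne 0 ]; then state="$state promisc"; fi
    echo "$state"
}

# Live variant: read the kernel's flags for a real interface, "unknown" if absent.
iface_state() {
    f="/sys/class/net/$1/flags"
    if [ -r "$f" ]; then iface_flags "$(cat "$f")"; else echo unknown; fi
}

# Constructed pf.conf fragment (sample input for this example): eth0 is the
# management interface, eth0.10 carries the monitor type.
sample_pf_conf() {
    cat <<'EOF'
[interface eth0]
ip=172.16.1.1
type=management
mask=255.255.255.0

[interface eth0.10]
ip=172.16.10.1
type=dhcp-listener, monitor
gateway=172.16.10.254
mask=255.255.255.0
EOF
}

tmpconf=$(mktemp)
sample_pf_conf > "$tmpconf"
for i in $(pf_monitor_ifaces "$tmpconf"); do
    echo "monitor interface: $i  kernel state: $(iface_state "$i")"
done
rm -f "$tmpconf"
```

Run it on the real file with `pf_monitor_ifaces /usr/local/pf/conf/pf.conf` and check that the interface it prints shows "up promisc"; Andrew's syslog line "device eth1 entered promiscuous mode" is the kernel reporting that second bit being set when snort opened the interface.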
On 13-12-02 12:22 PM, forbmsyn wrote:
Thanks Andrew. I put the parameter "monitor" in one of the interfaces
and that helped remove the error message below:
"FATAL - monitor interface not defined, please disable
trapping.detection or set an interface type=...,monitor in pf.conf"
However I was still not able to start snort within PF, with the
following commands:
[root@vmpf bin]# ./pfcmd service snort start
or
[root@vmpf bin]# ./pfcmd service snort restart
It gave me the output like this:
httpd.admin|already running
Checking configuration sanity...
service|command
config files|start
snort|start
And packetfence.log did not show any error message. Looks like everything
is working fine, but when I showed the status of packetfence I could
not see the job:
[root@vmpf bin]# service packetfence status
service|shouldBeStarted|pid
pfdns|1|3827
dhcpd|1|3804
pfdetect|1|4939
snort|1|0
suricata|0|0
radiusd|1|3814
httpd.webservices|1|3825
httpd.admin|1|3788
httpd.portal|1|3845
snmptrapd|1|3847
pfsetvlan|1|3892
pfdhcplistener|1|3887 3885 3886 3889
pfmon|1|3888
But I can start snort manually:
[root@vmpf bin]# service snortd restart
Stopping snort: [ OK ]
Starting snort: Spawning daemon child...
My daemon child 5162 lives...
Daemon parent exiting
[ OK ]
[root@vmpf bin]# ps -ef | grep snort
snort 5162 1 0 12:19 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
root 5166 4538 0 12:20 pts/0 00:00:00 grep snort
[root@vmpf bin]#
What should I do to start it from PF?
Regards,
Jacky
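Jacky's status table (snort|1|0 while a manually started snort is visible in ps) and Andrew's "pid file in use" errors both come down to what PacketFence finds in its pidfile versus what is actually running. The script below is an added example, not the thread's or PacketFence's code: it reads a "service|shouldBeStarted|pid" table of the kind `service packetfence status` prints, flags services expected to run but reporting pid 0, and for snort classifies the pidfile as running, stale or absent and lists snort processes PacketFence is not tracking. It assumes PacketFence writes snort's pidfile as /usr/local/pf/var/run/snort_<iface>.pid (the path in Andrew's syslog) and takes the monitor interface name as its first argument; the status table embedded in it is constructed from Jacky's output.

```shell
#!/bin/sh
# Added example (not PacketFence code). Assumption: PacketFence tracks snort
# through ${PF_RUN:-/usr/local/pf/var/run}/snort_<iface>.pid; the interface
# name is passed as $1 (default eth1).

# Print services with shouldBeStarted=1 and pid=0 from the status table on stdin.
# The first line is the header; a service with several pids (pfdhcplistener)
# has a non-zero third field and is not flagged.
pf_status_missing() {
    awk -F'|' 'NR > 1 && $2 == "1" && $3 == "0" { print $1 }'
}

# Classify a pidfile: "running <pid>", "stale <pid>" (file present but the
# process is gone, the situation behind a "pid file in use" refusal to start),
# or "absent" (nothing for pfcmd to report, hence pid 0).
pidfile_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    pid=$(tr -dc '0-9' < "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "running $pid"
    else
        echo "stale ${pid:-?}"
    fi
}

# List snort processes whose pid is not the one in PacketFence's pidfile,
# e.g. a snort started by the distro's snortd script with its own pidfile.
snort_pids_outside_pf() {
    tracked=$(tr -dc '0-9' < "$1" 2>/dev/null)
    ps -eo pid=,comm= 2>/dev/null | awk -v t="${tracked:-0}" '$2 == "snort" && $1 != t { print $1 }'
}

# Constructed status table, trimmed from Jacky's `service packetfence status` output.
sample_status() {
    cat <<'EOF'
service|shouldBeStarted|pid
pfdns|1|3827
pfdetect|1|4939
snort|1|0
suricata|0|0
pfdhcplistener|1|3887 3885 3886 3889
EOF
}

iface=${1:-eth1}
pidfile="${PF_RUN:-/usr/local/pf/var/run}/snort_${iface}.pid"
for svc in $(sample_status | pf_status_missing); do
    echo "$svc: expected running, no pid reported"
    if [ "$svc" = snort ]; then
        echo "  PacketFence pidfile $pidfile: $(pidfile_state "$pidfile")"
        for p in $(snort_pids_outside_pf "$pidfile"); do
            echo "  snort pid $p is running but is not the one PacketFence tracks"
        done
    fi
done
```

On a live host replace `sample_status` with `service packetfence status`. A "stale" result means the old pidfile has to go before `pfcmd service snort start` will succeed; an "absent" result with snort pids listed means snort is running from outside PacketFence (Jacky's snortd case), which pfcmd will keep reporting as pid 0.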
On Sat, Nov 30, 2013 at 3:59 PM, Andrew Lukasiak <[email protected]> wrote:
I am not sure if it is the right answer, but this is what I put
in my pf.conf:
[interface eth0.10]
ip=172.16.10.1
type=dhcp-listener, monitor
gateway=172.16.10.254
mask=255.255.255.0
VLAN 10 is my regular VLAN. My management interface is eth0.
I would like to monitor both my regular and guest vlan, but I am
not sure if it is possible...
Andrew
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users