Hi Andrew,

Thank you very much for your help. I found some errors in message.log and
am now able to bring snort up with PF.

Thanks again.

Cheers!
Jacky


On Mon, Dec 2, 2013 at 2:04 PM, Andrew Lukasiak <[email protected]> wrote:

> Hi Jacky,
>
> I experience similar problems with my snort setup.
> According to my syslog the snort is running, but pfcmd and the UI show it
> as "stopped".
> I also receive daily email reports from snort and they look ok.
> I was unable to start snort from UI or restart/start it from pfcmd.
> It produces DAQ fatal errors or complains about pid files being in use.
> I must do full server reboot for snort to load.
> I also noticed that it doesn't like more than one DHCP server in the
> "General" section.
>
> My syslog looks OK now:
>
> Dec  1 18:20:01 nac snort[2129]: [ Number of null byte prefixed patterns
> trimmed: 3742 ]
> Dec  1 18:20:01 nac snort[2129]: pcap DAQ configured to passive.
> Dec  1 18:20:01 nac snort[2129]: The DAQ version does not support reload.
> Dec  1 18:20:01 nac snort[2129]: Acquiring network traffic from "eth1".
> Dec  1 18:20:01 nac snort[2129]: Initializing daemon mode
> Dec  1 18:20:01 nac snort[2166]: Daemon initialized, signaled parent pid:
> 2129
> Dec  1 18:20:01 nac snort[2166]: Reload thread starting...
> Dec  1 18:20:01 nac snort[2166]: Reload thread started, thread
> 0x7f127d717700 (2166)
> Dec  1 18:20:01 nac snort[2166]: Decoding Ethernet
> Dec  1 18:20:01 nac snort[2166]: Checking PID path...
> Dec  1 18:20:01 nac snort[2166]: PID path stat checked out ok, PID path
> set to /usr/local/pf/var/run
> Dec  1 18:20:01 nac snort[2166]: Writing PID "2166" to file
> "/usr/local/pf/var/run/snort_eth1.pid"
> Dec  1 18:20:01 nac snort[2166]: Set gid to 999
> Dec  1 18:20:01 nac snort[2166]: Set uid to 999
> Dec  1 18:20:01 nac kernel: [   96.188100] device eth1 entered promiscuous
> mode
> Dec  1 18:20:01 nac snort[2166]:
> Dec  1 18:20:01 nac snort[2166]:         --== Initialization Complete ==--
> Dec  1 18:20:01 nac snort[2166]: Commencing packet processing (pid=2166)
>
> The steps I took to get it to start are:
>
> I installed snort from ubuntu repository and entered eth1 as interface in
> /etc/snort.debian.conf
> I removed snort from the startup:  update-rc.d -f snort remove.
> I installed a new network card eth1 and connected it to a mirrored port on
> the switch.
> I added the following to /etc/network/interfaces
>
> auto eth1
> iface eth1 inet manual
> up ifconfig $IFACE up
>
> and tested it with the command: # tcpdump -ni eth1
>
> I added the eth1 interface as "monitor" to pf.conf and enabled "Detection"
> in "Trapping".
> I also downloaded snort rules using the script provided and then by
> manually running oinkmaster (also installed from the ubuntu repo).
>
> I am new to Packetfence, so I likely missed a step or two...
>
> Andrew
>
> On 13-12-02 12:22 PM, forbmsyn wrote:
>
> Thanks Andrew. I put the parameter "monitor" on one of the interfaces and
> that helped remove the error message below:
>
> "FATAL - monitor interface not defined, please disable trapping.detection
> or set an interface type=...,monitor in pf.conf"
>
>
> However I was still not able to start snort within PF with the
> following commands:
> [root@vmpf bin]# ./pfcmd service snort start
> or
> [root@vmpf bin]# ./pfcmd service snort restart
>
> It gave me output like this:
> httpd.admin|already running
> Checking configuration sanity...
> service|command
> config files|start
> snort|start
>
>
> And packetfence.log did not show any error message. It looks like everything is
> working fine, but when I showed the status of packetfence I could not see
> the job:
>
> [root@vmpf bin]# service packetfence status
> service|shouldBeStarted|pid
> pfdns|1|3827
> dhcpd|1|3804
> pfdetect|1|4939
> snort|1|0
> suricata|0|0
> radiusd|1|3814
> httpd.webservices|1|3825
> httpd.admin|1|3788
> httpd.portal|1|3845
> snmptrapd|1|3847
> pfsetvlan|1|3892
> pfdhcplistener|1|3887 3885 3886 3889
> pfmon|1|3888
>
>
> But I can start snort manually:
>
> [root@vmpf bin]# service snortd restart
> Stopping snort:                                            [  OK  ]
> Starting snort: Spawning daemon child...
> My daemon child 5162 lives...
> Daemon parent exiting
>                                                            [  OK  ]
> [root@vmpf bin]# ps -ef | grep snort
> snort     5162     1  0 12:19 ?        00:00:00 /usr/sbin/snort -A fast -b
> -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
> root      5166  4538  0 12:20 pts/0    00:00:00 grep snort
> [root@vmpf bin]#
>
>
>
> What should I do to start it from PF?
>
> Regards,
> Jacky
>
>
>
> On Sat, Nov 30, 2013 at 3:59 PM, Andrew Lukasiak <[email protected]
> > wrote:
>
>> I am not sure if it is the right answer, but this is what I put in my
>> pf.conf:
>>
>> [interface eth0.10]
>> ip=172.16.10.1
>> type=dhcp-listener, monitor
>> gateway=172.16.10.254
>> mask=255.255.255.0
>>
>> VLAN 10 is my regular VLAN.  My management interface is eth0.
>>
>> I would like to monitor both my regular and guest vlan, but I am not sure
>> if it is possible...
>>
>> Andrew
>>
>
>
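The two checks below are an added example in POSIX shell; they are not PacketFence code and were not posted by anyone in this thread. They turn the two symptoms discussed above into something scriptable: the "FATAL - monitor interface not defined" condition (no interface in pf.conf whose type list contains "monitor"), and the "snort|1|0" row in `service packetfence status` (a service that should be started but has no pid). The pf.conf layout and the status table format are assumed from the snippets quoted in the thread, not taken from the PacketFence source; the sample input embedded at the bottom is constructed from those snippets.

```shell
#!/bin/sh
# Added example: not PacketFence code and not from the thread's authors.
# Two checks for the situation described above: pfcmd prints "snort|start"
# but `service packetfence status` still shows "snort|1|0".
#
# Assumptions (taken from the quoted snippets, not from PacketFence source):
# pf.conf has "[interface NAME]" sections whose "type=" value is a
# comma-separated list, and the status output is a "service|shouldBeStarted|pid"
# table. Both functions read their input on stdin.

# Print every interface whose type list contains "monitor".
# Exit status 1 if none is found, which is the condition behind the quoted
# "FATAL - monitor interface not defined" message.
pf_monitor_ifaces() {
    awk '
        /^\[interface / {
            iface = $0
            sub(/^\[interface[ \t]*/, "", iface)
            sub(/[ \t]*\]$/, "", iface)
        }
        /^type[ \t]*=/ {
            val = $0
            sub(/^type[ \t]*=[ \t]*/, "", val)
            n = split(val, t, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", t[i])
                if (t[i] == "monitor") { print iface; found = 1 }
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Print every service with shouldBeStarted=1 whose pid column is exactly "0".
# Exit status 1 if any such service exists, so the function can gate a check.
# A multi-pid column such as "3887 3885 3886 3889" is a running service.
pf_services_missing() {
    awk -F'|' '
        NR == 1 { next }                  # skip the "service|shouldBeStarted|pid" header
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $3)
        }
        $2 == "1" && $3 == "0" { print $1; missing = 1 }
        END { exit missing ? 1 : 0 }
    '
}

# Constructed sample input, modelled on the snippets quoted in the thread.
SAMPLE_PF_CONF='[interface eth0]
ip=192.0.2.10
type=management
mask=255.255.255.0

[interface eth0.10]
ip=172.16.10.1
type=dhcp-listener, monitor
gateway=172.16.10.254
mask=255.255.255.0'

SAMPLE_STATUS='service|shouldBeStarted|pid
pfdns|1|3827
snort|1|0
suricata|0|0
 httpd.webservices|1|3825
pfdhcplistener|1|3887 3885 3886 3889'

printf '%s\n' "$SAMPLE_PF_CONF" | pf_monitor_ifaces \
    || echo "no monitor interface: add type=...,monitor to an interface in pf.conf"
printf '%s\n' "$SAMPLE_STATUS" | pf_services_missing \
    || echo "services expected up but without a pid: check their pid files and logs"
```

On a real host, replace the embedded samples with `pf_monitor_ifaces < /usr/local/pf/conf/pf.conf` and `service packetfence status | pf_services_missing`; a service listed by the second check is the one whose pid file and log to look at, as happened with snort here.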
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
