Thanks Louis.

Yes, I have trapping enabled and removed snort from startup.  I see the
oinkmaster config file and will have to research how to add rules.

I did try Centos 6 and still pf won't start snort.  I did get dhcp errors
that I worked thru but I don't think that should affect snort.  Use these to
install the 3rd party rep:
http://wiki.centos.org/AdditionalResources/Repositories/RPMForge#head-f0c3ecee3dbb407e4eed79a56ec0ae92d1398e01

http://www.rackspace.com/knowledge_center/article/installing-rhel-epel-repo-on-centos-5x-or-6x

http://www.openfusion.net/linux/openfusion_rpm_repositor


I have suricata working and will have to mess around with it.

I have no idea what I'm missing to get snort managed by pf but I'm
99.999999% positive it won't work using the instructions in the pf guide.
Something is missing.  I can get snort to start using service but pf doesn't
show it as started so I guess I could manage it then send the alerts to a
named pipe then set up pfdetect to trigger a violation.  I think I would
rather just give pfsense a try if that much work is required and create my
own portal using UniFi php mod.  Too bad for a clean NAC.

From:  Louis Munro <[email protected]>
Reply-To:  <[email protected]>
Date:  Mon, 9 Dec 2013 15:20:06 -0500
To:  <[email protected]>
Subject:  Re: [PacketFence-users] OS, PacketFence, and Snort

Hi Bryan,

Snort works well enough on Centos 6. I'm sure it works on other distros as
well since it is not exactly a new package.

This is what I replied to someone asking for guidance last week.

"Do you have detection enabled in "trapping"?

Have a look at /usr/local/pf/conf/pf.conf.defaults. A lot of variables and
their possible values are described in there.
Do not start snort at boot. Let PacketFence manage it.

Then of course you will have to have actual snort rules. Look under addons
for an oinkmaster config file as a starting point and place your rules under
conf/snort.

When it works, you will have snort sending alerts to a named pipe and
pfdetect reading from it and triggering violations.
Make sure you actually have some violations defined that match the snort ids
of the alerts you want to trigger upon."


When in doubt, start snort in the foreground and check the output.

Hope that helps,
Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca <http://www.inverse.ca>
+1.514.447.4918 *125  :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu> ) and
PacketFence (www.packetfence.org <http://www.packetfence.org> )

On 2013-12-09, at 9:22 , Bryan M <[email protected]> wrote:

> Hi,
> 
> Will someone please let me know what OS (version) they are using with
> PacketFence (version) with Snort (version) working.  I've tried Debian Wheezy
> (32 and 64 bit), Ubuntu Server 12.04.3 LTS (64 bit), Centos 6.5 (32 bit), and
> PacketFence ZEN (password does not work) without getting Snort to start by
> PacketFence.   If you could include any important steps I would appreciate it.
> Like for Debian I had to install snmp-mibs-downloader.deb then install it.
> Not a big deal but not included in the install instructions.
> 
> I was able to get Suricata to start on my Debian Wheezy installation but it
> didn't notify me when I used BitTorrent on the network, is this only a Snort
> rule?
> 
> Thanks,
> 
> Bryan
> 
> PS
> Is anyone getting these?  I have not heard a single response to all my emails
> I've been sending.  Will someone please confirm these are being sent.
> _____________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
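
Added example, not part of the thread and not PacketFence code: a small check for the point made above that alerts only trigger violations when their snort ids match a defined violation. It assumes snort's "fast" alert line format and a violations file with one section per violation and `trigger=Detect::<sid>` entries; the SIDs, violation id and addresses are constructed.

```python
import configparser
import re

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] [...] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Constructed sample alerts, as they would be read from the alert pipe or file.
SAMPLE_ALERTS = """\
12/09-15:20:06.101010  [**] [1:1000001:1] LOCAL BitTorrent announce [**] [Classification: Policy Violation] [Priority: 1] {TCP} 192.168.1.50:51413 -> 203.0.113.7:6881
12/09-15:21:40.202020  [**] [1:1000002:3] LOCAL SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:40022 -> 192.168.1.1:22
this line is not an alert
"""

# Constructed violations config; the section/trigger layout is an assumption.
SAMPLE_VIOLATIONS = """\
[1500001]
desc=P2P (constructed example)
trigger=Detect::1000001,Detect::1000009
enabled=Y
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields

def load_triggers(conf_text):
    """Map snort sid -> violation id for every enabled Detect:: trigger."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    triggers = {}
    for vid in cp.sections():
        if cp.get(vid, "enabled", fallback="N").upper() != "Y":
            continue
        for item in cp.get(vid, "trigger", fallback="").split(","):
            kind, _, tid = item.strip().partition("::")
            if kind == "Detect" and tid.isdigit():
                triggers[int(tid)] = vid
    return triggers

def check_coverage(alert_text, conf_text):
    """Split parsed alerts into those with a matching violation and those without."""
    triggers = load_triggers(conf_text)
    alerts = [a for a in map(parse_alert, alert_text.splitlines()) if a]
    matched = [(a["sid"], triggers[a["sid"]], a["src"]) for a in alerts if a["sid"] in triggers]
    unmatched = [(a["sid"], a["msg"]) for a in alerts if a["sid"] not in triggers]
    return matched, unmatched
```

Alerts that land in the unmatched list are the ones snort raises but no violation would act on.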
