That is amazing! I'm off to attempt it, wish me luck. Thank you for your assistance.
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Loick Pelet [[email protected]]
Sent: Tuesday, January 14, 2014 4:50 PM
To: [email protected]
Subject: Re: [PacketFence-users] External SNORT Integration with PF

Actually you can just place the files in your system by hand (there is no binary, just Perl scripts), but I think the packaged deb will work from your mothership. It reads the log-file output of Snort directly.

regards,
Loick
--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse

On Jan 14, 2014, at 5:18 PM, Sallee, Stephen (Jake) <[email protected]> wrote:

Loick:

First, thank you for being so active on this list. I try not to weigh down my emails with too much information, but I think I may not have volunteered enough information this time.

The reason my SNORT server is external is because I am using a distro called Security Onion. Security Onion has just about every tool you could ever need/want for IDS pre-installed and pre-configured, very nice! I am using Security Onion in a distributed sensor and server architecture. The sensors run SNORT and report back to the mothership with the violations they see. Because of that I do not think the pre-packaged DEB will work for me. (|||❛︵❛.)

What I do have access to is a log file with all the realtime SNORT alerts. If I comb through the source of the package you suggested, would it be doable to re-create its functionality using this log file?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

________________________________
From: Loick Pelet [[email protected]]
Sent: Tuesday, January 14, 2014 3:54 PM
To: [email protected]
Subject: Re: [PacketFence-users] External SNORT Integration with PF

Hi Jake,

First of all, if you plan to have a big load, choose Suricata instead of Snort. Suricata is multi-threaded, it uses the same rules as Snort, and it is integrated in PacketFence as well as Snort.

1) I'll let the community provide you that.

2) You have to install packetfence_remote_snort_sensor from the Inverse repo (http://www.packetfence.org/downloads/PacketFence/RHEL6/x86_64/RPMS/packetfence-remote-snort-sensor-4.1.0-1.el6.noarch.rpm). It will parse the logs of your IDS and make HTTPS calls to your PacketFence webservices daemon (port 9090).

regards,
Loick

On Jan 14, 2014, at 4:40 PM, Sallee, Stephen (Jake) <[email protected]> wrote:

Hello All!

It is time! I am ready to commence integrating SNORT into my PF deployment. *cue trumpets*

I have 2 questions to start with:

1) Does anyone have a list of Snort violations you use to trigger a violation? I can compile my own, but if anyone has already done this I would like to not re-invent the wheel.

2) How does PF integrate with SNORT? Does it just watch a log file looking for its list of signature IDs and firing off violations based on that? You see, my SNORT server is external to my PF server and I need to know how to get the alerts PF is looking for over to my PF server. I can write a script / daemon to copy the alerts to the PF server, but I have no idea what to do with them when they get there.

As always, any help is greatly appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments & Everything In Between. Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
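Loick describes the remote sensor as a script that parses the IDS log and reports to PacketFence over HTTPS, and Jake asks whether he can rebuild that from his Snort alert log. The following is an added example, not PacketFence's or Inverse's code: a parser for Snort's alert_fast output that keeps only the signature IDs on an allowlist and shapes them into the fields a violation would need. The HTTPS call to the webservices daemon is hypothetical and left out, IPv4 addresses are assumed, and the sample log lines and SIDs are constructed.

```python
import re
from typing import Iterable, Optional

# Snort "alert_fast" line format (output alert_fast / snort -A fast), e.g.
# 01/14-16:50:12.123456  [**] [1:1000001:1] LOCAL x [**] [Classification: y] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.7:51234
# Assumptions: IPv4 addresses; the Classification field may be absent; ICMP has no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def violations_from_log(lines: Iterable[str], trigger_sids: set) -> list:
    """Keep only alerts whose SID is on the allowlist and shape them into the fields
    a PacketFence violation would need. The HTTPS call itself is hypothetical and
    omitted here (the real sensor talks to the webservices daemon on port 9090)."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] not in trigger_sids:
            continue  # unparsable lines and non-listed signatures are ignored
        out.append({"date": a["ts"], "sid": a["sid"], "srcip": a["src"],
                    "dstip": a["dst"], "msg": a["msg"]})
    return out


# Constructed sample log (not real traffic); SIDs are in the local-rule range.
SAMPLE_LOG = [
    "01/14-16:50:12.123456  [**] [1:1000001:1] LOCAL malware callback [**] [Classification: Trojan Activity] [Priority: 1] {TCP} 10.0.0.7:51234 -> 203.0.113.9:443",
    "01/14-16:51:03.000001  [**] [1:1000002:1] LOCAL ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1",
    "01/14-16:52:00.000000  [**] [1:1000003:2] LOCAL no classification [**] [Priority: 2] {UDP} 10.0.0.8:5353 -> 224.0.0.251:5353",
    "this line is not an alert and must be skipped",
]
TRIGGER_SIDS = {1000001, 1000003}  # constructed allowlist of SIDs that should raise a violation

if __name__ == "__main__":
    for v in violations_from_log(SAMPLE_LOG, TRIGGER_SIDS):
        print(v)
```

Feeding the live alert file through `violations_from_log` with a tail-style reader gives the same filtering the packaged sensor does before it contacts PacketFence.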
