Sad day... The dependencies for the PF remote sensor package cause SecurityOnion to throw a huge fit.

I tried copying the scripts manually, but the necessary Perl libraries are not present, and attempting to install them was going to break some tools in SecurityOnion. Or at least that is the impression I got from the apt-get output, which said it was going to remove about 100 packages, all related to SecurityOnion. I'm not 100% sure yet, but I don't think I will be able to use the pre-built PF package, and installing the necessary libs seems to be a dangerous prospect.

So! The next step should be...? How would PF handle the alerts if it was running SNORT/Suricata locally? If my feelings are correct and PF watches the Snort logfile, I can get the log entries to the PF box. From there it seems to be a matter of setting up the correct regex to parse out the info PF is looking for. All of that I can do. What I do not know is how to give that info to PF in a way that causes it to trigger a violation. Would it be acceptable to just fire off a script that triggers the "pfcmd violation" command with the correct info? This seems to be the simplest solution; however, it is probably not too efficient, and there must be a more elegant way. I am open to suggestions, and any input is appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Loick Pelet [[email protected]]
Sent: Tuesday, January 14, 2014 10:51 PM
To: [email protected]
Subject: Re: [PacketFence-users] External SNORT Integration with PF

My pleasure, Jake.

Loick
--
Loick PELET
[email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Tuesday, January 14, 2014 18:04 EST, "Sallee, Stephen (Jake)" <[email protected]> wrote:

That is amazing! I'm off to attempt it, wish me luck. Thank you for your assistance.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Loick Pelet [[email protected]]
Sent: Tuesday, January 14, 2014 4:50 PM
To: [email protected]
Subject: Re: [PacketFence-users] External SNORT Integration with PF

Actually, you can just place the files in your system by hand (there is no binary, just Perl scripts), but I think the packaged deb will work from your mothership. It reads the log-file output of Snort directly.

regards,
Loick
--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse

On Jan 14, 2014, at 5:18 PM, Sallee, Stephen (Jake) wrote:

Loick:

First, thank you for being so active on this list. I try not to weigh down my emails with too much information, but I think I may not have volunteered enough information this time.

The reason my SNORT server is external is because I am using a distro called Security Onion. Security Onion has just about every tool you could ever need/want for IDS pre-installed and pre-configured, very nice! I am using Security Onion in a distributed sensor and server architecture: the sensors run SNORT and report back to the mothership with the violations they see. Because of that I do not think the pre-packaged DEB will work for me. (|||❛︵❛.)

What I do have access to is a log file with all the realtime SNORT alerts. If I comb through the source of the package you suggested, would it be doable to re-create its functionality using this log file?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Loick Pelet [[email protected]]
Sent: Tuesday, January 14, 2014 3:54 PM
To: [email protected]
Subject: Re: [PacketFence-users] External SNORT Integration with PF

Hi Jake,

First of all, if you plan to have a big load, choose Suricata instead of Snort. Suricata is multi-threaded, it uses the same rules as Snort, and it is integrated in PacketFence just like Snort.

1) I'll let the community provide you that.

2) You have to install packetfence_remote_snort_sensor from the Inverse repo (http://www.packetfence.org/downloads/PacketFence/RHEL6/x86_64/RPMS/packetfence-remote-snort-sensor-4.1.0-1.el6.noarch.rpm). It will parse the logs of your IDS and make HTTPS calls to your PacketFence webservices daemon (port 9090).

regards,
Loick
--
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
gtalk or skype : lpelet.inverse

On Jan 14, 2014, at 4:40 PM, Sallee, Stephen (Jake) wrote:

Hello All!

It is time! I am ready to commence integrating SNORT into my PF deployment. *cue trumpets*

I have 2 questions to start with:

1) Does anyone have a list of Snort violations you use to trigger a violation? I can compile my own, but if anyone has already done this I would like to not re-invent the wheel.

2) How does PF integrate with SNORT? Does it just watch a log file looking for its list of signature IDs and fire off violations based on that? You see, my SNORT server is external to my PF server, and I need to know how to get the alerts PF is looking for over to my PF server. I can write a script / daemon to copy the alerts to the PF server, but I have no idea what to do with them when they get there.

As always, any help is greatly appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
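One way to do the regex parsing Jake describes at the top of the thread, as an added example that is not part of the thread or of PacketFence's own remote sensor: it parses Snort "alert_fast" lines, keeps only the signature IDs on an allowlist, and returns structured events for the caller to hand to PacketFence. The alert_fast layout is assumed from Snort 2.x, the sample lines are constructed, and IPv4 endpoints are assumed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumed Snort 2.x "alert_fast" line layout; check it against your own
# sensor's output before relying on it.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass
class SnortEvent:
    sid: int
    msg: str
    priority: int
    proto: str
    src_ip: str
    dst_ip: str

def strip_port(endpoint: str) -> str:
    # "10.0.0.5:80" -> "10.0.0.5"; ICMP alerts carry no port (IPv4 assumed).
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint

def parse_fast_alert(line: str) -> Optional[SnortEvent]:
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None  # unrelated or truncated line: skip it rather than crash
    return SnortEvent(int(m["sid"]), m["msg"], int(m["prio"]), m["proto"],
                      strip_port(m["src"]), strip_port(m["dst"]))

def select_violations(lines: Iterable[str], watched_sids: Set[int]) -> List[SnortEvent]:
    """Keep only alerts whose SID is on the allowlist; those are the ones
    worth forwarding to PacketFence (via pfcmd or its web services)."""
    parsed = (parse_fast_alert(line) for line in lines)
    return [e for e in parsed if e is not None and e.sid in watched_sids]

# Constructed sample lines, not captured from a real sensor.
SAMPLE_LOG = [
    "01/14-22:51:03.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51234",
    "01/14-22:52:10.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
    "01/14-22:53:00.500000  [**] [1:1000001:1] LOCAL noisy test rule [**] [Priority: 3] "
    "{UDP} 192.168.1.20:5353 -> 224.0.0.251:5353",
    "Snort sensor restarted",
]
WATCHED_SIDS = {2100498, 384}  # SIDs you want turned into PF violations

if __name__ == "__main__":
    for ev in select_violations(SAMPLE_LOG, WATCHED_SIDS):
        print(f"sid={ev.sid} src={ev.src_ip} dst={ev.dst_ip} msg={ev.msg!r}")
```

A real deployment would tail the sensor's alert file and feed each new line through select_violations; the noisy local rule and the non-alert line are dropped before anything reaches PacketFence.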
