Hello Jake, there are not so many dependencies with remote-snort-sensor:

snort | suricata, libfile-tail-perl, libconfig-inifiles-perl (>= 2.4.0), libio-socket-ssl-perl, libxml-parser-perl, libcrypt-ssleay-perl, libsoap-lite-perl, libthread-conveyor-monitored-perl, libthread-conveyor-perl

If you try to install these packages, are you able to make it run?

Fabrice

On 2014-01-15 10:55, Sallee, Stephen (Jake) wrote:
> Sad day...
>
> The dependencies for the PF remote sensor package cause SecurityOnion to
> throw a huge fit.
>
> I tried copying the scripts manually but the necessary Perl libraries are not
> present and attempting to install them was going to break some tools in the
> SecurityOnion. Or at least that is the impression I got from the apt-get
> output that said it was going to remove about 100 packages all related to
> SecurityOnion.
>
> I'm not 100% sure yet, but I don't think I will be able to use the pre-built
> PF package, and installing the necessary libs seems to be a dangerous
> prospect.
>
> So! The next step should be...?
>
> How would PF handle the alerts if it was running SNORT/Suricata locally?
>
> If my feelings are correct and PF watches the snort logfile I can get the log
> entries to the PF box. From there it seems to be a matter of setting up the
> correct regex to parse out the info PF is looking for. All of that I can do.
> What I do not know is how to give that info to PF in a way that causes it to
> trigger a violation.
>
> Would it be acceptable to just fire off a script that triggers the "pfcmd
> violation" command with the correct info?
>
> This seems to be the simplest solution, however it is probably not too
> efficient and there must be a more elegant way. I am open to suggestions,
> and any input is appreciated.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Loick Pelet [[email protected]]
> Sent: Tuesday, January 14, 2014 10:51 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>
> My pleasure, Jake.
>
> Loick
> --
> Loick PELET [email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> On Tuesday, January 14, 2014 18:04 EST, "Sallee, Stephen (Jake)"
> <[email protected]> wrote:
>
> That is amazing! I'm off to attempt it, wish me luck. Thank you for your
> assistance.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> ________________________________
> From: Loick Pelet [[email protected]]
> Sent: Tuesday, January 14, 2014 4:50 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>
> Actually you can just place the files in your system by hand
> (there is no binary, just Perl scripts), but I think the packaged deb will work
> from your mothership.
>
> It reads the log-file output of Snort directly.
>
> regards,
> Loick
> --
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
> gtalk or skype : lpelet.inverse
>
> On Jan 14, 2014, at 5:18 PM, Sallee, Stephen (Jake) wrote:
>
> Loick:
>
> First, thank you for being so active on this list.
>
> I try not to weigh down my emails with too much information but I think I may
> have not volunteered enough information this time.
>
> The reason my SNORT server is external is because I am using a distro called
> Security Onion.
>
> Security Onion has just about every tool you could ever need/want for IDS
> pre-installed and pre-configured, very nice!
>
> I am using Security Onion in a distributed sensor and server architecture.
> The sensors run SNORT and report back to the mothership with the violations
> they see.
>
> Because of that I do not think the pre-packaged DEB will work for me.
> (|||❛︵❛.)
>
> What I do have access to is a log file with all the realtime SNORT alerts. If
> I comb through the source of the package you suggested would it be doable to
> re-create its functionality using this log file?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> ________________________________
> From: Loick Pelet [[email protected]]
> Sent: Tuesday, January 14, 2014 3:54 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>
> Hi Jake,
>
> First of all, if you plan to have big load choose Suricata instead of Snort.
> Suricata is multi-threaded, it uses the same rules as Snort
> and it is integrated in PacketFence as well as Snort.
>
> 1) I'll let the community provide you that.
>
> 2) You have to install packetfence_remote_snort_sensor from the Inverse repo
> (http://www.packetfence.org/downloads/PacketFence/RHEL6/x86_64/RPMS/packetfence-remote-snort-sensor-4.1.0-1.el6.noarch.rpm)
> It will parse the logs of your IDS and make HTTPS calls to your PacketFence
> webservices daemon (port 9090).
>
> regards,
> Loick
> --
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
> gtalk or skype : lpelet.inverse
>
> On Jan 14, 2014, at 4:40 PM, Sallee, Stephen (Jake) wrote:
>
> Hello All!
>
> It is time! I am ready to commence integrating SNORT into my PF deployment.
>
> *cue trumpets*
>
> I have 2 questions to start with:
>
> 1) Does anyone have a list of snort violations you use to trigger a
> violation? I can compile my own but if anyone has already done this I would
> like to not re-invent the wheel.
>
> 2) How does PF integrate with SNORT? Does it just watch a log file looking
> for its list of signature IDs and firing off violations based on that?
>
> You see my SNORT server is external to my PF server and I need to know how to
> get the alerts PF is looking for over to my PF server.
>
> I can write a script / daemon to copy the alerts to the PF server but I have
> no idea what to do with them when they get there.
>
> As always, any help is greatly appreciated.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
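Jake's plan in the thread above (watch the Snort alert log, pull out the signature ID and the offending host, and hand only the SIDs PF cares about on to it) as an added Python example; it is not part of this thread nor of the packetfence-remote-snort-sensor scripts. It parses the alert_fast layout, skips lines that are not alerts, handles ICMP lines that carry no ports, and reports each (SID, host) pair once; the SIDs and addresses in the sample log are constructed, and the final hand-off to PF (pfcmd or the port 9090 webservices call) is left to the caller.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Set, Tuple

# Snort/Suricata alert_fast layout (a real format; all of SAMPLE_LOG below is constructed):
#   MM/DD[/YY]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"   # IPv4 only; ICMP has no port
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

@dataclass(frozen=True)
class Alert:
    sid: int   # signature id: what a PF violation trigger keys on
    msg: str
    src: str   # offending host, the one PF would isolate
    dst: str

def parse_fast_alert(line: str) -> Optional[Alert]:
    """Fields PF needs from one log line; None for blank, truncated or non-alert lines."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    return Alert(int(m.group("sid")), m.group("msg"), m.group("src"), m.group("dst"))

def select_violations(lines: Iterable[str], watched_sids: Set[int]) -> Iterator[Tuple[int, str]]:
    """Yield (sid, source_ip) once per pair so a noisy scanner fires one violation, not hundreds."""
    seen = set()
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert.sid not in watched_sids:
            continue
        key = (alert.sid, alert.src)
        if key not in seen:
            seen.add(key)
            yield key

# Constructed sample: local-range SIDs (1000000+) and documentation addresses (192.0.2.0/24).
SAMPLE_LOG = """\
01/15-10:55:03.123456  [**] [1:1000001:2] LOCAL scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43210 -> 192.0.2.20:22
01/15-10:55:04.000001  [**] [1:1000002:1] LOCAL icmp sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 192.0.2.20
01/15-10:55:05.500000  [**] [1:1000001:2] LOCAL scan detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43211 -> 192.0.2.21:22
01/15-10:55:06.000000  [**] [1:1000003:1] LOCAL info only [**] [Priority: 3] {UDP} 192.0.2.30:5353 -> 224.0.0.251:5353
not an alert line at all
"""
```

In production the `lines` iterable would be a tail of the sensor's alert file, and the `seen` set should be reset or time-windowed so a host that is cleaned and re-infected is reported again.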
