Ok Jakes, make a test

http://inverse.ca/downloads/PacketFence/debian-fix-security_onion_integration/pool/precise/p/packetfence/packetfence-remote-snort-sensor_4.1.0-201401171015_all.deb

Fabrice

On 2014-01-17 09:29, Sallee, Stephen (Jake) wrote:
> Fabrice, that would be amazing!
>
> I am using a distribution called Security Onion 64bit which is based on 
> Ubuntu 12.04 LTS.  The maintainer has done some fairly heavy modifications 
> which is possibly why I am running into the dep problems.
>
> Please let me know if I can be of any assistance.
>
> If you need a system to test / break, I'm your guy!
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Fabrice DURAND [[email protected]]
> Sent: Friday, January 17, 2014 7:14 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>
> Hi Jakes,
> I will try to make the deb for you. What distrib/arch are you using?
>
> Fabrice
>
> On 2014-01-15 12:04, Sallee, Stephen (Jake) wrote:
>> Fabrice:
>>
>>> What is possible to do is to build a new deb package...
>> I am not familiar with building custom DEB packages.  But I can learn.
>>
>> For SecurityOnion it may be a good idea to remove the SNORT/Suricata dep as 
>> well.  In a server/sensor architecture the server that holds the SNORT 
>> events does not actually have the SNORT software installed on it.  It is 
>> really only serving as a SNORT log aggregation point.
>>
>> If I start removing dependencies at some point I'm going to break the PF 
>> package by not including the necessary Perl libs.  Will removing the 
>> requirement for libsoap-lite-perl, and thus its associated deps, break the PF 
>> package?
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> ________________________________________
>> From: Fabrice DURAND [[email protected]]
>> Sent: Wednesday, January 15, 2014 10:47 AM
>> To: [email protected]
>> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>>
>> Ok, and libmailtools-perl looks like a dependency of another
>> dependency.
>> What is possible to do is to build a new deb package without the
>> libsoap-lite-perl dep, but you have to install it manually.
>>
>> Fabrice
>>
>> On 2014-01-15 11:31, Sallee, Stephen (Jake) wrote:
>>> Hi Fabrice!
>>>
>>> The major problem was the package "libsoap-lite-perl", which is a 
>>> dependency of one of the dependencies for the PF package.
>>>
>>> Also the package "libmailtools-perl" conflicts with the SecurityOnion 
>>> specific package "securityonion-libmailtools-perl".  The SO package is a 
>>> newer version so I was considering forcing the install using the SO 
>>> package, but the libsoap-lite-perl will bork the SO tools in a bad way.
>>>
>>> Here is a pastebin of the apt-get output:
>>>
>>> http://pastebin.com/kGn4WTkm
>>>
>>> That's the reason I was thinking about an alternate method of integrating 
>>> SO and PF.
>>>
>>> If you have any insights or suggestions I am open to them.
>>>
>>> Jake Sallee
>>> Godfather of Bandwidth
>>> System Engineer
>>> University of Mary Hardin-Baylor
>>>
>>> 900 College St.
>>> Belton, Texas
>>> 76513
>>>
>>> Fone: 254-295-4658
>>> Phax: 254-295-4221
>>>
>>> ________________________________________
>>> From: Fabrice DURAND [[email protected]]
>>> Sent: Wednesday, January 15, 2014 10:10 AM
>>> To: [email protected]
>>> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>>>
>>> Hello Jake,
>>>
>>> there are not that many dependencies with remote-snort-sensor.
>>>
>>> snort | suricata, libfile-tail-perl, libconfig-inifiles-perl (>= 2.4.0),
>>>      libio-socket-ssl-perl, libxml-parser-perl, libcrypt-ssleay-perl,
>>>      libsoap-lite-perl, libthread-conveyor-monitored-perl,
>>> libthread-conveyor-perl
>>>
>>> If you try to install these packages, are you able to make it run?
>>>
>>> Fabrice
>>>
>>>
>>> On 2014-01-15 10:55, Sallee, Stephen (Jake) wrote:
>>>> Sad day...
>>>>
>>>> The dependencies for the PF remote sensor package cause SecurityOnion to 
>>>> throw a huge fit.
>>>>
>>>> I tried copying the scripts manually but the necessary perl libraries are 
>>>> not present and attempting to install them was going to break some tools 
>>>> in the SecurityOnion.  Or at least that is the impression I got from the 
>>>> apt-get output that said it was going to remove about 100 packages all 
>>>> related to SecurityOnion.
>>>>
>>>> I'm not 100% sure yet, but I don't think I will be able to use the 
>>>> pre-built PF package, and installing the necessary libs seems to be a 
>>>> dangerous prospect.
>>>>
>>>> So!  The next step should be...?
>>>>
>>>> How would PF handle the alerts if it was running SNORT/Suricata locally?
>>>>
>>>> If my feelings are correct and PF watches the snort logfile I can get the 
>>>> log entries to the PF box.  From there it seems to be a matter of setting 
>>>> up the correct regex to parse out the info PF is looking for.  All of that 
>>>> I can do. What I do not know is how to give that info to PF in a way that 
>>>> causes it to trigger a violation.
>>>>
>>>> Would it be acceptable to just fire off a script that triggers the "pfcmd 
>>>> violation" command with the correct info?
>>>>
>>>> This seems to be the simplest solution, however it is probably not too 
>>>> efficient and there must be a more elegant way.  I am open to suggestions, 
>>>> and any input is appreciated.
>>>>
>>>> Jake Sallee
>>>> Godfather of Bandwidth
>>>> System Engineer
>>>> University of Mary Hardin-Baylor
>>>>
>>>> 900 College St.
>>>> Belton, Texas
>>>> 76513
>>>>
>>>> Fone: 254-295-4658
>>>> Phax: 254-295-4221
>>>> ________________________________
>>>> From: Loick Pelet [[email protected]]
>>>> Sent: Tuesday, January 14, 2014 10:51 PM
>>>> To: [email protected]
>>>> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>>>>
>>>> My pleasure, Jake.
>>>>
>>>> Loick
>>>> --
>>>> Loick PELET [email protected] :: +1.514.447.4918 *130 :: www.inverse.ca 
>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
>>>> (www.packetfence.org)
>>>>
>>>> On Tuesday, January 14, 2014 18:04 EST, "Sallee, Stephen (Jake)" 
>>>> <[email protected]> wrote:
>>>>
>>>> That is amazing! I'm off to attempt it, wish me luck. Thank you for your 
>>>> assistance.
>>>>
>>>> Jake Sallee
>>>> Godfather of Bandwidth
>>>> System Engineer
>>>> University of Mary Hardin-Baylor
>>>>
>>>> 900 College St.
>>>> Belton, Texas
>>>> 76513
>>>>
>>>> Fone: 254-295-4658
>>>> Phax: 254-295-4221
>>>> ________________________________
>>>> From: Loick Pelet [[email protected]]
>>>> Sent: Tuesday, January 14, 2014 4:50 PM
>>>> To: [email protected]
>>>> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>>>>
>>>> Actually you can just place the files in your system by hand 
>>>> (there is no binary, just Perl scripts), but I think the packaged deb will 
>>>> work from your mothership.
>>>>
>>>> It reads the log-file output of Snort directly.
>>>>
>>>> regards,
>>>> Loick
>>>> --
>>>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
>>>> (www.packetfence.org)
>>>> gtalk or skype : lpelet.inverse
>>>>
>>>> On Jan 14, 2014, at 5:18 PM, Sallee, Stephen (Jake) wrote:
>>>>
>>>> Loick:
>>>>
>>>> First, thank you for being so active on this list.
>>>>
>>>> I try not to weigh down my emails with too much information but I think I 
>>>> may have not volunteered enough information this time.
>>>>
>>>> The reason my SNORT server is external is because I am using a distro 
>>>> called Security Onion.
>>>>
>>>> Security Onion has just about every tool you could ever need/want for IDS 
>>>> pre-installed and pre-configured, very nice!
>>>>
>>>> I am using Security Onion in a distributed sensor and server architecture. 
>>>> The sensors run SNORT and report back to the mothership with the 
>>>> violations they see.
>>>>
>>>> Because of that I do not think the pre-packaged DEB will work for me. 
>>>> (|||❛︵❛.)
>>>>
>>>> What I do have access to is a log file with all the realtime SNORT alerts. 
>>>> If I comb through the source of the package you suggested would it be 
>>>> doable to re-create its functionality using this log file?
>>>>
>>>>
>>>> Jake Sallee
>>>> Godfather of Bandwidth
>>>> System Engineer
>>>> University of Mary Hardin-Baylor
>>>>
>>>> 900 College St.
>>>> Belton, Texas
>>>> 76513
>>>>
>>>> Fone: 254-295-4658
>>>> Phax: 254-295-4221
>>>> ________________________________
>>>> From: Loick Pelet [[email protected]]
>>>> Sent: Tuesday, January 14, 2014 3:54 PM
>>>> To: [email protected]
>>>> Subject: Re: [PacketFence-users] External SNORT Integration with PF
>>>>
>>>> Hi Jake,
>>>>
>>>> First of all, if you plan to have a big load, choose Suricata instead of 
>>>> Snort. Suricata is multi-threaded, it uses the same rules as Snort,
>>>> and it is integrated in PacketFence as well as Snort.
>>>>
>>>> 1) I let the community provide you that.
>>>>
>>>> 2) You have to install packetfence_remote_snort_sensor from the Inverse repo 
>>>> (http://www.packetfence.org/downloads/PacketFence/RHEL6/x86_64/RPMS/packetfence-remote-snort-sensor-4.1.0-1.el6.noarch.rpm)
>>>> It will parse the logs of your IDS and make HTTPS calls to your PacketFence 
>>>> webservices daemon (port 9090).
>>>>
>>>> regards,
>>>> Loick
>>>> --
>>>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
>>>> (www.packetfence.org)
>>>> gtalk or skype : lpelet.inverse
>>>>
>>>> On Jan 14, 2014, at 4:40 PM, Sallee, Stephen (Jake) wrote:
>>>>
>>>> Hello All!
>>>>
>>>> It is time! I am ready to commence integrating SNORT into my PF deployment.
>>>>
>>>> *cue trumpets*
>>>>
>>>> I have 2 questions to start with:
>>>>
>>>> 1) Does anyone have a list of snort violations you use to trigger a 
>>>> violation? I can compile my own, but if anyone has already done this I 
>>>> would like to not re-invent the wheel.
>>>>
>>>> 2) How does PF integrate with SNORT? Does it just watch a log file looking 
>>>> for its list of signature IDs and fire off violations based on that?
>>>>
>>>> You see, my SNORT server is external to my PF server and I need to know how 
>>>> to get the alerts PF is looking for over to my PF server.
>>>>
>>>> I can write a script / daemon to copy the alerts to the PF server but I 
>>>> have no idea what to do with them when they get there.
>>>>
>>>> As always, any help is greatly appreciated.
>>>>
>>>> Jake Sallee
>>>> Godfather of Bandwidth
>>>> System Engineer
>>>> University of Mary Hardin-Baylor
>>>>
>>>> 900 College St.
>>>> Belton, Texas
>>>> 76513
>>>>
>>>> Fone: 254-295-4658
>>>> Phax: 254-295-4221
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>> --
>>> Fabrice Durand
>>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
>>>
>>>
>> --
>> Fabrice Durand
>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>>
>
> --
> Fabrice Durand
> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
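The log-watching approach Jake sketches in the quoted thread (read the Snort alert file, pick out the signature IDs PacketFence cares about, hand each hit over to PF) as an added illustration in Python; this is not part of the thread or of the packetfence-remote-snort-sensor package. It assumes Snort's alert_fast line format, uses constructed sample lines and SIDs, and leaves the actual hand-off to PacketFence as a hypothetical on_hit callback, since the exact pfcmd / webservices call is not given in the thread.

```python
import re
from typing import Callable, Iterable, List, NamedTuple, Optional, Set, Tuple

class Alert(NamedTuple):
    timestamp: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str

# One line of Snort/Suricata "alert_fast" output (IPv4 only), e.g.
# 01/14-16:40:12.123456  [**] [1:2100498:7] MSG [**] [Priority: 2] {TCP} 10.1.2.3:4444 -> 10.1.9.9:80
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)

def parse_fast_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast-alert line, None for anything else."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m.group("ts"), int(m.group("sid")), m.group("msg"),
                 m.group("proto"), m.group("src"), m.group("dst"))

def watch_alerts(lines: Iterable[str], watched_sids: Set[int],
                 on_hit: Callable[[Alert], None]) -> List[Alert]:
    """Parse each line; call on_hit once per (sid, src) whose SID is watched.
    on_hit is a hypothetical hook where the hand-off to PacketFence (the 'pfcmd
    violation' call or webservices request discussed in the thread) would go.
    """
    seen: Set[Tuple[int, str]] = set()
    hits: List[Alert] = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert.sid not in watched_sids:
            continue  # unparsable line, or a SID PacketFence is not watching
        key = (alert.sid, alert.src)
        if key not in seen:  # a repeating alert must not re-fire the same violation
            seen.add(key)
            on_hit(alert)
            hits.append(alert)
    return hits

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = [
    "01/14-16:40:12.123456  [**] [1:2100498:7] CONSTRUCTED id check returned root [**] [Priority: 2] {TCP} 10.1.2.3:4444 -> 10.1.9.9:80",
    "01/14-16:40:13.000001  [**] [1:2100498:7] CONSTRUCTED id check returned root [**] [Priority: 2] {TCP} 10.1.2.3:4445 -> 10.1.9.9:80",
    "01/14-16:40:14.500000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.2.7 -> 10.1.9.9",
    "garbage line that is not an alert",
]
```

Feeding SAMPLE_LOG through watch_alerts with {2100498} watched yields one hit for 10.1.2.3, since the second alert from the same host is deduplicated.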
