Just went through the packetfence.log and found that "grace expired" right
after the user successfully logged in, and right after the Nessus violation was
triggered. Maybe that's the reason why the grace window did not work. But why
did it expire right away, not after 20 minutes?
Mar 19 11:31:19 register.cgi(0) INFO: Authentication successful for testpf4
in source qlad_2 (AD) (pf::authentication::authenticate)
Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
pf4,CN=Users,DC=qlogitek,DC=com)
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
qlad_2, returning actions. (pf::Authentication::Source::match)
Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
pf4,CN=Users,DC=qtest,DC=com)
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
qlad_2, returning actions. (pf::Authentication::Source::match)
Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
pf4,CN=Users,DC=qtest,DC=com)
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
qlad_2, returning actions. (pf::Authentication::Source::match)
Mar 19 11:31:19 register.cgi(0) INFO: performing node registration MAC:
dc:0e:a1:8a:d4:8f pid: testpf4 (pf::web::_sanitize_and_register)
Mar 19 11:31:19 register.cgi(0) WARN: grace expired on violation 1200001
for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:31:19 register.cgi(0) INFO: grace expired on violation 1200001
for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:31:19 register.cgi(0) INFO: violation 1200001 added for
dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:31:19 register.cgi(0) INFO: executing action 'winpopup' on class
1200001 (pf::action::action_execute)
Mar 19 11:31:19 register.cgi(0) INFO: executing action 'trap' on class
1200001 (pf::action::action_execute)
Mar 19 11:31:19 register.cgi(0) INFO: re-evaluating access for node
dc:0e:a1:8a:d4:8f (manage_vopen called) (pf::enforcement::reevaluate_access)
Mar 19 11:31:19 register.cgi(0) INFO: dc:0e:a1:8a:d4:8f is currentlog
connected at 172.16.123.22 ifIndex 10101 in VLAN 2
(pf::enforcement::_should_we_reassign_vlan)
Mar 19 11:31:19 register.cgi(0) INFO: highest priority violation for
dc:0e:a1:8a:d4:8f is 1200001. Target VLAN for violation: isolation (3)
(pf::vlan::getViolationVlan)
Mar 19 11:31:19 register.cgi(0) INFO: VLAN reassignment required for
dc:0e:a1:8a:d4:8f (current VLAN = 2 but should be in VLAN 3)
(pf::enforcement::_should_we_reassign_vlan)
Mar 19 11:31:19 register.cgi(0) INFO: switch port for dc:0e:a1:8a:d4:8f is
172.16.123.22 ifIndex 10101 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Mar 19 11:31:19 register.cgi(0) INFO: executing action 'log' on class
1200001 (pf::action::action_execute)
Mar 19 11:31:19 register.cgi(0) INFO: /usr/local/pf/logs/violation.log
2014-03-19 11:31:19: System Scan (1200001) detected on node
dc:0e:a1:8a:d4:8f (192.168.22.12) (pf::action::action_log)
Mar 19 11:34:24 pfcmd.pl(29054) INFO: calling '/usr/local/pf/bin/pfcmd
violation add vid=1100001,mac=dc:0e:a1:8a:d4:8f,release_date=2014-03-19
11:39:24' (trigger nessus::53514) (pf::violation::violation_trigger)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: pfcmd calling violation_add for
dc:0e:a1:8a:d4:8f (main::command_param)
Mar 19 11:34:26 pfcmd.pl(30105) WARN: grace expired on violation 1100001
for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: grace expired on violation 1100001
for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: violation 1100001 added for
dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'winpopup' on class
1100001 (pf::action::action_execute)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'trap' on class
1100001 (pf::action::action_execute)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: re-evaluating access for node
dc:0e:a1:8a:d4:8f (manage_vopen called) (pf::enforcement::reevaluate_access)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: dc:0e:a1:8a:d4:8f is currentlog
connected at 172.16.123.22 ifIndex 10101 in VLAN 3
(pf::enforcement::_should_we_reassign_vlan)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: highest priority violation for
dc:0e:a1:8a:d4:8f is 1200001. Target VLAN for violation: isolation (3)
(pf::vlan::getViolationVlan)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'log' on class
1100001 (pf::action::action_execute)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: /usr/local/pf/logs/violation.log
2014-03-19 11:34:26: Nessus Scan (1100001) detected on node
dc:0e:a1:8a:d4:8f (192.168.23.10) (pf::action::action_log)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'email' on class
1100001 (pf::action::action_execute)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: loading Net::MAC::Vendor cache from
/usr/local/pf/conf/oui.txt (pf::util::load_oui)
On Tue, Mar 18, 2014 at 6:26 PM, forbmsyn <[email protected]> wrote:
> I have been testing the violation of Nessus Scan for a couple of days but
> could not get it to work as it is supposed to. Could anyone please help me
> have a look.
>
> In my scenario, a new device was scanned by Nessus and a violation was
> triggered. The device was then put into the isolation vlan. After 10 minutes
> the device was put into its destination vlan so that it gets a chance to fix
> the problem. I was expecting the device to be switched back to the isolation
> vlan after 20 minutes, but it did not happen.
>
> Below is the setting of Nessus from Violations.conf. And Nessus is the
> only Violations source I enabled.
>
> [1100001]
> desc=Nessus Scan
> template=failed_scan
> max_enable=4
> button_text=Scan my computer again
>
> trigger=Nessus::10861,Nessus::10943,Nessus::11177,Nessus::11231,Nessus::11302,Nessus::11304,Nessus::11528,Nessus::11595,Nessus::11664,Nessus::11787,Nessus::11790,Nessus::11803,Nessus::11808,Nessus::11835,Nessus::11878,Nessus::11886,Nessus::11887,Nessus::11921,Nessus::12051,Nessus::12052,Nessus::12054,Nessus::12092,Nessus::12208,Nessus::12209,Nessus::13641,Nessus::13852,Nessus::14724,Nessus::15460,Nessus::15894,Nessus::15970,Nessus::16324,Nessus::16326,Nessus::16327,Nessus::16328,Nessus::16329,Nessus::18020,Nessus::18021,Nessus::18023,Nessus::18025,Nessus::18027,Nessus::18028,Nessus::18215,Nessus::18482,Nessus::18483,Nessus::18490,Nessus::18502,Nessus::18681,Nessus::18682,Nessus::19401,Nessus::19402,Nessus::19406,Nessus::19408,Nessus::20005,Nessus::20172,Nessus::20299,Nessus::20368,Nessus::20382,Nessus::20389,Nessus::20390,Nessus::20904,Nessus::20905,Nessus::21213,Nessus::21332,Nessus::21685,Nessus::21687,Nessus::22030,Nessus::22034,Nessus::22183,Nessus::22184,Nessus::22185,Nessus::22186,Nessus::22187,Nessus::22192,Nessus::22194,Nessus::22332,Nessus::22449,Nessus::22530,Nessus::23644,Nessus::23646,Nessus::23647,Nessus::23833,Nessus::23835,Nessus::23837,Nessus::23838,Nessus::23999,Nessus::24000,nessus::53387,nessus::53514
> actions=email,trap,log,winpopup
> enabled=Y
> window=10m
> grace=20m
>
>
> Where else do I need to configure to get the device switched back to the
> isolation vlan automatically?
>
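A small triage script, added here and not taken from the thread or from PacketFence itself, that parses the "violation N added" lines in the packetfence.log format shown above together with the violations.conf snippet, and reports for each add how long it has been since the previous add of the same violation id on the same node, against that id's configured grace. It assumes the year (2014, from the violation.log line), that grace values use s/m/h/d shorthand, and that grace is measured from the previous same-id violation on the node; the 11:49:30 log line is constructed to show a re-trigger inside the grace period.

```python
import re
from datetime import datetime, timedelta
# Constructed sample shaped like the thread's packetfence.log excerpt; the 11:49:30
# line is invented here to show a re-trigger that lands inside the configured grace.
LOG = """\
Mar 19 11:31:19 register.cgi(0) INFO: violation 1200001 added for dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: violation 1100001 added for dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:49:30 pfcmd.pl(30777) INFO: violation 1100001 added for dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
"""
CONF = "[1100001]\ndesc=Nessus Scan\nwindow=10m\ngrace=20m\n"  # keys taken from the thread's snippet
ADD_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ INFO: violation (?P<vid>\d+) "
                    r"added for (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
def parse_duration(value):
    """'20m' -> timedelta; s/m/h/d suffixes are an assumption (PacketFence-style shorthand)."""
    n, unit = re.fullmatch(r"(\d+)([smhd])", value.strip(), re.I).groups()
    return timedelta(seconds=int(n) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[unit.lower()])

def parse_conf(text):
    """Minimal INI reader for violations.conf: {vid: {key: value}}."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][key.strip()] = val.strip()
    return conf

def parse_adds(text, year):
    """(timestamp, vid, mac) for every 'violation N added' line, in log order."""
    events = []
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:  # syslog-style stamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["vid"], m["mac"].lower()))
    return events

def grace_report(events, conf):
    """Per add: gap since the previous same-vid add on that node, and whether gap < grace."""
    last, report = {}, []
    for ts, vid, mac in events:
        gap = (ts - last[(mac, vid)]).total_seconds() if (mac, vid) in last else None
        grace = conf.get(vid, {}).get("grace")  # None when the vid is not configured
        grace_s = parse_duration(grace).total_seconds() if grace else None
        report.append({"ts": ts, "vid": vid, "mac": mac, "gap_s": gap, "grace_s": grace_s,
                       "within_grace": gap is not None and grace_s is not None and gap < grace_s})
        last[(mac, vid)] = ts
    return report
```

Running `grace_report(parse_adds(LOG, 2014), parse_conf(CONF))` flags only the constructed 11:49:30 add as inside the 20m grace; the two adds from the real log are each the first of their id, so no grace gap applies to them.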
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users