Can anyone give me a clue on this?
On Wed, Mar 19, 2014 at 2:38 PM, forbmsyn <[email protected]> wrote:
> Just went through packetfence.log and found "grace expired" right
> after the user successfully logged in, and right after the Nessus violation was
> triggered. Maybe that's the reason why the grace window did not work. But why
> did it expire right away, not after 20 minutes?
>
>
> Mar 19 11:31:19 register.cgi(0) INFO: Authentication successful for
> testpf4 in source qlad_2 (AD) (pf::authentication::authenticate)
> Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
> pf4,CN=Users,DC=qlogitek,DC=com)
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
> qlad_2, returning actions. (pf::Authentication::Source::match)
> Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
> pf4,CN=Users,DC=qtest,DC=com)
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
> qlad_2, returning actions. (pf::Authentication::Source::match)
> Mar 19 11:31:19 register.cgi(0) INFO: Found a match (CN=test
> pf4,CN=Users,DC=qtest,DC=com)
> (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Mar 19 11:31:19 register.cgi(0) INFO: Matched rule (qlad_2_rule) in source
> qlad_2, returning actions. (pf::Authentication::Source::match)
> Mar 19 11:31:19 register.cgi(0) INFO: performing node registration MAC:
> dc:0e:a1:8a:d4:8f pid: testpf4 (pf::web::_sanitize_and_register)
> Mar 19 11:31:19 register.cgi(0) WARN: grace expired on violation 1200001
> for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:31:19 register.cgi(0) INFO: grace expired on violation 1200001
> for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:31:19 register.cgi(0) INFO: violation 1200001 added for
> dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:31:19 register.cgi(0) INFO: executing action 'winpopup' on class
> 1200001 (pf::action::action_execute)
> Mar 19 11:31:19 register.cgi(0) INFO: executing action 'trap' on class
> 1200001 (pf::action::action_execute)
> Mar 19 11:31:19 register.cgi(0) INFO: re-evaluating access for node
> dc:0e:a1:8a:d4:8f (manage_vopen called) (pf::enforcement::reevaluate_access)
> Mar 19 11:31:19 register.cgi(0) INFO: dc:0e:a1:8a:d4:8f is currently
> connected at 172.16.123.22 ifIndex 10101 in VLAN 2
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 19 11:31:19 register.cgi(0) INFO: highest priority violation for
> dc:0e:a1:8a:d4:8f is 1200001. Target VLAN for violation: isolation (3)
> (pf::vlan::getViolationVlan)
> Mar 19 11:31:19 register.cgi(0) INFO: VLAN reassignment required for
> dc:0e:a1:8a:d4:8f (current VLAN = 2 but should be in VLAN 3)
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 19 11:31:19 register.cgi(0) INFO: switch port for dc:0e:a1:8a:d4:8f is
> 172.16.123.22 ifIndex 10101 connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
> Mar 19 11:31:19 register.cgi(0) INFO: executing action 'log' on class
> 1200001 (pf::action::action_execute)
> Mar 19 11:31:19 register.cgi(0) INFO: /usr/local/pf/logs/violation.log
> 2014-03-19 11:31:19: System Scan (1200001) detected on node
> dc:0e:a1:8a:d4:8f (192.168.22.12) (pf::action::action_log)
>
>
>
>
> Mar 19 11:34:24 pfcmd.pl(29054) INFO: calling '/usr/local/pf/bin/pfcmd
> violation add vid=1100001,mac=dc:0e:a1:8a:d4:8f,release_date=2014-03-19
> 11:39:24' (trigger nessus::53514) (pf::violation::violation_trigger)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: pfcmd calling violation_add for
> dc:0e:a1:8a:d4:8f (main::command_param)
> Mar 19 11:34:26 pfcmd.pl(30105) WARN: grace expired on violation 1100001
> for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: grace expired on violation 1100001
> for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: violation 1100001 added for
> dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'winpopup' on
> class 1100001 (pf::action::action_execute)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'trap' on class
> 1100001 (pf::action::action_execute)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: re-evaluating access for node
> dc:0e:a1:8a:d4:8f (manage_vopen called) (pf::enforcement::reevaluate_access)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: dc:0e:a1:8a:d4:8f is currently
> connected at 172.16.123.22 ifIndex 10101 in VLAN 3
> (pf::enforcement::_should_we_reassign_vlan)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: highest priority violation for
> dc:0e:a1:8a:d4:8f is 1200001. Target VLAN for violation: isolation (3)
> (pf::vlan::getViolationVlan)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'log' on class
> 1100001 (pf::action::action_execute)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: /usr/local/pf/logs/violation.log
> 2014-03-19 11:34:26: Nessus Scan (1100001) detected on node
> dc:0e:a1:8a:d4:8f (192.168.23.10) (pf::action::action_log)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: executing action 'email' on class
> 1100001 (pf::action::action_execute)
> Mar 19 11:34:26 pfcmd.pl(30105) INFO: loading Net::MAC::Vendor cache from
> /usr/local/pf/conf/oui.txt (pf::util::load_oui)
>
>
> On Tue, Mar 18, 2014 at 6:26 PM, forbmsyn <[email protected]> wrote:
>
>> I have been testing the Nessus Scan violation for a couple of days but
>> could not get it to work as it is supposed to. Could anyone please help me
>> take a look.
>>
>> In my scenario, a new device was scanned by Nessus and a violation was
>> triggered. The device was then put into the isolation VLAN. After 10 minutes
>> the device was put into its destination VLAN so that it got a chance to fix
>> the problem. I was expecting the device to be switched back to the isolation
>> VLAN after 20 minutes, but it did not happen.
>>
>> Below is the Nessus setting from violations.conf. Nessus is the
>> only violation source I enabled.
>>
>> [1100001]
>> desc=Nessus Scan
>> template=failed_scan
>> max_enable=4
>> button_text=Scan my computer again
>>
>> trigger=Nessus::10861,Nessus::10943,Nessus::11177,Nessus::11231,Nessus::11302,Nessus::11304,Nessus::11528,Nessus::11595,Nessus::11664,Nessus::11787,Nessus::11790,Nessus::11803,Nessus::11808,Nessus::11835,Nessus::11878,Nessus::11886,Nessus::11887,Nessus::11921,Nessus::12051,Nessus::12052,Nessus::12054,Nessus::12092,Nessus::12208,Nessus::12209,Nessus::13641,Nessus::13852,Nessus::14724,Nessus::15460,Nessus::15894,Nessus::15970,Nessus::16324,Nessus::16326,Nessus::16327,Nessus::16328,Nessus::16329,Nessus::18020,Nessus::18021,Nessus::18023,Nessus::18025,Nessus::18027,Nessus::18028,Nessus::18215,Nessus::18482,Nessus::18483,Nessus::18490,Nessus::18502,Nessus::18681,Nessus::18682,Nessus::19401,Nessus::19402,Nessus::19406,Nessus::19408,Nessus::20005,Nessus::20172,Nessus::20299,Nessus::20368,Nessus::20382,Nessus::20389,Nessus::20390,Nessus::20904,Nessus::20905,Nessus::21213,Nessus::21332,Nessus::21685,Nessus::21687,Nessus::22030,Nessus::22034,Nessus::22183,Nessus::22184,Nessus::22185,Nessus::22186,Nessus::22187,Nessus::22192,Nessus::22194,Nessus::22332,Nessus::22449,Nessus::22530,Nessus::23644,Nessus::23646,Nessus::23647,Nessus::23833,Nessus::23835,Nessus::23837,Nessus::23838,Nessus::23999,Nessus::24000,nessus::53387,nessus::53514
>> actions=email,trap,log,winpopup
>> enabled=Y
>> window=10m
>> grace=20m
>>
>>
>> What else do I need to configure to get the device switched back to the
>> isolation VLAN automatically?
>>
>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
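The following is an added example, not code from the thread above and not part of PacketFence. It parses the kind of log lines and violations.conf stanza posted in this thread, rebuilds the per-MAC violation timeline, and runs two checks a reader debugging this would want: whether the `release_date` that `pfcmd violation add` is called with equals the trigger time plus the configured `window`, and, for each "grace expired" warning, whether an earlier add of the same violation for the same MAC exists in the excerpt and how far back it is. The sample lines are copied from the posted log and stanza (wrapped lines re-joined); the year 2014 is assumed because the syslog-style timestamps carry none, and measuring grace from the previous add of the same vid is this script's own assumption, not a statement of how `pf::violation::violation_add` computes it. On the posted lines the release gap works out to 300 seconds against a configured window of 600, and neither grace warning has a prior add of its vid in the excerpt.

```python
import re
import configparser
from datetime import datetime

# Constructed sample: lines copied from the packetfence.log excerpt and the
# violations.conf stanza posted in this thread, with e-mail wrapping re-joined.
SAMPLE_LOG = """\
Mar 19 11:31:19 register.cgi(0) INFO: performing node registration MAC: dc:0e:a1:8a:d4:8f pid: testpf4 (pf::web::_sanitize_and_register)
Mar 19 11:31:19 register.cgi(0) WARN: grace expired on violation 1200001 for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:31:19 register.cgi(0) INFO: violation 1200001 added for dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:24 pfcmd.pl(29054) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=1100001,mac=dc:0e:a1:8a:d4:8f,release_date=2014-03-19 11:39:24' (trigger nessus::53514) (pf::violation::violation_trigger)
Mar 19 11:34:26 pfcmd.pl(30105) WARN: grace expired on violation 1100001 for node dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
Mar 19 11:34:26 pfcmd.pl(30105) INFO: violation 1100001 added for dc:0e:a1:8a:d4:8f (pf::violation::violation_add)
"""

SAMPLE_CONF = """\
[1100001]
desc=Nessus Scan
template=failed_scan
max_enable=4
actions=email,trap,log,winpopup
enabled=Y
window=10m
grace=20m
"""

LOG_YEAR = 2014  # assumption: syslog-style timestamps carry no year; taken from release_date

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<level>[A-Z]+): (?P<msg>.*)$")
ADDED_RE = re.compile(r"violation (?P<vid>\d+) added for (?P<mac>[0-9a-f:]{17})")
GRACE_RE = re.compile(r"grace expired on violation (?P<vid>\d+) for node (?P<mac>[0-9a-f:]{17})")
TRIGGER_RE = re.compile(r"violation add vid=(?P<vid>\d+),mac=(?P<mac>[0-9a-f:]{17}),"
                        r"release_date=(?P<rel>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400}  # suffixes handled by this script

def parse_duration(value):
    """'10m' -> 600 seconds."""
    m = re.fullmatch(r"(\d+)([smhD])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def parse_violations_conf(text):
    """Return {vid: {'window': seconds, 'grace': seconds, 'max_enable': int}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conf = {}
    for vid in cp.sections():
        sec = cp[vid]
        conf[vid] = {
            "window": parse_duration(sec["window"]) if "window" in sec else None,
            "grace": parse_duration(sec["grace"]) if "grace" in sec else None,
            "max_enable": int(sec.get("max_enable", fallback="0")),
        }
    return conf

def parse_log(text, year=LOG_YEAR):
    """Extract trigger / grace-check / added events, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (t := TRIGGER_RE.search(msg)):
            events.append({"kind": "trigger", "ts": ts, "vid": t["vid"], "mac": t["mac"],
                           "release": datetime.strptime(t["rel"], "%Y-%m-%d %H:%M:%S")})
        elif (g := GRACE_RE.search(msg)) and m["level"] == "WARN":  # skip the duplicate INFO line
            events.append({"kind": "grace_expired", "ts": ts, "vid": g["vid"], "mac": g["mac"]})
        elif (a := ADDED_RE.search(msg)):
            events.append({"kind": "added", "ts": ts, "vid": a["vid"], "mac": a["mac"]})
    return events

def check_release_windows(events, conf):
    """Compare each release_date with trigger time + configured 'window' for that vid."""
    out = []
    for ev in events:
        if ev["kind"] != "trigger":
            continue
        observed = int((ev["release"] - ev["ts"]).total_seconds())
        configured = conf.get(ev["vid"], {}).get("window")
        out.append({"vid": ev["vid"], "mac": ev["mac"], "observed_window_s": observed,
                    "configured_window_s": configured, "matches": observed == configured})
    return out

def explain_grace_checks(events, conf):
    """For each 'grace expired' warning, look for an earlier add of the same vid/MAC.
    Assumption of this script: grace is measured from that previous add."""
    out = []
    for i, ev in enumerate(events):
        if ev["kind"] != "grace_expired":
            continue
        prior = [e for e in events[:i]
                 if e["kind"] == "added" and e["vid"] == ev["vid"] and e["mac"] == ev["mac"]]
        grace = conf.get(ev["vid"], {}).get("grace")
        if not prior:
            out.append({"vid": ev["vid"], "ts": ev["ts"], "prior_added": None, "inside_grace": False,
                        "note": "no earlier add of this vid for this MAC in the excerpt"})
            continue
        gap = int((ev["ts"] - prior[-1]["ts"]).total_seconds())
        out.append({"vid": ev["vid"], "ts": ev["ts"], "prior_added": prior[-1]["ts"],
                    "inside_grace": grace is not None and gap < grace,
                    "note": f"{gap}s since previous add; configured grace {grace}s"})
    return out

if __name__ == "__main__":
    cfg = parse_violations_conf(SAMPLE_CONF)
    evs = parse_log(SAMPLE_LOG)
    for r in check_release_windows(evs, cfg) + explain_grace_checks(evs, cfg):
        print(r)
```

Point the script at the real `/usr/local/pf/logs/packetfence.log` and `/usr/local/pf/conf/violations.conf` to get the same two reports for every MAC; a `matches: False` row means the scheduled release does not correspond to the stanza's `window`, and a grace row with no prior add means there was nothing in the log for the grace period to be measured against.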