Hello everybody, PacketFence users,
I have to ask some questions about Snort (Version 2.9.1.2) in PacketFence
4.6, deployed in out-of-band (VLAN Enforcement) mode. I have followed the
Guide step by step, so:

1- I have enabled detection and selected Snort as the detection engine.

2- I have configured the eth1 interface on my PacketFence server as type
monitor. This interface is connected to a Cisco switch to which PacketFence is
also connected, and all traffic passes through this switch.

[interface eth1]
type=monitor

3- I have loaded these rule files in /usr/local/pf/conf/snort:

classification.config.example
emerging-exploit.rules
emerging-scan.rules
emerging-worm.rules
reference.config
emerging-attack_response.rules
emerging-malware.rules
emerging-shellcode.rules
local.rules
reference.config.example
classification.config
emerging-botcc.rules
emerging-p2p.rules
emerging-trojan.rules
local.rules.example

4- I have this snort.conf file:

# Snort configuration
# This file is manipulated on PacketFence's startup before being given to snort
var HOME_NET [%%trapping-range%%]
var EXTERNAL_NET !$HOME_NET
var DHCP_SERVERS [%%dhcp_servers%%]
var DNS_SERVERS [%%dns_servers%%]
var HTTP_PORTS 80
var SSH_PORTS 22
var ORACLE_PORTS 1521
var SHELLCODE_PORTS any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET

var VALIDDHCP [$DHCP_SERVERS]
var RULE_PATH %%install_dir%%/conf/snort
output alert_fast: %%install_dir%%/var/alert
# updated several preprocessor for snort 2.8.5 (values taken from /etc/snort/snort.conf)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                         track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global   iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default \
  profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor conversation: timeout 120, max_conversations 65335
#preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
#preprocessor portscan2-ignorehosts: $EXTERNAL_NET
preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
output alert_syslog: LOG_AUTH LOG_ALERT

config flowbits_size: 256
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
%%snort_rules%%

5- Snort starts with PacketFence and it works, so I try to "snort" the
traffic with the "snort -i eth1" command, and, really, I see some traffic
from the VLANs that I have configured in my network. The problem is that
even though I have configured the violations.conf file to respond to Snort
alerts... Snort does not give me any alert. I have no log in pfdetect.log;
is this normal?


To test Snort, I have added this statement to local.rules:

alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)

and I have added this entry to the violations.conf file:

[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001


But PacketFence raises no alert. Should I enable all alerts in the
violations.conf file?


Sorry for all these questions. I hope somebody can help me. Thank you very
much in advance!!


Best regards,
Rosario Ippolito
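As an added illustration (not PacketFence's own pfdetect code), the check below mirrors the sid-to-violation mapping the post relies on: it reads alert_fast lines of the kind Snort writes to var/alert, loads the Detect::<sid> triggers of enabled violations.conf entries, and reports the alerts that involve a host inside the trapping range. The trapping range, the alert lines and the trimmed violations.conf entry are constructed samples, and treating the in-range endpoint as the host PacketFence acts on is an assumption.

```python
import configparser
import ipaddress
import re

# Constructed samples (not from the post): trapping range, alert_fast lines, violations.conf entry
TRAPPING_RANGE = "192.168.10.0/24"  # stands in for %%trapping-range%%
ALERT_FAST_SAMPLE = """\
01/29-15:04:12.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 192.168.10.25:51234 -> 203.0.113.5:80
01/29-15:04:12.234567  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 203.0.113.5:80 -> 192.168.10.25:51234
01/29-15:04:14.500000  [**] [1:1000009:2] Rule with no violation [**] [Priority: 3] {ICMP} 192.168.10.26 -> 203.0.113.9
"""
VIOLATIONS_CONF_SAMPLE = """\
[1000001]
desc=Test web
enabled=Y
actions=trap,log
trigger=Detect::1000001
"""
# alert_fast layout: timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
                      r".*?\{[A-Z]+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$")

def load_detect_triggers(conf_text):
    """Map Snort sid -> violation id for enabled entries carrying a Detect::<sid> trigger."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    triggers = {}
    for vid in cp.sections():
        if cp.get(vid, "enabled", fallback="N").upper() == "Y":  # a disabled entry maps nothing
            for trig in cp.get(vid, "trigger", fallback="").split(","):
                kind, _, value = trig.strip().partition("::")
                if kind == "Detect" and value:
                    triggers[value] = vid
    return triggers

def parse_alert_fast(line):
    """Return sid, msg and port-less endpoint IPs from one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    bare = lambda ep: ep.rsplit(":", 1)[0]  # TCP/UDP endpoints carry ":port", ICMP ones do not
    return m and {"sid": m["sid"], "msg": m["msg"], "src": bare(m["src"]), "dst": bare(m["dst"])}

def match_alerts(alert_text, conf_text, trapping_range):
    """(violation id, host IP, msg) for each alert with an enabled trigger and an endpoint in the trapping range."""
    triggers, net, hits = load_detect_triggers(conf_text), ipaddress.ip_network(trapping_range), []
    for a in map(parse_alert_fast, alert_text.splitlines()):
        if a and a["sid"] in triggers:
            # a '<>' rule also fires on the reply, where the in-range host is the destination
            inside = [ip for ip in (a["src"], a["dst"]) if ipaddress.ip_address(ip) in net]
            if inside:
                hits.append((triggers[a["sid"]], inside[0], a["msg"]))
    return hits
```

Running it over a real var/alert file separates two failure modes: an empty result with alert lines present points at the violations.conf mapping, while an empty alert file means Snort never fired on the monitored traffic.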
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
