I have the exact same problem too.

After trying to configure PacketFence with Nessus 6 and finally learning that the two are 
incompatible, I tried to make PacketFence 4.6 work with Snort 2.9.1.2.

I made the exact same pattern as you described, but nothing triggers. I have the 
same rule in local.rules (/usr/local/pf/conf/snort).

I would be interested in more details on how to make this work.

Thank you.

_____________________________
Pierre-Luc Delisle
Quality assurance department
Hewlett-Packard Networking
pierre-luc.deli...@hp.com
Telephone: (514) 920-2511
Hewlett-Packard Company
2344 Alfred-Nobel, 2nd floor
Montréal, QC, H4S 0A4
Canada

HP <http://www.hp.com/>

From: Rosario Ippolito [mailto:sarrus.ippol...@gmail.com]
Sent: Thursday, February 19, 2015 7:47 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Snort and violations.conf

Hello everybody, PacketFence users,
I have to ask some questions about Snort (version 2.9.1.2) in PacketFence 4.6, 
deployed in out-of-band (VLAN Enforcement) mode. I have followed the guide step 
by step, so:
1- I have enabled detection and selected Snort as the detection engine.

2- I have configured the eth1 interface in my PacketFence server as a monitor 
type interface. This interface is connected to a Cisco switch where PacketFence is also 
connected, and all traffic passes through this switch.

[interface eth1]
type=monitor
3- I have loaded these rules in /usr/local/pf/conf/snort

classification.config.example
emerging-exploit.rules
emerging-scan.rules
emerging-worm.rules
reference.config
emerging-attack_response.rules
emerging-malware.rules
emerging-shellcode.rules
local.rules
reference.config.example
classification.config
emerging-botcc.rules
emerging-p2p.rules
emerging-trojan.rules
local.rules.example
4- I have this snort.conf file

# Snort configuration
# This file is manipulated on PacketFence's startup before being given to snort
var HOME_NET [%%trapping-range%%]
var EXTERNAL_NET !$HOME_NET
var DHCP_SERVERS [%%dhcp_servers%%]
var DNS_SERVERS [%%dns_servers%%]
var HTTP_PORTS 80
var SSH_PORTS 22
var ORACLE_PORTS 1521
var SHELLCODE_PORTS any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET

var VALIDDHCP [$DHCP_SERVERS]
var RULE_PATH %%install_dir%%/conf/snort
output alert_fast: %%install_dir%%/var/alert
# updated several preprocessors for snort 2.8.5 (values taken from /etc/snort/snort.conf)
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                         track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global   iis_unicode_map /etc/snort/unicode.map 1252
preprocessor http_inspect_server: server default \
  profile all ports { 80 8080 8180 } oversize_dir_length 500
#preprocessor conversation: timeout 120, max_conversations 65335
#preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
#preprocessor portscan2-ignorehosts: $EXTERNAL_NET
preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
output alert_syslog: LOG_AUTH LOG_ALERT

config flowbits_size: 256
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
%%snort_rules%%

5- Snort starts with PacketFence and it works, so I try to "snort" the traffic 
with the "snort -i eth1" command, and I really do see some traffic from the 
VLANs that I have configured in my network. The problem is that even though I 
have configured the violations.conf file to respond to Snort alerts, Snort 
does not give me any alert. I have no log in pfdetect.log; is this normal?

To test Snort, I have added this statement to local.rules:

alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)

and I have added this other statement to the violations.conf file:

[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001


But PacketFence raises no alert. Should I enable all alerts in the 
violations.conf file?

Sorry for all these questions. I hope somebody can help me. Thank you very 
much in advance!!

Best regards,
Rosario Ippolito

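The setup above has two independent pieces that must line up before a violation can fire: Snort has to write an alert for the SID, and violations.conf has to carry an enabled violation whose trigger is `Detect::<that sid>`. The following script is an added example written for this thread, not PacketFence's own pfdetect code and not anything from Snort. It parses Snort 2.9 alert_fast lines (the format the `output alert_fast` line in the snort.conf above produces), parses a violations.conf-style INI file, and reports which alert SIDs would map to an enabled Detect trigger and which would not. The alert lines and the extra violation sections are constructed for the example; only the `[1000001]` block and the "Test rule" SID come from the thread.

```python
"""Correlate Snort alert_fast output with PacketFence Detect:: triggers.

Added example, not PacketFence's pfdetect or Snort code: reads the alert_fast
lines that the snort.conf above writes to %%install_dir%%/var/alert, reads a
violations.conf-style file, and reports which alert SIDs map to an enabled
violation through a "Detect::<sid>" trigger. All input here is constructed.
"""
import re
from configparser import ConfigParser
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Snort 2.9 alert_fast line (IPv4 only). The Classification block is absent
# when the rule has no classtype; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert_line(line: str) -> Optional[Alert]:
    """Return an Alert for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(sid=int(m["sid"]), msg=m["msg"], proto=m["proto"], src=m["src"],
                 sport=int(m["sport"]) if m["sport"] else None,
                 dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None)


def load_detect_triggers(conf_text: str) -> Dict[int, str]:
    """Map Snort SID -> violation id for every enabled Detect:: trigger."""
    # violations.conf is INI-like: [<violation id>] sections of key=value, with
    # a comma-separated trigger list such as "Detect::1000001,Nessus::12345".
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    triggers: Dict[int, str] = {}
    for vid in cp.sections():
        if cp.get(vid, "enabled", fallback="N").strip().upper() != "Y":
            continue  # a disabled violation never fires, whatever its trigger
        for trig in cp.get(vid, "trigger", fallback="").split(","):
            kind, _, value = trig.strip().partition("::")
            if kind == "Detect" and value.isdigit():
                triggers[int(value)] = vid
    return triggers


def correlate(alert_text: str, conf_text: str) -> List[dict]:
    """For each parsable alert, name the violation it would trigger (or None)."""
    triggers = load_detect_triggers(conf_text)
    rows = []
    for line in alert_text.splitlines():
        alert = parse_alert_line(line)
        if alert is not None:
            rows.append({"sid": alert.sid, "msg": alert.msg,
                         "violation": triggers.get(alert.sid)})
    return rows


# Constructed alert_fast lines. SID 1000001 is the thread's test rule (it has
# no rev, so Snort prints rev 0); 1000002 and 1000003 are made up here.
SAMPLE_ALERTS = """\
02/19-07:47:01.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 192.168.10.25:51234 -> 203.0.113.80:80
02/19-07:47:02.654321  [**] [1:1000002:1] CONSTRUCTED scan alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.31:40123 -> 203.0.113.22:22
02/19-07:47:03.000001  [**] [1:1000003:1] CONSTRUCTED ping alert [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.10.25 -> 192.168.10.1
"""

# Constructed violations.conf: the thread's [1000001] block, a disabled
# violation for SID 1000002, and one violation watching two SIDs.
SAMPLE_VIOLATIONS = """\
[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001
[1200001]
desc=Constructed scan violation, disabled
enabled=N
trigger=Detect::1000002
[1200002]
desc=Constructed violation watching two SIDs
enabled=Y
trigger=Detect::1000003,Detect::1000004
"""
```

On a PacketFence host the same functions can be pointed at the real files, for example `correlate(open("/usr/local/pf/var/alert").read(), open("/usr/local/pf/conf/violations.conf").read())` (paths assumed from the install directory the thread uses). An empty result with a non-empty alert file means the SIDs Snort is firing do not match any enabled `Detect::` trigger; an empty alert file, as in Rosario's case, means the problem is upstream of violations.conf, in Snort seeing or matching the traffic.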
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
