Hello Rosario, Snort is supposed to write the alerts to this file: /usr/local/pf/var/alert. Does it contain anything?
Regards,
Fabrice

On 2015-02-19 07:47, Rosario Ippolito wrote:
> Hello everybody, PacketFence users,
> I have to ask some questions about Snort (version 2.9.1.2) in
> PacketFence 4.6, deployed in out-of-band (VLAN enforcement) mode. I
> have followed the guide step by step, so:
>
> 1- I have enabled detection and selected Snort as the detection engine.
>
> 2- I have configured the eth1 interface of my PacketFence server as
> monitor type. This interface is connected to a Cisco switch to which
> PacketFence is also connected, and all traffic passes through this switch.
>
> [interface eth1]
> type=monitor
>
> 3- I have loaded these rules in /usr/local/pf/conf/snort:
>
> classification.config.example
> emerging-exploit.rules
> emerging-scan.rules
> emerging-worm.rules
> reference.config
> emerging-attack_response.rules
> emerging-malware.rules
> emerging-shellcode.rules
> local.rules
> reference.config.example
> classification.config
> emerging-botcc.rules
> emerging-p2p.rules
> emerging-trojan.rules
> local.rules.example
>
> 4- I have this snort.conf file:
>
> # Snort configuration
> # This file is manipulated on PacketFence's startup before being given to snort
> var HOME_NET [%%trapping-range%%]
> var EXTERNAL_NET !$HOME_NET
> var DHCP_SERVERS [%%dhcp_servers%%]
> var DNS_SERVERS [%%dns_servers%%]
> var HTTP_PORTS 80
> var SSH_PORTS 22
> var ORACLE_PORTS 1521
> var SHELLCODE_PORTS any
> var HTTP_SERVERS $HOME_NET
> var SQL_SERVERS $HOME_NET
> var SMTP_SERVERS $HOME_NET
> var TELNET_SERVERS $HOME_NET
>
> var VALIDDHCP [$DHCP_SERVERS]
> var RULE_PATH %%install_dir%%/conf/snort
> output alert_fast: %%install_dir%%/var/alert
> # updated several preprocessors for snort 2.8.5 (values taken from /etc/snort/snort.conf)
> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> track_udp no
> preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
> preprocessor http_inspect_server: server default \
> profile all ports { 80 8080 8180 } oversize_dir_length 500
> #preprocessor conversation: timeout 120, max_conversations 65335
> #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
> #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
> preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> config flowbits_size: 256
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
>
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
> %%snort_rules%%
>
> 5- Snort starts with PacketFence and it works, so I try to "snort" the
> traffic with the "snort -i eth1" command, and I really do see some
> traffic from the VLANs that I have configured in my network. The
> problem is that even though I have configured the violations.conf file
> to respond to Snort alerts, Snort does not give me any alert. I have
> no log in pfdetect.log; is this normal?
>
> To test Snort, I have added this statement to local.rules:
>
> alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)
>
> and I have also added this statement to the violations.conf file:
>
> [1000001]
> desc=Test web
> priority=10
> template=banned_devices
> enabled=Y
> actions=trap,log
> trigger=Detect::1000001
>
> But no alert is raised by PacketFence. Should I enable all the
> alerts in the violations.conf file?
>
> Sorry for all these questions. I hope somebody can help me. Thank you
> very much in advance!!
>
> Best regards,
> Rosario Ippolito
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
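As an added diagnostic for the problem discussed in this thread (not code from the thread, from Snort or from PacketFence), the Python below reproduces the lookup pfdetect has to make: it parses alert_fast lines of the kind Snort writes to var/alert and checks whether each SID maps to an enabled Detect:: trigger in violations.conf. The alert lines and the trimmed violations stanza are constructed samples, and the handling of a comma-separated trigger list is my assumption.

```python
import configparser
import re
# alert_fast line shape: "<timestamp>  [**] [gid:sid:rev] <msg> [**] ... {proto} src -> dst"
ALERT_RE = re.compile(r"\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample of the file Snort writes via "output alert_fast: <install_dir>/var/alert" (made-up hosts and rules)
SAMPLE_ALERTS = """\
02/19-07:47:12.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 10.0.0.5:51234 -> 192.0.2.10:80
02/19-07:47:13.000001  [**] [1:1000002:1] Local rule two [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.8:1234 -> 10.0.0.1:53
"""
# The violations.conf stanza from the thread, trimmed to the keys this check uses.
SAMPLE_VIOLATIONS = """\
[1000001]
desc=Test web
enabled=Y
trigger=Detect::1000001
"""

def parse_alert_line(line):
    """Return (sid, msg) for one alert_fast line, or None for a line that is not an alert."""
    m = ALERT_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else None

def detect_triggers(violations_text):
    """Map Snort SID -> violation id for every enabled Detect:: trigger in violations.conf."""
    cfg = configparser.ConfigParser(interpolation=None)  # no interpolation: %% placeholders
    cfg.read_string(violations_text)
    triggers = {}
    for vid in cfg.sections():
        if cfg.get(vid, "enabled", fallback="N").upper() != "Y":
            continue  # pfdetect will not act on a disabled violation, so it cannot match
        # Assumption: trigger= may carry several comma-separated triggers; keep the Detect:: ones
        for trig in cfg.get(vid, "trigger", fallback="").split(","):
            kind, _, value = trig.strip().partition("::")
            if kind == "Detect" and value.isdigit():
                triggers[int(value)] = vid
    return triggers

def check_alerts(alert_text, violations_text):
    """Split alerts into those mapped to an enabled violation and those no violation covers."""
    triggers = detect_triggers(violations_text)
    result = {"empty": True, "matched": [], "unmapped": []}
    for line in alert_text.splitlines():
        parsed = parse_alert_line(line)
        if parsed is None:
            continue
        result["empty"] = False  # an empty alert file means Snort itself raised nothing
        sid, msg = parsed
        bucket = "matched" if sid in triggers else "unmapped"
        result[bucket].append((sid, triggers.get(sid), msg))
    return result
```

If the alert file is empty, Snort never alerted and the cause lies before PacketFence (monitor interface, HOME_NET, rules); if lines are present but land in "unmapped", the violations.conf trigger is the place to look.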