Ok, I can remember exactly but if you do a cat on this file: cat /usr/local/pf/var/alert
do you see something?

Regards
Fabrice

On 2015-02-19 09:47, Rosario Ippolito wrote:
> Hello Fabrice,
> thanks for the quick response! I had already tried to see that file,
> sorry, but I cannot open it. May I delete it and create a new one?
> (Maybe the file is corrupted)
>
> 2015-02-19 15:35 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
>
> Hello Rosario,
>
> Snort is supposed to send the alerts to this file /usr/local/pf/var/alert,
> does it contain something?
>
> Regards
> Fabrice
>
> On 2015-02-19 07:47, Rosario Ippolito wrote:
> > Hello everybody PacketFence's users,
> > I have to ask some questions about Snort (Version 2.9.1.2) in
> > PacketFence 4.6, deployed in out-of-band (Vlan Enforcement) mode. I
> > have followed the Guide step by step, so:
> >
> > 1- I have enabled detection and selected Snort as detection engine.
> >
> > 2- I have configured the eth1 interface in my PacketFence server in
> > monitor type. This interface is connected to a Cisco switch where
> > PacketFence is also connected, and all traffic passes through this switch.
> >
> > [interface eth1]
> > type=monitor
> >
> > 3- I have loaded these rules in /usr/local/pf/conf/snort
> >
> > classification.config.example
> > emerging-exploit.rules
> > emerging-scan.rules
> > emerging-worm.rules
> > reference.config
> > emerging-attack_response.rules
> > emerging-malware.rules
> > emerging-shellcode.rules
> > local.rules
> > reference.config.example
> > classification.config
> > emerging-botcc.rules
> > emerging-p2p.rules
> > emerging-trojan.rules
> > local.rules.example
> >
> > 4- I have this snort.conf file
> >
> > # Snort configuration
> > # This file is manipulated on PacketFence's startup before being given to snort
> > var HOME_NET [%%trapping-range%%]
> > var EXTERNAL_NET !$HOME_NET
> > var DHCP_SERVERS [%%dhcp_servers%%]
> > var DNS_SERVERS [%%dns_servers%%]
> > var HTTP_PORTS 80
> > var SSH_PORTS 22
> > var ORACLE_PORTS 1521
> > var SHELLCODE_PORTS any
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> >
> > var VALIDDHCP [$DHCP_SERVERS]
> > var RULE_PATH %%install_dir%%/conf/snort
> > output alert_fast: %%install_dir%%/var/alert
> > # updated several preprocessor for snort 2.8.5 (values taken from /etc/snort/snort.conf)
> > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > track_udp no
> > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
> > preprocessor http_inspect_server: server default \
> > profile all ports { 80 8080 8180 } oversize_dir_length 500
> > #preprocessor conversation: timeout 120, max_conversations 65335
> > #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
> > #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
> > preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
> > output alert_syslog: LOG_AUTH LOG_ALERT
> >
> > config flowbits_size: 256
> > config disable_decode_alerts
> > config disable_tcpopt_experimental_alerts
> > config disable_tcpopt_obsolete_alerts
> > config disable_tcpopt_ttcp_alerts
> > config disable_ttcp_alerts
> > config disable_tcpopt_alerts
> > config disable_ipopt_alerts
> >
> > include $RULE_PATH/classification.config
> > include $RULE_PATH/reference.config
> > %%snort_rules%%
> >
> > 5- Snort starts with PacketFence and it works, so I try to "snort" the
> > traffic with the "snort -i eth1" command, and, really, I see some
> > traffic from the vlans that I have configured in my network. The
> > problem is that even though I have configured the violation.conf file
> > to respond to alert snort.... snort does not give me any alert. I have
> > no log in pfdetect.log, is this normal?
> >
> > For test snort, I have added in local.rules the statement:
> >
> > "alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)"
> >
> > and I have just added in violations.conf file this other statement:
> >
> > [1000001]
> > desc=Test web
> > priority=10
> > template=banned_devices
> > enabled=Y
> > actions=trap,log
> > trigger=Detect::1000001
> >
> > But there is no raised alert from PacketFence.. Should I enable all
> > alerts in the violations.conf file?
> >
> > Sorry for all these questions.. I hope somebody can help me. Thank you
> > very much in advance!!
> >
> > Best regards,
> > Rosario Ippolito
>
> --
> Fabrice Durand
> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
0xF78F957E.asc
Description: application/pgp-keys
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
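The thread's hand-off is: Snort writes alert_fast lines to /usr/local/pf/var/alert, and PacketFence's pfdetect is expected to pick those up and raise the violation whose trigger is Detect::<sid>. The following is an added example written for this page, not PacketFence's or Snort's own code, that reproduces only the matching step in Python so the two config fragments posted above can be checked against each other offline. It assumes the standard Snort alert_fast line layout (`<ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port`, with the Classification block absent when the rule has no classtype, as the "Test rule" above does), and it treats a violation as a simple "enabled=Y plus a matching Detect:: trigger" lookup; the real daemon does more (for example resolving the source to a node), which is deliberately left out. The alert lines and the second, disabled violation entry are constructed for the example.

```python
"""Added example (not PacketFence's own code): re-create the matching step
between Snort's alert_fast output and a PacketFence violations.conf entry.

Assumptions (labelled here and in the lead-in):
  * Snort writes one alert per line in 'output alert_fast' layout.
  * A violation fires when it is enabled=Y and one of its comma-separated
    trigger values is Detect::<sid> for the alert's SID.
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# One alert_fast line; the Classification block is optional because rules
# without a classtype (like the thread's "Test rule") omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# violations.conf fragment as posted in the thread, plus a constructed
# disabled entry to show that enabled=N is skipped.
VIOLATIONS_CONF = """
[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001

[1000002]
desc=Constructed disabled violation
priority=10
template=banned_devices
enabled=N
actions=log
trigger=Detect::9999999
"""

# Constructed alert_fast lines (private / documentation address ranges).
SAMPLE_ALERTS = [
    "02/19-15:35:12.123456  [**] [1:1000001:0] Test rule [**] [Priority: 3] {TCP} 192.168.10.25:51234 -> 198.51.100.7:80",
    "02/19-15:36:01.000001  [**] [1:9999999:2] Constructed scan rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.10.25:40000 -> 198.51.100.7:22",
    "this line is not an alert and must be ignored",
]


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # IPv4 only: strip the ":port" suffix (ICMP alerts carry no port).
    src_ip = d["src"].rsplit(":", 1)[0] if ":" in d["src"] else d["src"]
    return {"sid": d["sid"], "msg": d["msg"], "priority": int(d["prio"]),
            "proto": d["proto"], "src_ip": src_ip, "classification": d["cls"]}


def load_triggers(conf_text: str) -> Dict[str, str]:
    """Map each Detect::<sid> trigger of an enabled violation to the violation id."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    index: Dict[str, str] = {}
    for vid in cp.sections():
        sec = cp[vid]
        if sec.get("enabled", "N").strip().upper() != "Y":
            continue  # disabled violations never fire
        for trig in sec.get("trigger", "").split(","):
            trig = trig.strip()
            if trig.lower().startswith("detect::"):
                index[trig.split("::", 1)[1]] = vid
    return index


def match_alerts(lines: List[str], index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (violation_id, source_ip, sid) for every alert whose SID is indexed."""
    hits = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (or a layout this parser does not know)
        vid = index.get(alert["sid"])
        if vid is not None:
            hits.append((vid, alert["src_ip"], alert["sid"]))
    return hits


if __name__ == "__main__":
    idx = load_triggers(VIOLATIONS_CONF)
    for vid, ip, sid in match_alerts(SAMPLE_ALERTS, idx):
        print(f"violation {vid} for {ip} (snort sid {sid})")
```

Feeding the real /usr/local/pf/var/alert file to match_alerts() separates the two halves of the problem in the thread: if the file is empty or contains no line with the test rule's SID, Snort itself is not producing the alert and the violations.conf entry is irrelevant; if the line is there and the SID is indexed, the alert file and the violation agree and the question moves to the PacketFence side.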