No, I can't see anything..

2015-02-19 15:52 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:

> Ok, I can remember exactly but if you do a cat on this file:
>
> cat /usr/local/pf/var/alert
>
> do you see something?
>
> Regards
> Fabrice
>
> On 2015-02-19 09:47, Rosario Ippolito wrote:
> > Hello Fabrice,
> > thanks for the quick response! I had already tried to see that file,
> > sorry, but I cannot open it. May I delete it and create a new one?
> > (Maybe the file is corrupted.)
> >
> >
> >
> >
> > 2015-02-19 15:35 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
> >
> >     Hello Rosario,
> >
> >     snort is supposed to send the alerts to this file:
> >     /usr/local/pf/var/alert
> >     Does it contain something?
> >
> >     Regards
> >     Fabrice
> >
> >     On 2015-02-19 07:47, Rosario Ippolito wrote:
> >     > Hello everybody, PacketFence users,
> >     > I have to ask some questions about Snort (Version 2.9.1.2) in
> >     > PacketFence 4.6, deployed in out-of-band (VLAN Enforcement) mode. I
> >     > have followed the guide step by step, so:
> >     >
> >     > 1- I have enabled detection and selected Snort as the detection engine.
> >     >
> >     > 2- I have configured the eth1 interface in my PacketFence server as
> >     > monitor type. This interface is connected to a Cisco switch where
> >     > PacketFence is also connected, and all traffic passes through this
> >     > switch.
> >     >
> >     > [interface eth1]
> >     > type=monitor
> >     >
> >     > 3- I have loaded these rules in /usr/local/pf/conf/snort
> >     >
> >     > classification.config.example
> >     > emerging-exploit.rules
> >     > emerging-scan.rules
> >     > emerging-worm.rules
> >     > reference.config
> >     > emerging-attack_response.rules
> >     > emerging-malware.rules
> >     > emerging-shellcode.rules
> >     > local.rules
> >     > reference.config.example
> >     > classification.config
> >     > emerging-botcc.rules
> >     > emerging-p2p.rules
> >     > emerging-trojan.rules
> >     > local.rules.example
> >     >
> >     > 4- I have this snort.conf file
> >     >
> >     > # Snort configuration
> >     > # This file is manipulated on PacketFence's startup before being given
> >     > # to snort
> >     > var HOME_NET [%%trapping-range%%]
> >     > var EXTERNAL_NET !$HOME_NET
> >     > var DHCP_SERVERS [%%dhcp_servers%%]
> >     > var DNS_SERVERS [%%dns_servers%%]
> >     > var HTTP_PORTS 80
> >     > var SSH_PORTS 22
> >     > var ORACLE_PORTS 1521
> >     > var SHELLCODE_PORTS any
> >     > var HTTP_SERVERS $HOME_NET
> >     > var SQL_SERVERS $HOME_NET
> >     > var SMTP_SERVERS $HOME_NET
> >     > var TELNET_SERVERS $HOME_NET
> >     >
> >     > var VALIDDHCP [$DHCP_SERVERS]
> >     > var RULE_PATH %%install_dir%%/conf/snort
> >     > output alert_fast: %%install_dir%%/var/alert
> >     > # updated several preprocessors for snort 2.8.5 (values taken from
> >     > # /etc/snort/snort.conf)
> >     > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >     >                          track_udp no
> >     > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> >     > preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
> >     > preprocessor http_inspect_server: server default \
> >     >   profile all ports { 80 8080 8180 } oversize_dir_length 500
> >     > #preprocessor conversation: timeout 120, max_conversations 65335
> >     > #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
> >     > #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
> >     > preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
> >     > output alert_syslog: LOG_AUTH LOG_ALERT
> >     >
> >     > config flowbits_size: 256
> >     > config disable_decode_alerts
> >     > config disable_tcpopt_experimental_alerts
> >     > config disable_tcpopt_obsolete_alerts
> >     > config disable_tcpopt_ttcp_alerts
> >     > config disable_ttcp_alerts
> >     > config disable_tcpopt_alerts
> >     > config disable_ipopt_alerts
> >     >
> >     > include $RULE_PATH/classification.config
> >     > include $RULE_PATH/reference.config
> >     > %%snort_rules%%
> >     >
> >     > 5- Snort starts with PacketFence and it works, so I try to "snort"
> >     > the traffic with the "snort -i eth1" command, and, really, I see some
> >     > traffic from the VLANs that I have configured in my network. The
> >     > problem is that even though I have configured the violations.conf
> >     > file to respond to Snort alerts, Snort does not give me any alert. I
> >     > have no log in pfdetect.log; is this normal?
> >     >
> >     >
> >     > To test Snort, I have added in local.rules the statement:
> >     >
> >     > "alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)"
> >     >
> >     > and I have just added in violations.conf file this other statement:
> >     >
> >     > [1000001]
> >     > desc=Test web
> >     > priority=10
> >     > template=banned_devices
> >     > enabled=Y
> >     > actions=trap,log
> >     > trigger=Detect::1000001
> >     >
> >     >
> >     > But there is no raised alert from PacketFence. Should I enable all
> >     > alerts in the violations.conf file?
> >     >
> >     >
> >     > Sorry for all these questions. I hope somebody can help me. Thank you
> >     > very much in advance!!
> >     >
> >     >
> >     > Best regards,
> >     > Rosario Ippolito
> >     >
> >     >
> >     >
> >     >
> >
> >
> >
> >     --
> >     Fabrice Durand
> >     fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> >     Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> >     PacketFence (http://packetfence.org)
> >
> >
> >
> >
> >
> >
> >
> >
>
>
> --
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
>
>
>
>
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
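The thread turns on two files: the alert_fast output Snort writes to /usr/local/pf/var/alert (the `output alert_fast:` line in the quoted snort.conf) and the `trigger=Detect::<sid>` entries in violations.conf that PacketFence uses to turn a Snort sid into a violation. The script below is an added, stand-alone example (not PacketFence's pfdetect, nor anything from this thread's authors) that reads both and reports, per alert line, whether an enabled violation would fire and, if not, why. It assumes the standard Snort 2.9 alert_fast line layout (`MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src -> dst`, the Classification part being optional) and that violations.conf parses as INI; the alert lines and the extra violation sections 1000002 and 1000003 are constructed for the example, while section 1000001 is the one Rosario posted.

```python
"""Correlate Snort alert_fast lines with violations.conf Detect:: triggers.

Added example, not PacketFence code. It mirrors the check a defender makes
when an IDS rule fires but no violation appears: is the alert reaching the
file at all, does a Detect::<sid> trigger exist, and is that violation enabled?
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

# Snort 2.9 alert_fast format (assumed layout, see lead-in).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample of /usr/local/pf/var/alert: three alerts and one noise line.
SAMPLE_ALERT_FILE = """\
02/19-15:40:12.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 10.10.20.5:51234 -> 192.0.2.10:80
02/19-15:40:13.000001  [**] [1:1000002:1] Local test rule B [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.10.20.7:49152 -> 192.0.2.11:80
02/19-15:40:14.500000  [**] [1:1000003:1] Local test rule C [**] [Priority: 3] {UDP} 10.10.20.9:5353 -> 192.0.2.12:53
Not an alert_fast line at all (constructed noise)
"""

# Section 1000001 is the one from the thread; 1000002 is constructed as a
# disabled violation. Nothing maps sid 1000003, on purpose.
SAMPLE_VIOLATIONS_CONF = """\
[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001

[1000002]
desc=Constructed disabled violation
priority=10
enabled=N
actions=log
trigger=Detect::1000002,Nessus::12345
"""


def parse_alert_line(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def load_detect_triggers(violations_conf: str) -> Dict[int, dict]:
    """Map each Snort sid named by a Detect:: trigger to its violation section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(violations_conf)
    triggers: Dict[int, dict] = {}
    for vid in cp.sections():
        sec = cp[vid]
        enabled = sec.get("enabled", "N").strip().upper() == "Y"
        for trig in sec.get("trigger", "").split(","):
            trig = trig.strip()
            if not trig.lower().startswith("detect::"):
                continue  # Nessus::, OpenVAS:: etc. are not Snort triggers
            sid = int(trig.split("::", 1)[1])
            triggers[sid] = {"violation": vid, "enabled": enabled,
                             "desc": sec.get("desc", ""), "actions": sec.get("actions", "")}
    return triggers


def correlate(alert_text: str, violations_conf: str) -> Tuple[List[dict], int]:
    """Return (one result per alert line, number of lines that were not alerts)."""
    triggers = load_detect_triggers(violations_conf)
    results: List[dict] = []
    skipped = 0
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert_line(line)
        if alert is None:
            skipped += 1
            continue
        hit = triggers.get(alert["sid"])
        if hit is None:
            reason, violation = "no Detect:: trigger for this sid", None
        elif not hit["enabled"]:
            reason, violation = "violation disabled", None
        else:
            reason, violation = "matched", hit["violation"]
        results.append({"sid": alert["sid"], "msg": alert["msg"], "src": alert["src"],
                        "dst": alert["dst"], "violation": violation, "reason": reason})
    return results, skipped


if __name__ == "__main__":
    rows, noise = correlate(SAMPLE_ALERT_FILE, SAMPLE_VIOLATIONS_CONF)
    for r in rows:
        print(f"sid {r['sid']:>8}  {r['src']} -> {r['dst']}  violation={r['violation']}  ({r['reason']})")
    print(f"{noise} non-alert line(s) ignored")
```

Run against a real alert file (`correlate(open('/usr/local/pf/var/alert').read(), open('/usr/local/pf/conf/violations.conf').read())`) the same three outcomes separate the cases in the thread: an empty file or only noise means Snort never wrote the alert, "no Detect:: trigger" means the sid is not wired up in violations.conf, and "violation disabled" means the section exists but `enabled=N`.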
