This is the output from lsof /usr/local/pf/var/alert

COMMAND  PID  USER FD TYPE DEVICE SIZE/OFF NODE    NAME
pfdetect 3458 root 4r FIFO 8,1    0t0      1841054 /usr/local/pf/var/alert
snort    3539 pf   7w FIFO 8,1    0t0      1841054 /usr/local/pf/var/alert

From this output, it seems that the file is used
2015-02-19 16:59 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
> What about lsof /usr/local/pf/var/alert, does the snort process use it?
>
> Regards
> Fabrice
>
> On 2015-02-19 10:51, Rosario Ippolito wrote:
> > I removed the file alert, I restarted PacketFence, and the file has
> > appeared again, and again I see nothing running the command
> > /usr/local/pf/var/alert. Nothing to do?
> >
> > 2015-02-19 16:27 GMT+01:00 Rosario Ippolito <sarrus.ippol...@gmail.com>:
> >
> > Ok, thanks a lot Fabrice! I'll try and let you know.
> >
> > Kind Regards,
> > Rosario Ippolito
> >
> > 2015-02-19 16:22 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
> >
> > Ok so this must be fixed before trying to make pfdetect work with snort.
> > It should work but can you try to remove the alert file and restart
> > snort and check with cat what appears inside (you probably have to wait
> > until a detection occurs).
> > If the alert file is not there then touch alert (or mkfifo alert) and
> > restart snort.
> >
> > Regards
> > Fabrice
> >
> > On 2015-02-19 10:00, Rosario Ippolito wrote:
> > > No, I can't see anything.
> > >
> > > 2015-02-19 15:52 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
> > >
> > > Ok, I can't remember exactly, but if you do a cat on this file:
> > >
> > > cat /usr/local/pf/var/alert
> > >
> > > do you see something?
> > >
> > > Regards
> > > Fabrice
> > >
> > > On 2015-02-19 09:47, Rosario Ippolito wrote:
> > > > Hello Fabrice,
> > > > thanks for the quick response! I had already tried to see that file,
> > > > sorry, but I can not open it. May I delete it and create a new one?
> > > > (Maybe the file is corrupted)
> > > >
> > > > 2015-02-19 15:35 GMT+01:00 Fabrice DURAND <fdur...@inverse.ca>:
> > > >
> > > > Hello Rosario,
> > > >
> > > > snort is supposed to send the alert in this file
> > > > /usr/local/pf/var/alert, does it contain something?
> > > >
> > > > Regards
> > > > Fabrice
> > > >
> > > > > On 2015-02-19 07:47, Rosario Ippolito wrote:
> > > > > > Hello everybody, PacketFence users,
> > > > > > I have to ask some questions about Snort (Version 2.9.1.2) in
> > > > > > PacketFence 4.6, deployed in out-of-band (Vlan Enforcement) mode. I
> > > > > > have followed the Guide step by step, so:
> > > > > >
> > > > > > 1- I have enabled detection and selected Snort as detection engine.
> > > > > >
> > > > > > 2- I have configured the eth1 interface in my PacketFence server in
> > > > > > monitor type. This interface is connected to a cisco switch where
> > > > > > PacketFence is also connected, and all traffic passes through this
> > > > > > switch.
> > > > > >
> > > > > > [interface eth1]
> > > > > > type=monitor
> > > > > >
> > > > > > 3- I have loaded these rules in /usr/local/pf/conf/snort
> > > > > >
> > > > > > classification.config.example
> > > > > > emerging-exploit.rules
> > > > > > emerging-scan.rules
> > > > > > emerging-worm.rules
> > > > > > reference.config
> > > > > > emerging-attack_response.rules
> > > > > > emerging-malware.rules
> > > > > > emerging-shellcode.rules
> > > > > > local.rules
> > > > > > reference.config.example
> > > > > > classification.config
> > > > > > emerging-botcc.rules
> > > > > > emerging-p2p.rules
> > > > > > emerging-trojan.rules
> > > > > > local.rules.example
> > > > > >
> > > > > > 4- I have this snort.conf file
> > > > > >
> > > > > > # Snort configuration
> > > > > > # This file is manipulated on PacketFence's startup before being given to snort
> > > > > > var HOME_NET [%%trapping-range%%]
> > > > > > var EXTERNAL_NET !$HOME_NET
> > > > > > var DHCP_SERVERS [%%dhcp_servers%%]
> > > > > > var DNS_SERVERS [%%dns_servers%%]
> > > > > > var HTTP_PORTS 80
> > > > > > var SSH_PORTS 22
> > > > > > var ORACLE_PORTS 1521
> > > > > > var SHELLCODE_PORTS any
> > > > > > var HTTP_SERVERS $HOME_NET
> > > > > > var SQL_SERVERS $HOME_NET
> > > > > > var SMTP_SERVERS $HOME_NET
> > > > > > var TELNET_SERVERS $HOME_NET
> > > > > >
> > > > > > var VALIDDHCP [$DHCP_SERVERS]
> > > > > > var RULE_PATH %%install_dir%%/conf/snort
> > > > > > output alert_fast: %%install_dir%%/var/alert
> > > > > > # updated several preprocessor for snort 2.8.5 (values taken from /etc/snort/snort.conf)
> > > > > > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > > > > track_udp no
> > > > > > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > > > > > preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
> > > > > > preprocessor http_inspect_server: server default \
> > > > > > profile all ports { 80 8080 8180 } oversize_dir_length 500
> > > > > > #preprocessor conversation: timeout 120, max_conversations 65335
> > > > > > #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
> > > > > > #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
> > > > > > preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
> > > > > > output alert_syslog: LOG_AUTH LOG_ALERT
> > > > > >
> > > > > > config flowbits_size: 256
> > > > > > config disable_decode_alerts
> > > > > > config disable_tcpopt_experimental_alerts
> > > > > > config disable_tcpopt_obsolete_alerts
> > > > > > config disable_tcpopt_ttcp_alerts
> > > > > > config disable_ttcp_alerts
> > > > > > config disable_tcpopt_alerts
> > > > > > config disable_ipopt_alerts
> > > > > >
> > > > > > include $RULE_PATH/classification.config
> > > > > > include $RULE_PATH/reference.config
> > > > > > %%snort_rules%%
> > > > > >
> > > > > > 5- Snort starts with PacketFence and it works, so I try to "snort" the
> > > > > > traffic with the "snort -i eth1" command, and, really, I see some
> > > > > > traffic from the vlans that I have configured in my network. The
> > > > > > problem is that even though I have configured the violation.conf file
> > > > > > to respond to snort alerts, snort does not give me any alert. I have
> > > > > > no log in pfdetect.log, is this normal?
> > > > > >
> > > > > > To test snort, I have added in local.rules the statement:
> > > > > >
> > > > > > "alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)"
> > > > > >
> > > > > > and I have just added in violations.conf file this other statement:
> > > > > >
> > > > > > [1000001]
> > > > > > desc=Test web
> > > > > > priority=10
> > > > > > template=banned_devices
> > > > > > enabled=Y
> > > > > > actions=trap,log
> > > > > > trigger=Detect::1000001
> > > > > >
> > > > > > But there is no raised alert from PacketFence. Should I enable all
> > > > > > alerts in the violations.conf file?
> > > > > >
> > > > > > Sorry for all these questions. I hope somebody can help me. Thank you
> > > > > > very much in advance!!
> > > > > >
> > > > > > Best regards,
> > > > > > Rosario Ippolito
> > > > > >
> --
> Fabrice Durand
> fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
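As an added example (not part of this thread and not PacketFence's own pfdetect code), the following Python shows the pfdetect-side logic the thread is debugging: parsing Snort alert_fast lines like those that should appear in /usr/local/pf/var/alert, mapping each alert's sid to the enabled Detect:: triggers in violations.conf, and checking that the alert path is really a FIFO (as the lsof output above shows) rather than a plain file created with touch. The alert_fast line layout, the sample alert and the violations.conf fragment are assumptions constructed for this example.

```python
import configparser
import os
import re
import stat

# Assumed Snort alert_fast line shape (added example, not pfdetect's own parser):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")
# Constructed violations.conf fragment: the thread's [1000001] entry plus a disabled one.
VIOLATIONS_CONF = """
[1000001]
desc=Test web
enabled=Y
actions=trap,log
trigger=Detect::1000001
[1200001]
enabled=N
trigger=Detect::2000001
"""
# Constructed alert_fast line for the test rule (sid 1000001) hitting port 80.
SAMPLE_ALERT = ("02/19-16:59:01.123456  [**] [1:1000001:0] Test rule [**] "
                "[Priority: 0] {TCP} 10.0.0.5:51234 -> 93.184.216.34:80")

def load_detect_triggers(text):
    """Map Snort sid -> violation id for enabled violations with a Detect:: trigger."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    triggers = {}
    for vid in cp.sections():
        if cp.get(vid, "enabled", fallback="N").upper() != "Y":
            continue  # a disabled violation never traps, whatever Snort reports
        for trig in cp.get(vid, "trigger", fallback="").split(","):
            kind, _, value = trig.strip().partition("::")
            if kind == "Detect" and value.isdigit():
                triggers[int(value)] = vid
    return triggers

def parse_alert(line):
    """Return the alert's fields (sid as int), or None if the line is not alert_fast output."""
    m = ALERT_RE.match(line.strip())
    return {**m.groupdict(), "sid": int(m.group("sid"))} if m else None

def alert_path_is_fifo(path):
    """pfdetect reads a named pipe (lsof shows FIFO); a file made with touch is not one."""
    return os.path.exists(path) and stat.S_ISFIFO(os.stat(path).st_mode)
```

Looking up `parse_alert(line)["sid"]` in the dict returned by `load_detect_triggers` gives the violation that would be raised for that alert; a sid with no enabled trigger, or a non-FIFO alert path, is the kind of silent miss the thread describes.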