Ok, so to be sure that snort works, let's enable all the rules in snort, restart it, and do a cat on the alert file (or tail -f).
On 2015-02-19 11:09, Rosario Ippolito wrote:
> This is the output from lsof /usr/local/pf/var/alert:
>
>   COMMAND  PID  USER FD TYPE DEVICE SIZE/OFF NODE    NAME
>   pfdetect 3458 root 4r FIFO 8,1    0t0      1841054 /usr/local/pf/var/alert
>   snort    3539 pf   7w FIFO 8,1    0t0      1841054 /usr/local/pf/var/alert
>
> From this output, it seems that the file is used.

On 2015-02-19 16:59 GMT+01:00, Fabrice DURAND <fdur...@inverse.ca> wrote:
> What about lsof /usr/local/pf/var/alert? Does the snort process use it?
>
> Regards
> Fabrice

On 2015-02-19 10:51, Rosario Ippolito wrote:
> I removed the alert file, I restarted PacketFence, and the file has
> appeared again, and again I see nothing running the command on
> /usr/local/pf/var/alert. Nothing to do?

On 2015-02-19 16:27 GMT+01:00, Rosario Ippolito <sarrus.ippol...@gmail.com> wrote:
> Ok, thanks a lot Fabrice! I'll try and let you know.
>
> Kind Regards,
> Rosario Ippolito

On 2015-02-19 16:22 GMT+01:00, Fabrice DURAND <fdur...@inverse.ca> wrote:
> Ok, so this must be fixed before trying to make pfdetect work with snort.
> It should work, but can you try to remove the alert file, restart snort
> and check with cat what appears inside (you probably have to wait until
> a detection occurs)?
> If the alert file is not there, then touch alert (or mkfifo alert) and
> restart snort.
>
> Regards
> Fabrice

On 2015-02-19 10:00, Rosario Ippolito wrote:
> No, I can't see anything..

On 2015-02-19 15:52 GMT+01:00, Fabrice DURAND <fdur...@inverse.ca> wrote:
> Ok, I can't remember exactly, but if you do a cat on this file:
>
>   cat /usr/local/pf/var/alert
>
> do you see something?
>
> Regards
> Fabrice

On 2015-02-19 09:47, Rosario Ippolito wrote:
> Hello Fabrice,
> thanks for the quick response! I had already tried to see that file,
> sorry, but I cannot open it. May I delete it and create a new one?
> (Maybe the file is corrupted)

On 2015-02-19 15:35 GMT+01:00, Fabrice DURAND <fdur...@inverse.ca> wrote:
> Hello Rosario,
>
> snort is supposed to send the alerts to this file:
> /usr/local/pf/var/alert. Does it contain something?
>
> Regards
> Fabrice

On 2015-02-19 07:47, Rosario Ippolito wrote:
> Hello everybody, PacketFence users,
> I have to ask some questions about Snort (version 2.9.1.2) in
> PacketFence 4.6, deployed in out-of-band (VLAN enforcement) mode. I
> have followed the guide step by step, so:
>
> 1- I have enabled detection and selected Snort as detection engine.
>
> 2- I have configured the eth1 interface in my PacketFence server in
> monitor type. This interface is connected to a Cisco switch where
> PacketFence is also connected, and all traffic passes through this
> switch.
>
>   [interface eth1]
>   type=monitor
>
> 3- I have loaded these rules in /usr/local/pf/conf/snort
>
>   classification.config.example
>   emerging-exploit.rules
>   emerging-scan.rules
>   emerging-worm.rules
>   reference.config
>   emerging-attack_response.rules
>   emerging-malware.rules
>   emerging-shellcode.rules
>   local.rules
>   reference.config.example
>   classification.config
>   emerging-botcc.rules
>   emerging-p2p.rules
>   emerging-trojan.rules
>   local.rules.example
>
> 4- I have this snort.conf file
>
>   # Snort configuration
>   # This file is manipulated on PacketFence's startup before being given
>   # to snort
>   var HOME_NET [%%trapping-range%%]
>   var EXTERNAL_NET !$HOME_NET
>   var DHCP_SERVERS [%%dhcp_servers%%]
>   var DNS_SERVERS [%%dns_servers%%]
>   var HTTP_PORTS 80
>   var SSH_PORTS 22
>   var ORACLE_PORTS 1521
>   var SHELLCODE_PORTS any
>   var HTTP_SERVERS $HOME_NET
>   var SQL_SERVERS $HOME_NET
>   var SMTP_SERVERS $HOME_NET
>   var TELNET_SERVERS $HOME_NET
>
>   var VALIDDHCP [$DHCP_SERVERS]
>   var RULE_PATH %%install_dir%%/conf/snort
>   output alert_fast: %%install_dir%%/var/alert
>   # updated several preprocessor for snort 2.8.5 (values taken from
>   # /etc/snort/snort.conf)
>   preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
>       track_udp no
>   preprocessor stream5_tcp: policy first, use_static_footprint_sizes
>   preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
>   preprocessor http_inspect_server: server default \
>       profile all ports { 80 8080 8180 } oversize_dir_length 500
>   #preprocessor conversation: timeout 120, max_conversations 65335
>   #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
>   #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
>   preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
>   output alert_syslog: LOG_AUTH LOG_ALERT
>
>   config flowbits_size: 256
>   config disable_decode_alerts
>   config disable_tcpopt_experimental_alerts
>   config disable_tcpopt_obsolete_alerts
>   config disable_tcpopt_ttcp_alerts
>   config disable_ttcp_alerts
>   config disable_tcpopt_alerts
>   config disable_ipopt_alerts
>
>   include $RULE_PATH/classification.config
>   include $RULE_PATH/reference.config
>   %%snort_rules%%
>
> 5- Snort starts with PacketFence and it works, so I try to "snort" the
> traffic with the "snort -i eth1" command, and, really, I see some
> traffic from the VLANs that I have configured in my network. The
> problem is that even though I have configured the violations.conf file
> to respond to Snort alerts.... Snort does not give me any alert. I have
> no log in pfdetect.log, is this normal?
>
> To test Snort, I have added this statement in local.rules:
>
>   alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)
>
> and I have just added this other statement in the violations.conf file:
>
>   [1000001]
>   desc=Test web
>   priority=10
>   template=banned_devices
>   enabled=Y
>   actions=trap,log
>   trigger=Detect::1000001
>
> But there is no alert raised by PacketFence.. Should I enable all
> alerts in the violations.conf file?
>
> Sorry for all these questions.. I hope somebody can help me. Thank you
> very much in advance!!
>
> Best regards,
> Rosario Ippolito

-- 
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
0xF78F957E.asc
Description: application/pgp-keys
------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
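The thread above hinges on one hand-off: Snort writes alert_fast lines into /usr/local/pf/var/alert, which the lsof output shows is a FIFO with pfdetect holding the read end and snort the write end, and pfdetect turns the sid in each line into a Detect::<sid> trigger matched against violations.conf. The script below is an added example (not PacketFence or Snort code) that reproduces that path with a throwaway FIFO and a stand-in reader, so the checks Fabrice asks for can be exercised without a live deployment. The alert line, the second violations.conf entry and the function names are constructed for the example; the alert_fast layout and the Detect::<sid> trigger form are taken from the thread and Snort's own output format.

```shell
#!/bin/sh
# Added example, not part of the PacketFence or Snort code base.
# Reproduces Snort -> FIFO -> pfdetect with a temporary FIFO and a stand-in reader.

# Report what kind of object sits at the alert path. The lsof output in the
# thread shows a FIFO; a file left behind by `touch` would be "regular".
alert_path_kind() {
    if [ -p "$1" ]; then echo fifo
    elif [ -f "$1" ]; then echo regular
    elif [ ! -e "$1" ]; then echo missing
    else echo other
    fi
}

# Pull the sid out of one alert_fast line ("... [**] [gid:sid:rev] msg [**] ...")
# and print it in the trigger form used in violations.conf: Detect::<sid>.
alert_fast_sid_to_trigger() {
    sid=$(printf '%s\n' "$1" | sed -n 's/.*\[\*\*\] \[[0-9]*:\([0-9]*\):[0-9]*].*/\1/p')
    [ -n "$sid" ] || return 1
    printf 'Detect::%s\n' "$sid"
}

# Look up which violation (enabled=Y) lists the trigger; violations.conf on stdin.
violation_for_trigger() {
    awk -v want="$1" '
        /^\[/       { id = substr($0, 2, length($0) - 2); next }
        /^enabled=/ { enabled[id] = substr($0, 9) }
        /^trigger=/ { triggers[id] = substr($0, 9) }
        END {
            for (id in triggers) {
                n = split(triggers[id], t, ",")
                for (i = 1; i <= n; i++)
                    if (t[i] == want && enabled[id] == "Y") { print id; exit }
            }
        }'
}

# Constructed violations.conf: the entry from the thread plus a disabled one.
sample_violations_conf() {
    cat <<'EOF'
[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001

[1000002]
desc=Constructed disabled entry
priority=10
template=banned_devices
enabled=N
actions=log
trigger=Detect::1000002
EOF
}

# End-to-end: writer (Snort's role) -> FIFO -> reader (pfdetect's role).
# Prints the trigger the reader derived from the single alert it received.
simulate_handoff() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/alert"
    mkfifo "$fifo" || return 1
    # Constructed alert_fast line for the thread's test rule (sid 1000001).
    sample='02/19-16:59:01.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 10.0.0.5:51234 -> 10.0.0.10:80'
    # Reader first: like pfdetect it opens the FIFO for reading and blocks until data arrives.
    ( read -r line < "$fifo"; alert_fast_sid_to_trigger "$line" > "$dir/out" ) &
    reader=$!
    # Writer: the open blocks until a reader is attached, then the line is delivered once.
    printf '%s\n' "$sample" > "$fifo"
    wait "$reader"
    cat "$dir/out"
    rm -rf "$dir"
}
```

Source the file and run `simulate_handoff`; it prints Detect::1000001, and `sample_violations_conf | violation_for_trigger Detect::1000001` prints 1000001 while the disabled 1000002 entry never matches. Two properties of the FIFO matter when following Fabrice's advice to cat or tail -f the alert file: a FIFO reader sees nothing until Snort actually writes an alert, so an empty cat is not by itself a failure, and each byte written to a FIFO is consumed by exactly one reader, so a cat or tail -f running alongside pfdetect takes alerts away from it for as long as it is attached. Use such a check briefly, then stop it, and prefer the alert_syslog output already in the snort.conf above for a second, non-competing copy of the alerts.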