Hi Derek, progress report:
DONE - You then need to configure syslog-ng to send a copy of the Suricata log 
to the PacketFence management IP address
  filter f_suricata { match('suricata:' value("MSGHDR")); };
  destination d_suricata { tcp("192.168.5.10"); };
  log { source(src); filter(f_suricata); destination(d_suricata); };

DONE - You need to allow tcp port 514 on the PacketFence firewall (editing the
/usr/local/pf/conf/iptables.conf file should be enough)
DONE - Make rsyslog (running on the PacketFence server) listen for remote
syslog messages
  Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

DONE - Make sure alert pipe file exists (/usr/local/pf/var/alert)
  mkfifo /usr/local/pf/var/alert

Added to rsyslog.conf:

#Configure rsyslog to log remote Suricata log in alert pipe
  :programname, isequal, "suricata" |/usr/local/pf/var/alert

Derek, you had put in your original instructions some portion mentioning this:
- Configure trapping on PacketFence
  trapping.detection = enabled
  services.snort = disabled
  services.suricata = disabled

My pf.conf file looks almost naked at this time because my PacketFence is a
nearly 100% fresh install, so, to clarify, it seems easier to:
1. take the pf.conf.defaults,
2. cp it to pf.conf.defaults1,
3. transpose all my current pf.conf information into the defaults1 file, then
add your editing notations,
4. mv pf.conf to pf.conf.bak,
5. mv pf.conf.defaults1 to pf.conf.

Reboot the server or restart services. (I'm still not sure what the appropriate
service restart syntax for PacketFence services is.)

Before I go and do all this, am I headed in the right direction? Afterward I
would be modifying checkup.pm and adapting the pfdetect regex.
And that should finish up what's necessary to send the remote Suricata server's
syslog alerts over to PacketFence.

Thanks.
Chris Boley
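
As an added example (not code from this thread, nor from PacketFence or Suricata), a small Python parser for the kind of Suricata alert lines that rsyslog would deliver to the alert pipe; it applies the same program-name selection as the rsyslog rule above and assumes Suricata's syslog alert output uses its fast-log style body with IPv4 addresses (the sample lines are constructed).

```python
import re

# Constructed sample lines, in the shape rsyslog writes to a file or pipe after
# receiving Suricata's syslog alert output; the second line is a non-Suricata
# message and the fourth is malformed, so both must be rejected.
SAMPLE_LINES = [
    "Oct 15 13:22:01 suricata suricata[2314]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.168.5.249:80 -> 192.168.5.10:51234",
    "Oct 15 13:22:02 suricata sshd[811]: Accepted publickey for admin from "
    "192.168.5.10 port 40122 ssh2",
    "Oct 15 13:22:03 suricata suricata[2314]: [1:2010935:3] ET SCAN Suspicious "
    "inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 10.9.8.7:51000 -> 192.168.5.20:1433",
    "Oct 15 13:22:04 suricata suricata[2314]: [1:1:1] truncated alert line",
]

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Suricata fast-log style alert body (assumed format; IPv4 only, ports optional
# so alerts without ports, e.g. ICMP, still match)
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>[^:\s]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[^:\s]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line):
    """Return a dict for a Suricata alert line, or None for anything else."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    # Same selection the rsyslog rule makes: programname must equal "suricata"
    if not m or m.group("prog") != "suricata":
        return None
    a = ALERT_RE.match(m.group("msg"))
    if not a:
        return None
    d = a.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    d["host"] = m.group("host")
    return d

def collect_alerts(lines, max_priority=2):
    """Keep alerts at or above the given severity (Suricata: 1 is most severe)."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["prio"] <= max_priority:
            out.append(alert)
    return out
```

Feeding the pipe's lines through parse_alert shows exactly which fields (sid, source and destination address) a pfdetect regex has to pick out of each alert.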

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] 
Sent: Thursday, October 15, 2015 1:22 PM
To: [email protected]
Subject: PacketFence-users Digest, Vol 90, Issue 49

Send PacketFence-users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/packetfence-users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific than "Re: 
Contents of PacketFence-users digest..."


Today's Topics:

   1. Suricata alerts to Packet Fence (Derek Wuelfrath) (Boley, Chris)
   2. Re: Using Multiple SNAT Interfaces Problem (Nathan, Josh)
   3. Use vlan_filter to set voip attribute of a node (Dennis B?hring)
   4. Integration with iBoss SSO (Morgan, Darren)


----------------------------------------------------------------------

Message: 1
Date: Wed, 14 Oct 2015 20:47:00 +0000
From: "Boley, Chris" <[email protected]>
Subject: [PacketFence-users] Suricata alerts to Packet Fence (Derek
        Wuelfrath)
To: "[email protected]"
        <[email protected]>
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="us-ascii"

Hi Derek, on your last suggestion I basically replaced syslogd on FreeBSD with
syslog-ng so as to more easily mimic your instructions.
You had suggested some syslog-ng config changes.
I put them verbatim right at the bottom of the cfg file without modifying
anything else. Seemed like the easiest route to take.

filter f_suricata { match('suricata:' value("MSGHDR")); };
destination d_suricata { tcp("192.168.5.10"); };
log { source(src); filter(f_suricata); destination(d_suricata); };

On the middle (destination) line, should that be UDP and not TCP? Syslog is 
typically UDP 514. Otherwise it looks like the desired effect is happening.

A quick netstat shows:

root@suricata:/usr/ports/sysutils/syslog-ng # netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.5.249.25801    192.168.5.10.shell     SYN_SENT


Thanks.
Chris Boley

-----Original Message-----
From: [email protected] 
[mailto:[email protected]]
Sent: Tuesday, October 13, 2015 10:53 AM
To: [email protected]
Subject: PacketFence-users Digest, Vol 90, Issue 36

Today's Topics:

   1. Re: Suricata alerts to Packet Fence (Derek Wuelfrath)
   2. Re: pfdhcplistener (Derek Wuelfrath)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Oct 2015 10:41:05 -0400
From: Derek Wuelfrath <[email protected]>
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
To: ML PF <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

Hello Chris,

Are you running Suricata on a separate box (I assume)? Are you running it
standalone or within a security suite (SecurityOnion, for example)?

Let me know

Cheers!
dw.

Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 9, 2015, at 5:05 PM, Boley, Chris <[email protected]> wrote:
> 
> Does anyone happen to know where I can find info on sending suricata alert 
> events over to Packet Fence?
>  
>  
> Chris Boley | Network Engineer | Cogentrix Energy Power Management, 
> LLC
> 
>  

------------------------------

Message: 2
Date: Tue, 13 Oct 2015 10:52:22 -0400
From: Derek Wuelfrath <[email protected]>
Subject: Re: [PacketFence-users] pfdhcplistener
To: ML PF <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

Hello Chinmay,

I'm looking at it and I'll get back to you.

Cheers!
dw.

Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 13, 2015, at 2:17 AM, Chinmay Mahata <[email protected]> 
> wrote:
> 
> Dear Derek,
>     Any thoughts on my issue?
> 
> Regards,
> --Chinmay
> 
> 
> 
> From: "Chinmay Mahata" <[email protected]>
> Sent: Fri, 09 Oct 2015 18:13:36
> To: "[email protected]" 
> <[email protected]>
> Subject: Re: [PacketFence-users] pfdhcplistener
>
> Dear Derek,
>      Thanks for your quick response. I think I could not describe my
> problem/query properly.
> 
> DHCPD is running on only one interface (eth0) of my PF server, no issue with 
> that.
> 
> Actually at the WAN side (upstream) of my PF server there is another DHCP
> server running (though the PF server WAN has a static IP). Since pfdhcplistener
> is running at eth1 (WAN) also, in the node (web) page I can see many
> unregistered nodes of the WAN network which I don't want.
> 
>     I want to see only those nodes in the web page which are under the PF server
> and which are getting IP addresses from the DHCP server running on the PF server
> (on eth0). Hopefully pfdhcplistener on eth0 only can catch those.
>
> So I want to run only one instance of pfdhcplistener, on interface eth0
> (pfdhcplistener_eth0). Please let me know how I can do that.
> 
> Thanks again Derek.
> 
> Regards,
> --Chinmay
>
> From: Derek Wuelfrath <[email protected]>
> Sent: Thu, 08 Oct 2015 22:11:09
> To: ML PF <[email protected]>
> Subject: Re: [PacketFence-users] pfdhcplistener
>
> Chinmay,
> 
>> The packetfence server is working as a DHCP server.
>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0, 
>> pfdhcplistener_eth1.
>> 
>> 
>> But I want to run only one pfdhcplistener, viz. pfdhcplistener_eth0. Is that
>> possible (or may it cause other problems)? Which config item do I need to
>> modify for that?
> 
> 'pfdhcplistener', as its name says, listens for DHCP packets.
> PacketFence starts a 'pfdhcplistener' daemon on each of the required network
> interfaces (in this case, management and inline).
>
> 'pfdhcplistener' is not acting as a DHCP server, dhcpd is. 'pfdhcplistener'
> is only listening to DHCP packets for the MAC <-> IP association useful in
> PacketFence.
> 
> If you do a
> ps uafx | grep dhcpd
> you should see the dhcpd daemon running with only eth0 as listening interface.
> 
> Cheers!
> dw.
> 
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
> 
>> On Oct 8, 2015, at 10:42 AM, Chinmay Mahata <[email protected]> 
>> wrote:
>> 
>> Hi,
>>     I have set up PacketFence (5.4.0) with inline enforcement, with the below
>> interface details (LAN: eth0, WAN: eth1).
>> 
>> [interface eth0]
>> enforcement=inlinel2
>> type=internal
>> 
>> [interface eth1]
>> type=management
>> 
>> The packetfence server is working as a DHCP server.
>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0, 
>> pfdhcplistener_eth1.
>> 
>> 
>> But I want to run only one pfdhcplistener, viz. pfdhcplistener_eth0. Is that
>> possible (or may it cause other problems)? Which config item do I need to
>> modify for that?
>> 
>> Waiting for your help.
>> 
>> Thanks in advance.
>> --Chinmay
>> 
>

End of PacketFence-users Digest, Vol 90, Issue 36
*************************************************

------------------------------

Message: 2
Date: Thu, 15 Oct 2015 13:35:33 +0200
From: "Nathan, Josh" <[email protected]>
Subject: Re: [PacketFence-users] Using Multiple SNAT Interfaces
        Problem
To: [email protected]
Message-ID:
        <CAOPjWNJgL8Arzzxypgfh=stg2xaqozkj61ti3rwp1drjsvk...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Thanks Fabrice! I was able to get it working with that!

Thanks,
Joshua Nathan
IT Administrator
Black Forest Academy
+49 (0) 7626-9161-630


On Wed, Oct 14, 2015 at 3:36 PM, Fabrice DURAND <[email protected]> wrote:

> Hello Joshua,
>
> you will need to configure iproute2 to do that.
> http://www.lartc.org/howto/
>
> regards
> Fabrice
>
>
>
> On 2015-10-14 05:08, Nathan, Josh wrote:
> > Hello all,
> >
> > So... I see where PacketFence has the option to specify that there
> > are multiple SNAT interfaces, but I've not found where/all to
> > specify which one to use... Here's what I want to do.
> >
> > Within an Inline environment, I want to specify that VLAN 15 (ex.
> > eth0.15) reaches the Internet via eth1, and VLAN 16 (eth0.16)
> > reaches the Internet via eth2. Is there a built-in way for
> > PacketFence to do that? In the networks.conf file I see the NATing
> > enabled or disabled option, but I haven't seen where I can flag
> > different internal interfaces to use different SNAT interfaces.
> >
> > Thanks,
> > Joshua Nathan
> > IT Administrator
> > Black Forest Academy
> > +49 (0) 7626-9161-630
> >
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)

------------------------------

Message: 3
Date: Thu, 15 Oct 2015 16:53:05 +0200
From: Dennis B?hring <[email protected]>
Subject: [PacketFence-users] Use vlan_filter to set voip attribute of
        a node
To: [email protected]
Message-ID:
        <CA+SvL9kZBtJZeRfB4TCN=_tm8t9Uni5YXvzeBdMfCuo=7=e...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I want to set the voip attribute for our Siemens phones via a vlan filter.

I can match them

[siemens_phones]
filter = node_info
operator = match
attribute = mac
value = ^(00:1a:e8).*

But how do I set the voip attribute?


regards
Dennis

------------------------------

Message: 4
Date: Thu, 15 Oct 2015 15:32:45 +0000
From: "Morgan, Darren" <[email protected]>
Subject: [PacketFence-users] Integration with iBoss SSO
To: "[email protected]"
        <[email protected]>
Message-ID:
        <C04EE09D46961F4494DD2B386287BC2B019869B62D@os-mbx04.oundleschool.local>
Content-Type: text/plain; charset="us-ascii"

Hi,
Does anyone have any experience with integrating PF with iBoss? I have basic PF
set up and working well with our network and authenticating through AD now, and
would like all devices to authenticate through the iBoss filter.

Not really sure where to start on the iBoss side?

Regards

Darren Morgan
Systems Manager
Oundle School
Tel: 01832 277349

------------------------------

End of PacketFence-users Digest, Vol 90, Issue 49
*************************************************

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users