Chris,

> Derek, you had put in your original instructions some portion mentioning this:
> - Configure trapping on PacketFence
>   trapping.detection = enabled
>   services.snort = disabled
>   services.suricata = disabled
>
> My pf.conf file looks almost naked at this time because my packetfence is a
> nearly 100% fresh install so, to clarify it seems easier to:
> 1. take the pf.conf.defaults,
> 2. cp it to pf.conf.defaults1,
> 3. transpose all my current pf.conf information into the defaults1 file then
>    add your editing notations
> 4. mv pf.conf to pf.conf.bak
> 5. mv pf.conf.defaults1 to pf.conf
You can simply add the following to your existing pf.conf file :)

[trapping]
detection = enabled

[services]
snort = disabled
suricata = disabled

> Reboot server or restart services. ( I'm still not sure what's the
> appropriate service restart syntax for packet fence services)

Unless you experience what we call "a Zammitbug", it is very unlikely that you'll need to reboot the server. At this point, you may simply want to restart the rsyslog and PacketFence services, as follows:

service rsyslog restart
service packetfence restart

One thing tho, you may want to modify the checkup.pm file BEFORE restarting PacketFence, otherwise you may certainly hit a FATAL error saying no monitoring interface is configured while having trapping.detection enabled.

Let me know !

Derek

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Oct 15, 2015, at 2:28 PM, Boley, Chris <[email protected]> wrote:
>
> Hi Derek, progress report:
>
> DONE - You then need to configure syslog-ng to send a copy of the Suricata
> log to the PacketFence management IP address
>   filter f_suricata { match('suricata:' value("MSGHDR")); };
>   destination d_suricata { tcp("192.168.5.10"); };
>   log { source(src); filter(f_suricata); destination(d_suricata); };
>
> DONE - You need to allow tcp port 514 on the PacketFence firewall (editing the
> /usr/local/pf/conf/iptables.conf file should be enough)
>
> DONE - Make rsyslog (running on the PacketFence server) listen for remote
> syslog messages
>   Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf
>
> DONE - Make sure alert pipe file exists (/usr/local/pf/var/alert)
>   mkfifo /usr/local/pf/var/alert
>
> Added to rsyslog.conf :
>
>   #Configure rsyslog to log remote Suricata log in alert pipe
>   :programname, isequal, "suricata" |/usr/local/pf/var/alert
>
> Derek, you had put in your original instructions some portion mentioning this:
> - Configure trapping on PacketFence
>   trapping.detection = enabled
>   services.snort = disabled
>   services.suricata = disabled
>
> My pf.conf file looks almost naked at this time because my packetfence is a
> nearly 100% fresh install so, to clarify it seems easier to:
> 1. take the pf.conf.defaults,
> 2. cp it to pf.conf.defaults1,
> 3. transpose all my current pf.conf information into the defaults1 file then
>    add your editing notations
> 4. mv pf.conf to pf.conf.bak
> 5. mv pf.conf.defaults1 to pf.conf
>
> Reboot server or restart services. ( I'm still not sure what's the
> appropriate service restart syntax for packet fence services)
>
> Before I go and do all this, am I headed in the right direction? Afterward I
> would be modifying the checkup.pm and adapting the pfdetect regex.
> And that should finish up what's necessary to send remote suricata server
> syslog alerts over to Packet Fence.
>
> Thanks.
> Chris Boley
>
> -----Original Message-----
> From: [email protected]
> Sent: Thursday, October 15, 2015 1:22 PM
> To: [email protected]
> Subject: PacketFence-users Digest, Vol 90, Issue 49
>
> Message: 1
> Date: Wed, 14 Oct 2015 20:47:00 +0000
> From: "Boley, Chris" <[email protected]>
> Subject: [PacketFence-users] Suricata alerts to Packet Fence (Derek Wuelfrath)
> To: "[email protected]" <[email protected]>
>
> Hi Derek, on your last suggestion I basically replaced syslogd on freebsd
> with syslog-ng so as to more easily mimic your instructions:
> You had suggested some syslog-ng config changes.
> I put them verbatim right in the bottom of the cfg file without modifying
> anything else. Seemed like the easiest route to take.
>
>   filter f_suricata { match('suricata:' value("MSGHDR")); };
>   destination d_suricata { tcp("192.168.5.10"); };
>   log { source(src); filter(f_suricata); destination(d_suricata); };
>
> On the middle (destination) line, should that be UDP and not TCP? Syslog is
> typically UDP 514. Otherwise it looks like the desired effect is happening.
>
> A quick netstat shows:
>
>   root@suricata:/usr/ports/sysutils/syslog-ng # netstat
>   Active Internet connections
>   Proto Recv-Q Send-Q Local Address           Foreign Address        (state)
>   tcp4       0      0 192.168.5.249.25801     192.168.5.10.shell     SYN_SENT
>
> Thanks.
> Chris Boley
>
> -----Original Message-----
> From: [email protected]
> Sent: Tuesday, October 13, 2015 10:53 AM
> To: [email protected]
> Subject: PacketFence-users Digest, Vol 90, Issue 36
>
> Message: 1
> Date: Tue, 13 Oct 2015 10:41:05 -0400
> From: Derek Wuelfrath <[email protected]>
> Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
> To: ML PF <[email protected]>
>
> Hello Chris,
>
> Are you running Suricata on a separate box (I assume)? Are you running it
> standalone or within a security suite (SecurityOnion for example)?
>
> Let me know
>
> Cheers!
> dw.
>
>> On Oct 9, 2015, at 5:05 PM, Boley, Chris <[email protected]> wrote:
>>
>> Does anyone happen to know where I can find info on sending suricata alert
>> events over to Packet Fence?
>>
>> Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> ------------------------------
>
> Message: 2
> Date: Tue, 13 Oct 2015 10:52:22 -0400
> From: Derek Wuelfrath <[email protected]>
> Subject: Re: [PacketFence-users] pfdhcplistener
> To: ML PF <[email protected]>
>
> Hello Chinmay,
>
> I'm looking at it and I'll get back to you.
>
> Cheers!
> dw.
>
>> On Oct 13, 2015, at 2:17 AM, Chinmay Mahata <[email protected]> wrote:
>>
>> Dear Derek,
>> Any thought on my issue.....
>>
>> Regards,
>> --Chinmay
>>
>> From: "Chinmay Mahata" <[email protected]>
>> Sent: Fri, 09 Oct 2015 18:13:36
>> To: "[email protected]" <[email protected]>
>> Subject: Re: [PacketFence-users] pfdhcplistener
>>
>> Dear Derek,
>> Thanks for your quick response. I think I could not describe my
>> problem/query properly.
>>
>> DHCPD is running on only one interface (eth0) of my PF server, no issue with
>> that.
>>
>> Actually at the WAN side (upstream) of my PF server there is another DHCP
>> server running (though the PF server WAN has a static IP). Since pfdhcplistener
>> is running at eth1 (WAN) also, in the node (web) page I can see many
>> unregistered nodes of the WAN network which I don't want.
>>
>> I want to see only those nodes in the webpage which are under the PF server
>> and who are getting IP addresses from the DHCP server running in the PF server (on
>> eth0). Hope pfdhcplistener on eth0 only can catch those.
>>
>> So I want to run only one instance of pfdhcplistener on interface eth0
>> (pfdhcplistener_eth0). Please let me know how I can do that.
>>
>> Thanks again Derek.
>>
>> Regards,
>> --Chinmay
>>
>> From: Derek Wuelfrath <[email protected]>
>> Sent: Thu, 08 Oct 2015 22:11:09
>> To: ML PF <[email protected]>
>> Subject: Re: [PacketFence-users] pfdhcplistener
>>
>> Chinmay,
>>
>>> The packetfence server is working as a DHCP server.
>>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0,
>>> pfdhcplistener_eth1.
>>>
>>> But I want to run only one pfdhcplistener viz. pfdhcplistener_eth0. Can it
>>> be possible (or it may cause other problem)? Which config item do I need to
>>> modify for that?
>>
>> "pfdhcplistener", as its name says, listens for DHCP packets.
>> PacketFence starts a "pfdhcplistener" daemon on each of the required network
>> interfaces (in this case, management and inline).
>>
>> "pfdhcplistener" is not acting as a DHCP server, dhcpd is. "pfdhcplistener"
>> is only listening to DHCP packets for the MAC <-> IP association useful in
>> PacketFence.
>>
>> If you do a
>>   ps uafx | grep dhcpd
>> you should see the dhcpd daemon running with only eth0 as listening
>> interface.
>>
>> Cheers!
>> dw.
>>
>>> On Oct 8, 2015, at 10:42 AM, Chinmay Mahata <[email protected]> wrote:
>>>
>>> Hi,
>>> I have setup packetfence (5.4.0) with inline enforcement having below
>>> interface details (LAN: eth0, WAN: eth1).
>>>
>>>   [interface eth0]
>>>   enforcement=inlinel2
>>>   type=internal
>>>
>>>   [interface eth1]
>>>   type=management
>>>
>>> The packetfence server is working as a DHCP server.
>>> I see that two pfdhcplisteners are running: pfdhcplistener_eth0,
>>> pfdhcplistener_eth1.
>>>
>>> But I want to run only one pfdhcplistener viz. pfdhcplistener_eth0. Can it
>>> be possible (or it may cause other problem)? Which config item do I need to
>>> modify for that?
>>>
>>> Waiting for your help.
>>>
>>> Thanks in advance.
>>> --Chinmay
>
> End of PacketFence-users Digest, Vol 90, Issue 36
> *************************************************
>
> ------------------------------
>
> Message: 2
> Date: Thu, 15 Oct 2015 13:35:33 +0200
> From: "Nathan, Josh" <[email protected]>
> Subject: Re: [PacketFence-users] Using Multiple SNAT Interfaces Problem
> To: [email protected]
>
> Thanks Fabrice! I was able to get it working with that!
>
> Thanks,
> Joshua Nathan
> IT Administrator
> Black Forest Academy
> +49 (0) 7626-9161-630
>
> On Wed, Oct 14, 2015 at 3:36 PM, Fabrice DURAND <[email protected]> wrote:
>
>> Hello Joshua,
>>
>> you will need to configure iproute2 to do that.
>> http://www.lartc.org/howto/
>>
>> regards
>> Fabrice
>>
>> On 2015-10-14 05:08, Nathan, Josh wrote:
>>> Hello all,
>>>
>>> So... I see where PacketFence has the option to specify that there
>>> are multiple SNAT interfaces, but I've not found where/all to
>>> specify which one to use... Here's what I want to do.
>>>
>>> Within an Inline environment, I want to specify that VLAN 15 (ex.
>>> eth0.15) reaches the Internet via eth1, and VLAN 16 (eth0.16)
>>> reaches the Internet via eth2. Is there a built-in way for
>>> PacketFence to do that? In the networks.conf file I see the NATing
>>> enabled or disabled option, but I haven't seen where I can flag
>>> different internal interfaces to use different SNAT interfaces.
>>>
>>> Thanks,
>>> Joshua Nathan
>>> IT Administrator
>>> Black Forest Academy
>>> +49 (0) 7626-9161-630
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>> PacketFence (http://packetfence.org)
>
> ------------------------------
>
> Message: 3
> Date: Thu, 15 Oct 2015 16:53:05 +0200
> From: Dennis Bühring <[email protected]>
> Subject: [PacketFence-users] Use vlan_filter to set voip attribute of a node
> To: [email protected]
>
> Hi,
>
> i want to set the voip attribute for our siemens phones via a vlan filter.
>
> I can match them
>
>   [siemens_phones]
>   filter = node_info
>   operator = match
>   attribute = mac
>   value = ^(00:1a:e8).*
>
> But how do i set the voip attribute ?
>
> regards
> Dennis
>
> ------------------------------
>
> Message: 4
> Date: Thu, 15 Oct 2015 15:32:45 +0000
> From: "Morgan, Darren" <[email protected]>
> Subject: [PacketFence-users] Integration with iBoss SSO
> To: "[email protected]" <[email protected]>
>
> Hi,
> Does anyone have any experience with integrating PF with iBoss? Have basic
> PF set up and working well with our network and authenticating through AD now
> and would like all devices to authenticate through the iBoss filter.
>
> Not really sure where to start on the iBoss side?
>
> Regards
>
> Darren Morgan
> Systems Manager
> Oundle School
> Tel: 01832 277349
>
> End of PacketFence-users Digest, Vol 90, Issue 49
> *************************************************
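The thread above wires Suricata alerts through syslog-ng, a TCP/514 listener in rsyslog and the /usr/local/pf/var/alert FIFO into PacketFence, and Chris names adapting the pfdetect regex as the remaining step. As an added example, not code from the thread or from the PacketFence project, the following Python parser consumes syslog-wrapped Suricata alert lines the way the receiving side sees them: it applies the same programname selection the rsyslog rule uses (only messages tagged `suricata` pass) and extracts the signature id, priority, protocol and endpoints a detection pipeline would act on. The sample lines are constructed; the alert layout is Suricata's standard fast.log format, and the parser assumes IPv4 endpoints.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Traditional syslog line as rsyslog receives it over TCP/514:
# "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Suricata fast.log alert. The Classification bracket is optional because
# rules without a classtype omit it; ports are absent for protocols like ICMP.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_ALERT = re.compile(
    r"^(?P<when>\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<sig>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?\s*$"
)

PROGRAM_NAME = "suricata"  # mirrors the rsyslog selector  :programname, isequal, "suricata"


@dataclass(frozen=True)
class Alert:
    when: str
    gid: int
    sid: int
    rev: int
    signature: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def split_syslog(line: str) -> Optional[dict]:
    """Return the syslog header fields and payload, or None if the line is not syslog."""
    m = SYSLOG_LINE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def parse_fast_alert(msg: str) -> Optional[Alert]:
    """Parse one fast.log alert payload; None for anything that is not an alert."""
    m = FAST_ALERT.match(msg.strip())
    if not m:
        return None
    g = m.groupdict()
    port = lambda v: int(v) if v is not None else None
    return Alert(
        when=g["when"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        signature=g["sig"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"], src=g["src"], sport=port(g["sport"]),
        dst=g["dst"], dport=port(g["dport"]),
    )


def process_line(line: str) -> Optional[Alert]:
    """Apply the programname filter first, then parse the alert payload."""
    hdr = split_syslog(line)
    if hdr is None or hdr["prog"] != PROGRAM_NAME:
        return None  # dropped, just as the rsyslog selector would not route it
    return parse_fast_alert(hdr["msg"])


def process_stream(lines: Iterable[str]) -> list:
    """Parse a stream of syslog lines, keeping only well-formed Suricata alerts."""
    return [a for a in (process_line(l) for l in lines) if a is not None]


# Constructed sample input: what rsyslog on the PacketFence host would see.
SAMPLE_LINES = [
    "Oct 15 14:28:01 suricata suricata: 10/15/2015-14:28:01.123456  [**] "
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.168.5.20:80 -> 192.168.5.30:51234",
    "Oct 15 14:28:02 suricata suricata: 10/15/2015-14:28:02.000001  [**] "
    "[1:2100366:8] GPL ICMP_INFO PING *NIX [**] [Classification: Misc activity] "
    "[Priority: 3] {ICMP} 192.168.5.30 -> 192.168.5.20",
    "Oct 15 14:28:03 suricata sshd[1234]: Accepted publickey for admin from "
    "192.168.5.99 port 50022 ssh2",
    "Oct 15 14:28:04 suricata suricata: 10/15/2015-14:28:04.555555  [**] "
    "[1:9000001:1] LOCAL test rule without classtype [**] [Priority: 1] {UDP} "
    "192.168.5.40:5353 -> 224.0.0.251:5353",
]

if __name__ == "__main__":
    for alert in process_stream(SAMPLE_LINES):
        print(f"sid={alert.sid} prio={alert.priority} {alert.proto} "
              f"{alert.src} -> {alert.dst} : {alert.signature}")
```

Reading from the FIFO instead of the sample list is a matter of passing `open("/usr/local/pf/var/alert")` to `process_stream`; the two-stage filter (program name, then payload shape) is what keeps an unrelated line that happens to reach port 514, like the sshd entry above, from ever being treated as an alert.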
