Derek, in a previous mail you had stated that I should make some modifications to a few files. I'm having a bit of trouble interpreting what I should do. Hoping you can shed some wisdom here. Everything else is ready to go. Thanks.
(quoting you from previous mail)

- Remove the following check from pfcmd checkup
  https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303

-----------------------------------------------------------------------------------------------------------------

So my file should read like this now? Just verifying because it seemed odd that I hadn't commented out that first portion of that section.

=======================================================================
# make sure a monitor device is present if trapping.detection is enabled
if ( !$monitor_int ) {
#    add_problem( $FATAL,
#        "monitor interface not defined, please disable trapping.detection " .
#        "or set an interface type=...,monitor in pf.conf"
#    );
# }
#
========================================================================

Additionally (quoting you again):

- Adapt pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131

if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
    $date  = $1;
    $sid   = $2;
    $descr = $3;
    $srcip = $5;
    $dstip = $6;
} else {
    $logger->warn("unknown input: $_ ");
    next;
}

==================================================================================================================================================================

Problem I'm facing:
----
Your file looks like this that you quoted from the URL:

====================================================================================================================================================================
$logger->info("initialized");          <-------------------------------- Line 93

my %CHILDREN;
my $IS_CHILD = 0;
my $running = 1;

sub start_detectors {
    foreach my $id (keys %ConfigDetect) {
        run_detector($id);
    }
}                                      <-------------- LINE 103 here on the URL you supplied.

=head2 run_detector

creates a new child to run a task

=cut

sub run_detector {
    my ($id) = @_;
    my $detector = $ConfigDetect{$id};
    $detector->{id} = $id;
    my $pid = fork();
    if($pid) {
        $CHILDREN{$pid} = $detector->{id};
        $SIG{CHLD} = "IGNORE";
    } elsif ($pid == 0) {
        $SIG{CHLD} = "DEFAULT";
        $IS_CHILD = 1;
        _run_detector($detector);
    } else {
    }
}

=head2 _run_detector

the task to is ran in a loop until it is finished

=cut
=====================================================================================================

My file looks very different and I'm unsure what to do with it. See below

-----------------------------------------------------------------------------------------------------------------------------------------------------------
$logger->info("initialized");          <-------------------- LINE 89

if ( !open( $snortpipe_fh, '<', "$snortpipe" ) ) {
    $logger->logdie("unable to open snort pipe ($snortpipe): $!");
} else {
    $logger->info("listening on $snortpipe");
}

while (<$snortpipe_fh>) {
    $logger->info("alert received: $_");
    if ( $_ =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) {    <---- LINE 103
        $date  = $1;
        $sid   = $2;
        $descr = $3;
        $srcip = $4;
        $dstip = $6;
    } elsif ( $_ =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } elsif ( $_ =~ /^(.+?)\[\*\*\] \[\d+:(\d+):\d+\]\s+\(spp_portscan2\) Portscan detected from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } else {
        $logger->warn("unknown input: $_ ");
        next;
    }
------------------------------------------------------------------------------

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
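
As an added example that is not part of the thread and not PacketFence's own pfdetect code, the stand-alone Perl script below runs the syslog-style regex proposed in the quoted reply next to the older alert_fast patterns from the user's file, over a few constructed Snort alert lines, and shows which lines each pattern accepts. The sample lines, the hostname "nac", the SIDs and the $portscan_sid value are all made up for the demonstration; pfdetect itself takes the portscan SID from its configuration and reads lines from the snort pipe instead of an array.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: exercise the syslog-style Snort
# alert regex proposed in the thread next to the older alert_fast
# patterns, over constructed sample lines, and show which lines fall
# through to "unknown input".
use strict;
use warnings;

# Placeholder only: the real pfdetect takes this value from its config.
my $portscan_sid = 1200003;

# Constructed sample alerts (not captured from a real sensor):
#   1. syslog-style TCP alert of the shape the proposed regex targets
#   2. syslog-style ICMP alert, which carries no ports
#   3. alert_fast (pipe) TCP alert of the shape the older regex targets
#   4. alert_fast portscan notice
my @samples = (
    'Jan 12 10:00:00 nac snort[1234]: [1:2000000:1] ET SCAN example [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80',
    'Jan 12 10:00:01 nac snort[1234]: [1:2000001:1] ICMP example [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.1 -> 10.0.0.2',
    '01/12-10:00:02.123456  [**] [1:2000000:1] ET SCAN example [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80',
    '01/12-10:00:03.123456  [**] [122:1:0] Portscan detected from 10.0.0.1',
);

# Returns a hashref with the fields pfdetect needs, or undef when no
# pattern matches (the caller is expected to log and skip the line).
sub parse_alert {
    my ($line) = @_;
    chomp $line;
    my %a;

    # 1. Regex proposed in the thread (syslog-style output). Note the
    #    trailing "(.+?):" on both addresses: a port must follow each one.
    if ( $line =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
        @a{qw(date sid descr srcip dstip)} = ( $1, $2, $3, $5, $6 );
    }
    # 2. Older alert_fast pattern from the user's file (generic alert)
    elsif ( $line =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) {
        @a{qw(date sid descr srcip dstip)} = ( $1, $2, $3, $4, $6 );
    }
    # 3. Older alert_fast pattern for the portscan preprocessor
    elsif ( $line =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ ) {
        @a{qw(date sid srcip descr)} = ( $1, $portscan_sid, $3, 'PORTSCAN' );
    }
    else {
        return;
    }
    return \%a;
}

for my $line (@samples) {
    my $alert = parse_alert($line);
    if ($alert) {
        printf "parsed: date=%s sid=%s src=%s dst=%s descr=%s\n",
            $alert->{date}, $alert->{sid}, $alert->{srcip},
            $alert->{dstip} // '-', $alert->{descr};
    }
    else {
        print "unknown input: $line\n";
    }
}
```

Save it to a file and run it with perl. Two things worth checking before dropping the proposed regex into pfdetect: the ICMP sample is reported as unknown input, because the proposed pattern ends in `(.+?):.+?>\s(.+?):` and therefore only accepts alerts with a port after both addresses; and with the older alert_fast pattern as posted, the lazy `(.+?)\s+.+?` in front of the source address stops at the first whitespace, so $descr holds only the first word of the message (here "ET") rather than the whole rule text.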
