Chris,

> - Remove the following check from pfcmd checkup
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
> Comment lines 298 to 303
> -----------------------------------------------------------------
> So my file should read like this now? Just verifying because it seemed
> odd that I hadn't commented out that first portion of that section.
> =================================================================
> # make sure a monitor device is present if trapping.detection is enabled
> if ( !$monitor_int ) {
> #    add_problem( $FATAL,
> #        "monitor interface not defined, please disable trapping.detection " .
> #        "or set an interface type=...,monitor in pf.conf"
> #    );
> # }
> #
> =================================================================
You should also comment the "if" line...

> - Adapt pfdetect regex.

Which version of PacketFence are you running?

Additionally, we are about to release PacketFence 5.5, which includes a complete rewrite of violations along with pfdetect. It will natively support SecurityOnion.

Let me know

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Nov 2, 2015, at 10:59 AM, Boley, Chris <[email protected]> wrote:
>
> Derek, in a previous mail you had stated that I should make some
> modifications to a few files. I'm having a bit of trouble interpreting what I
> should do. Hoping you can shed some wisdom here. Everything else is ready to
> go. Thanks.
>
> (quoting you from previous mail)
> - Remove the following check from pfcmd checkup
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
> Comment lines 298 to 303
> -----------------------------------------------------------------
> So my file should read like this now? Just verifying because it seemed
> odd that I hadn't commented out that first portion of that section.
> =================================================================
> # make sure a monitor device is present if trapping.detection is enabled
> if ( !$monitor_int ) {
> #    add_problem( $FATAL,
> #        "monitor interface not defined, please disable trapping.detection " .
> #        "or set an interface type=...,monitor in pf.conf"
> #    );
> # }
> #
> =================================================================
> Additionally (quoting you again):
> - Adapt pfdetect regex.
> https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
> Comment lines 103 to 131
> Add the following after 131
>
> if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
>     $date  = $1;
>     $sid   = $2;
>     $descr = $3;
>     $srcip = $5;
>     $dstip = $6;
> } else {
>     $logger->warn("unknown input: $_ ");
>     next;
> }
> =================================================================
> Problem I'm facing:
> ----
> Your file looks like this that you quoted from the URL:
> =================================================================
> $logger->info("initialized");    <-------------------------------- Line 93
>
> my %CHILDREN;
> my $IS_CHILD = 0;
> my $running = 1;
>
> sub start_detectors {
>     foreach my $id (keys %ConfigDetect) {
>         run_detector($id);
>     }
> }    <-------------- LINE 103 here on the URL you supplied.
>
> =head2 run_detector
>
> creates a new child to run a task
>
> =cut
>
> sub run_detector {
>     my ($id) = @_;
>     my $detector = $ConfigDetect{$id};
>     $detector->{id} = $id;
>     my $pid = fork();
>     if($pid) {
>         $CHILDREN{$pid} = $detector->{id};
>         $SIG{CHLD} = "IGNORE";
>     } elsif ($pid == 0) {
>         $SIG{CHLD} = "DEFAULT";
>         $IS_CHILD = 1;
>         _run_detector($detector);
>     } else {
>     }
> }
>
> =head2 _run_detector
>
> the task to is ran in a loop until it is finished
>
> =cut
> =================================================================
> My file looks very different and I'm unsure what to do with it.
> See below
> -----------------------------------------------------------------
> $logger->info("initialized");    <-------------------- LINE 89
>
> if ( !open( $snortpipe_fh, '<', "$snortpipe" ) ) {
>     $logger->logdie("unable to open snort pipe ($snortpipe): $!");
> } else {
>     $logger->info("listening on $snortpipe");
> }
>
> while (<$snortpipe_fh>) {
>
>     $logger->info("alert received: $_");
>     if ( $_
>         =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
>         )
>     {    <------------------------------------------ LINE 103
>         $date  = $1;
>         $sid   = $2;
>         $descr = $3;
>         $srcip = $4;
>         $dstip = $6;
>     } elsif ( $_
>         =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
>         )
>     {
>         $date  = $1;
>         $sid   = $portscan_sid;
>         $srcip = $3;
>         $descr = "PORTSCAN";
>     } elsif ( $_
>         =~ /^(.+?)\[\*\*\] \[\d+:(\d+):\d+\]\s+\(spp_portscan2\) Portscan detected from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
>         )
>     {
>         $date  = $1;
>         $sid   = $portscan_sid;
>         $srcip = $3;
>         $descr = "PORTSCAN";
>     } else {
>         $logger->warn("unknown input: $_ ");
>         next;
>     }
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
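As an added example (not code from this thread and not PacketFence's own pfdetect), the following Python script reproduces the per-line dispatch the quoted pfdetect loop performs: it tries the classic Snort alert regex and the two portscan regexes from Chris's file, then the syslog-style regex Derek proposed, and warns-and-skips anything that matches none of them. The regexes are copied from the messages above as Python raw strings; the sample alert lines, the rule names and sids in them, and the `PORTSCAN_SID` placeholder standing in for pfdetect's `$portscan_sid` are all constructed for this example.

```python
import logging
import re

# Added example, not PacketFence code: the same try-each-format dispatch that
# pfdetect does on every line read from the Snort pipe.
log = logging.getLogger("pfdetect-example")

# Classic Snort alert line (the regex at line 103 of the quoted pfdetect copy).
CLASSIC = re.compile(
    r"^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)
# Portscan preprocessor lines (the two elsif branches of the same loop).
PORTSCAN = re.compile(
    r"^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)
PORTSCAN2 = re.compile(
    r"^(.+?)\[\*\*\] \[\d+:(\d+):\d+\]\s+\(spp_portscan2\) Portscan detected from "
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)
# Syslog-style line of the shape Derek's replacement regex expects.
SYSLOG = re.compile(
    r"^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]"
    r".+?\}\s+(.+?):.+?>\s(.+?):"
)

# Constructed placeholder for pfdetect's $portscan_sid (real value comes from pf config).
PORTSCAN_SID = "PORTSCAN_SID_PLACEHOLDER"


def parse_alert(line):
    """Return a dict with date/sid/descr/srcip/dstip, or None for unknown input."""
    m = CLASSIC.match(line)
    if m:
        # Same group numbering as the Perl: $4 is the source IP, $6 the destination.
        return {"date": m.group(1), "sid": m.group(2), "descr": m.group(3),
                "srcip": m.group(4), "dstip": m.group(6)}
    m = PORTSCAN.match(line) or PORTSCAN2.match(line)
    if m:
        return {"date": m.group(1), "sid": PORTSCAN_SID, "descr": "PORTSCAN",
                "srcip": m.group(3), "dstip": None}
    m = SYSLOG.match(line)
    if m:
        # Derek's regex: $5 is the source IP, $6 the destination.
        return {"date": m.group(1), "sid": m.group(2), "descr": m.group(3),
                "srcip": m.group(5), "dstip": m.group(6)}
    log.warning("unknown input: %s", line)
    return None


def process_pipe(lines):
    """Run every line through parse_alert; return (parsed alerts, number dropped)."""
    parsed, dropped = [], 0
    for line in lines:
        rec = parse_alert(line.rstrip("\n"))
        if rec is None:
            dropped += 1
        else:
            parsed.append(rec)
    return parsed, dropped


# Constructed sample lines (not captured from a real sensor).
SAMPLE_LINES = [
    # classic Snort alert format, as read from the pipe
    "11/02-10:59:01.123456  [**] [1:1000002:3] EXAMPLE SCAN SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:45000 -> 198.51.100.5:22",
    # portscan preprocessor line
    "11/02-10:59:02.000001  [**] [122:1:1] Portscan detected from 192.0.2.11",
    # syslog-relayed line of the shape Derek's regex expects
    "Nov  2 10:59:03 sensor snort[1234]: [1:1000002:3] EXAMPLE SCAN SSH probe "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.12:45001 -> 198.51.100.5:22",
    # same shape but ICMP: no ports, so the trailing ':' in Derek's regex never matches
    "Nov  2 10:59:04 sensor snort[1234]: [1:1000001:1] EXAMPLE ICMP ping "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.13 -> 198.51.100.5",
    # spp_portscan2 variant
    "11/02-10:59:05.000002 [**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.14",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    alerts, skipped = process_pipe(SAMPLE_LINES)
    for a in alerts:
        print(a)
    print("skipped (unknown input):", skipped)
```

Two things the run shows that the thread only implies. First, with the classic regex `descr` receives only the first word of the rule name, because `(.+?)\s+.+?` stops at the first whitespace; that is cosmetic here since the example keys on sid and source address. Second, Derek's regex requires `host:port` on both sides, so an ICMP alert (no ports) falls through to the "unknown input" branch and is silently skipped apart from the warning; if those alerts should raise violations, the regex needs a branch without the trailing colons, and counting the skipped lines as above is a cheap way to notice the gap.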
