Hello Michael,

>> I configure a violation with a trigger of Suricata Event 2523358, the 
>> violation is not triggered

The “suricata_event” trigger type takes a string matching the rule name as a 
trigger id, which, in your case, is “ET TOR”.
To trigger a violation based on the detected alert ID, you should use the 
“detect” trigger type rather than the “suricata_event” one.

Let me know

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
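As an added illustration (not code from this thread or from PacketFence itself), a small Python parser for the pfdetect.log line quoted below that pulls the rule name and the numeric signature id out as separate fields, plus a matcher that mirrors the distinction above: "suricata_event" compares the rule-name string, "detect" compares the numeric id. The field positions after the message and the prefix match on the rule name are assumptions, not documented PacketFence behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample: the pfdetect.log line quoted in this thread, re-joined on one line.
SAMPLE_LINE = (
    "Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 "
    "SecurityOnion sguil_alert: 16:32:08 pid(3772)  Alert Received: 0 2 "
    "misc-attack SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known "
    "Tor Relay/Router (Not Exit) Node Traffic group 680} 94.242.231.98 "
    "192.168.12.201 6 443 53764 1 2523358 2493 112 112' (main::_run_detector)"
)

@dataclass
class SguilAlert:
    rule_name: str  # text inside the second {...} group: the Suricata rule message
    src_ip: str
    dst_ip: str
    gid: int        # generator id
    sid: int        # signature id, the number the poster used as "Suricata Event"
    rev: int

_BRACE_GROUP = re.compile(r"\{([^}]*)\}")

def parse_sguil_alert(line: str) -> SguilAlert:
    """Pull the rule name and the numeric ids out of a sguil_alert line.
    Field positions after the message (src dst proto sport dport gid sid rev)
    are an assumption read off the sample line, not a documented format."""
    groups = list(_BRACE_GROUP.finditer(line))
    if len(groups) < 2:
        raise ValueError("expected {timestamp} and {message} groups in alert line")
    msg = groups[1]
    # Everything after the message, up to the quote that closes the pfdetect wrapper.
    tail = line[msg.end():].split("'")[0].split()
    if len(tail) < 8:
        raise ValueError("alert line truncated before gid/sid/rev")
    return SguilAlert(rule_name=msg.group(1).strip(), src_ip=tail[0], dst_ip=tail[1],
                      gid=int(tail[5]), sid=int(tail[6]), rev=int(tail[7]))

def trigger_matches(trigger_type: str, trigger_id: str, alert: SguilAlert) -> bool:
    """'suricata_event' compares the rule-name string, 'detect' compares the
    numeric signature id. The prefix match on the rule name is an assumption."""
    if trigger_type == "suricata_event":
        return alert.rule_name.startswith(trigger_id)
    if trigger_type == "detect":
        return trigger_id.isdigit() and int(trigger_id) == alert.sid
    raise ValueError(f"unknown trigger type: {trigger_type}")

def which_trigger_fires(trigger_id: str, line: str) -> list:
    """Return the trigger types a given trigger id would satisfy for this log line."""
    alert = parse_sguil_alert(line)
    return [t for t in ("suricata_event", "detect") if trigger_matches(t, trigger_id, alert)]
```

Running `which_trigger_fires("2523358", SAMPLE_LINE)` shows that the numeric id only satisfies the "detect" type, which is why a "suricata_event" trigger configured with that number never fires.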

> On Feb 18, 2016, at 1:21 PM, Ludovic Zammit <lzam...@inverse.ca> wrote:
> 
> Hello Michael,
> 
> Can you post the configuration of your violation from the 
> conf/violations.conf here ?
> 
> Thanks,
> Ludovic Zammit
> lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 
> 
> 
> 
>> On Feb 18, 2016, at 11:38, Michael R. Haag <michael.h...@madisoncounty.ny.gov> wrote:
>> 
>> Hello,
>>  
>> I have Suricata on SecurityOnion sending events to a Packetfence 5.7.0 ZEN 
>> server. The events do arrive on the Packetfence server and show in 
>> /usr/local/pf/logs/pfdetect.log. For example:
>>  
>> Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 
>> SecurityOnion sguil_alert: 16:32:08 pid(3772)  Alert Received: 0 2 
>> misc-attack SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known 
>> Tor Relay/Router (Not Exit) Node Traffic group 680} 94.242.231.98 
>> 192.168.12.201 6 443 53764 1 2523358 2493 112 112
>> ' (main::_run_detector)
>>  
>>  
>> If I configure a violation with a trigger of Suricata Event 2523358, the 
>> violation is not triggered. I must be missing something. What should I check 
>> to troubleshoot this issue?
>>  
>>  
>> Thank you,
>>  
>> Michael R. Haag
>> Computer Services Technician
>> Department of Information Technology
>> Madison County, NY
>> (315) 366-2204
>>  
>> ------------------------------------------------------------------------------
>> Site24x7 APM Insight: Get Deep Visibility into Application Performance
>> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
>> Monitor end-to-end web transactions and take corrective actions now
>> Troubleshoot faster and improve end-user experience. Signup Now!
>> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
