Hi,
What about iptables?
Greets,
Holger
From: Morgan, Darren [mailto:[email protected]]
Sent: Monday, 9 May 2016 17:48
To: [email protected]
Subject: [PacketFence-users] Sending Security Onion alerts to PacketFence
Hi,
We have SecurityOnion (using Suricata) and PacketFence working well on our
network. I'm currently trying to send the alerts from the Security Onion
server to the PacketFence server. I've followed the instructions in the
Administration Guide (Chapter 13; we're using PF version 5.7), but I can't seem
to get the alerts to show up in PacketFence. Does anyone have any ideas where
I can start trying to solve this issue? I've changed the syslog-ng.conf on the
SecurityOnion server to log to a file to prove it works (Every alert shows in
the file) but when I set it to send to the PacketFence server nothing appears
to happen. There seems to be an outgoing connection from the Security Onion
server to our PacketFence server:
Output of netstat -peanut:
udp 0 0 127.0.0.1:52444 127.0.0.1:514 ESTABLISHED 989 20594 1641/ossec-csyslogd
udp 0 0 192.168.XXX.231:57654 192.168.XXX.232:514 ESTABLISHED 0 13027154 8498/syslog-ng
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 13027150 8498/syslog-ng
But I don't seem to get an equivalent connection on the PacketFence server side:
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 699304 3167/rsyslogd
So I assume the port is just listening.
I've checked that on the PacketFence server I've modified rsyslog.conf,
created securityonion_ids.conf, and made sure the alerting pipe exists.
I've also configured a new syslog parser through the GUI and created alerts (in
this case to alert on any P2P traffic, of which Security Onion shows we have
approx. 150 incidents a day).
Does anyone have any pointers where I can start digging to solve this?
Many thanks
Darren Morgan
Systems Manager
Oundle School
This email is sent from either Oundle School or Laxton Junior School for The
Corporation of Oundle School and is intended only for the addressee named
above. The Corporation of Oundle School is a Charity incorporated under Royal
Charter RC000396 and charity number 309921.
www.oundleschool.org.uk
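The thread turns on whether the UDP/514 datagrams from the Security Onion sensor ever reach the PacketFence host, and the netstat output above cannot settle that: a UDP socket shows ESTABLISHED as soon as the sender calls connect(), which records the peer locally and proves nothing about delivery. The script below is an added example (not part of the original post, and not PacketFence or Security Onion code) that isolates the syslog hop: `send` mimics what syslog-ng does on the sensor, `listen` stands in for rsyslog's imudp on the PacketFence side, and `loopback` self-tests both on one host. The sample alert is a constructed Suricata fast.log line with a made-up SID and made-up addresses; the parser extracts the fields a syslog parser rule on the receiving side would need (signature ID, source IP) and is my own regex, not PacketFence's parser.

```python
"""Probe for the syslog hop between Security Onion and PacketFence
(added example, not PacketFence or Security Onion code).

'send' mimics syslog-ng on the sensor (one UDP datagram per alert);
'listen' stands in for rsyslog's imudp on the PacketFence host, so the two
can be run on the two hosts to prove whether datagrams cross the wire
before looking at rsyslog, the alerting pipe, or the PacketFence parser.
"""
import argparse
import re
import socket
import threading

# Constructed sample: a Suricata fast.log alert as syslog-ng would forward it
# (RFC 3164 framing; the alert text follows the program name). The SID and
# the addresses are made up for illustration.
SAMPLE_ALERT = (
    "<13>May  9 17:48:01 securityonion suricata: "
    "05/09/2016-17:48:01.123456  [**] [1:2000334:8] ET P2P BitTorrent peer sync [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 192.168.1.50:51413 -> 10.0.0.5:6881"
)

# Fields a syslog parser rule on the PacketFence side needs: the signature ID
# to match a trigger on, and the source IP to act against. Own regex, not PF's.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a Suricata alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def send_syslog(host, port, message):
    """Send one syslog datagram the way syslog-ng's udp() destination does.

    connect() on a UDP socket is what makes netstat report ESTABLISHED: it
    stores the peer address locally and says nothing about delivery, which is
    why the sensor side can look fine while nothing arrives at the receiver.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((host, port))
        s.send(message.encode("utf-8"))


class Receiver:
    """Minimal stand-in for rsyslog's imudp listener."""

    def __init__(self, host="0.0.0.0", port=514):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.port = self.sock.getsockname()[1]  # the real port when 0 was requested
        self.received = []

    def receive_one(self, timeout=5.0):
        """Wait for one datagram; return its text, or None on timeout."""
        self.sock.settimeout(timeout)
        try:
            data, peer = self.sock.recvfrom(65535)
        except socket.timeout:
            return None
        line = data.decode("utf-8", errors="replace")
        self.received.append((peer[0], line))
        return line

    def close(self):
        self.sock.close()


def loopback_check(message=SAMPLE_ALERT):
    """Self-test on one host: bind an ephemeral loopback port, send, receive, parse.

    Returns the parsed alert dict, or None if nothing arrived or it did not parse.
    The socket is bound before the sender runs, so the datagram is queued even
    if the receiving thread has not reached recvfrom() yet.
    """
    rx = Receiver("127.0.0.1", 0)
    t = threading.Thread(target=rx.receive_one, args=(3.0,))
    t.start()
    send_syslog("127.0.0.1", rx.port, message)
    t.join()
    rx.close()
    if not rx.received:
        return None
    return parse_alert(rx.received[0][1])


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    sub = ap.add_subparsers(dest="cmd", required=True)
    p = sub.add_parser("send", help="run on the Security Onion host")
    p.add_argument("host")
    p.add_argument("--port", type=int, default=514)
    l = sub.add_parser("listen", help="run on the PacketFence host (stop rsyslog first; port 514 needs root)")
    l.add_argument("--port", type=int, default=514)
    sub.add_parser("loopback", help="self-test on one host")
    a = ap.parse_args()
    if a.cmd == "send":
        send_syslog(a.host, a.port, SAMPLE_ALERT)
        print("sent one datagram to %s:%d" % (a.host, a.port))
    elif a.cmd == "listen":
        line = Receiver("0.0.0.0", a.port).receive_one(timeout=60)
        print(parse_alert(line) if line else "nothing in 60 s: check the receiver's iptables and the route")
    else:
        print(loopback_check())
```

Reading the result: if `listen` on the PacketFence host never sees the datagram that `send` emitted from the sensor, the problem is on the wire or in the receiving host's firewall (Holger's iptables point), not in rsyslog, the pipe or the parser; if it does arrive, the next thing to confirm is that rsyslog actually loads imudp and that the securityonion_ids.conf rule writes the line into the alerting pipe that PacketFence reads. Note that PacketFence manages the host's iptables rules itself, so a permanent allow rule for UDP/514 on the management interface belongs in its own iptables configuration rather than in a one-off `iptables` command that it will overwrite.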
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users