> It's been a long day…

He's not even sure of his own name! ;)

> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU

Cheers!
-dw.

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On May 11, 2016, at 16:25, Sallee, Jake <[email protected]> wrote:
>
> NVM
>
> Ignore that last email.
>
> I somehow missed the whole last portion of your email.
>
> It's been a long day...
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Sallee, Jake <[email protected]>
> Sent: Wednesday, May 11, 2016 3:18 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Sending Security Onion alerts to PacketFence
>
> How are you exporting the alerts from SO?
>
> In my tests I had to re-write the parsing logic in PF because the format they
> were leaving my SO box in was not the standard SNORT format.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: [email protected] <[email protected]>
> Sent: Wednesday, May 11, 2016 12:59 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Sending Security Onion alerts to PacketFence
>
> Hi,
>
> What about IP-Tables??
>
> Greets,
> Holger
>
> From: Morgan, Darren [mailto:[email protected]]
> Sent: Monday, 9 May 2016 17:48
> To: [email protected]
> Subject: [PacketFence-users] Sending Security Onion alerts to PacketFence
>
> Hi,
>
> We have SecurityOnion (using Suricata) and PacketFence working well on our
> network. I'm currently trying to send the alerts from the Security Onion
> server to the PacketFence server. I've followed the instructions within the
> Administration Guide (Chapter 13; we're using PF version 5.7), but I can't
> seem to get the alerts to be shown in PacketFence. Does anyone have any
> ideas where I can start trying to solve this issue? I've changed the
> syslog-ng.conf on the SecurityOnion server to log to a file to prove it works
> (every alert shows in the file), but when I set it to send to the PacketFence
> server nothing appears to happen. There seems to be an outgoing connection
> from the Security Onion server to our PacketFence server:
>
> Output of netstat -peanut:
>
> udp 0 0 127.0.0.1:52444 127.0.0.1:514 ESTABLISHED 989 20594 1641/ossec-csyslogd
> udp 0 0 192.168.XXX.231:57654 192.168.XXX.232:514 ESTABLISHED 0 13027154 8498/syslog-ng
> udp 0 0 0.0.0.0:514 0.0.0.0:* 0 13027150 8498/syslog-ng
>
> But I don't seem to get an equivalent connection on the PacketFence server
> side:
>
> udp 0 0 0.0.0.0:514 0.0.0.0:* 0 699304 3167/rsyslogd
>
> So I assume the port is just listening.
>
> I've checked that on the PacketFence server I've modified the rsyslog.conf,
> created the securityonion_ids.conf, and made sure the alerting pipe
> exists. I've also configured a new syslog parser through the GUI and created
> alerts (in this case to alert on any P2P traffic, which Security Onion shows
> that we have approx. 150 incidents a day).
>
> Does anyone have any pointers where I can start digging to solve this?
>
> Many thanks
>
> Darren Morgan
> Systems Manager
> Oundle School
>
> This email is sent from either Oundle School or Laxton Junior School for The
> Corporation of Oundle School and is intended only for the addressee named
> above. The Corporation of Oundle School is a Charity incorporated under
> Royal Charter RC000396 and charity number 309921.
> www.oundleschool.org.uk
>
> ________________________________
>
> Scanned by iCritical.
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of MDM
> restrictions. Mobile Device Manager Plus allows you to control only the
> apps on BYO-devices by containerizing them, leaving personal data untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
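As an added illustration of the format mismatch Jake describes (my own code, not from the thread, Security Onion or PacketFence): a parser anchored to the classic Snort syslog alert shape rejects a Suricata fast.log line as syslog-ng would forward it, while a parser that first strips the fast.log decoration extracts the same fields from both. The two sample alert lines, the rule id, the hosts and the regexes are all constructed for this example and only approximate the Snort alert layout; PacketFence's actual parser is not reproduced here.

```python
import re
from typing import Optional

# Constructed sample alerts (rule id, hosts and ports are made up).
# 1) Classic Snort syslog alert, the shape a Snort-style parser is written for.
SNORT_LINE = (
    "snort[1641]: [1:2008581:3] ET P2P BitTorrent DHT ping request "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 2] "
    "{UDP} 192.168.10.231:6881 -> 10.0.0.5:6881"
)
# 2) The same alert as Suricata's fast.log writes it, forwarded by syslog-ng:
#    a syslog header, a fast.log timestamp and "[**]" markers are added.
SURICATA_LINE = (
    "May 11 16:25:01 securityonion suricata: 05/11/2016-16:25:01.234567  [**] "
    "[1:2008581:3] ET P2P BitTorrent DHT ping request [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 2] "
    "{UDP} 192.168.10.231:6881 -> 10.0.0.5:6881"
)

# Fields common to both layouts: rule id, message, classification, priority,
# protocol and the source/destination endpoints (constructed approximation).
CORE = (
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<class>[^\]]*)\]\s*\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
# Strict variant: anchored to the classic "snort[pid]: [gid:sid:rev] ..." prefix.
STRICT = re.compile(r"^\S+\[\d+\]:\s+" + CORE)
TOLERANT = re.compile(CORE)

def parse_strict(line: str) -> Optional[dict]:
    """Snort-only parser: returns None for anything not in the classic shape."""
    m = STRICT.match(line)
    return m.groupdict() if m else None

def normalize(line: str) -> str:
    """Strip fast.log decoration: remove '[**]' and everything before the rule id."""
    line = line.replace("[**]", " ")
    rule_id = re.search(r"\[\d+:\d+:\d+\]", line)
    return line[rule_id.start():] if rule_id else line

def parse_alert(line: str) -> Optional[dict]:
    """Accepts both layouts by normalizing first, then matching the common core."""
    m = TOLERANT.match(normalize(line))
    return m.groupdict() if m else None

if __name__ == "__main__":
    for line in (SNORT_LINE, SURICATA_LINE):
        print(f"strict={parse_strict(line) is not None} tolerant={parse_alert(line)}")
```

Writing each received line to a file first, as Darren did on the Security Onion side, and running it through both parsers shows whether a silent drop is a transport problem or a parsing one.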
