Hi,
The "detect" trigger matches numerical SIDs found in Snort and Suricata
generated "alert" logs, which have a different format then the
"digested" logs of SecurityOnion.
As an exemple, here is the kind of logs that Suricata and Snort
generates when in "alert" mode:
'07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request
field missing colon [**] [Classification: Generic Protocol Command
Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'
You should use "suricata_event" triggers in your SecurityOnion related
violations, which match text and are more generic.
Modify the violation 1500003for it to match "ET P2P Vuze BT UDP
Connection". That would be a broader match and would also generate a
violation for the following SIDs:
sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection ||
url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) ||
url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) ||
url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) ||
url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) ||
url,doc.emergingthreats.net/2010144 || url,vuze.com
Regards,
Thierry Laurion
>
> An update, I’m now getting the alerts hitting pfdetect, but they’re
> still not triggering the violation with the same ID.
>
> pfdetect.log shows:
>
> Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct 7 14:23:40
> idsman01 securityonion_ids: 14:23:40 pid(24921) Alert Received: 0 1
> policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET
> P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344
> 1 2010140 6 92 92
>
> ' (main::_run_detector)
>
>
>
>
>
> The relevant section of violation.conf is:
>
> [1500003]
>
> trigger=detect::2010140
>
> actions=email_admin,reevaluate_access,log
>
> max_enable=10
>
> desc=P2P Vuze2
>
> enabled=Y
>
> template=p2p
>
> grace=2h
>
>
>
>
>
> *From:*Morris, Andi [mailto:[email protected]]
> *Sent:* 07 October 2016 14:56
> *To:* [email protected]
> *Subject:* [PacketFence-users] Security Onion alerts not triggering
>
>
>
> Hi all,
>
> I have configured my security onion server to send alerts to my
> packetfence server (version 6.2.1), and I can see that they’re getting
> there through TCPdump.
>
>
>
> IDS server:
>
> 13:37:02.260031 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 240
>
> 13:37:02.260216 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
>
> 13:37:12.271539 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 13:37:57.325078 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> 13:37:57.326236 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
>
> 13:38:07.342397 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
>
> 13:38:37.377503 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 13:38:55.401715 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 13:38:55.401858 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 13:38:55.401895 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 13:38:55.401921 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 13:39:03.412383 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 13:39:07.418010 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 13:39:07.418098 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 13:39:07.418113 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 13:39:07.418132 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 13:39:07.418153 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> 13:39:07.418172 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> 13:39:22.434608 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> PF server:
>
> 14:37:12.272395 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 14:37:57.325970 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> 14:37:57.326980 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
>
> 14:38:07.343228 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
>
> 14:38:37.378338 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 14:38:55.402550 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 14:38:55.402583 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 14:38:55.402610 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 14:38:55.402632 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
>
> 14:39:03.413187 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
>
> 14:39:07.418795 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 14:39:07.418819 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 14:39:07.418836 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 14:39:07.418865 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
>
> 14:39:07.418922 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
> 14:39:07.418927 IP idsserver.internal.domain.35871 >
> packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
>
>
>
> I’ve configured the rsyslog as per the packetfence docs, and created
> the syslog parser and the violations I’d like to trigger. However the
> violation isn’t triggering when I can see from the sguild.log on the
> IDS server that it’s being seen. Looking at pfdetect.log I can see the
> following which suggests that for some reason the syslogger isn’t
> sending the alert to packetfence:
>
> Oct 07 14:46:41 pfdetect(11814) INFO: pfdetect starting and writing
> 11814 to /usr/local/pf/var/run/pfdetect.pid
> (pf::services::util::createpid)
>
> Oct 07 14:46:41 pfdetect(11814) INFO: initialized (main::)
>
>
>
> /var/log/messages shows:
>
> Oct 7 13:53:09 idsserver sguil_alert: 13:53:09 pid(29886) Alert
> Received: 0 1 policy-violation idsserver-eth0-7 {2016-10-07 13:53:08}
> 21 173758 {ET P2P Vuze BT UDP Connection} 10.6.198.173 117.199.69.129
> 17 10600 10600 1 2010140 6 77 77
>
>
>
> Is the format causing issues?
>
> How about the timestamp? I can see that the IDS server is using UTC
> but my PF server is on GMT+1.
>
>
>
> Cheers,
>
> Andi
>
>
>
> -------------------------------------
>
> Andi Morris
>
> IT Security Officer
> Cardiff Metropolitan University
>
> T: 02920 205720
> E: [email protected] <mailto:[email protected]>
>
> --------------------------------------
>
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
