Hi All,

I have a problem with configuration. Of course I read the documentation and tutorials, but it didn't resolve my problem. Could you help me with that?

My purpose is building a configuration (PF+Nessus) in which, when I plug some vulnerable host into the switch (e.g. with the WannaCry vulnerability), Nessus detects it and moves that host to a separate VLAN.

I have installed and configured PacketFence. I'm using a test switch, which is a Cisco Catalyst 2960G. PF was configured in VLAN enforcement and VLAN enforcement works fine.

Next, I installed Nessus 6. I added a new account for collaborating with PacketFence and I created a new scanner and a new policy in Nessus (both are called "wannacry_audit"). Next, in PacketFence I created a new scanner. I chose Nessus6 and I filled in all required gaps, also the name of the scanner and policy. Next I went to the Violation configuration. My first question is: can I use the existing violation called "Nessus Scan" or should I create a new violation with a different (new) ID? Because I wasn't sure, I modified the existing "Nessus scan".

Next question: how and where could I find the ID of the scanner which should be added to triggers?

I found in the Nessus subdirectory a file which should be related to the type of scanner which I chose (WannaCry Ransomware (MS17-010 / CVE-2017-0144)). The file is /opt/nessus/lib/nessus/plugins/smb_nt_ms17-010.nasl. The file includes a line "script_id(97737);". I suppose that 97737 is the ID which I have to write as the trigger in the violation. So I did it.

The next configuration step which I made was editing the default configuration profile and adding the defined scanner (wannacry_audit) to the profile. Finally, I connected a laptop with an out-of-date Windows XP system to the switch port. Unfortunately, in the log file packetfence.log I saw every time
error lines such as below (I bolded it):

Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] grace expired on violation 1200004 for node 00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] violation 1200004 added for 00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] executing action 'log' on class 1200004 (pf::action::action_execute)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] /usr/local/pf/logs/violation.log 2017-06-22 22:54:19: Post Reg System Scan (1200004) detected on node 00:24:e8:xx:xx:xx (192.168.0.11) (pf::action::action_log)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO: [mac:00:24:e8:xx:xx:xx] New ID generated: 149816486064eeff (pf::util::generate_id)
Jun 22 22:54:21 pf pfqueue: pfqueue(2083) ERROR: [mac:00:24:e8:xx:xx:xx] Can't locate object method "get_scanner_id" via package "Net::Nessus::REST" at /usr/local/pf/lib/pf/scan/nessus6.pm line 106. (pf::api::can_fork::notify)

Could you tell me what's the problem? I was trying to modify the configuration in different ways (both on PacketFence and on Nessus), but every time the error happened and the vulnerability scanner doesn't work.

Best regards,
Jacek Kurek
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users