Hello Jacek,
I am not sure where you should find the Nessus ID for the trigger, but
what you have seems to be right.
Your whole configuration looks fine.
For the error you get, it seems to be a bug in the code. Try to apply the
following patch, restart pfqueue and try again.
diff --git a/lib/pf/scan/nessus6.pm b/lib/pf/scan/nessus6.pm
index ec15b57..17043d9 100644
--- a/lib/pf/scan/nessus6.pm
+++ b/lib/pf/scan/nessus6.pm
@@ -103,7 +103,7 @@ sub startScan {
return 1;
}
- my $scanner_id = $nessus->get_scanner_id(name => $scanner_name);
+ my $scanner_id = $nessus->get_scan_id(name => $scanner_name);
if ($scanner_id eq ""){
$logger->warn("Nessus scanner name doesn't exist ".$scanner_id);
return 1;
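Review bot: The replacement line in startScan still passes name => $scanner_name and still stores the result in $scanner_id, but the method called is now get_scan_id, whose name suggests it looks up a scan rather than a scanner. Please confirm that it resolves a scanner name; if it does not, the "Can't locate object method" error goes away but the ID is empty or belongs to the wrong object. Separately, the warn in the trailing context concatenates $scanner_id, which is the empty string in that branch, so the log never shows which name failed: log $scanner_name there instead, and consider checking for an undefined return as well as for "".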
You could create a file nessus_patch.diff and use the patch command to
apply it:
patch -p1 < nessus_patch.diff
Let us know if that helps,
Thanks
On 06/28/2017 11:39 AM, Jacek Kurek via PacketFence-users wrote:
Hi All,
I have a problem with configuration. Of course I read documentation
and tutorials but it didn't resolve my problem. Could you help me with
that?
My purpose is building a configuration (PF+Nessus) in which, when I
plug some vulnerable host into the switch (e.g. with the WannaCry
vulnerability), Nessus detects it and moves that host to a
separate VLAN.
I have installed and configured PacketFence. I'm using a test switch,
which is a Cisco Catalyst 2960G. PF was configured in VLAN enforcement
and VLAN enforcement works fine.
Next, I installed Nessus 6. I added a new account for collaborating
with PacketFence and I created a new scanner and a new policy in Nessus
(both are called "wannacry_audit"). Next, in PacketFence I created a new
scanner. I chose Nessus6 and I filled all required gaps, also the name of
the scanner and policy. Next I went to the Violation configuration. _My first
question is: can I use the existing violation called "Nessus Scan" or
should I create a new violation with a different (new) ID?_ Because I
wasn't sure, I modified the existing "Nessus scan". _Next question: how
and where could I find the ID of the scanner which should be added to
triggers?_
I found in a Nessus subdirectory the file which should be related with
the type of scanner which I chose (WannaCry Ransomware (MS17-010 /
CVE-2017-0144)). The file is
/opt/nessus/lib/nessus/plugins/smb_nt_ms17-010.nasl. The file
includes a line "script_id(97737);". I suppose that 97737 is the ID
which I have to write as the trigger in the violation. So I did it.
The next configuration step which I made was editing the default
configuration profile and adding the defined scanner (wannacry_audit) to
the profile. Finally I connected a laptop with an out-of-date Windows XP
system to the switch port. Unfortunately, in the log file
packetfence.log I saw error lines such as the ones below every time (I bolded it):
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] grace expired on violation 1200004 for node
00:24:e8:xx:xx:xx (pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] violation 1200004 added for 00:24:e8:xx:xx:xx
(pf::violation::violation_add)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] executing action 'log' on class 1200004
(pf::action::action_execute)
Jun 22 22:54:19 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] /usr/local/pf/logs/violation.log 2017-06-22
22:54:19: Post Reg System Scan (1200004) detected on node
00:24:e8:xx:xx:xx (192.168.0.11) (pf::action::action_log)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Jun 22 22:54:20 pf pfqueue: pfqueue(2083) INFO:
[mac:00:24:e8:xx:xx:xx] New ID generated: 149816486064eeff
(pf::util::generate_id)
*_Jun 22 22:54:21 pf pfqueue: pfqueue(2083) ERROR:
[mac:00:24:e8:xx:xx:xx] Can't locate object method "get_scanner_id"
via package "Net::Nessus::REST" at
/usr/local/pf/lib/pf/scan/nessus6.pm line 106.
(pf::api::can_fork::notify)_*
Could you tell me what the problem is? I was trying to modify the
configuration in different ways (both on PacketFence and on Nessus),
but every time the error happened and the vulnerability scanner doesn't work.
Best regards,
Jacek Kurek
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)