Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-18 Thread Boley, Chris
--

Message: 3
Date: Mon, 9 Nov 2015 11:52:38 -0500
From: Derek Wuelfrath <dwuelfr...@inverse.ca>
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
(Derek, Wuelfrath)
To: ML PF <packetfence-users@lists.sourceforge.net>
Message-ID: <7b94b90d-6698-4f69-94b9-711bf0cea...@inverse.ca>
Content-Type: text/plain; charset=utf-8

Please tell me the specific version of PacketFence you are running (cat 
/usr/local/pf/conf/pf-release) and I will point you to the exact lines to change :)

Thanks

Cheers!
dw.

--
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

--

Message: 4
Date: Mon, 9 Nov 2015 11:53:19 -0500
From: Derek Wuelfrath <dwuelfr...@inverse.ca>
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
(Derek, Wuelfrath)
To: ML PF <packetfence-users@lists.sourceforge.net>
Message-ID: <c67f7044-a901-48ee-8814-c999dbe10...@inverse.ca>
Content-Type: text/plain; charset=utf-8

> I saw your suggestion regarding SecurityOnion however I am running Suricata 
> from a FreeBsd platform within Jails.
> Security Onion doesn't offer that for me.

The refactor also includes support for remote Suricata and Snort :)

Cheers!
dw.

--
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-04 Thread Boley, Chris
Derek. At last mail I had told you that adapting the regex was problematic 
because what I had in my packet fence was very different from what you had 
described.
"https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
Commenting out lines 103 to 131 and adding your new regex code afterward 
According to changelog in my system: Last commit date showed Date:   Fri Jul 24 
10:34:46 2015 -0400 
I'm pretty sure my version is 5.3.1

So again: 
Where/how should I apply your suggested regex code seen below?

  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;
      $sid   = $2;
      $descr = $3;
      $srcip = $5;
      $dstip = $6;
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }


===
I saw your suggestion regarding SecurityOnion however I am running Suricata 
from a FreeBsd platform within Jails.
Security Onion doesn't offer that for me.
Thanks!

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-02 Thread Boley, Chris
Derek, in a previous mail you had stated that I should make some modifications 
to a few files. I'm having a bit of trouble interpreting what I should do. 
Hoping you can shed some wisdom here.  Everything else is ready to go. Thanks.

(quoting you from previous mail)
- Remove the following check from pfcmd checkup
  
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303
-
So my file should read like this now?   Just verifying because it seemed 
odd that I hadn't commented out that first portion of that section.
===
# make sure a monitor device is present if trapping.detection is enabled
if ( !$monitor_int ) {
#add_problem( $FATAL,
#"monitor interface not defined, please disable trapping.detection 
" .
#"or set an interface type=...,monitor in pf.conf"
#);
#}
#

Additionally (quoting you again):
- Adapt pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131
  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;
      $sid   = $2;
      $descr = $3;
      $srcip = $5;
      $dstip = $6;
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }
==
Problem I'm facing: your file, as quoted from the URL, looks like this:

$logger->info("initialized");
{id} = $id;
my $pid = fork();
if($pid) {
    $CHILDREN{$pid} = $detector->{id};
    $SIG{CHLD} = "IGNORE";
} elsif ($pid == 0) {
    $SIG{CHLD} = "DEFAULT";
    $IS_CHILD = 1;
    _run_detector($detector);
} else {
}
}

=head2 _run_detector
the task is run in a loop until it is finished
=cut
=
My file looks very different and I'm unsure what to do with it. See below
---
$logger->info("initialized");
logdie("unable to open snort pipe ($snortpipe): $!");
} else {
    $logger->info("listening on $snortpipe");
}

while (<$snortpipe_fh>) {

    $logger->info("alert received: $_");
    if ( $_
        =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    {                                                   <--LINE 103
        $date  = $1;
        $sid   = $2;
        $descr = $3;
        $srcip = $4;
        $dstip = $6;
    } elsif ( $_
        =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } elsif ( $_
        =~ /^(.+?)\[\*\*\] \[\d+:(\d+):\d+\]\s+\(spp_portscan2\) Portscan detected from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } else {
        $logger->warn("unknown input: $_ ");
        next;
    }

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath) (Boley, Chris)

2015-10-15 Thread Boley, Chris
Hi Derek, progress report:
DONE - You then need to configure syslog-ng to send a copy of the Suricata log 
to the PacketFence management IP address
  filter f_suricata { match('suricata:' value("MSGHDR")); };
  destination d_suricata { tcp("192.168.5.10"); };
  log { source(src); filter(f_suricata); destination(d_suricata); };

DONE - You need to allow tcp port 514 on the PacketFence firewall (edit the 
/usr/local/pf/conf/iptables.conf file should be enough)
DONE - Make rsyslog (running on the PacketFence server) to listen for remote 
syslog messages
  Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

DONE - Make sure alert pipe file exists (/usr/local/pf/var/alert)
  mkfifo /usr/local/pf/var/alert

Added to rsyslog.conf :

#Configure rsyslog to log remote Suricata log in alert pipe
  :programname, isequal, "suricata" |/usr/local/pf/var/alert



Derek, you had put in your original instructions some portion mentioning this:
- Configure trapping on PacketFence
  trapping.detection = enabled
  services.snort = disabled
  services.suricata = disabled

My pf.conf file looks almost naked at this time because my packetfence is a 
nearly 100% fresh install so, to clarify it seems easier to:
1. take the pf.conf.defaults,
2. cp it to pf.conf.defaults1, 
3. transpose all my current pf.conf information into the defaults1 file then 
add your editing notations
4. mv pf.conf to pf.conf.bak
5. mv pf.conf.defaults1 to pf.conf

Reboot server or restart services. (I'm still not sure what the appropriate 
service restart syntax is for PacketFence services.)

Before I go and do all this, am I headed in the right direction? Afterward I 
would be modifying the checkup.pm and adapting pfdetect regex.
And that should finish up what's necessary to send remote suricata server 
syslog alerts over to Packet Fence.

Thanks.
Chris Boley

[PacketFence-users] Suricata alerts to Packet Fence (Derek Wuelfrath)

2015-10-14 Thread Boley, Chris
Hi Derek, on your last suggestion I basically replaced syslogd on FreeBSD with 
syslog-ng so as to more easily mimic your instructions:
You had suggested some syslog-ng config changes.
I put them verbatim right in the bottom of the cfg file without modifying 
anything else. Seemed like the easiest route to take.

filter f_suricata { match('suricata:' value("MSGHDR")); };
destination d_suricata { tcp("192.168.5.10"); };
log { source(src); filter(f_suricata); destination(d_suricata); };

On the middle (destination) line, should that be UDP and not TCP? Syslog is 
typically UDP 514. Otherwise it looks like the desired effect is happening.

A quick netstat shows:

root@suricata:/usr/ports/sysutils/syslog-ng # netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.5.249.25801    192.168.5.10.shell     SYN_SENT


Thanks.
Chris Boley
[PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog

2015-10-13 Thread Boley, Chris
I'm looking for the correct information to send syslog based alert data from a 
remote Suricata sensor to Packet fence. 
I'm unsure of how to make PacketFence know that it will be getting alerts via 
syslog . 
I've tried to find the appropriate documentation regarding this, however it 
seems a bit hard to locate. 
Can anyone point me in the correct direction?

So far I think I would need to change suricata.yaml to reflect the following 
items (I'd be grateful for any advice there):

# a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Alert

# Define your logging outputs.  If none are defined, or they are all
# disabled you will get the default - console output.
outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "

I'm using vanilla syslogd on FreeBSD as my syslog on the sensor.
 I realize I will have to make some changes to its config to forward the alerts 
to the PacketFence server.
I'm not even sure if the syslog format that will be input from suricata to 
syslogd will be compatible. 
I might have to manipulate it with a template in the conf file.


I'm happy to do the reading. 
I've googled and googled and found not much of any meaningful info where this 
topic is concerned. 
I was hoping someone might know of some useful documentation on how to 
manipulate PacketFence and get it to start acting on Suricata alerts...


Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC 


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog

2015-10-13 Thread Boley, Chris
Thanks Derek! I will dig into this and let you know where I land.

Message: 1
Date: Tue, 13 Oct 2015 11:08:07 -0400
From: Derek Wuelfrath <dwuelfr...@inverse.ca>
Subject: Re: [PacketFence-users] Send remote Suricata sensor alerts to
PacketFence via syslog
To: ML PF <packetfence-users@lists.sourceforge.net>
Message-ID: <852d9a2f-31af-446b-806b-5a34d29be...@inverse.ca>
Content-Type: text/plain; charset=utf-8

Hello Chris,

Sorry, I replied to your first message.

I did exactly what you are looking for, but, using syslog-ng on the remote 
sensor.

- You first need to configure Suricata to log to syslog (i think it is the 
default behavior)

- You then need to configure syslog-ng to send a copy of the Suricata log to 
the PacketFence management IP address
  filter f_suricata { match('suricata:' value("MSGHDR")); };
  destination d_suricata { tcp("PACKETFENCE_MANAGEMENT_IP"); };
  log { source(s_syslog); filter(f_suricata); destination(d_suricata); };

- You need to allow tcp port 514 on the PacketFence firewall (edit the 
/usr/local/pf/conf/iptables.conf file should be enough)

- Make rsyslog (running on the PacketFence server) to listen for remote syslog 
messages
  Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

- Make sure alert pipe file exists (/usr/local/pf/var/alert)
  mkfifo /usr/local/pf/var/alert

- Configure rsyslog to log remote Suricata log in alert pipe
  :programname, isequal, "suricata" |/usr/local/pf/var/alert

- Configure trapping on PacketFence
  trapping.detection = enabled
  services.snort = disabled
  services.suricata = disabled

- Remove the following check from pfcmd checkup
  
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303

- Adapt pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131
  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;
      $sid   = $2;
      $descr = $3;
      $srcip = $5;
      $dstip = $6;
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }

Restart both packetfence and rsyslog

Let me know how it goes.

Cheers!
dw.

--
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


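Added worked example (an editor's addition, not code from this thread, from PacketFence or from Suricata): the two pfdetect patterns discussed above, the 5.3.1 one Chris pasted in his 2015-11-02 message and the replacement in Derek's instructions, run in Python's re module, which accepts both Perl patterns unchanged, over constructed sample lines. It shows why the 5.3.1 pattern reports a syslog-forwarded Suricata alert as "unknown input" (it expects Snort's [**] separators) while the replacement pulls the sid and both addresses out of the line rsyslog writes into the pipe. Two things go beyond the thread and are my assumptions: a programname() check that mirrors what rsyslog's `:programname, isequal, "suricata"` filter tests (the tag Suricata sets from the identity key in suricata.yaml), and SYSLOG_ALERT_ANYPORT_RE, a variant of the replacement pattern with the ":port" after each address made optional, because the original's "(.+?):" rejects an alert line that carries no ports. The sample lines, host names, sid values and the helper names (pfdetect_loop, piped_lines) are constructed for this example.

```python
"""Added example: the two pfdetect regexes from this thread, run over constructed lines."""
import re

# Pattern from PacketFence 5.3.1 sbin/pfdetect as pasted in the thread. It wants
# Snort's "[**]" separators, which a Suricata alert forwarded through syslog lacks.
SNORT_ALERT_RE = re.compile(
    r'^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?'
    r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+'
    r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
)

# Replacement pattern from the thread, for the line rsyslog writes into the pipe.
# Groups: 1 syslog timestamp, 2 sid, 3 message, 4 classification, 5 src, 6 dst.
# The "(.+?):" after each address makes a colon (i.e. a port) mandatory.
SYSLOG_ALERT_RE = re.compile(
    r'^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]'
    r'.+?\}\s+(.+?):.+?>\s(.+?):'
)

# Assumed variant (mine, not from the thread): same six groups, ports optional.
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
SYSLOG_ALERT_ANYPORT_RE = re.compile(
    r'^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]'
    r'.+?\}\s+(%s)(?::\d+)?\s+->\s+(%s)(?::\d+)?' % (IPV4, IPV4)
)

# rsyslog's default file format is "Mon DD HH:MM:SS host tag[pid]: msg"; the
# "programname" that ':programname, isequal, "suricata"' tests is the tag minus
# "[pid]". Suricata sets that tag from the "identity" key in suricata.yaml, so
# the two names have to agree or nothing reaches the pipe.
SYSLOG_HEADER_RE = re.compile(
    r'^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s'
)


def programname(line):
    """Programname of an rsyslog-formatted line, or None if the header does not parse."""
    m = SYSLOG_HEADER_RE.match(line)
    return m.group('prog') if m else None


def parse_snort_alert(line):
    """Field extraction exactly as pfdetect 5.3.1 does it ($srcip = $4, $dstip = $6)."""
    m = SNORT_ALERT_RE.match(line)
    if not m:
        return None
    return {'date': m.group(1), 'sid': m.group(2), 'descr': m.group(3),
            'srcip': m.group(4), 'dstip': m.group(6)}


def parse_syslog_alert(line, allow_missing_port=False):
    """Field extraction as the thread's replacement block does it ($srcip = $5, $dstip = $6)."""
    rx = SYSLOG_ALERT_ANYPORT_RE if allow_missing_port else SYSLOG_ALERT_RE
    m = rx.match(line)
    if not m:
        return None
    return {'date': m.group(1), 'sid': m.group(2), 'descr': m.group(3),
            'srcip': m.group(5), 'dstip': m.group(6)}


def pfdetect_loop(lines, parser):
    """Mimic pfdetect's while (<$snortpipe_fh>) loop (hypothetical helper, not PacketFence
    code): return the parsed alerts and the lines it would log as 'unknown input'."""
    alerts, unknown = [], []
    for line in lines:
        fields = parser(line.rstrip('\n'))
        if fields:
            alerts.append(fields)
        else:
            unknown.append(line)
    return alerts, unknown


# Constructed sample input, not captured from any real sensor. SNORT_LINE is shaped like
# a Snort fast alert; SYSLOG_LINE and NOPORT_LINE like Suricata's syslog alert output
# with rsyslog's header in front; NOPORT_LINE has no ":port" after the addresses;
# OTHER_LINE comes from a different program and must never reach the pipe.
SNORT_LINE = ('10/13/15-10:41:05.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check '
              'returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] '
              '{TCP} 192.168.5.249:80 -> 192.168.5.10:51234')
SYSLOG_LINE = ('Oct 13 10:41:05 suricata suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE '
               'id check returned root [Classification: Potentially Bad Traffic] '
               '[Priority: 2] {TCP} 192.168.5.249:80 -> 192.168.5.10:51234')
NOPORT_LINE = ('Oct 13 10:41:07 suricata suricata[1234]: [1:2200001:1] SURICATA example alert '
               '[Classification: Generic Protocol Command Decode] [Priority: 3] '
               '{ICMP} 192.168.5.249 -> 192.168.5.10')
OTHER_LINE = 'Oct 13 10:41:06 suricata sshd[999]: Accepted publickey for chris from 192.168.5.20'


def piped_lines(lines):
    """What rsyslog's programname filter lets through to /usr/local/pf/var/alert."""
    return [l for l in lines if programname(l) == 'suricata']


if __name__ == '__main__':
    piped = piped_lines([SYSLOG_LINE, NOPORT_LINE, OTHER_LINE])
    print('5.3.1 regex   :', pfdetect_loop(piped, parse_snort_alert))
    print('thread regex  :', pfdetect_loop(piped, parse_syslog_alert))
    print('ports optional:', pfdetect_loop(piped, lambda l: parse_syslog_alert(l, True)))
```

Run it directly to print the three outcomes; the dictionary keys follow pfdetect's variable names. Note the group indices: the 5.3.1 pattern has the source address in $4, the replacement in $5 because it captures the classification as $4, which is why the two assignment blocks in the thread differ. With the 5.3.1 pattern the whole message after the sid collapses to its first word in $3, since "(.+?)\s+.+?" is satisfied as soon as the first space is reached; only $sid and the addresses are reliable from it.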
Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek Wuelfrath)

2015-10-13 Thread Boley, Chris
Sorry Derek, I neglected to follow the directions regarding subject line the 
first time round.

It's vanilla FreeBSD 10.2 with Suricata running. It is not a combination of 
software. Thanks for your response.

Message: 1
Date: Tue, 13 Oct 2015 10:41:05 -0400
From: Derek Wuelfrath <dwuelfr...@inverse.ca>
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
To: ML PF <packetfence-users@lists.sourceforge.net>
Message-ID: <6c92c7d1-0d78-42df-be14-410dc28c8...@inverse.ca>
Content-Type: text/plain; charset="utf-8"

Hello Chris,

Are you running Suricata on a separate box (I assume)? Are you running it 
standalone or within a security suite (SecurityOnion, for example)?

Let me know

Cheers!
dw.

--
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)


Re: [PacketFence-users] PacketFence-users Digest, Vol 90, Issue 36

2015-10-13 Thread Boley, Chris
Derek, yes it's a separate unit. FreeBSD 10.2 with Suricata running on it. No 
special suite of software. It's just the Suricata install.


[PacketFence-users] Suricata alerts to Packet Fence

2015-10-09 Thread Boley, Chris
Does anyone happen to know where I can find info on sending suricata alert 
events over to Packet Fence?



Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC



--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users