[PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog
I'm looking for the correct information to send syslog based alert data from a remote Suricata sensor to PacketFence.
I'm unsure of how to make PacketFence know that it will be getting alerts via syslog.
I've tried to find the appropriate documentation regarding this, however it seems a bit hard to locate.
Can anyone point me in the correct direction?

So far I think I would need to change suricata.yaml to reflect the following items (I'd be grateful for any advice there):

    # a line based alerts log similar to fast.log into syslog
    - syslog:
        enabled: yes
        identity: "suricata"
        facility: local5
        level: Alert

    # Define your logging outputs. If none are defined, or they are all
    # disabled you will get the default - console output.
    outputs:
      - console:
          enabled: no
      - file:
          enabled: yes
          filename: /var/log/suricata.log
      - syslog:
          enabled: yes
          facility: local5
          format: "[%i] <%d> -- "

I'm using vanilla syslogd on FreeBSD as my syslog on the sensor.
I realize I will have to make some changes to its config to forward the alerts to the PacketFence server.
I'm not even sure if the syslog format that will be input from suricata to syslogd will be compatible.
I might have to manipulate it with a template in the conf file.

I'm happy to do the reading.
I've googled and googled and found not much of any meaningful info where this topic is concerned.
I was hoping someone might know of some useful documentation on how to manipulate PacketFence and get it to start acting on Suricata alerts...

Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog
Hello Chris,

Sorry, I replied to your first message.

I did exactly what you are looking for, but using syslog-ng on the remote sensor.

- You first need to configure Suricata to log to syslog (I think it is the default behavior)

- You then need to configure syslog-ng to send a copy of the Suricata log to the PacketFence management IP address

    filter f_suricata { match('suricata:' value("MSGHDR")); };
    destination d_suricata { tcp("PACKETFENCE_MANAGEMENT_IP"); };
    log { source(s_syslog); filter(f_suricata); destination(d_suricata); };

- You need to allow tcp port 514 on the PacketFence firewall (editing the /usr/local/pf/conf/iptables.conf file should be enough)

- Make rsyslog (running on the PacketFence server) listen for remote syslog messages

    Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

- Make sure the alert pipe file exists (/usr/local/pf/var/alert)

    mkfifo /usr/local/pf/var/alert

- Configure rsyslog to write the remote Suricata log into the alert pipe

    :programname, isequal, "suricata" |/usr/local/pf/var/alert

- Configure trapping on PacketFence

    trapping.detection = enabled
    services.snort = disabled
    services.suricata = disabled

- Remove the following check from pfcmd checkup
  https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303

- Adapt the pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131

    if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
        $date  = $1;   # syslog timestamp
        $sid   = $2;   # signature id from the [gid:sid:rev] block
        $descr = $3;   # alert message
        # $4 (classification) is captured but not used
        $srcip = $5;
        $dstip = $6;
    } else {
        $logger->warn("unknown input: $_ ");
        next;
    }

Restart both packetfence and rsyslog

Let me know how it goes.

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc.
:: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Oct 13, 2015, at 8:55 AM, Boley, Chris wrote:
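The pfdetect parsing step in Derek's reply, as an added example that is not part of the thread or of PacketFence's own code: a Python check of his regular expression against constructed syslog lines, showing which fields it extracts and how a non-alert line falls into the "unknown input" branch. The sample lines, host name, signature id and addresses are constructed; the line layout assumes rsyslog's traditional timestamp/host/tag prefix in front of Suricata's syslog alert body. Python is used instead of pfdetect's Perl so the check runs anywhere, and the pattern is copied from the reply unchanged.

```python
import logging
import re

# The regular expression from Derek's reply, verbatim; Python's re module
# accepts the same syntax for this pattern (\[, \], \}, \s, \d, lazy .+?).
ALERT_RE = re.compile(
    r"^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]"
    r".+?\}\s+(.+?):.+?>\s(.+?):"
)

logger = logging.getLogger("pfdetect-check")


def parse_alert(line):
    """Return the fields pfdetect needs, or None for a line that does not match.

    Mirrors the Perl: groups 1, 2, 3, 5 and 6 are used; group 4 (the
    classification text) is captured but ignored; a non-match is logged
    as "unknown input" and skipped.
    """
    m = ALERT_RE.match(line)
    if m is None:
        logger.warning("unknown input: %s", line)
        return None
    date, sid, descr, _classification, srcip, dstip = m.groups()
    return {"date": date, "sid": sid, "descr": descr, "srcip": srcip, "dstip": dstip}


def parse_pipe(lines):
    """Parse lines as pfdetect would read them from the alert pipe, dropping non-alerts."""
    return [a for a in (parse_alert(l.rstrip("\n")) for l in lines) if a is not None]


# Constructed sample of what rsyslog would write into /usr/local/pf/var/alert:
# traditional "Mon DD HH:MM:SS host tag[pid]:" prefix, then Suricata's syslog alert
# body. Host, SID, classification and addresses are sample values, not from the thread.
SAMPLE_LINES = [
    "Oct 13 11:08:07 sensor1 suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "192.0.2.10:80 -> 198.51.100.25:51234",
    # A non-alert line from the same program tag: must hit the "unknown input" branch.
    "Oct 13 11:08:09 sensor1 suricata[1234]: This is Suricata version 2.0.9 RELEASE",
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for alert in parse_pipe(SAMPLE_LINES):
        print(alert)
```

Run it before editing pfdetect: the first sample yields date "Oct 13 11:08:07", sid "2100498", the signature message as descr, and 192.0.2.10 / 198.51.100.25 as source and destination, while the version banner is logged and dropped. If the match breaks on your setup, compare the line actually written to /usr/local/pf/var/alert with SAMPLE_LINES[0]; the prefix before the [gid:sid:rev] block is what differs between syslog daemons, and the first group plus the lazy `.+?` in front of that block are where such a difference shows up.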
Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog
Thanks Derek! I will dig into this and let you know where I land.

-Original Message-
From: packetfence-users-requ...@lists.sourceforge.net [mailto:packetfence-users-requ...@lists.sourceforge.net]
Sent: Tuesday, October 13, 2015 2:38 PM
To: packetfence-users@lists.sourceforge.net
Subject: PacketFence-users Digest, Vol 90, Issue 37

Today's Topics:

   1. Re: Send remote Suricata sensor alerts to PacketFence via syslog (Derek Wuelfrath)
   2. Re: PacketFence-users Digest, Vol 90, Issue 36 (Boley, Chris)
   3. Re: tweaking the create users page (Derek Wuelfrath)

Message: 1
Date: Tue, 13 Oct 2015 11:08:07 -0400
From: Derek Wuelfrath <dwuelfr...@inverse.ca>
Subject: Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog
To: ML PF <packetfence-users@lists.sourceforge.net>
Message-ID: <852d9a2f-31af-446b-806b-5a34d29be...@inverse.ca>
Content-Type: text/plain; charset=utf-8