[PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog

2015-10-13 Thread Boley, Chris
I'm looking for the correct information to send syslog based alert data from a 
remote Suricata sensor to PacketFence. 
I'm unsure of how to make PacketFence know that it will be getting alerts via 
syslog. 
I've tried to find the appropriate documentation regarding this, however it 
seems a bit hard to locate. 
Can anyone point me in the correct direction?

So far I think I would need to change suricata.yaml to reflect the following 
items (I'd be grateful for any advice there):

# a line based alerts log similar to fast.log into syslog
  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Alert

# Define your logging outputs.  If none are defined, or they are all
# disabled you will get the default - console output.
  outputs:
  - console:
      enabled: no
  - file:
      enabled: yes
      filename: /var/log/suricata.log
  - syslog:
      enabled: yes
      facility: local5
      format: "[%i] <%d> -- "

I'm using vanilla syslogd on FreeBSD as my syslog on the sensor.
 I realize I will have to make some changes to its config to forward the alerts 
to the PacketFence server.
I'm not even sure if the syslog format that will be input from suricata to 
syslogd will be compatible. 
I might have to manipulate it with a template in the conf file.


I'm happy to do the reading. 
I've googled and googled and found not much of any meaningful info where this 
topic is concerned. 
I was hoping someone might know of some useful documentation on how to 
manipulate PacketFence and get it to start acting on Suricata alerts...


Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC 


--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog

2015-10-13 Thread Derek Wuelfrath
Hello Chris,

Sorry, I replied to your first message.

I did exactly what you are looking for, but, using syslog-ng on the remote 
sensor.

- You first need to configure Suricata to log to syslog (I think it is the 
default behavior)

- You then need to configure syslog-ng to send a copy of the Suricata log to 
the PacketFence management IP address
  filter f_suricata { match('suricata:' value("MSGHDR")); };
  destination d_suricata { tcp("PACKETFENCE_MANAGEMENT_IP"); };
  log { source(s_syslog); filter(f_suricata); destination(d_suricata); };

- You need to allow tcp port 514 on the PacketFence firewall (edit the 
/usr/local/pf/conf/iptables.conf file should be enough)

- Make rsyslog (running on the PacketFence server) listen for remote syslog 
messages
  Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

- Make sure alert pipe file exists (/usr/local/pf/var/alert)
  mkfifo /usr/local/pf/var/alert

- Configure rsyslog to write the remote Suricata log into the alert pipe
  :programname, isequal, "suricata" |/usr/local/pf/var/alert

- Configure trapping on PacketFence
  trapping.detection = enabled
  services.snort = disabled
  services.suricata = disabled

- Remove the following check from pfcmd checkup
  
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303

- Adapt pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131
  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;   # syslog timestamp, e.g. "Oct 13 08:55:01"
      $sid   = $2;   # rule sid taken from "[gid:sid:rev]"
      $descr = $3;   # rule message
      # $4 is the "[Classification: ...]" value and is not used
      $srcip = $5;   # source address, before the first ":port"
      $dstip = $6;   # destination address, after "->"
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }

Restart both packetfence and rsyslog

Let me know how it goes.

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 13, 2015, at 8:55 AM, Boley, Chris  wrote:
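To see what the chain above actually hands to pfdetect, the following is an added example in Python, not code from the thread and not PacketFence's own pfdetect. It ports Derek's regex unchanged (Perl's $1..$6 become groups 1..6), approximates rsyslog's `programname` property with a small header parser written for this illustration, and runs both over constructed syslog lines: one Suricata alert in the fast.log-style form Suricata's syslog output produces, one Suricata non-alert line, and one sshd line. All sample lines are made up for the example.

```python
import re

# Derek's pfdetect regex, copied verbatim from the thread. It expects the
# traditional "Mon DD HH:MM:SS" syslog header in front of the Suricata alert;
# an RFC 5424 / ISO timestamp would not satisfy the first capture group.
ALERT_RE = re.compile(
    r'^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+'
    r'\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):'
)

# Rough stand-in for rsyslog's "programname" property (assumption made for this
# example): the tag after the hostname, cut at "[pid]" or ":".
HEADER_RE = re.compile(r'^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+([^\s\[:]+)')

# Constructed sample input: what the PacketFence rsyslog would receive.
SAMPLE_LINES = [
    'Oct 13 08:55:01 sensor1 suricata[1234]: [1:2100498:7] GPL ATTACK_RESPONSE '
    'id check returned root [Classification: Potentially Bad Traffic] '
    '[Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234',
    'Oct 13 08:55:02 sensor1 suricata[1234]: [1234] <Notice> -- '
    'This is Suricata version 2.0.9 RELEASE',
    'Oct 13 08:55:03 sensor1 sshd[999]: Accepted publickey for admin '
    'from 10.0.0.9 port 5022 ssh2',
]


def programname(line):
    """Return the syslog tag (what rsyslog matches with :programname), or None."""
    m = HEADER_RE.match(line)
    return m.group(1) if m else None


def parse_alert(line):
    """Apply the pfdetect regex; None means pfdetect would warn 'unknown input'."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "date": m.group(1),            # $1
        "sid": m.group(2),             # $2
        "descr": m.group(3),           # $3
        "classification": m.group(4),  # $4, captured but unused in Derek's snippet
        "srcip": m.group(5),           # $5
        "dstip": m.group(6),           # $6
    }


def route(lines):
    """Mimic the chain: the programname filter decides what reaches the alert
    pipe, then the regex decides what pfdetect can act on."""
    alerts, unknown = [], []
    for line in lines:
        if programname(line) != "suricata":
            continue  # dropped by ':programname, isequal, "suricata"'
        parsed = parse_alert(line)
        if parsed is None:
            unknown.append(line)  # pfdetect's "unknown input" branch
        else:
            alerts.append(parsed)
    return alerts, unknown


if __name__ == "__main__":
    found, skipped = route(SAMPLE_LINES)
    for alert in found:
        print("alert:", alert)
    for line in skipped:
        print("unknown input:", line)
```

Two things worth noticing when adapting this to a real sensor: the rsyslog filter is on the program name, so Suricata's non-alert log lines also land in the pipe and only the regex separates them, and the first capture group ties the whole match to the sensor's syslog daemon keeping the classic timestamp format in front of the message.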


Re: [PacketFence-users] Send remote Suricata sensor alerts to PacketFence via syslog

2015-10-13 Thread Boley, Chris
Thanks Derek! I will dig into this and let you know where I land.
