Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-18 Thread Boley, Chris
Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-09 Thread Derek Wuelfrath
> I saw your suggestion regarding SecurityOnion however I am running Suricata 
> from a FreeBSD platform within Jails.
> Security Onion doesn't offer that for me.

The refactor also includes support for remote Suricata and Snort :)

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-09 Thread Derek Wuelfrath
Please tell me the specific version of PacketFence you are running (cat 
/usr/local/pf/conf/pf-release) and I will point you to the exact lines to change :)

Thanks

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)





Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-04 Thread Boley, Chris
Derek. At last mail I had told you that adapting the regex was problematic 
because what I had in my packet fence was very different from what you had 
described.
"https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
Commenting out lines 103 to 131 and adding your new regex code afterward 
According to changelog in my system: Last commit date showed Date:   Fri Jul 24 
10:34:46 2015 -0400 
I'm pretty sure my version is 5.3.1

So again: 
Where/how should I apply your suggested regex code seen below?

  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;
      $sid   = $2;
      $descr = $3;
      $srcip = $5;
      $dstip = $6;
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }


===
I saw your suggestion regarding SecurityOnion however I am running Suricata 
from a FreeBSD platform within Jails.
Security Onion doesn't offer that for me.
Thanks!



Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-03 Thread Derek Wuelfrath
Chris,

> - Remove the following check from pfcmd checkup
>  
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
>  Comment lines 298 to 303
> -
> So my file should read like this now?   Just verifying because it seemed 
> odd that I hadn't commented out that first portion of that section.
> ===
># make sure a monitor device is present if trapping.detection is enabled
>if ( !$monitor_int ) {
> #add_problem( $FATAL,
> #"monitor interface not defined, please disable 
> trapping.detection " .
> #"or set an interface type=...,monitor in pf.conf"
> #);
> #}
> #
> 

You should also comment the “if” line…

> - Adapt pfdetect regex.

Which version of PacketFence are you running?

Additionally, we are about to release PacketFence 5.5, which includes a complete 
rewrite of violations along with pfdetect.
It will natively support SecurityOnion.

Let me know 

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Nov 2, 2015, at 10:59 AM, Boley, Chris  wrote:
> 
> Derek, in a previous mail you had stated that I should make some 
> modifications to a few files. I'm having a bit of trouble interpreting what I 
> should do. Hoping you can shed some wisdom here.  Everything else is ready to 
> go. Thanks.
> 
> (quoting you from previous mail)
> - Remove the following check from pfcmd checkup
>  
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
>  Comment lines 298 to 303
> -
> So my file should read like this now?   Just verifying because it seemed 
> odd that I hadn't commented out that first portion of that section.
> ===
># make sure a monitor device is present if trapping.detection is enabled
>if ( !$monitor_int ) {
> #add_problem( $FATAL,
> #"monitor interface not defined, please disable 
> trapping.detection " .
> #"or set an interface type=...,monitor in pf.conf"
> #);
> #}
> #
> 
> Additionally (quoting you again):
> - Adapt pfdetect regex.
>  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
>  Comment lines 103 to 131
>  Add the following after 131
>  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
>      $date  = $1;
>      $sid   = $2;
>      $descr = $3;
>      $srcip = $5;
>      $dstip = $6;
>  } else {
>      $logger->warn("unknown input: $_ ");
>      next;
>  }
> ==
> Problem I'm facing:      Your file looks like this that you quoted from 
> the URL:
> 
> $logger->info("initialized");  
> my %CHILDREN;
> my $IS_CHILD = 0;
> my $running = 1;
> 
> sub start_detectors {
>foreach my $id (keys %ConfigDetect) {
>run_detector($id);
>}
> }   <--LINE 103 here on the URL you 
> supplied.
> 
> =head2 run_detector
> creates a new child to run a task
> =cut
> 
> sub run_detector {
>my ($id) = @_;
>my $detector = $ConfigDetect{$id};
>$detector->{id} = $id;
>my $pid = fork();
>if($pid) {
>$CHILDREN{$pid} = $detector->{id};
>$SIG{CHLD} = "IGNORE";
>} elsif ($pid == 0) {
>$SIG{CHLD} = "DEFAULT";
>$IS_CHILD = 1;
>_run_detector($detector);
>} else {
>}
> }
> 
> =head2 _run_detector
> the task to is ran in a loop until it is finished
> =cut
> =
> My file looks very different and I'm unsure what to do with it. See below
> ---
> $logger->info("initialized");  
> if ( !open( $snortpipe_fh, '<', "$snortpipe" ) ) {
>$logger->logdie("unable to open snort pipe 

[PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath)

2015-11-02 Thread Boley, Chris
Derek, in a previous mail you had stated that I should make some modifications 
to a few files. I'm having a bit of trouble interpreting what I should do. 
Hoping you can shed some wisdom here.  Everything else is ready to go. Thanks.

(quoting you from previous mail)
- Remove the following check from pfcmd checkup
  
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
  Comment lines 298 to 303
-
So my file should read like this now?   Just verifying because it seemed 
odd that I hadn't commented out that first portion of that section.
===
# make sure a monitor device is present if trapping.detection is enabled
if ( !$monitor_int ) {
#    add_problem( $FATAL,
#        "monitor interface not defined, please disable trapping.detection " .
#        "or set an interface type=...,monitor in pf.conf"
#    );
#}
#

Additionally (quoting you again):
- Adapt pfdetect regex.
  https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
  Comment lines 103 to 131
  Add the following after 131
  if ( $_ =~ /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/ ) {
      $date  = $1;
      $sid   = $2;
      $descr = $3;
      $srcip = $5;
      $dstip = $6;
  } else {
      $logger->warn("unknown input: $_ ");
      next;
  }
==
Problem I'm facing:      Your file looks like this that you quoted from the 
URL:

$logger->info("initialized");
my %CHILDREN;
my $IS_CHILD = 0;
my $running = 1;

sub start_detectors {
    foreach my $id (keys %ConfigDetect) {
        run_detector($id);
    }
}   <--LINE 103 here on the URL you supplied.

=head2 run_detector
creates a new child to run a task
=cut

sub run_detector {
    my ($id) = @_;
    my $detector = $ConfigDetect{$id};
    $detector->{id} = $id;
    my $pid = fork();
    if($pid) {
        $CHILDREN{$pid} = $detector->{id};
        $SIG{CHLD} = "IGNORE";
    } elsif ($pid == 0) {
        $SIG{CHLD} = "DEFAULT";
        $IS_CHILD = 1;
        _run_detector($detector);
    } else {
    }
}

=head2 _run_detector
the task to is ran in a loop until it is finished
=cut
=
My file looks very different and I'm unsure what to do with it. See below
---
$logger->info("initialized");
if ( !open( $snortpipe_fh, '<', "$snortpipe" ) ) {
    $logger->logdie("unable to open snort pipe ($snortpipe): $!");
} else {
    $logger->info("listening on $snortpipe");
}

while (<$snortpipe_fh>) {

    $logger->info("alert received: $_");
    if ( $_
        =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    { <--LINE 103
        $date  = $1;
        $sid   = $2;
        $descr = $3;
        $srcip = $4;
        $dstip = $6;
    } elsif ( $_
        =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+Portscan\s+detected\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } elsif ( $_
        =~ /^(.+?)\[\*\*\] \[\d+:(\d+):\d+\]\s+\(spp_portscan2\) Portscan detected from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
        )
    {
        $date  = $1;
        $sid   = $portscan_sid;
        $srcip = $3;
        $descr = "PORTSCAN";
    } else {
        $logger->warn("unknown input: $_ ");
        next;
    }

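As an added example (not code from this thread or from PacketFence), the two pfdetect regexes quoted above re-implemented in Python and run over constructed alert lines in both formats. It shows why the stock line-103 regex never matches a syslog-forwarded Suricata alert (there the `[**]` marker follows the description instead of preceding the sid) and why Derek's replacement in turn drops alerts without ports, such as ICMP, which pfdetect then logs as "unknown input". Assumptions: the sample lines and hostnames are constructed, and the closing `)/` lost from the stock regex in the archived mail is restored.

```python
import re

# Regex Derek posted for syslog-forwarded Suricata alerts (Perl syntax carries
# over to Python's re unchanged). Groups: 1 date, 2 sid, 3 description,
# 4 classification (captured but never assigned in pfdetect), 5 src IP, 6 dst IP.
SYSLOG_ALERT_RE = re.compile(
    r"^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]"
    r".+?\}\s+(.+?):.+?>\s(.+?):"
)

# The stock regex at line 103 of the unmodified pfdetect, written for a local
# fast.log line: "MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] descr [**] ...".
# Assumption: the closing ")/" that the archived mail lost is restored here.
FASTLOG_ALERT_RE = re.compile(
    r"^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)


def parse_syslog_alert(line):
    """Derek's assignments: $date=$1 $sid=$2 $descr=$3 $srcip=$5 $dstip=$6."""
    m = SYSLOG_ALERT_RE.match(line)
    if m is None:
        return None
    return {"date": m.group(1), "sid": m.group(2), "descr": m.group(3),
            "srcip": m.group(5), "dstip": m.group(6)}


def parse_fastlog_alert(line):
    """Stock pfdetect assignments: $date=$1 $sid=$2 $descr=$3 $srcip=$4 $dstip=$6.
    The lazy (.+?) for descr is followed by whitespace and another lazy .+?,
    so it stops at the first space: descr is only the first word of the message."""
    m = FASTLOG_ALERT_RE.match(line)
    if m is None:
        return None
    return {"date": m.group(1), "sid": m.group(2), "descr": m.group(3),
            "srcip": m.group(4), "dstip": m.group(6)}


def drain_pipe(lines, parser):
    """Mimic the pfdetect read loop over the alert FIFO: a line the regex does
    not match is what pfdetect logs as "unknown input" and skips with next."""
    alerts, unknown = [], []
    for line in lines:
        alert = parser(line)
        if alert is None:
            unknown.append(line)
        else:
            alerts.append(alert)
    return alerts, unknown


# Constructed sample lines (not taken from the thread).
DESCR = "GPL ATTACK_RESPONSE id check returned root"
TAIL = ("[**] [Classification: Potentially Bad Traffic] [Priority: 2] "
        "{TCP} 192.168.5.249:80 -> 192.168.5.10:51234")
# What rsyslog writes into /usr/local/pf/var/alert for a forwarded Suricata alert:
SYSLOG_TCP = "Nov  4 10:46:12 pf suricata[2135]: [1:2100498:7] %s %s" % (DESCR, TAIL)
# The same path for an ICMP alert, which Suricata reports without ports:
SYSLOG_ICMP = ("Nov  4 10:47:01 pf suricata[2135]: [1:2100366:8] GPL ICMP_INFO PING *NIX "
               "[**] [Classification: Misc activity] [Priority: 3] "
               "{ICMP} 192.168.5.249 -> 192.168.5.10")
# The same TCP alert as Suricata writes it to a local fast.log:
FASTLOG_TCP = "11/04/2015-10:46:12.123456  [**] [1:2100498:7] %s %s" % (DESCR, TAIL)

if __name__ == "__main__":
    for name, parser in (("stock", parse_fastlog_alert), ("derek", parse_syslog_alert)):
        alerts, unknown = drain_pipe([SYSLOG_TCP, SYSLOG_ICMP, FASTLOG_TCP], parser)
        print(name, "parsed:", alerts)
        print(name, "unknown input:", unknown)
```

Swapping the regex therefore trades one blind spot for another: the stock regex sees only local fast.log lines, Derek's sees only forwarded TCP/UDP alerts, and the "unknown input" warnings in packetfence.log are where the dropped alerts show up.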


[PacketFence-users] Suricata alerts to Packet Fence (Derek, Wuelfrath) (Boley, Chris)

2015-10-15 Thread Boley, Chris
Hi Derek progress report, 
DONE - You then need to configure syslog-ng to send a copy of the Suricata log 
to the PacketFence management IP address
  filter f_suricata { match('suricata:' value("MSGHDR")); };
  destination d_suricata { tcp("192.168.5.10"); };
  log { source(src); filter(f_suricata); destination(d_suricata); };

DONE - You need to allow tcp port 514 on the PacketFence firewall (edit the 
/usr/local/pf/conf/iptables.conf file should be enough)
DONE - Make rsyslog (running on the PacketFence server) to listen for remote 
syslog messages
  Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf

DONE - Make sure alert pipe file exists (/usr/local/pf/var/alert)
  mkfifo /usr/local/pf/var/alert

Added to rsyslog.conf :

#Configure rsyslog to log remote Suricata log in alert pipe
  :programname, isequal, "suricata" |/usr/local/pf/var/alert



Derek, you had put in your original instructions some portion mentioning this:
- Configure trapping on PacketFence
  trapping.detection = enabled
  services.snort = disabled
  services.suricata = disabled

My pf.conf file looks almost naked at this time because my packetfence is a 
nearly 100% fresh install so, to clarify it seems easier to:
1. take the pf.conf.defaults,
2. cp it to pf.conf.defaults1, 
3. transpose all my current pf.conf information into the defaults1 file then 
add your editing notations
4. mv pf.conf to pf.conf.bak
5. mv pf.conf.defaults1 to pf.conf

Reboot server or restart services. ( I'm still not sure what's the appropriate 
service restart syntax for packet fence services)

Before I go and do all this, am I headed in the right direction? Afterward I 
would be modifying the checkup.pm and adapting pfdetect regex.
And that should finish up what's necessary to send remote suricata server 
syslog alerts over to Packet Fence.

Thanks.
Chris Boley

[PacketFence-users] Suricata alerts to Packet Fence (Derek Wuelfrath)

2015-10-14 Thread Boley, Chris
Hi Derek, on your last suggestion I basically replaced syslogd on FreeBSD with 
syslog-ng so as to more easily mimic your instructions:
You had suggested some syslog-ng config changes.
I put them verbatim right in the bottom of the cfg file without modifying 
anything else. Seemed like the easiest route to take.

filter f_suricata { match('suricata:' value("MSGHDR")); };
destination d_suricata { tcp("192.168.5.10"); };
log { source(src); filter(f_suricata); destination(d_suricata); };

On the middle (destination) line, should that be UDP and not TCP? Syslog is 
typically UDP 514. Otherwise it looks like the desired effect is happening.

A quick netstat shows:

root@suricata:/usr/ports/sysutils/syslog-ng # netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address  Foreign Address(state)
tcp4   0  0 192.168.5.249.25801192.168.5.10.shell SYN_SENT


Thanks.
Chris Boley

-Original Message-
From: packetfence-users-requ...@lists.sourceforge.net 
[mailto:packetfence-users-requ...@lists.sourceforge.net] 
Sent: Tuesday, October 13, 2015 10:53 AM
To: packetfence-users@lists.sourceforge.net
Subject: PacketFence-users Digest, Vol 90, Issue 36

Send PacketFence-users mailing list submissions to
packetfence-users@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/packetfence-users
or, via email, send a message with subject or body 'help' to
packetfence-users-requ...@lists.sourceforge.net

You can reach the person managing the list at
packetfence-users-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than "Re: 
Contents of PacketFence-users digest..."


Today's Topics:

   1. Re: Suricata alerts to Packet Fence (Derek Wuelfrath)
   2. Re: pfdhcplistener (Derek Wuelfrath)


--

Message: 1
Date: Tue, 13 Oct 2015 10:41:05 -0400
From: Derek Wuelfrath 
Subject: Re: [PacketFence-users] Suricata alerts to Packet Fence
To: ML PF 
Message-ID: <6c92c7d1-0d78-42df-be14-410dc28c8...@inverse.ca>
Content-Type: text/plain; charset="utf-8"

Hello Chris,

Are you running Suricata on a separate box (I assume)? Are you running it 
standalone or within a security suite (SecurityOnion, for example)?

Let me know

Cheers!
dw.

—
Derek Wuelfrath
dwuelfr...@inverse.ca :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110) 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Oct 9, 2015, at 5:05 PM, Boley, Chris  wrote:
> 
> Does anyone happen to know where I can find info on sending suricata alert 
> events over to Packet Fence?
>  
>  
> Chris Boley | Network Engineer | Cogentrix Energy Power Management, 
> LLC
> 
>  
Re: [PacketFence-users] Suricata alerts to Packet Fence (Derek Wuelfrath)

2015-10-13 Thread Boley, Chris
Sorry Derek, I neglected to follow the directions regarding subject line the 
first time round.

It's vanilla FreeBSD 10.2 with Suricata running. It is not a combination of 
softwares. Thanks for your response.
