Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Thierry Laurion
Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata
generated "alert" logs, which have a different format than the
"digested" logs of SecurityOnion.

As an example, here is the kind of log line that Suricata and Snort
generate when in "alert" mode:
'07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'


You should use "suricata_event" triggers in your SecurityOnion related
violations, which match text and are more generic.

Modify violation 153 for it to match "ET P2P Vuze BT UDP
Connection". That would be a broader match and would also generate a
violation for the following SIDs:
sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || url,doc.emergingthreats.net/2010144 || url,vuze.com


Regards,
Thierry Laurion
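As an added illustration (not pfdetect's code and not written by anyone in this thread), the Python below models the distinction Thierry draws: a numeric "detect" trigger checked against the Snort/Suricata alert format, and a text "suricata_event" trigger checked against the alert message, run over the pfdetect.log line and the violation.conf section quoted in the thread. The trigger semantics, the regular expression for the Security Onion line, and the extra sample lines are assumptions of this example.

```python
"""Model of how numeric vs. text IDS triggers match alert lines.

Added example for this thread: it is NOT pfdetect's own code. It models
the two trigger kinds as described in the reply above (an assumption).
"""
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional

# Snort/Suricata fast alert format: "[**] [gid:sid:rev] msg [**]".
FAST_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Security Onion "securityonion_ids" syslog line as seen in pfdetect.log:
#   Alert Received: <n> <n> <class> <sensor> {timestamp} <n> <n> {msg}
#   <src> <dst> <proto> <sport> <dport> <gid> <sid> <rev> ...
# Field layout inferred from the one quoted line (assumption).
SO_RE = re.compile(
    r"Alert Received: .*?\{[^}]*\} \d+ \d+ \{([^}]*)\} \S+ \S+ \d+ \d+ \d+ "
    r"(\d+) (\d+) (\d+)"
)


@dataclass
class Alert:
    source: str   # "fast" (Snort/Suricata alert log) or "securityonion"
    gid: int
    sid: int
    rev: int
    msg: str


def parse_alert(line: str) -> Optional[Alert]:
    """Recognise either format; return None for lines that are neither."""
    m = FAST_RE.search(line)
    if m:
        return Alert("fast", int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    m = SO_RE.search(line)
    if m:
        return Alert("securityonion", int(m.group(2)), int(m.group(3)),
                     int(m.group(4)), m.group(1))
    return None


def trigger_matches(trigger: str, alert: Alert) -> bool:
    """Model of the two trigger kinds (assumed semantics, not PacketFence's code)."""
    kind, _, value = trigger.partition("::")
    if kind == "detect":
        # Numeric SID match, applied to Snort/Suricata alert-format lines only.
        return alert.source == "fast" and alert.sid == int(value)
    if kind == "suricata_event":
        # Text match on the alert message; case-insensitive substring (assumed).
        return value.strip().lower() in alert.msg.lower()
    raise ValueError(f"unsupported trigger kind: {kind}")


def matching_violations(conf_text: str, line: str) -> List[str]:
    """Return the IDs of enabled violation.conf sections whose trigger fires for one line."""
    alert = parse_alert(line)
    if alert is None:
        return []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return [vid for vid in cfg.sections()
            if cfg.get(vid, "enabled", fallback="N") == "Y"
            and trigger_matches(cfg.get(vid, "trigger"), alert)]


# violation.conf section as posted in the thread, and the suggested change.
ORIGINAL_CONF = """
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze
enabled=Y
template=p2p
grace=2h
"""
FIXED_CONF = ORIGINAL_CONF.replace(
    "trigger=detect::2010140", "trigger=suricata_event::ET P2P Vuze BT UDP Connection")

# FAST_ALERT and SO_ALERT are the lines quoted in the thread; the other two are constructed.
FAST_ALERT = ("07/28/2015-09:09:59.431113  [**] [1:2221002:1] SURICATA HTTP request "
              "field missing colon [**] [Classification: Generic Protocol Command "
              "Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000")
SO_ALERT = ("Oct  7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921)  "
            "Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} "
            "21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 "
            "17 10600 65344 1 2010140 6 92 92")
SO_ALERT_VARIANT = SO_ALERT.replace("{ET P2P Vuze BT UDP Connection}",
                                    "{ET P2P Vuze BT UDP Connection (2)}"
                                    ).replace(" 1 2010140 6 ", " 1 2010141 6 ")
FAST_VUZE = ("10/07/2016-14:23:39.000000  [**] [1:2010140:6] ET P2P Vuze BT UDP "
             "Connection [**] [Classification: policy-violation] [Priority: 1] "
             "{UDP} 10.6.198.173:10600 -> 24.122.228.33:65344")

if __name__ == "__main__":
    for name, line in [("fast", FAST_VUZE), ("securityonion", SO_ALERT),
                       ("securityonion variant", SO_ALERT_VARIANT)]:
        print(name, "original:", matching_violations(ORIGINAL_CONF, line),
              "fixed:", matching_violations(FIXED_CONF, line))
```

With the original section, only the constructed fast-format line fires violation 153; with the suricata_event trigger, the Security Onion line and its "(2)" variant fire as well.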

Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Julien Semaan
Make sure you apply the maintenance branch 
(/usr/local/pf/addons/pf-maint.pl) as it contains fixes to a similar issue.


Regards,

- Julien

On 10/07/2016 10:26 AM, Morris, Andi wrote:



Re: [PacketFence-users] pf::enforcement::_vlan_reevaluation

2016-10-07 Thread Ludovic Zammit
Hello,

You can check the pfqueue.log to see what happened.

Can you post here the lines related to the deauthentication?

Thanks,
Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)





> On 7 Oct 2016 at 09:29, Schimanski Tobias wrote:
> 
> I use the web auth function with a WLC 5500. Since upgrading to version 6.3.0,
> packetfence did not re-evaluate my VLAN.
> In packetfence.log it's stuck here:
> 
> httpd.portal(2778) INFO: [mac:xx:xx:xx:xx:xx:xx] switch port is (x.x.x.x) ifIndex 13 connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
> 
> If I reconnect my client to the wifi, everything works fine.
> 
>  
> Tobias
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Morris, Andi
An update, I'm now getting the alerts hitting pfdetect, but they're still not 
triggering the violation with the same ID.
pfdetect.log shows:
Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct  7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921)  Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92
' (main::_run_detector)


The relevant section of violation.conf is:
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze
enabled=Y
template=p2p
grace=2h


From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 October 2016 14:56
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Security Onion alerts not triggering


[PacketFence-users] Security Onion alerts not triggering

2016-10-07 Thread Morris, Andi
Hi all,
I have configured my security onion server to send alerts to my packetfence 
server (version 6.2.1), and I can see that they're getting there through 
TCPdump.

IDS server:
13:37:02.260031 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 240
13:37:02.260216 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:37:12.271539 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:37:57.325078 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:37:57.326236 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:38:07.342397 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
13:38:37.377503 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:38:55.401715 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401858 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401895 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:38:55.401921 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
13:39:03.412383 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
13:39:07.418010 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418098 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418113 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418132 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
13:39:07.418153 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:39:07.418172 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
13:39:22.434608 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
PF server:
14:37:12.272395 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:37:57.325970 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
14:37:57.326980 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
14:38:07.343228 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 243
14:38:37.378338 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:38:55.402550 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402583 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402610 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:38:55.402632 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 282
14:39:03.413187 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 241
14:39:07.418795 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418819 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418836 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418865 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 284
14:39:07.418922 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242
14:39:07.418927 IP idsserver.internal.domain.35871 > packetfence.internal.domain.syslog: SYSLOG user.notice, length: 242

I've configured rsyslog as per the packetfence docs, and created the syslog 
parser and the violations I'd like to trigger. However, the violation isn't 
triggering, while I can see from the sguild.log on the IDS server that it's being 
seen. Looking at pfdetect.log I can see the following, which suggests that for 
some reason the syslogger isn't sending the alert to packetfence:
Oct 07 14:46:41 pfdetect(11814) INFO: pfdetect starting and writing 11814 to /usr/local/pf/var/run/pfdetect.pid (pf::services::util::createpid)
Oct 07 

[PacketFence-users] pf::enforcement::_vlan_reevaluation

2016-10-07 Thread Schimanski Tobias
I use the web auth function with a WLC 5500. Since upgrading to version 6.3.0,
packetfence did not re-evaluate my VLAN.
In packetfence.log it's stuck here:

httpd.portal(2778) INFO: [mac:xx:xx:xx:xx:xx:xx] switch port is (x.x.x.x) ifIndex 13 connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)

If I reconnect my client to the wifi, everything works fine.

 

Tobias





Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-07 Thread Antoine Amacher

Stefan,

If you don't see the rule in packetfence.log it means that it is not being 
triggered: either something is not matching, or there is a typo in the rule.
In the latter case you should see a message like "error while building rule XXX" 
in packetfence.log. Just to be sure, after deploying a rule in 
vlan_filter.conf you need to run "bin/pfcmd configreload hard", which will force 
your configuration to be reloaded.

It seems to me that the filter is not applied.

Thanks

On Friday, October 07, 2016 02:55 EDT, "Marold, Stefan" wrote:

Hello Antoine,

after using 'bin/pfcmd checkup', I see the following line in packetfence.log:
Oct 07 02:34:19 pfcmd.pl(2179) INFO: Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)

When the user authenticates, I don't see any messages related to 
"1:EthernetEAP" in packetfence.log:
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] handling radius autz request: from switch_ip => (172.20.10.118), connection_type => Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [74:2b:62:6d:47:d4], port => 10101, username => "D1527.dorsten.local" (pf::radius::authorize)
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] (172.20.10.118) Added VLAN 11 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 07 02:40:00 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Oct 07 02:40:02 httpd.portal(2202) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2037) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2038) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)

I also tried to add the following rule, but it seems to have no effect:
[2:EthernetEAP]
scope = NodeInfoForAutoReg
role = default
action = modify_node
action_param = mac = $mac, status = reg, access_duration = 12H, role = default

BTW, does the absence of "EAP-Type => EAP-TLS" in packetfence.log mean the 
EAP-Type is not "EAP-TLS"?

Regards
Stefan




Re: [PacketFence-users] Reregister if SSID is changing

2016-10-07 Thread Tobias Friede
Hi,

ok, I can't solve it by myself, so I have ordered a Support Contract.
I hope Inverse can help me :D

If I get a solution, I will post it here :)


Greetings
Tobias

2016-09-28 9:58 GMT+02:00 Tobias Friede :

> Hi,
>
> today I played a little bit with the rule set.
>
> The following workflow reproduces my problem:
>
> I have a portal page which is registered to the SSID GAST-Dont-Use-It (it's
> my testing WLAN).
> I have a rule set for checking certificates (EAP-TLS) and for the SSID
> "Fraunhofer-PF", which is my internal WLAN.
>
> If I connect a client which is currently unregistered in PF to my GAST
> WLAN, pf is presenting the portal and I can log in with an internal user
> which has the role "guest" assigned.
> After that, the VLAN is changing from the registration VLAN to my guest VLAN.
> Everything seems to be fine.
>
> Now the client is connecting to Fraunhofer-PF. OK, looks good: the 802.1x
> auth works and the VLAN changes to my internal VLAN. Now I move the
> client back to the guest WiFi. In the PF interface (Auditing) I can see
> that a new RADIUS request is coming into PF, but PF sends back the
> "Internal" VLAN, not the registration VLAN :(
>
> Source and Role don't change to guest.
>
>
> Regards
> Tobias
>
>
> 2016-09-27 22:44 GMT+02:00 Tobias Friede :
>
>>
>> Hi Antoine,
>>
> >>> There is a reevaluate happening every time a user connects to a SSID as
> >>> long as there is a new RADIUS request coming in.
> >>>
> >>  that's what I expected. My Aerohive and my Cisco WLC of course send a
> >> new RADIUS request... But pf doesn't reevaluate the access; the old rule
> >> from the first connection persists.
> >>
> >>> Now for what you want to do, you could create a set of rules in your
> >>> source of authentication, AD I presume, and use the condition SSID. Send
> >>> back the role guest if the SSID is guest, or apply your normal rules if the
> >>> SSID is internal.
> >>>
> >> Yes, I have a rule for my WPA2 encrypted WiFi with 802.1x auth (no, I
> >> don't use AD auth; I use our client certificates from our Windows CA and
> >> do EAP-TLS authentication.)
> >> In that rule, I defined the appropriate SSID.
> >>
> >> Currently I use the internal database for guest users, but how can I
> >> configure a rule with internal users? Is it the "Legacy Source"? When I try
> >> to edit that rule, I get the following message:
> >> "Error! The file is not readable."
>>
>>
>> Greetings
>> Tobias
>>
>> On 09/21/2016 05:46 AM, Tobias Friede wrote:
>>>
>>> Hi,
>>>
> >>> is it possible to reevaluate access every time a client/user makes a
> >>> reconnect on our wifi?
>>>
>>>
>>> Greetings
>>> Tobias
>>>
>>> 2016-09-02 11:36 GMT+02:00 Tobias Friede :
>>>
> >>>> Hi,
> >>>>
> >>>> No one with an idea how to fix my problem?
> >>>> Or is it better to use two packetfence servers, one for internal
> >>>> authentication and one for hotspot services?
> >>>>
> >>>> Greetings
> >>>> Tobias
> >>>>
> >>>> 2016-09-01 9:20 GMT+02:00 Tobias Friede :
> >>>> > Hi,
> >>>> >
> >>>> > I have the following problem. I have 2 SSIDs:
> >>>> > Guest and Internal.
> >>>> >
> >>>> > The Guest WiFi is OPEN and just secured with a captive page. The
> >>>> > internal one is secured with 802.1x EAP-TLS.
> >>>> > If a user connects to the guest wifi and logs in with a guest account,
> >>>> > our Aerohive APs and Cisco WLC will move them to the correct VLAN.
> >>>> > Everything seems to be fine. Unregistration via the PF interface works
> >>>> > fine too, so CoA is working.
> >>>> >
> >>>> > But if a user moves to the internal WiFi, the VLAN doesn't change back
> >>>> > to the internal VLAN.
> >>>> > The client still remains in the guest VLAN, I think, because the client is
> >>>> > registered for the guest user account.
> >>>> > Is there any solution to solve this?
> >>>> >
> >>>> >
> >>>> >
> >>>> > Greetings
> >>>> > Tobias

>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>> ___
>>> PacketFence-users mailing 
>>> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Antoine amacheraamac...@inverse.ca  ::  www.inverse.ca +1.514.447.4918 x130 
>>>  :: +1 (866) 353-6153 x130
>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
>>> (www.packetfence.org)
>>>
>>>
>>> 
>>> --
>>>
>>> ___
>>> PacketFence-users mailing list
>>> PacketFence-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>
>
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net

Re: [PacketFence-users] Sponsor configuration in inline deployment

2016-10-07 Thread Riccardo Pelliccioli
My "Sponsor Enabled User" had an expiration date set to 2038-10-03 00:00:00 
in the mysql password table, and that's why I reached the error message. 
I just had to change it to one in a shorter period (2018-10-03 
00:00:00) and that solved the issue.


BR,

Rick


On 10/6/2016 5:45 PM, Fabrice Durand wrote:


Not sure I understand how you fixed it.



On 2016-10-06 at 11:33, Riccardo Pelliccioli wrote:


Solved,

I had to reduce the expiration period

BR

Rick


On 10/6/2016 5:19 PM, Riccardo Pelliccioli wrote:


Thank you Fabrice,

I made a step forward; with this profile I'm able to make the 
registration; the sponsor receives the email with the link for the 
activation, but I receive a strange wrong-password message; in the 
logs I can find:


Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] [00:50:56:aa:37:67] Activation code sent to email x...@xxx.it from x...@gmail.com successfully verified.  for activation type: sponsor (pf::activation::validate_code)
Oct 06 11:13:07 httpd.portal(2914) INFO: [mac:00:50:56:aa:37:67] Password validation failed for Pippo: password has expired (pf::password::validate_password)
Oct 06 11:13:07 httpd.portal(2914) ERROR: [mac:00:50:56:aa:37:67] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate)


The last line I think isn't useful

BR,

Rick


On 10/6/2016 2:34 PM, Fabrice Durand wrote:


Hello Rick,

what you can do is to create a new portal profile with a network 
filter.


So let's say that your inline network is 192.168.0.0/24; then create a 
portal profile with this filter and assign the authentication 
sources you want to use.


Regards

Fabrice



Le 2016-10-06 à 05:02, Riccardo Pelliccioli a écrit :


Hi Fabrice,

many thanks for your answer.

This is clear to me, and I have a local user defined as a "sponsor";
anyway, the problem looks like I'm not able to use the external
source (only in the external source am I able to define
"Sponsor-based registration"); instead, from the logs I can see I'm
still using the "local source" (and then the wrong htpasswd file
defined in the internal sources).


How may I force it to use the external?

Many thanks for your support

BR,

Rick


On 10/6/2016 2:15 AM, Durand fabrice wrote:


Hi Riccardo,

when you create a local user in PacketFence you are able to set
"Mark as sponsor" on this user (define an email address too).


You can't use File1 as a sponsor source since you need to match on
an email address (and in an htpasswd file that's not possible).


Keep in mind that only authentication sources that can contain an
email address are allowed to be used for sponsors (LDAP, AD, local).


Regards

Fabrice



Le 2016-10-05 à 11:46, Riccardo Pelliccioli a écrit :


Hi there,

in the scenario with inline deployment using ZEN appliance 6.2.1
I would like to deploy a self-registration captive portal with 2
options:


 1. Sponsored authentication
 2. SMS authentication

For the sponsored authentication I'm not able to grant
sponsoring privileges to a local user, and in the log file
packetfence.log I have the following messages:


Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key FilterEngine::Profile in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key config::Profiles in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:unknown] Memory configuration is not valid anymore for key resource::authentication_sources in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Memory configuration is not valid anymore for key config::Profiles in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Memory configuration is not valid anymore for key resource::authentication_lookup in local cached_hash (pfconfig::cached::is_valid)
Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] registering  guest through a sponsor (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Sponsor::do_sponsor_registration)
*Oct 05 11:31:42 httpd.portal(2234) INFO: [mac:00:50:56:aa:37:67] Using sources local, file1 for matching (pf::authentication::match)*


file1 looks like a pointer to an htmlaccess file, but I think this
is deprecated due to a specific MySQL table for users (password
table), and I'm also able to see the
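The thread closes on the expiration date: a sponsor user set to expire on 2038-10-03 is reported as "password has expired", and moving it to 2018-10-03 fixes it, but nobody says why. The example below is added here and is not PacketFence code; it shows one mechanism that produces exactly that symptom, offered as an assumption about the cause rather than something the page confirms: 2038-10-03 lies past 2038-01-19T03:14:07Z, the largest value a signed 32-bit time_t can hold, so any component that stores or compares the expiry in 32 bits sees a negative (1902-era) timestamp and treats the password as already expired, while 2018-10-03 fits comfortably. The `password_expired` check is a hypothetical model of "expiration < now", not `pf::password::validate_password`, and the dates are taken from the thread and interpreted as UTC (the thread gives no zone).

```python
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1  # 2038-01-19T03:14:07Z as seconds since the epoch


def epoch_seconds(dt: datetime) -> int:
    """Exact seconds since 1970-01-01T00:00:00Z for a timezone-aware datetime."""
    return int(dt.timestamp())


def to_int32_epoch(dt: datetime) -> int:
    """The value a signed 32-bit time_t would hold for dt: wraps negative past 2038-01-19."""
    secs = epoch_seconds(dt)
    return ((secs + 2**31) % 2**32) - 2**31


def fits_in_32bit(dt: datetime) -> bool:
    """True when the date survives a 32-bit time_t unchanged."""
    return 0 <= epoch_seconds(dt) <= INT32_MAX


def password_expired(expiration: datetime, now: datetime, time_t_bits: int = 64) -> bool:
    """'expiration < now' as an integer comparison, evaluated either exactly (64-bit)
    or after 32-bit truncation. Hypothetical check modelled on the symptom in the
    thread, not PacketFence's own validate_password (assumption)."""
    if time_t_bits == 32:
        return to_int32_epoch(expiration) < to_int32_epoch(now)
    return epoch_seconds(expiration) < epoch_seconds(now)


# Dates from the thread, interpreted as UTC (assumption: the thread gives no zone).
NOW = datetime(2016, 10, 6, 11, 13, 7, tzinfo=timezone.utc)       # time of the log lines
EXP_FAR = datetime(2038, 10, 3, 0, 0, 0, tzinfo=timezone.utc)     # the failing expiry
EXP_NEAR = datetime(2018, 10, 3, 0, 0, 0, tzinfo=timezone.utc)    # the working expiry

if __name__ == "__main__":
    for label, exp in (("2038-10-03", EXP_FAR), ("2018-10-03", EXP_NEAR)):
        print(label,
              "fits 32-bit:", fits_in_32bit(exp),
              "expired (64-bit):", password_expired(exp, NOW),
              "expired (32-bit):", password_expired(exp, NOW, 32))
```

The practical check is `fits_in_32bit`: if an account expiry, certificate validity or token lifetime past January 2038 behaves as "already expired" somewhere in a stack, the 32-bit wrap is the first thing to rule out, and the fix that worked in the thread (pick a date before 2038-01-19) is consistent with it.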

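Fabrice's fix earlier in the thread (a portal profile with a network filter for the inline subnet, carrying the sources you actually want) explains the log line "Using sources local, file1 for matching": with no profile matching the client, PacketFence fell back to the default profile and its sources. The example below is added here and is not PacketFence code: a constructed profiles.conf-style fragment and a small selector that mimics first-matching-profile-wins with `default` as the fallback. The `filter = network:<cidr>` and `sources = ...` key syntax is the PacketFence 6 profile format as I recall it and should be checked against the admin guide for your release; the source names `sponsor_ldap` and `sms` are placeholders.

```python
import configparser
import ipaddress
from typing import List

# Constructed profiles.conf-style fragment (not copied from a PacketFence install).
# Key names follow the PacketFence 6 profile syntax as I recall it; verify against
# the admin guide. Source names are placeholders.
PROFILES_CONF = """
[default]
description = Default portal profile
sources = local,file1

[inline_guests]
description = Self-registration portal for the inline network
filter = network:192.168.0.0/24
sources = sponsor_ldap,sms
"""


def load_profiles(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def _network_filter_matches(filter_value: str, client_ip: str) -> bool:
    """Evaluate a single 'network:<cidr>' filter. Any other filter type is treated
    as not matching (assumption: this toy models network filters only)."""
    kind, _, arg = filter_value.partition(":")
    if kind.strip() != "network":
        return False
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg.strip(), strict=False)


def select_profile(cfg: configparser.ConfigParser, client_ip: str) -> str:
    """First profile in file order whose filter matches wins; 'default' is the
    fallback, which is why a client with no matching profile ends up on the
    default profile's sources."""
    for name in cfg.sections():
        if name == "default":
            continue
        flt = cfg[name].get("filter", "").strip()
        if flt and _network_filter_matches(flt, client_ip):
            return name
    return "default"


def sources_for(cfg: configparser.ConfigParser, client_ip: str) -> List[str]:
    """Authentication sources the selected profile will try, in order."""
    name = select_profile(cfg, client_ip)
    return [s.strip() for s in cfg[name]["sources"].split(",") if s.strip()]


if __name__ == "__main__":
    cfg = load_profiles(PROFILES_CONF)
    for ip in ("192.168.0.42", "10.0.0.5"):
        print(ip, "->", select_profile(cfg, ip), sources_for(cfg, ip))
```

Run against a client on the inline subnet the selector returns the inline profile and its sponsor-capable source; a client outside it falls through to `default` and hits `local,file1`, the exact pair the log reported before the profile was added.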
Re: [PacketFence-users] MSPKI: unfinished request in component post-auth module packetfence

2016-10-07 Thread Marold, Stefan
Hello Antoine,

after using 'bin/pfcmd checkup', I see the following line in packetfence.log:
Oct 07 02:34:19 pfcmd.pl(2179) INFO: Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)

When the user authenticates, I don't see any messages related to
"1:EthernetEAP" in packetfence.log:
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] handling radius autz request: from switch_ip => (172.20.10.118), connection_type => Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [74:2b:62:6d:47:d4], port => 10101, username => "D1527.dorsten.local" (pf::radius::authorize)
Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Oct 07 02:39:58 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] (172.20.10.118) Added VLAN 11 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 07 02:40:00 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Oct 07 02:40:02 httpd.portal(2202) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2037) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Oct 07 02:40:02 httpd.portal(2038) INFO: [mac:[undef]] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)

I also tried to add the following rule, but it seems to have no effect:
[2:EthernetEAP]
scope = NodeInfoForAutoReg
role = default
action = modify_node
action_param = mac = $mac, status = reg, access_duration = 12H, role = default

BTW, does the absence of "EAP-Type => EAP-TLS" in packetfence.log mean the
EAP-Type is not "EAP-TLS"?

Regards
Stefan
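Stefan's last question is really "what does the authorize log line actually carry?" The parser below is an added example, not PacketFence code: it splits a `pf::radius::authorize` "handling radius autz request" line into its `key => value` pairs (values come wrapped in parentheses, square brackets, double quotes, or bare, and one pair in Stefan's line has no space after the comma) and reports whether an EAP-Type field is present. The first sample is the line quoted in his message; the second is constructed, with the `EAP-Type => EAP-TLS` token he refers to appended in the same style, and whether PacketFence logs the EAP type under that key and in that position is an assumption. A `None` result means the key was not logged; whether that implies the session was not EAP-TLS or only that this PacketFence version does not log it is something the page does not settle.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Line quoted in Stefan's message, joined back onto one line.
AUTHZ_LINE = (
    'Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] handling radius '
    'autz request: from switch_ip => (172.20.10.118), connection_type => '
    'Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [74:2b:62:6d:47:d4], '
    'port => 10101, username => "D1527.dorsten.local" (pf::radius::authorize)'
)

# Constructed line (not from the thread): same shape with the "EAP-Type => EAP-TLS"
# token appended in the same key => value style. Key name and position are assumptions.
CONSTRUCTED_TLS_LINE = (
    'Oct 07 02:41:10 httpd.aaa(1754) INFO: [mac:00:11:22:33:44:55] handling radius '
    'autz request: from switch_ip => (172.20.10.118), connection_type => '
    'Ethernet-EAP,switch_mac => (54:4a:00:88:a8:01), mac => [00:11:22:33:44:55], '
    'port => 10102, username => "host/example.dorsten.local", '
    'EAP-Type => EAP-TLS (pf::radius::authorize)'
)

# A non-authorize line from the same log excerpt; the parser must ignore it.
OTHER_LINE = (
    'Oct 07 02:39:57 httpd.aaa(1754) INFO: [mac:74:2b:62:6d:47:d4] Instantiate '
    'profile default (pf::Portal::ProfileFactory::_from_profile)'
)

# key => value, where value is (...), [...], "..." or a bare token up to the next comma/space.
FIELD_RE = re.compile(r'([\w-]+) => (?:\(([^)]*)\)|\[([^\]]*)\]|"([^"]*)"|([^,\s]+))')


def parse_authz_line(line: str) -> Dict[str, str]:
    """Key -> value for every `key => value` pair in an authorize request line;
    empty dict for any other log line."""
    if 'handling radius autz request' not in line:
        return {}
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        # exactly one of the four value groups is set for each match
        value = next(g for g in m.groups()[1:] if g is not None)
        fields[m.group(1)] = value
    return fields


def eap_type(line: str) -> Optional[str]:
    """The logged EAP-Type, or None when the line carries no such field."""
    return parse_authz_line(line).get('EAP-Type')


def summarize(lines: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(mac, connection_type, EAP-Type or None) for each authorize request in a log."""
    out: List[Tuple[str, str, Optional[str]]] = []
    for line in lines:
        f = parse_authz_line(line)
        if f:
            out.append((f.get('mac', '?'), f.get('connection_type', '?'), f.get('EAP-Type')))
    return out


if __name__ == "__main__":
    for mac, conn, eap in summarize([AUTHZ_LINE, OTHER_LINE, CONSTRUCTED_TLS_LINE]):
        print(mac, conn, eap if eap is not None else '(no EAP-Type logged)')
```

Pointed at a real packetfence.log, `summarize` gives one row per RADIUS authorization with the connection type and whatever EAP type was logged, which is the quickest way to see whether a filter keyed on EAP-TLS can ever match on a given version.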

