Re: [PacketFence-users] Security Onion alerts not triggering
Hi,

I do have a security onion parser, however I'm not running the maintenance branch as this is a production system. I'm guessing I'm hitting the issue that Julien said is fixed in the maintenance branch.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 17:20
To: Morris, Andi <amor...@cardiffmet.ac.uk>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

Hi,

I created a unit test (https://github.com/inverse-inc/packetfence/pull/1759) and can validate that the "security_onion" syslog parser still works correctly directly from the log you previously gave, and that the "detect" violation trigger still works fine and fires on parsed SIDs.

Clarifications from previous post:

The "detect" violation trigger serves to test upon unified Snort/Suricata/SecurityOnion outputs and find the SID part of the message extracted from the different syslog parsers configured on your system.

The "suricata_event" violation trigger serves to test upon unified Snort/Suricata/SecurityOnion outputs and find the "message" part of the message extracted from the different syslog parsers configured on your system.

Can you validate that you have a "security_onion" syslog parser configured in the GUI, as defined in section 13.1.3 here: https://packetfence.org/doc/PacketFence_Administration_Guide.html#_blocking_malicious_activities_with_violations

Else I cannot understand why your usage of the "detect" violation trigger was not working previously if you have run the maintenance. I'm glad it works, though.

Thierry

On 10/13/2016 10:04 AM, Thierry Laurion wrote:

I investigated a little more with my coworker and you seem to have found a bug! :) You should be able to use the detect trigger with SIDs if the SecurityOnion syslog parser is activated, which seems to be the case. I will return to you once it is fixed; it seems that SecurityOnion changed its format or something! I will reply to the list when done.

Thanks for reporting.

Thierry

On 10/13/2016 09:48 AM, Morris, Andi wrote:

Apologies, I thought I did. I didn't mean to email you directly. I'll update the list now.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 13 October 2016 14:47
To: Morris, Andi <amor...@cardiffmet.ac.uk>
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

My pleasure! You should write that to the list, so that the whole community knows it worked.

Thanks,

On 10/13/2016 05:44 AM, Morris, Andi wrote:

Thanks Thierry, this fixed my issue.

Cheers,
Andi

From: Thierry Laurion [mailto:tlaur...@inverse.ca]
Sent: 07 October 2016 18:09
To: packetfence-users@lists.sourceforge.net
Cc: Morris, Andi <amor...@cardiffmet.ac.uk>
Subject: Re: [PacketFence-users] Security Onion alerts not triggering

Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata generated "alert" logs, which have a different format than the "digested" logs of SecurityOnion. As an example, here is the kind of log that Suricata and Snort generate when in "alert" mode:

'07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'

You should use "suricata_event" triggers in your SecurityOnion related violations, which match text and are more generic. Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". That would be a broader match and would also generate a violation for the following SIDs:

sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || url,doc.emergingthreats.net/2010144 || url,vuze.com

Regards,
Thierry Laurion

An update, I'm now getting the alerts hitting pfdetect, but they're still not triggering the violation with the same ID.

pfdetect.log shows:

Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct 7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921) Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92 ' (main::_run_detector)

The relevant section of violation.conf is:

[
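As an added illustration of the two trigger types discussed in this thread (my own Python model, not PacketFence's pfdetect or its syslog parsers), the code below normalises the Suricata "alert" line and the Security Onion line quoted above to a SID and a message, then evaluates violation.conf triggers against them. The regexes are simplifications I assume, the substring rule for "suricata_event" is an assumption, and violation 154 is a constructed stanza showing the text-matching trigger Thierry proposed.

```python
import configparser
import re

# Constructed sample input, with values taken from the thread: a Snort/Suricata
# "alert" line (Thierry's example) and the Security Onion line from pfdetect.log.
SURICATA_ALERT = (
    "07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request field "
    "missing colon [**] [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000"
)
SO_ALERT = (
    "Oct 7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921) Alert "
    "Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 "
    "173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 "
    "65344 1 2010140 6 92 92"
)
# Violation 153 as posted, plus a constructed 154 using the text-matching trigger.
VIOLATION_CONF = """
[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
desc=P2P Vuze
enabled=Y

[154]
trigger=suricata_event::ET P2P Vuze BT UDP Connection
actions=email_admin,reevaluate_access,log
desc=P2P Vuze (text match)
enabled=Y
"""

# Snort/Suricata fast-alert layout: "[**] [gid:sid:rev] message [**]".
SNORT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]")
# Security Onion layout, as my own simplified regex (not PacketFence's
# security_onion parser): "{message} src dst proto sport dport gid sid rev ...".
SO_RE = re.compile(
    r"\{(?P<msg>[^}]*)\} (?P<src>\S+) (?P<dst>\S+) \d+ \d+ \d+ \d+ (?P<sid>\d+) \d+"
)
ALL_PARSERS = (SNORT_RE, SO_RE)


def parse_alert(line, parsers=ALL_PARSERS):
    """Normalise a syslog line to {'sid', 'message'} with the configured parsers;
    None when no parser recognises it, in which case no trigger can fire."""
    for pattern in parsers:
        m = pattern.search(line)
        if m:
            return {"sid": m.group("sid"), "message": m.group("msg")}
    return None


def trigger_matches(trigger, alert):
    """detect::SID compares the numeric SID; suricata_event::TEXT matches the
    message text (a substring rule, assumed, which also catches the "(2)".."(5)"
    variants listed in sid-msg.map)."""
    kind, _, value = trigger.partition("::")
    if kind == "detect":
        return alert["sid"] == value
    if kind == "suricata_event":
        return value in alert["message"]
    raise ValueError(f"unsupported trigger type: {kind}")


def matching_violations(conf_text, line, parsers=ALL_PARSERS):
    """IDs of enabled violations whose trigger fires for one syslog line."""
    conf = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    conf.read_string(conf_text)
    alert = parse_alert(line, parsers)
    if alert is None:
        return []
    return [vid for vid in conf.sections()
            if conf[vid].get("enabled") == "Y"
            and trigger_matches(conf[vid]["trigger"], alert)]
```

Calling `matching_violations(VIOLATION_CONF, SO_ALERT)` with both parsers returns both 153 and 154, while passing `parsers=(SNORT_RE,)` returns nothing: without a parser that understands the Security Onion layout, no SID is extracted and neither trigger type can fire, which is the check Thierry asks for.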
Re: [PacketFence-users] Security Onion alerts not triggering
Thanks Thierry, this fixed my issue.

Cheers,
Andi
Re: [PacketFence-users] Security Onion alerts not triggering
Hi,

The "detect" trigger matches numerical SIDs found in Snort and Suricata generated "alert" logs, which have a different format than the "digested" logs of SecurityOnion. As an example, here is the kind of log that Suricata and Snort generate when in "alert" mode:

'07/28/2015-09:09:59.431113 [**] [1:2221002:1] SURICATA HTTP request field missing colon [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.220.10.186:44196 -> 199.167.22.51:8000'

You should use "suricata_event" triggers in your SecurityOnion related violations, which match text and are more generic. Modify the violation 153 for it to match "ET P2P Vuze BT UDP Connection". That would be a broader match and would also generate a violation for the following SIDs:

sid-msg.map:2010140 || ET P2P Vuze BT UDP Connection || url,doc.emergingthreats.net/2010140 || url,vuze.com
sid-msg.map:2010141 || ET P2P Vuze BT UDP Connection (2) || url,doc.emergingthreats.net/2010141 || url,vuze.com
sid-msg.map:2010142 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142
sid-msg.map:2010143 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143
sid-msg.map:2010144 || ET P2P Vuze BT UDP Connection (5) || url,doc.emergingthreats.net/2010144 || url,vuze.com

Regards,
Thierry Laurion
Re: [PacketFence-users] Security Onion alerts not triggering
Make sure you apply the maintenance branch (/usr/local/pf/addons/pf-maint.pl) as it contains fixes to a similar issue.

Regards,
- Julien
Re: [PacketFence-users] Security Onion alerts not triggering
An update, I'm now getting the alerts hitting pfdetect, but they're still not triggering the violation with the same ID.

pfdetect.log shows:

Oct 07 15:23:40 pfdetect(11814) INFO: alert received: 'Oct 7 14:23:40 idsman01 securityonion_ids: 14:23:40 pid(24921) Alert Received: 0 1 policy-violation idshalls01-eth0-7 {2016-10-07 14:23:39} 21 173773 {ET P2P Vuze BT UDP Connection} 10.6.198.173 24.122.228.33 17 10600 65344 1 2010140 6 92 92 ' (main::_run_detector)

The relevant section of violation.conf is:

[153]
trigger=detect::2010140
actions=email_admin,reevaluate_access,log
max_enable=10
desc=P2P Vuze
enabled=Y
template=p2p
grace=2h

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 07 October 2016 14:56
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Security Onion alerts not triggering

Hi all,

I have configured my security onion server to send alerts to my packetfence server (version 6.2.1), and I can see that they're getting there through TCPdump.