Hi,

On 06/09/11 7:10 PM, andy nguyen wrote:
> Hi,
> Does anyone know how the pfdetect-remote snort sensor works? I have installed
> packetfence-remote-snort sensor 2.2.1-1 on my snort sensor 2.9.0.4
> (OpenBSD 4.8). I have created a test rule on snort to alert on ICMP
> packets. I have configured server, user & password in the pfdetec.cfg
> file. I can see that pfdetect_remote found alerts but didn't send the alert
> to the packetfence server. Any ideas???
>
> /var/log/messages [...]
> Sep 6 14:56:43 snort_ctp pfdetect_remote: alert received: Sep 6 14:56:41 snort_ctp snort: [1:2000001:1] Got an ICMP Packet [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.0.10.21 -> 10.0.10.11
> Sep 6 14:56:43 snort_ctp pfdetect_remote: unknown input: Sep 6 14:56:41 snort_ctp snort: [1:2000001:1] Got an ICMP Packet [Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.0.10.21 -> 10.0.10.11
>
> This is my pfdetect_remote.conf
> user = admin
> password =****
> host = 10.0.10.10:1443
>
I think Snort changed its alert syntax in 2.9.x, because looking at the code I see that it's not parsed properly by our parser:

    syslog("info", "alert received: $currentLine");
    if ($currentLine =~ /^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}/) {
        $date  = $1;
        $sid   = $2;
        $descr = $3;
        $srcip = $4;
        $dstip = $6;
        [...]
    } else {
        syslog("warning", "unknown input: $currentLine ");
        next;
    }

See? "alert received", then "unknown input", just like in your logs.

If your regexp fu is strong, you can fix it and give us the patch :)

In any case you should file a ticket in the issue tracker: packetfence.org/bugs

-- 
Olivier Bilodeau
obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
Packetfence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
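To make the parsing problem concrete, here is an added illustration (written for this page, not code from pfdetect_remote or PacketFence, and not a patch against them) in Python rather than the tool's Perl. It transcribes the regex quoted in the reply and runs it against the syslog alert line from the original post, then shows a pattern that accepts both that syslog form and the alert_fast form with the literal "[**]" markers, using the "[Classification: ...]" / "[Priority: N]" / "{PROTO}" fields that follow the message as anchors. The alert_fast and TCP sample lines are constructed for the example; only the ICMP syslog line comes from the thread.

```python
"""Parse Snort alert lines in the syslog form seen in this thread and in alert_fast form.

Illustration for the mailing-list thread; not pfdetect_remote's code. Two of the
three sample lines below are constructed; the first is the one quoted in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# From the original post (user's /var/log/messages): no "[**]" marker anywhere.
SYSLOG_LINE = (
    "Sep 6 14:56:41 snort_ctp snort: [1:2000001:1] Got an ICMP Packet "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.0.10.21 -> 10.0.10.11"
)
# Constructed: the same alert as Snort's alert_fast output would render it.
FAST_LINE = (
    "09/06-14:56:41.123456 [**] [1:2000001:1] Got an ICMP Packet [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.0.10.21 -> 10.0.10.11"
)
# Constructed: a syslog-form TCP alert carrying source and destination ports.
TCP_LINE = (
    "Sep 6 14:57:02 snort_ctp snort: [1:1000002:2] Constructed TCP test "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.10.21:51234 -> 10.0.10.11:22"
)

# The pattern quoted in the reply, transcribed from Perl to Python syntax. It
# requires a literal "[**]" before "[gid:sid:rev]", which the syslog form lacks.
LEGACY_RE = re.compile(
    r"^(.+?)\s+\[\*\*\]\s+\[\d+:(\d+):\d+\]\s+(.+?)\s+.+?"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}\s+\-\>\s+"
    r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+){0,1}"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Replacement pattern (an assumption about what a fix could look like): "[**]" is
# optional in both places, and the message is delimited by the bracketed fields
# that follow it instead of by a lazy match up to the first IP address.
ALERT_RE = re.compile(
    r"^(?P<prefix>.+?)\s+"                                  # timestamp (+ syslog host/tag)
    r"(?:\[\*\*\]\s+)?"                                     # alert_fast marker, absent in syslog
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<descr>.+?)\s+"                                    # full rule message
    r"(?:\[\*\*\]\s+)?"                                     # alert_fast repeats the marker here
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"  # absent when rule has no classtype
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    rf"(?P<srcip>{IPV4})(?::(?P<srcport>\d+))?\s+->\s+"
    rf"(?P<dstip>{IPV4})(?::(?P<dstport>\d+))?"
)


def legacy_parses(line: str) -> bool:
    """True if the regex quoted in the reply accepts the line."""
    return LEGACY_RE.match(line) is not None


def legacy_descr(line: str) -> Optional[str]:
    """What the quoted regex puts in $descr (its third capture group)."""
    m = LEGACY_RE.match(line)
    return m.group(3) if m else None


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one alert line with the replacement pattern; None if it does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def triage(lines: List[str]) -> Tuple[List[Dict[str, Optional[str]]], List[str]]:
    """Mirror the two branches in the reply: parsed alerts vs. 'unknown input' lines."""
    parsed: List[Dict[str, Optional[str]]] = []
    unknown: List[str] = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unknown.append(line)          # pfdetect_remote logs these as "unknown input"
        else:
            parsed.append(rec)
    return parsed, unknown


if __name__ == "__main__":
    for sample in (SYSLOG_LINE, FAST_LINE, TCP_LINE):
        print("legacy regex matches:", legacy_parses(sample))
        print("replacement parse:  ", parse_alert(sample))
```

Two things the run makes visible. The quoted pattern rejects the syslog line outright, which is exactly the "alert received" followed by "unknown input" pair in the poster's log. It also accepts the alert_fast line but, because `(.+?)\s+.+?` is lazy, stores only the first word of the rule message ("Got") in `$descr`; anchoring the message on the `[Classification: ...]` and `[Priority: N]` fields fixes both problems at once. Any Perl patch submitted against pfdetect_remote should be tested against both output formats, since a sensor can be configured for either.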