Nessus scan is still not working correctly. I registered a test laptop. 
Violations 1200001 and 1300003 (my Nessus scan test signature) showed in the 
Violation page. It showed in PacketFence that my laptop registered but I am 
still in Registration VLAN 600, that is fine. I attempted to re-enter the network and 
scan again; both violations are cleared and PacketFence put the laptop in 
Production VLAN 132. Should PacketFence prompt for the violation and leave the 
laptop in the Registration VLAN? By the way, I am testing PacketFence 3.0. Below is the 
PacketFence log and violations.conf.
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=
[1300003]
desc=Check Antivirus Updates
priority=2
url=/remediation.php?template=viruscheck
actions=log,trap,email
trigger=Scan::55119
enabled=Y
vlan=registrationVlan
Sep 28 16:40:32 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ 
/opt/nessus/bin/nessus -q -V -x --dot-nessus 
/usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.1.34.36 
1241 admin <password> --target-file 
/tmp/pf_nessus_192.168.30.20_2011-09-28-16:40:32.txt 
/usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:40:32.nbe
 (pf::scan::runScan)
Sep 28 16:40:43 pfcmd(0) INFO: pfcmd calling violation_delete for 30 
(main::command_param)
Sep 28 16:40:43 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(violation_delete called) (pf::enforcement::reevaluate_access)
Sep 28 16:40:43 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:44 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f 
is 1200001. Target VLAN for violation: registrationVlan (600) 
(pf::vlan::getViolationVlan)
Sep 28 16:40:49 pfcmd(0) INFO: pfcmd calling violation_delete for 31 
(main::command_param)
Sep 28 16:40:49 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(violation_delete called) (pf::enforcement::reevaluate_access)
Sep 28 16:40:49 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:49 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f 
is 1200001. Target VLAN for violation: registrationVlan (600) 
(pf::vlan::getViolationVlan)
Sep 28 16:41:37 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:37 redir.cgi(0) INFO: captive portal redirect to the scan in 
progress page 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-09-28 16:41:46,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-09-28 16:41:46,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10 
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) 
(main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10 
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) 
(main::listen_dhcp)
Sep 28 16:42:04 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, 
mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119 (pf::scan::runScan)
Sep 28 16:42:04 pfcmd(0) INFO: calling '/usr/local/pf/bin/pfcmd violation add 
vid=1300003,mac=00:21:70:90:4e:2f' (trigger scan::55119) 
(pf::violation::violation_trigger)
Sep 28 16:42:05 pfcmd(0) INFO: pfcmd calling violation_add for 
00:21:70:90:4e:2f (main::command_param)
Sep 28 16:42:05 pfcmd(0) INFO: grace expired on violation 1300003 for node 
00:21:70:90:4e:2f (pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: violation 1300003 added for 00:21:70:90:4e:2f 
(pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: executing action 'email' on class 1300003 
(pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: email regarding 'PF Alert: Check Antivirus 
Updates detection on 00:21:70:90:4e:2f' sent to test@local (pf::util::pfmailer)
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'log' on class 1300003 
(pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-09-28 16:42:07: 
Check Antivirus Updates (1300003) detected on node 00:21:70:90:4e:2f (192.168.30.20) 
(pf::action::action_log)
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'trap' on class 1300003 
(pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(violation_add called) (pf::enforcement::reevaluate_access)
Sep 28 16:42:07 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:42:07 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f 
is 1300003. Target VLAN for violation: registrationVlan (600) 
(pf::vlan::getViolationVlan)
Sep 28 16:42:07 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, 
mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220 (pf::scan::runScan)
Sep 28 16:42:07 pfcmd(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 
modified (pf::violation::violation_modify)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1300003, redirect url: /remediation.php?template=viruscheck 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1300003, redirect url: /remediation.php?template=viruscheck 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:52 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage 
vclose 00:21:70:90:4e:2f 1300003 (pf::web::release::handler)
Sep 28 16:42:52 pfcmd(0) INFO: violation 1300003 closed for 00:21:70:90:4e:2f 
(pf::violation::violation_close)
Sep 28 16:42:52 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(manage_vclose called) (pf::enforcement::reevaluate_access)
Sep 28 16:42:52 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:42:53 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f 
is 1200001. Target VLAN for violation: registrationVlan (600) 
(pf::vlan::getViolationVlan)
Sep 28 16:42:53 release.pm(0) INFO: pfcmd manage vclose 00:21:70:90:4e:2f 
1300003 returned 7200 (pf::web::release::handler)
Sep 28 16:42:53 release.pm(0) INFO: 00:21:70:90:4e:2f enabled for 7200 minutes 
(pf::web::release::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1200001, redirect url: /remediation.php?template=system_scan 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on violation vid: 
1200001, redirect url: /remediation.php?template=system_scan 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:57 release.pm(0) INFO: scanning 192.168.30.20 by calling 
/usr/local/pf/bin/pfcmd schedule now 192.168.30.20 1>/dev/null 2>&1 
(pf::web::release::handler)
Sep 28 16:42:57 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 
1200001 modified (pf::violation::violation_modify)
Sep 28 16:42:58 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ 
/opt/nessus/bin/nessus -q -V -x --dot-nessus 
/usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.1.34.36 
1241 admin <password> --target-file 
/tmp/pf_nessus_192.168.30.20_2011-09-28-16:42:58.txt 
/usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:42:58.nbe
 (pf::scan::runScan)
Sep 28 16:44:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:03 redir.cgi(0) INFO: captive portal redirect to the scan in 
progress page 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-09-28 16:44:16,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested an IP. 
DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp 
= 2011-09-28 16:44:16,computername = 2009-8168-03,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10 
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) 
(main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10 
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) 
(main::listen_dhcp)
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, 
mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119 (pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: 7053 grace remaining on violation 1300003 (trigger scan::55119) 
for node 00:21:70:90:4e:2f. Not adding violation. 
(pf::violation::violation_trigger)
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, 
mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220 (pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: Nessus scan did not detect any vulnerabilities on 192.168.30.20 
(pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd manage vclose 
00:21:70:90:4e:2f 1200001 (pf::scan::runScan)
Sep 28 16:44:33 pfcmd(0) INFO: violation 1200001 closed for 00:21:70:90:4e:2f 
(pf::violation::violation_close)
Sep 28 16:44:33 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f 
(manage_vclose called) (pf::enforcement::reevaluate_access)
Sep 28 16:44:33 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 
10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd(0) INFO: MAC: 00:21:70:90:4e:2f, PID: usertest, Status: 
reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:33 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd_vlan for node 
00:21:70:90:4e:2f (current VLAN = 600 but should be in VLAN 132) 
(pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd_vlan(0) INFO: switch port for 00:21:70:90:4e:2f is 
10.1.52.2 ifIndex 10105 connection type: Wired SNMP (main::)
Sep 28 16:44:34 pfcmd(0) WARN: Error trying to run command: 
/usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 called from 
runScan. Child exited with non-zero value 1 (pf::util::pf_run)
Sep 28 16:44:37 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.1.52.2 
(main::parseTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Sep 28 16:44:37 pfsetvlan(1) INFO: reAssignVlan trap received on 10.1.52.2 
ifIndex 10105 (main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: security traps are configured on 10.1.52.2 
ifIndex 10105. Re-assigning VLAN for 00:21:70:90:4e:2f (main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: MAC: 00:21:70:90:4e:2f, PID: testuser, 
Status: reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:37 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
 
 
_______________________________________________
Packetfence-users mailing list
Packetfence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
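The sequence in the posted log, replayed as an added Python model. This is not PacketFence code: it only reproduces the three rules the log lines exhibit (the open violation with the best priority picks the target VLAN; a class that was just closed is not re-added while its grace period is running; a registered node with no open violation falls back to its normal VLAN). The class/dataclass layout, the priority of 1200001 (assumed to inherit priority=4 from [defaults], since its stanza is not on the page) and the "lower number wins" ordering are assumptions inferred from the log; the VLAN IDs 600 and 132, the grace of 7200 seconds and the timestamps are taken from it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumption: grace=120m in [defaults]; the log shows vclose returning 7200 (seconds).
GRACE_SECONDS = 120 * 60


@dataclass(frozen=True)
class ViolationClass:
    vid: int
    desc: str
    priority: int   # assumption: lower number = higher priority (1300003 at 2 outranked 1200001)
    vlan: str       # target VLAN name as written in violations.conf


# 1200001 is the system-scan class; its priority is not on the page (assumed 4 from [defaults]).
# 1300003 is the poster's own Nessus test class (priority=2, vlan=registrationVlan).
CLASSES = {
    1200001: ViolationClass(1200001, "System Scan", 4, "registrationVlan"),
    1300003: ViolationClass(1300003, "Check Antivirus Updates", 2, "registrationVlan"),
}
VLAN_IDS = {"registrationVlan": 600}   # the only name->ID mapping visible in the log


@dataclass
class Node:
    mac: str
    status: str = "reg"                 # fetchVlanForNode returned 132 for "Status: reg"
    normal_vlan: int = 132              # Production VLAN from the log
    open_vids: Set[int] = field(default_factory=set)
    grace_until: Dict[int, int] = field(default_factory=dict)   # vid -> seconds-of-day


def hms(t: str) -> int:
    """'16:42:52' -> seconds since midnight, so log timestamps can be replayed."""
    h, m, s = (int(x) for x in t.split(":"))
    return h * 3600 + m * 60 + s


def trigger(node: Node, vid: int, now: int) -> str:
    """Model of violation_trigger/violation_add as the log describes it."""
    if vid in node.open_vids:
        return "modified"                              # "violation ... vid 1200001 modified"
    left = node.grace_until.get(vid, 0) - now
    if left > 0:
        return f"not added ({left} grace remaining)"   # "... grace remaining ... Not adding violation."
    node.open_vids.add(vid)
    return "added"                                     # "grace expired on violation ... added"


def close(node: Node, vid: int, now: int) -> None:
    """Model of 'pfcmd manage vclose': close the violation and start its grace timer."""
    node.open_vids.discard(vid)
    node.grace_until[vid] = now + GRACE_SECONDS


def target_vlan(node: Node) -> int:
    """getViolationVlan when a violation is open, otherwise fetchVlanForNode."""
    if node.open_vids:
        top = min((CLASSES[v] for v in node.open_vids), key=lambda c: c.priority)
        return VLAN_IDS[top.vlan]
    return node.normal_vlan if node.status == "reg" else VLAN_IDS["registrationVlan"]


def replay() -> List[Tuple[str, str, int]]:
    """Replay the posted events; returns (time, event, VLAN the node should be in afterwards)."""
    node = Node("00:21:70:90:4e:2f")
    node.open_vids.add(1200001)                   # system-scan violation already open at 16:40
    steps = [
        ("16:42:05", "trigger", 1300003),         # Nessus plugin 55119 hit -> added
        ("16:42:07", "trigger", 1200001),         # scan class hit again -> modified
        ("16:42:52", "close",   1300003),         # user pressed "Enable Network" on the portal
        ("16:44:32", "trigger", 1300003),         # rescan hits 55119 again, inside grace
        ("16:44:32", "close",   1200001),         # plugin 34220 found nothing -> vclose 1200001
    ]
    trace: List[Tuple[str, str, int]] = []
    for t, op, vid in steps:
        now = hms(t)
        if op == "trigger":
            result = trigger(node, vid, now)
        else:
            close(node, vid, now)
            result = "closed"
        trace.append((t, f"{op} {vid}: {result}", target_vlan(node)))
    return trace


if __name__ == "__main__":
    for row in replay():
        print(*row)
```

Running the replay gives VLAN 600 for every step until the last one: once 1300003 has been closed from the portal and the rescan reports no hit for 34220, 1200001 is closed as well, no violation remains open, and the registered node's normal VLAN (132) is returned. The second 55119 hit is suppressed only because it lands inside the 7200-second grace window started by the earlier close; after that window the same finding would reopen 1300003.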
