Hi Andy,

It looks like the grace config is not right. In your Antivirus violation, can you try setting auto_enable=N? That should kick out the grace.


On 11-09-28 7:09 PM, andy nguyen wrote:
The Nessus scan is still not working correctly. I registered a test laptop. Violations 1200001 and 1300003 (my Nessus scan test signature) showed in the Violation page. PacketFence showed that my laptop registered, but I am still in the Register VLAN 600, which is fine. I attempted to re-enter the network and scan again; both violations are cleared and PacketFence put the laptop in the Production VLAN 132. Should PacketFence have prompted for the violation and left the laptop in the Registration VLAN? By the way, I am testing PacketFence 3.0. Below are the packetfence log and violations.conf.
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=
[1300003]
desc=Check Antivirus Updates
priority=2
url=/remediation.php?template=viruscheck
actions=log,trap,email
trigger=Scan::55119
enabled=Y
vlan=registrationVlan

Sep 28 16:40:32 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.1.34.36 1241 admin <password> --target-file /tmp/pf_nessus_192.168.30.20_2011-09-28-16:40:32.txt /usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:40:32.nbe (pf::scan::runScan)
Sep 28 16:40:43 pfcmd(0) INFO: pfcmd calling violation_delete for 30 (main::command_param)
Sep 28 16:40:43 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (violation_delete called) (pf::enforcement::reevaluate_access)
Sep 28 16:40:43 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:44 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:40:49 pfcmd(0) INFO: pfcmd calling violation_delete for 31 (main::command_param)
Sep 28 16:40:49 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (violation_delete called) (pf::enforcement::reevaluate_access)
Sep 28 16:40:49 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:49 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:41:37 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:37 redir.cgi(0) INFO: captive portal redirect to the scan in progress page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-09-28 16:41:46,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-09-28 16:41:46,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10 (00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) (main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10 (00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) (main::listen_dhcp)
Sep 28 16:42:04 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119 (pf::scan::runScan)
Sep 28 16:42:04 pfcmd(0) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=1300003,mac=00:21:70:90:4e:2f' (trigger scan::55119) (pf::violation::violation_trigger)
Sep 28 16:42:05 pfcmd(0) INFO: pfcmd calling violation_add for 00:21:70:90:4e:2f (main::command_param)
Sep 28 16:42:05 pfcmd(0) INFO: grace expired on violation 1300003 for node 00:21:70:90:4e:2f (pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: violation 1300003 added for 00:21:70:90:4e:2f (pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: executing action 'email' on class 1300003 (pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: email regarding 'PF Alert: Check Antivirus Updates detection on 00:21:70:90:4e:2f' sent to test@local (pf::util::pfmailer)
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'log' on class 1300003 (pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-09-28 16:42:07: Check Antivirus Updates (1300003) detected on node 00:21:70:90:4e:2f (192.168.30.20) (pf::action::action_log)
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'trap' on class 1300003 (pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (violation_add called) (pf::enforcement::reevaluate_access)
Sep 28 16:42:07 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:42:07 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1300003. Target VLAN for violation: registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:42:07 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220 (pf::scan::runScan)
Sep 28 16:42:07 pfcmd(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on violation vid: 1300003, redirect url: /remediation.php?template=viruscheck (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on violation vid: 1300003, redirect url: /remediation.php?template=viruscheck (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:52 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1300003 (pf::web::release::handler)
Sep 28 16:42:52 pfcmd(0) INFO: violation 1300003 closed for 00:21:70:90:4e:2f (pf::violation::violation_close)
Sep 28 16:42:52 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_vclose called) (pf::enforcement::reevaluate_access)
Sep 28 16:42:52 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:42:53 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:42:53 release.pm(0) INFO: pfcmd manage vclose 00:21:70:90:4e:2f 1300003 returned 7200 (pf::web::release::handler)
Sep 28 16:42:53 release.pm(0) INFO: 00:21:70:90:4e:2f enabled for 7200 minutes (pf::web::release::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:57 release.pm(0) INFO: scanning 192.168.30.20 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.30.20 1>/dev/null 2>&1 (pf::web::release::handler)
Sep 28 16:42:57 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Sep 28 16:42:58 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.1.34.36 1241 admin <password> --target-file /tmp/pf_nessus_192.168.30.20_2011-09-28-16:42:58.txt /usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:42:58.nbe (pf::scan::runScan)
Sep 28 16:44:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:03 redir.cgi(0) INFO: captive portal redirect to the scan in progress page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-09-28 16:44:16,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-09-28 16:44:16,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10 (00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) (main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10 (00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20) (main::listen_dhcp)
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119 (pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: 7053 grace remaining on violation 1300003 (trigger scan::55119) for node 00:21:70:90:4e:2f. Not adding violation. (pf::violation::violation_trigger)
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip: 192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220 (pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: Nessus scan did not detect any vulnerabilities on 192.168.30.20 (pf::scan::runScan)
Sep 28 16:44:32 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 (pf::scan::runScan)
Sep 28 16:44:33 pfcmd(0) INFO: violation 1200001 closed for 00:21:70:90:4e:2f (pf::violation::violation_close)
Sep 28 16:44:33 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_vclose called) (pf::enforcement::reevaluate_access)
Sep 28 16:44:33 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.1.52.2 ifIndex 10105 in VLAN 600 (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd(0) INFO: MAC: 00:21:70:90:4e:2f, PID: usertest, Status: reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:33 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd_vlan for node 00:21:70:90:4e:2f (current VLAN = 600 but should be in VLAN 132) (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd_vlan(0) INFO: switch port for 00:21:70:90:4e:2f is 10.1.52.2 ifIndex 10105 connection type: Wired SNMP (main::)
Sep 28 16:44:34 pfcmd(0) WARN: Error trying to run command: /usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 called from runScan. Child exited with non-zero value 1 (pf::util::pf_run)
Sep 28 16:44:37 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.1.52.2 (main::parseTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Sep 28 16:44:37 pfsetvlan(1) INFO: reAssignVlan trap received on 10.1.52.2 ifIndex 10105 (main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: security traps are configured on 10.1.52.2 ifIndex 10105. Re-assigning VLAN for 00:21:70:90:4e:2f (main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: MAC: 00:21:70:90:4e:2f, PID: testuser, Status: reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:37 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)



------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1


_______________________________________________
Packetfence-users mailing list
Packetfence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
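Added example, not part of either message above and not PacketFence code: a small Python model of the two decisions the posted log makes visible. First, the captive portal's release handler closes violation 1300003 (the "pfcmd manage vclose" line at 16:42:52); second, when Nessus fires Scan::55119 again at 16:44:32, violation_trigger refuses to re-add it because grace has not run out ("7053 grace remaining ... Not adding violation"), so nothing keeps the node in registrationVlan and it falls through to VLAN 132. The config text is a constructed copy of the violations.conf fragment in the thread; the timestamps are copied from the log. Assumptions are labelled in comments: the duration-suffix parsing, that grace is counted from the time the violation was added (which reproduces the 7053 figure: 7200 s minus the 147 s between 16:42:05 and 16:44:32), and that auto_enable=Y is what lets the user close the violation from the portal while auto_enable=N does not.

```python
import configparser
from datetime import datetime

# Constructed copy of the violations.conf fragment posted in the thread
# (comment lines dropped). [defaults] is inherited by every violation section.
VIOLATIONS_CONF = """\
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
button_text=Enable Network
vlan=isolationVlan
whitelisted_categories=

[1300003]
desc=Check Antivirus Updates
priority=2
url=/remediation.php?template=viruscheck
actions=log,trap,email
trigger=Scan::55119
enabled=Y
vlan=registrationVlan
"""

# Timestamps copied from the posted packetfence.log.
T_ADDED = datetime(2011, 9, 28, 16, 42, 5)     # "violation 1300003 added"
T_RELEASE = datetime(2011, 9, 28, 16, 42, 52)  # release.pm calls "pfcmd manage vclose ... 1300003"
T_RESCAN = datetime(2011, 9, 28, 16, 44, 32)   # second "violation_trigger ... Nessus ScanID: 55119"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """'120m' -> 7200 seconds. The suffix table is this example's own assumption."""
    value = value.strip().lower()
    if value and value[-1] in _UNITS:
        return int(value[:-1]) * _UNITS[value[-1]]
    return int(value)


def load_violations(text):
    """Parse violations.conf; [defaults] plays configparser's DEFAULT role."""
    cp = configparser.ConfigParser(default_section="defaults", interpolation=None)
    cp.read_string(text)
    return cp


def grace_remaining(added_at, now, grace_seconds):
    """Seconds of grace left, counted from when the violation was added
    (assumption; it reproduces the log's 7053). <= 0 means it may be re-added."""
    return grace_seconds - int((now - added_at).total_seconds())


def simulate(conf, vid, auto_enable=None):
    """Replay the thread's timeline for one violation id -> (events, target_vlan).

    auto_enable overrides the configured value so Y and N can be compared.
    Assumed semantics: with Y the portal's "Enable Network" button closes the
    violation; with N the user cannot self-close it.
    """
    section = conf[vid]
    grace_seconds = parse_duration(section["grace"])
    self_release = (auto_enable or section["auto_enable"]).upper() == "Y"

    events = [("added", T_ADDED)]
    is_open = True
    if self_release:
        is_open = False
        events.append(("closed_by_user", T_RELEASE))
    else:
        events.append(("release_refused", T_RELEASE))

    if is_open:
        events.append(("rescan_hit_while_open", T_RESCAN))
    else:
        left = grace_remaining(T_ADDED, T_RESCAN, grace_seconds)
        if left > 0:
            # Mirrors "7053 grace remaining ... Not adding violation."
            events.append(("suppressed_by_grace", left))
        else:
            is_open = True
            events.append(("re_added", T_RESCAN))

    # With no open violation the node gets its normal VLAN (the log's
    # "Returned VLAN: 132"); otherwise the violation's VLAN wins.
    target = section["vlan"] if is_open else "normalVlan"
    return events, target


if __name__ == "__main__":
    conf = load_violations(VIOLATIONS_CONF)
    for mode in ("Y", "N"):
        events, vlan = simulate(conf, "1300003", auto_enable=mode)
        print(f"auto_enable={mode}: {events} -> {vlan}")
```

Running it with auto_enable=Y reproduces the thread: the user closes the violation, the rescan is swallowed by the 7053 s of remaining grace, and the node lands in the normal VLAN. With auto_enable=N the violation stays open through the rescan and the node stays in registrationVlan, which is the behaviour the original question was asking for.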
