Hi Andy,
It looks like the grace config is not right. In your Antivirus
violation, can you try setting auto_enable=N? That should kick out the
grace.
On 11-09-28 7:09 PM, andy nguyen wrote:
Nessus scan is still not working correctly. I registered a test
laptop. Violations 1200001 and 1300003 (my Nessus scan test signature)
showed in the Violation page. It showed in PacketFence that my laptop
registered but I am still in Register VLAN 600, that is fine. I
attempted to re-enter the network and scan again, both violations are cleared
and PacketFence put the laptop in Production VLAN 132. Should
PacketFence have prompted for the violation and left the laptop at the Registration
VLAN? By the way, I am testing PacketFence 3.0. Below are the PacketFence
log and violations.conf.
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
# customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan
# if you add a category here, nodes in these categories will be immune to the violation
whitelisted_categories=
[1300003]
desc=Check Antivirus Updates
priority=2
url=/remediation.php?template=viruscheck
actions=log,trap,email
trigger=Scan::55119
enabled=Y
vlan=registrationVlan
Sep 28 16:40:32 pfcmd(0) INFO: executing
HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x
--dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name
RemoteScan 10.1.34.36 1241 admin <password> --target-file
/tmp/pf_nessus_192.168.30.20_2011-09-28-16:40:32.txt
/usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:40:32.nbe
(pf::scan::runScan)
Sep 28 16:40:43 pfcmd(0) INFO: pfcmd calling violation_delete for 30
(main::command_param)
Sep 28 16:40:43 pfcmd(0) INFO: re-evaluating access for node
00:21:70:90:4e:2f (violation_delete called)
(pf::enforcement::reevaluate_access)
Sep 28 16:40:43 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.1.52.2 ifIndex 10105 in VLAN 600
(pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:44 pfcmd(0) INFO: highest priority violation for
00:21:70:90:4e:2f is 1200001. Target VLAN for violation:
registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:40:49 pfcmd(0) INFO: pfcmd calling violation_delete for 31
(main::command_param)
Sep 28 16:40:49 pfcmd(0) INFO: re-evaluating access for node
00:21:70:90:4e:2f (violation_delete called)
(pf::enforcement::reevaluate_access)
Sep 28 16:40:49 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.1.52.2 ifIndex 10105 in VLAN 600
(pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:40:49 pfcmd(0) INFO: highest priority violation for
00:21:70:90:4e:2f is 1200001. Target VLAN for violation:
registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:41:37 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:37 redir.cgi(0) INFO: captive portal redirect to the scan
in progress page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-09-28 16:41:46,computername =
2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-09-28 16:41:46,computername =
2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20)
(main::listen_dhcp)
Sep 28 16:41:46 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20)
(main::listen_dhcp)
Sep 28 16:42:04 pfcmd(0) INFO: calling violation_trigger for ip:
192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119
(pf::scan::runScan)
Sep 28 16:42:04 pfcmd(0) INFO: calling '/usr/local/pf/bin/pfcmd
violation add vid=1300003,mac=00:21:70:90:4e:2f' (trigger scan::55119)
(pf::violation::violation_trigger)
Sep 28 16:42:05 pfcmd(0) INFO: pfcmd calling violation_add for
00:21:70:90:4e:2f (main::command_param)
Sep 28 16:42:05 pfcmd(0) INFO: grace expired on violation 1300003 for
node 00:21:70:90:4e:2f (pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: violation 1300003 added for
00:21:70:90:4e:2f (pf::violation::violation_add)
Sep 28 16:42:05 pfcmd(0) INFO: executing action 'email' on class
1300003 (pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: email regarding 'PF Alert: Check
Antivirus Updates detection on 00:21:70:90:4e:2f' sent to test@local
(pf::util::pfmailer)
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'log' on class 1300003
(pf::action::action_execute)
*
Sep 28 16:42:07 pfcmd(0) INFO: /usr/local/pf/logs/violation.log
2011-09-28 16:42:07: Check Antivirus Updates (1300003) detected on
node 00:21:70:90:4e:2f (192.168.30.20) (pf::action::action_log)
*
Sep 28 16:42:07 pfcmd(0) INFO: executing action 'trap' on class
1300003 (pf::action::action_execute)
Sep 28 16:42:07 pfcmd(0) INFO: re-evaluating access for node
00:21:70:90:4e:2f (violation_add called)
(pf::enforcement::reevaluate_access)
Sep 28 16:42:07 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.1.52.2 ifIndex 10105 in VLAN 600
(pf::enforcement::_should_we_reassign_vlan)
*
Sep 28 16:42:07 pfcmd(0) INFO: highest priority violation for
00:21:70:90:4e:2f is 1300003. Target VLAN for violation:
registrationVlan (600) (pf::vlan::getViolationVlan)
*
Sep 28 16:42:07 pfcmd(0) INFO: calling violation_trigger for ip:
192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220
(pf::scan::runScan)
Sep 28 16:42:07 pfcmd(0) INFO: violation for mac 00:21:70:90:4e:2f vid
1200001 modified (pf::violation::violation_modify)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1300003, redirect url:
/remediation.php?template=viruscheck
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:46 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1300003, redirect url:
/remediation.php?template=viruscheck
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:52 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd
manage vclose 00:21:70:90:4e:2f 1300003 (pf::web::release::handler)
Sep 28 16:42:52 pfcmd(0) INFO: violation 1300003 closed for
00:21:70:90:4e:2f (pf::violation::violation_close)
Sep 28 16:42:52 pfcmd(0) INFO: re-evaluating access for node
00:21:70:90:4e:2f (manage_vclose called)
(pf::enforcement::reevaluate_access)
Sep 28 16:42:52 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.1.52.2 ifIndex 10105 in VLAN 600
(pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:42:53 pfcmd(0) INFO: highest priority violation for
00:21:70:90:4e:2f is 1200001. Target VLAN for violation:
registrationVlan (600) (pf::vlan::getViolationVlan)
Sep 28 16:42:53 release.pm(0) INFO: pfcmd manage vclose
00:21:70:90:4e:2f 1300003 returned 7200 (pf::web::release::handler)
Sep 28 16:42:53 release.pm(0) INFO: 00:21:70:90:4e:2f enabled for 7200
minutes (pf::web::release::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1200001, redirect url:
/remediation.php?template=system_scan
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:53 redir.cgi(0) INFO: captive portal redirect on
violation vid: 1200001, redirect url:
/remediation.php?template=system_scan
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:42:57 release.pm(0) INFO: scanning 192.168.30.20 by calling
/usr/local/pf/bin/pfcmd schedule now 192.168.30.20 1>/dev/null 2>&1
(pf::web::release::handler)
Sep 28 16:42:57 release.pm(0) INFO: violation for mac
00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Sep 28 16:42:58 pfcmd(0) INFO: executing
HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x
--dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name
RemoteScan 10.1.34.36 1241 admin <password> --target-file
/tmp/pf_nessus_192.168.30.20_2011-09-28-16:42:58.txt
/usr/local/pf/html/admin/scan/results/dump_192.168.30.20_2011-09-28-16:42:58.nbe
(pf::scan::runScan)
Sep 28 16:44:03 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:03 redir.cgi(0) INFO: captive portal redirect to the scan
in progress page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: 00:21:70:90:4e:2f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-09-28 16:44:16,computername =
2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: 00:21:70:90:4e:2f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-09-28 16:44:16,computername =
2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9681) INFO: DHCPACK from 10.1.12.10
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20)
(main::listen_dhcp)
Sep 28 16:44:16 pfdhcplistener(9640) INFO: DHCPACK from 10.1.12.10
(00:1d:09:6a:10:c2) to host 00:21:70:90:4e:2f (192.168.30.20)
(main::listen_dhcp)
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip:
192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 55119
(pf::scan::runScan)
*
Sep 28 16:44:32 pfcmd(0) INFO: 7053 grace remaining on violation
1300003 (trigger scan::55119) for node 00:21:70:90:4e:2f. Not adding
violation. (pf::violation::violation_trigger)
*
Sep 28 16:44:32 pfcmd(0) INFO: calling violation_trigger for ip:
192.168.30.20, mac: 00:21:70:90:4e:2f, Nessus ScanID: 34220
(pf::scan::runScan)
*
Sep 28 16:44:32 pfcmd(0) INFO: Nessus scan did not detect any
vulnerabilities on 192.168.30.20 (pf::scan::runScan)
*
Sep 28 16:44:32 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd manage
vclose 00:21:70:90:4e:2f 1200001 (pf::scan::runScan)
Sep 28 16:44:33 pfcmd(0) INFO: violation 1200001 closed for
00:21:70:90:4e:2f (pf::violation::violation_close)
Sep 28 16:44:33 pfcmd(0) INFO: re-evaluating access for node
00:21:70:90:4e:2f (manage_vclose called)
(pf::enforcement::reevaluate_access)
Sep 28 16:44:33 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog
connected at 10.1.52.2 ifIndex 10105 in VLAN 600
(pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd(0) INFO: MAC: 00:21:70:90:4e:2f, PID: usertest,
Status: reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:33 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd_vlan
for node 00:21:70:90:4e:2f (current VLAN = 600 but should be in VLAN
132) (pf::enforcement::_should_we_reassign_vlan)
Sep 28 16:44:33 pfcmd_vlan(0) INFO: switch port for 00:21:70:90:4e:2f
is 10.1.52.2 ifIndex 10105 connection type: Wired SNMP (main::)
Sep 28 16:44:34 pfcmd(0) WARN: Error trying to run command:
/usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 called
from runScan. Child exited with non-zero value 1 (pf::util::pf_run)
Sep 28 16:44:37 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
10.1.52.2 (main::parseTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: nb of items in queue: 1; nb of
threads running: 0 (main::startTrapHandlers)
Sep 28 16:44:37 pfsetvlan(1) INFO: reAssignVlan trap received on
10.1.52.2 ifIndex 10105 (main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: security traps are configured on
10.1.52.2 ifIndex 10105. Re-assigning VLAN for 00:21:70:90:4e:2f
(main::handleTrap)
Sep 28 16:44:37 pfsetvlan(1) INFO: MAC: 00:21:70:90:4e:2f, PID:
testuser, Status: reg. Returned VLAN: 132 (pf::vlan::fetchVlanForNode)
Sep 28 16:44:37 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Packetfence-users mailing list
Packetfence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
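The grace and auto_enable interaction discussed above, as an added example that is not part of this thread or of PacketFence's own code: it loads a violations.conf in the posted format, resolves a violation's effective settings through [defaults], computes the grace left after a close the way the "grace remaining ... Not adding violation" log line reports it, and flags the auto_enable=Y plus grace combination on scan-triggered violations. The duration suffixes and counting the grace from the close timestamp are assumptions.

```python
import configparser
import re
from datetime import datetime
# Constructed sample: [defaults] and [1300003] from the post, comments dropped.
VIOLATIONS_CONF = """\
[defaults]
priority=4
auto_enable=Y
enabled=N
grace=120m
vlan=isolationVlan
[1300003]
desc=Check Antivirus Updates
priority=2
trigger=Scan::55119
enabled=Y
vlan=registrationVlan
"""

def load_conf(text):
    # [defaults] acts as configparser's DEFAULT section: every violation
    # section inherits its keys unless it overrides them.
    cfg = configparser.ConfigParser(default_section="defaults", interpolation=None)
    cfg.read_string(text)
    return cfg

def to_seconds(value):
    # Assumed suffix convention: bare number or s = seconds; m/h/d scale it.
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def grace_remaining(cfg, vid, closed_at, now):
    # Grace seconds left after the close (assumed: counted from the close
    # timestamp, "YYYY-MM-DD HH:MM:SS"); 0 means the next trigger adds it again.
    elapsed = (datetime.fromisoformat(now) - datetime.fromisoformat(closed_at)).total_seconds()
    return max(0, to_seconds(cfg[vid]["grace"]) - int(elapsed))

def lint_grace(cfg):
    # Scan-triggered violation with auto_enable=Y and a grace: closing it
    # re-admits the node and later scan hits are ignored until the grace ends.
    findings = []
    for vid in cfg.sections():
        v = cfg[vid]
        if (v["enabled"].upper() == "Y" and v["auto_enable"].upper() == "Y"
                and to_seconds(v["grace"]) > 0
                and v.get("trigger", "").lower().startswith("scan::")):
            findings.append((vid, f"grace={v['grace']} with auto_enable=Y; set auto_enable=N"))
    return findings
```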