Ok so this must be fixed before trying to make pfdetect work with snort. It should work, but can you try to remove the alert file and restart snort and check with cat what appears inside (you probably have to wait until a detection occurs). If the alert file is not there then touch alert (or mkfifo alert) and restart snort.

Regards
Fabrice

On 2015-02-19 10:00, Rosario Ippolito wrote:
> No, I can't see anything..
>
> 2015-02-19 15:52 GMT+01:00 Fabrice DURAND <[email protected]>:
>
> > Ok, I can remember exactly but if you do a cat on this file:
> >
> > cat /usr/local/pf/var/alert
> >
> > do you see something?
> >
> > Regards
> > Fabrice
> >
> > On 2015-02-19 09:47, Rosario Ippolito wrote:
> > > Hello Fabrice,
> > > thanks for the quick response! I had already tried to see that file, sorry, but I can not open it. May I delete it and create a new one? (Maybe the file is corrupted)
> > >
> > > 2015-02-19 15:35 GMT+01:00 Fabrice DURAND <[email protected]>:
> > >
> > > > Hello Rosario,
> > > >
> > > > snort is supposed to send the alert in this file /usr/local/pf/var/alert, does it contain something?
> > > >
> > > > Regards
> > > > Fabrice
> > > >
> > > > On 2015-02-19 07:47, Rosario Ippolito wrote:
> > > > > Hello everybody PacketFence's users,
> > > > > I have to ask some questions about Snort (Version 2.9.1.2) in PacketFence 4.6, deployed in out-of-band (Vlan Enforcement) mode. I have followed the Guide step by step, so:
> > > > >
> > > > > 1- I have enabled detection and selected Snort as detection engine.
> > > > >
> > > > > 2- I have configured the eth1 interface in my PacketFence server in monitor type. This interface is connected to a cisco switch where PacketFence is also connected, and all traffic passes through this switch.
> > > > >
> > > > > [interface eth1]
> > > > > type=monitor
> > > > >
> > > > > 3- I have loaded these rules in /usr/local/pf/conf/snort
> > > > >
> > > > > classification.config.example
> > > > > emerging-exploit.rules
> > > > > emerging-scan.rules
> > > > > emerging-worm.rules
> > > > > reference.config
> > > > > emerging-attack_response.rules
> > > > > emerging-malware.rules
> > > > > emerging-shellcode.rules
> > > > > local.rules
> > > > > reference.config.example
> > > > > classification.config
> > > > > emerging-botcc.rules
> > > > > emerging-p2p.rules
> > > > > emerging-trojan.rules
> > > > > local.rules.example
> > > > >
> > > > > 4- I have this snort.conf file
> > > > >
> > > > > # Snort configuration
> > > > > # This file is manipulated on PacketFence's startup before being given to snort
> > > > > var HOME_NET [%%trapping-range%%]
> > > > > var EXTERNAL_NET !$HOME_NET
> > > > > var DHCP_SERVERS [%%dhcp_servers%%]
> > > > > var DNS_SERVERS [%%dns_servers%%]
> > > > > var HTTP_PORTS 80
> > > > > var SSH_PORTS 22
> > > > > var ORACLE_PORTS 1521
> > > > > var SHELLCODE_PORTS any
> > > > > var HTTP_SERVERS $HOME_NET
> > > > > var SQL_SERVERS $HOME_NET
> > > > > var SMTP_SERVERS $HOME_NET
> > > > > var TELNET_SERVERS $HOME_NET
> > > > >
> > > > > var VALIDDHCP [$DHCP_SERVERS]
> > > > > var RULE_PATH %%install_dir%%/conf/snort
> > > > > output alert_fast: %%install_dir%%/var/alert
> > > > > # updated several preprocessor for snort 2.8.5 (values taken from /etc/snort/snort.conf)
> > > > > preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> > > > >     track_udp no
> > > > > preprocessor stream5_tcp: policy first, use_static_footprint_sizes
> > > > > preprocessor http_inspect: global iis_unicode_map /etc/snort/unicode.map 1252
> > > > > preprocessor http_inspect_server: server default \
> > > > >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> > > > > #preprocessor conversation: timeout 120, max_conversations 65335
> > > > > #preprocessor portscan2: scanners_max 10000, targets_max 10000, target_limit 400, port_limit 400, timeout 60, log /dev/null
> > > > > #preprocessor portscan2-ignorehosts: $EXTERNAL_NET
> > > > > preprocessor perfmonitor: time 600 flow max file %%install_dir%%/logs/snortstat pktcnt 90000
> > > > > output alert_syslog: LOG_AUTH LOG_ALERT
> > > > >
> > > > > config flowbits_size: 256
> > > > > config disable_decode_alerts
> > > > > config disable_tcpopt_experimental_alerts
> > > > > config disable_tcpopt_obsolete_alerts
> > > > > config disable_tcpopt_ttcp_alerts
> > > > > config disable_ttcp_alerts
> > > > > config disable_tcpopt_alerts
> > > > > config disable_ipopt_alerts
> > > > >
> > > > > include $RULE_PATH/classification.config
> > > > > include $RULE_PATH/reference.config
> > > > > %%snort_rules%%
> > > > >
> > > > > 5- Snort starts with PacketFence and it works, so I try to "snort" the traffic, with the "snort -i eth1" command, and, really, I see some traffic from the vlans that I have configured in my network. The problem is that even though I have configured the violation.conf file to respond to alert snort.... snort does not give me any alert. I have no log in pfdetect.log, is this normal?
> > > > >
> > > > > For test snort, I have added in local.rules the statement:
> > > > >
> > > > > "alert tcp any any <> any 80 (msg: "Test rule"; sid: 1000001;)"
> > > > >
> > > > > and I have just added in violations.conf file this other statement:
> > > > >
> > > > > [1000001]
> > > > > desc=Test web
> > > > > priority=10
> > > > > template=banned_devices
> > > > > enabled=Y
> > > > > actions=trap,log
> > > > > trigger=Detect::1000001
> > > > >
> > > > > But there is no raised alert from PacketFence.. Should I enable all alerts in the violations.conf file?
> > > > >
> > > > > Sorry for all these questions.. I hope somebody can help me. Thank you very much in advance!!
> > > > >
> > > > > Best regards,
> > > > > Rosario Ippolito

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
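To make the check Fabrice asks for (cat the alert file and see whether a detection shows up) more concrete, here is an added example that is not PacketFence's own pfdetect code: it parses Snort alert_fast lines and reports which violations.conf entry (trigger=Detect::<sid>) each alert would fire. The alert_fast line layout is assumed from Snort's fast output format, the sample alerts are constructed, and the violations.conf text is the entry Rosario posted.

```python
import configparser
import re

# Layout of a Snort alert_fast line ("output alert_fast" in Rosario's snort.conf):
# MM/DD-hh:mm:ss.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
                      r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Constructed sample alerts, not captured from the poster's system.
SAMPLE_ALERTS = """\
02/19-15:52:01.123456  [**] [1:1000001:0] Test rule [**] [Priority: 0] {TCP} 10.0.0.5:44321 -> 10.0.0.80:80
02/19-15:52:02.654321  [**] [1:2000002:3] Constructed scan alert [**] [Priority: 2] {TCP} 10.0.0.80:80 -> 10.0.0.5:44321
"""
# The violations.conf entry from the thread (INI layout, one section per violation id).
SAMPLE_VIOLATIONS = """\
[1000001]
desc=Test web
priority=10
template=banned_devices
enabled=Y
actions=trap,log
trigger=Detect::1000001
"""

def parse_alerts(text):
    """Yield one dict per alert_fast line matching ALERT_RE; other lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            yield d

def detect_triggers(violations_text):
    """Map Snort SID -> violation id for enabled violations with a Detect::<sid> trigger."""
    cfg = configparser.ConfigParser()
    cfg.read_string(violations_text)
    triggers = {}
    for vid in cfg.sections():
        if cfg[vid].get("enabled", "N").upper() != "Y":
            continue
        for trig in cfg[vid].get("trigger", "").split(","):
            kind, _, sid = trig.strip().partition("::")
            if kind == "Detect" and sid.isdigit():
                triggers[int(sid)] = vid
    return triggers

def match_alerts(alert_text, violations_text):
    """Return (sid, source IP, violation id or None) per alert; None means no trigger."""
    triggers = detect_triggers(violations_text)
    return [(a["sid"], a["src"].rsplit(":", 1)[0], triggers.get(a["sid"]))
            for a in parse_alerts(alert_text)]
```

Run it against the real file with `match_alerts(open("/usr/local/pf/var/alert").read(), open("/usr/local/pf/conf/violations.conf").read())`; a SID that comes back with `None` is an alert Snort wrote but no enabled violation listens for.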
0xF78F957E.asc
Description: application/pgp-keys
------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
