Thanks for looking at it, Ludovic. Here's the rule:

[1500009]
priority=1
desc=Testing PF TOR alert
template=darknet
trigger=suricata_event::2523358
enabled=Y
actions=email_admin,reevaluate_access,log


From: Ludovic Zammit [mailto:[email protected]]
Sent: Thursday, February 18, 2016 1:27 PM
To: [email protected]
Subject: Re: [PacketFence-users] No Violation Triggers Are Working

Hello Michael,

Can you post the configuration of your violation from the conf/violations.conf here?

Thanks,

Ludovic Zammit

[email protected] ::  +1.514.447.4918 (x145) ::  www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)




On 18 Feb 2016, at 11:38, Michael R. Haag <[email protected]> wrote:

Hello,

I have Suricata on SecurityOnion sending events to a Packetfence 5.7.0 ZEN 
server. The events do arrive on the Packetfence server and show in 
/usr/local/pf/logs/pfdetect.log. For example:

Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 
SecurityOnion sguil_alert: 16:32:08 pid(3772)  Alert Received: 0 2 misc-attack 
SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known Tor Relay/Router 
(Not Exit) Node Traffic group 680} 94.242.231.98 192.168.12.201 6 443 53764 1 
2523358 2493 112 112
' (main::_run_detector)


If I configure a violation with a trigger of Suricata Event 2523358, the 
violation is not triggered. I must be missing something. What should I check to 
troubleshoot this issue?


Thank you,

Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204

PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

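Added example (not PacketFence code, and not something either poster wrote): a small Python script that walks through the two artifacts in the thread, the sguil_alert line from pfdetect.log and the [1500009] stanza from violations.conf, and shows what has to line up before a trigger can match. The sguil field order is inferred from the single sample line, the `suricata_event::<sid>` trigger form is taken from the posted rule, comma-separated trigger lists and the case-insensitive compare are my assumptions, and the "which endpoint is a managed node" check stands in for whatever node/MAC lookup the real detector performs; it is not a reproduction of pfdetect's logic. It is there to make one caveat concrete: in the sample alert the Tor relay (94.242.231.98) is the source and the LAN host (192.168.12.201) is the destination, so a detector that only resolves the first IP in the alert has no local node to attach a violation to.

```python
"""Re-derive what a detector must pull out of a sguil_alert line before a
violations.conf trigger can fire.  Added illustration, not PacketFence code."""
import configparser
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: the pfdetect.log excerpt from the thread, re-joined onto one line.
SAMPLE_LOG_LINE = (
    "Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 "
    "SecurityOnion sguil_alert: 16:32:08 pid(3772)  Alert Received: 0 2 misc-attack "
    "SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known Tor Relay/Router "
    "(Not Exit) Node Traffic group 680} 94.242.231.98 192.168.12.201 6 443 53764 1 "
    "2523358 2493 112 112' (main::_run_detector)"
)

# Constructed sample: the violation stanza posted at the top of the thread.
SAMPLE_VIOLATIONS_CONF = """
[1500009]
priority=1
desc=Testing PF TOR alert
template=darknet
trigger=suricata_event::2523358
enabled=Y
actions=email_admin,reevaluate_access,log
"""

# Field order after "Alert Received:" as inferred from the one sample line (assumption):
# status priority class sensor {timestamp} sensor_id cid {msg}
# src_ip dst_ip ip_proto src_port dst_port gen_id sig_id ...
SGUIL_ALERT_RE = re.compile(
    r"Alert Received:\s+\d+\s+\d+\s+\S+\s+\S+\s+"
    r"\{(?P<ts>[^}]*)\}\s+\d+\s+\d+\s+"
    r"\{(?P<msg>[^}]*)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+)\s+(?P<sid>\d+)"
)


@dataclass(frozen=True)
class Alert:
    msg: str
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    gid: int
    sid: int


def parse_alert(line: str) -> Optional[Alert]:
    """Extract endpoints and signature id from one sguil_alert log line, or None if it does not parse."""
    m = SGUIL_ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        msg=m["msg"], src=m["src"], dst=m["dst"],
        proto=int(m["proto"]), sport=int(m["sport"]), dport=int(m["dport"]),
        gid=int(m["gid"]), sid=int(m["sid"]),
    )


def trigger_key(alert: Alert) -> str:
    """Trigger string in the type::id form used by the posted rule (suricata_event assumed)."""
    return f"suricata_event::{alert.sid}"


def load_violations(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Read violations.conf (INI syntax) into {violation_id: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}


def matching_violations(alert: Alert, violations: Dict[str, Dict[str, str]]) -> List[str]:
    """Enabled violations whose (assumed comma-separated) trigger list contains this alert's key."""
    key = trigger_key(alert).lower()
    hits = []
    for vid, v in violations.items():
        if v.get("enabled", "N").upper() != "Y":
            continue
        triggers = [t.strip().lower() for t in v.get("trigger", "").split(",") if t.strip()]
        if key in triggers:
            hits.append(vid)
    return hits


def local_endpoint(alert: Alert, local_nets: Iterable[str]) -> Optional[str]:
    """Return whichever endpoint sits in a managed network (my stand-in for the node lookup).
    In the sample the Tor relay is src and the LAN host is dst, so resolving only the
    first IP would look for a MAC behind 94.242.231.98 and find nothing."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    for ip in (alert.src, alert.dst):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None


if __name__ == "__main__":
    a = parse_alert(SAMPLE_LOG_LINE)
    v = load_violations(SAMPLE_VIOLATIONS_CONF)
    print(trigger_key(a), matching_violations(a, v), local_endpoint(a, ["192.168.12.0/24"]))
```

Run as-is it prints the derived trigger key, the list of violation ids whose trigger matches it, and the endpoint that falls inside 192.168.12.0/24. Swapping the network list for one that does not contain either address makes `local_endpoint` return None, which is the situation to rule out first when a trigger looks correct but nothing fires: the signature id matched, but there was no managed node to apply the violation to.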
