I’m starting to see why it isn’t working. Packetfence is detecting the
violation on the external IP (which it can’t link back to a MAC on our network):
/usr/local/pf/logs/packetfence.log:
Feb 18 15:12:52 httpd.webservices(23962) INFO: [mac:unknown] violation on IP 195.154.150.203 with trigger suricata_event::ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 296: violation not added, can't resolve IP to mac ! (pf::api::event_add)
Feb 18 15:12:52 httpd.webservices(23962) ERROR: [mac:unknown] Can't bind : IO::Socket::INET: connect: Connection refused (pf::iplog::_get_lease_from_omapi)
Why wouldn’t packetfence see that an internal host is communicating with the
external host? Is this a problem with the way Suricata (on SecurityOnion) is
reporting the event?
Thank you,
Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204
From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, February 18, 2016 3:07 PM
To: ML PF
Subject: Re: [PacketFence-users] No Violation Triggers Are Working
Any way you can send the PacketFence logs (packetfence.log) related to this
timestamp ?
Cheers!
dw.
—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On Feb 18, 2016, at 2:18 PM, Michael R. Haag <[email protected]> wrote:
Derek,
I changed it, but still the trigger is not creating the violation. Perhaps
something is wrong with my syntax?
[1500009]
priority=1
desc=Testing PF TOR alert
template=darknet
trigger=detect::2523358
enabled=Y
actions=email_admin,reevaluate_access,log
From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, February 18, 2016 2:06 PM
To: ML PF
Subject: Re: [PacketFence-users] No Violation Triggers Are Working
Hello Michael,
I configure a violation with a trigger of Suricata Event 2523358, the violation
is not triggered
The “suricata_event” trigger type takes a string matching the rule name as a
trigger id, which, in your case, is “ET TOR”.
To trigger violation based on the detected alert ID, you should use the
“detect” trigger type rather than the “suricata_event” one.
Let me know
Cheers!
dw.
—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On Feb 18, 2016, at 1:21 PM, Ludovic Zammit <[email protected]> wrote:
Hello Michael,
Can you post the configuration of your violation from the conf/violations.conf
here ?
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
On Feb 18, 2016, at 11:38, Michael R. Haag <[email protected]> wrote:
Hello,
I have Suricata on SecurityOnion sending events to a Packetfence 5.7.0 ZEN
server. The events do arrive on the Packetfence server and show in
/usr/local/pf/logs/pfdetect.log. For example:
Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09
SecurityOnion sguil_alert: 16:32:08 pid(3772) Alert Received: 0 2 misc-attack
SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known Tor Relay/Router
(Not Exit) Node Traffic group 680} 94.242.231.98 192.168.12.201 6 443 53764 1
2523358 2493 112 112
' (main::_run_detector)
If I configure a violation with a trigger of Suricata Event 2523358, the
violation is not triggered. I must be missing something. What should I check to
troubleshoot this issue?
Thank you,
Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users