Hello Michael,
> Packetfence is detecting the violation on the external IP
> Why wouldn’t packetfence see that an internal host is communicating with the
> external host? Is this a problem with the way Suricata (on SecurityOnion) is
> reporting the event?
Suricata (on Security Onion) is inspecting the traffic both ways :) What is
going out of your network and what is coming back in.
It will trigger alerts on both ways, and the one that you are sending us seems
to be torrent traffic going from the Internet to the endpoint
downloading/seeding.
You should see somewhere the one for the traffic going out of your network, and
that would be the interesting one to see.
Cheers!
dw.
—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
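As an added illustration of the direction point above (not code from the thread or from PacketFence itself): a small Python parser for the sguil alert line quoted further down the thread, which pulls out both addresses and the signature ID, then picks whichever address lies in a managed network, since the alert can arrive with the external host as source. The field order after the message braces and the trigger-string formats are assumptions for illustration, not PacketFence's own matching logic.

```python
import ipaddress
import re

# Constructed sample: the pfdetect.log line quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    "Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 "
    "SecurityOnion sguil_alert: 16:32:08 pid(3772) Alert Received: 0 2 "
    "misc-attack SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known "
    "Tor Relay/Router (Not Exit) Node Traffic group 680} 94.242.231.98 "
    "192.168.12.201 6 443 53764 1 2523358 2493 112 112' (main::_run_detector)"
)

# Assumption: after the {message} braces the sguil line carries
# src_ip dst_ip proto src_port dst_port gen_id sig_id ... (matches the sample).
ALERT_RE = re.compile(
    r"\{(?P<ts>[^}]*)\}\s+\d+\s+\d+\s+\{(?P<msg>[^}]*)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<gid>\d+)\s+(?P<sid>\d+)"
)


def parse_sguil_alert(line):
    """Extract message, addresses, ports and signature id from one pfdetect log line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("proto", "sport", "dport", "gid", "sid"):
        alert[key] = int(alert[key])
    return alert


def local_endpoint(alert, local_nets):
    """Return the alert address inside a managed network, or None if neither is.
    src/dst order depends on which direction Suricata saw, so both are checked;
    an alert whose addresses are both external cannot be mapped to a MAC."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    for key in ("src", "dst"):
        if any(ipaddress.ip_address(alert[key]) in n for n in nets):
            return alert[key]
    return None


def matching_triggers(alert):
    """Illustrative trigger strings in the two forms the thread discusses:
    'detect::<sid>' keyed on the numeric id, 'suricata_event::<msg>' on the rule text."""
    return {"detect::%d" % alert["sid"], "suricata_event::%s" % alert["msg"]}
```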
> On Feb 18, 2016, at 4:03 PM, Michael R. Haag
> <[email protected]> wrote:
>
>
> I’m starting to see why it isn’t working. Packetfence is detecting the
> violation on the external IP (which it can’t link back to a MAC on our
> network):
>
> /usr/local/pf/logs/packetfence.log:
>
> Feb 18 15:12:52 httpd.webservices(23962) INFO: [mac:unknown] violation on IP
> 195.154.150.203 with trigger suricata_event::ET TOR Known Tor Relay/Router
> (Not Exit) Node Traffic group 296: violation not added, can't resolve IP to
> mac ! (pf::api::event_add)
> Feb 18 15:12:52 httpd.webservices(23962) ERROR: [mac:unknown] Can't bind :
> IO::Socket::INET: connect: Connection refused
> (pf::iplog::_get_lease_from_omapi)
>
> Why wouldn’t packetfence see that an internal host is communicating with the
> external host? Is this a problem with the way Suricata (on SecurityOnion) is
> reporting the event?
>
>
> Thank you,
>
> Michael R. Haag
> Computer Services Technician
> Department of Information Technology
> Madison County, NY
> (315) 366-2204
>
> From: Derek Wuelfrath [mailto:[email protected]]
> Sent: Thursday, February 18, 2016 3:07 PM
> To: ML PF
> Subject: Re: [PacketFence-users] No Violation Triggers Are Working
>
> Any way you can send the PacketFence logs (packetfence.log) related to this
> timestamp ?
>
> Cheers!
> dw.
>
> —
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
> On Feb 18, 2016, at 2:18 PM, Michael R. Haag <[email protected]> wrote:
>
> Derek,
>
> I changed it, but still the trigger is not creating the violation. Perhaps
> something is wrong with my syntax?
>
> [1500009]
> priority=1
> desc=Testing PF TOR alert
> template=darknet
> trigger=detect::2523358
> enabled=Y
> actions=email_admin,reevaluate_access,log
>
>
> From: Derek Wuelfrath [mailto:[email protected]]
> Sent: Thursday, February 18, 2016 2:06 PM
> To: ML PF
> Subject: Re: [PacketFence-users] No Violation Triggers Are Working
>
> Hello Michael,
>
> I configure a violation with a trigger of Suricata Event 2523358, the
> violation is not triggered
>
> The “suricata_event” trigger type takes a string matching the rule name as a
> trigger id, which, in your case, is “ET TOR”.
> To trigger violation based on the detected alert ID, you should use the
> “detect” trigger type rather than the “suricata_event” one.
>
> Let me know
>
> Cheers!
> dw.
>
> —
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
> On Feb 18, 2016, at 1:21 PM, Ludovic Zammit <[email protected]> wrote:
>
> Hello Michael,
>
> Can you post the configuration of your violation from the
> conf/violations.conf here ?
>
> Thanks,
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Feb 18, 2016, at 11:38 AM, Michael R. Haag <[email protected]> wrote:
>
> Hello,
>
> I have Suricata on SecurityOnion sending events to a Packetfence 5.7.0 ZEN
> server. The events do arrive on the Packetfence server and show in
> /usr/local/pf/logs/pfdetect.log. For example:
>
> Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09
> SecurityOnion sguil_alert: 16:32:08 pid(3772) Alert Received: 0 2
> misc-attack SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known
> Tor Relay/Router (Not Exit) Node Traffic group 680} 94.242.231.98
> 192.168.12.201 6 443 53764 1 2523358 2493 112 112
> ' (main::_run_detector)
>
>
> If I configure a violation with a trigger of Suricata Event 2523358, the
> violation is not triggered. I must be missing something. What should I check
> to troubleshoot this issue?
>
>
> Thank you,
>
> Michael R. Haag
> Computer Services Technician
> Department of Information Technology
> Madison County, NY
> (315) 366-2204
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users