Derek,

Thank you for the suggestion. The problem I’m having in Suricata is that I do 
not see the events for traffic going out of the network. It might be due to a 
few filters I applied to prevent many false positives (using pulledpork, 
threshold.conf, and “rule-update” command).

I will try removing all filters, then re-testing. I’ll let you know how it goes.


Thank you,

Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204

From: Derek Wuelfrath [mailto:[email protected]]
Sent: Friday, February 19, 2016 9:43 AM
To: ML PF
Subject: Re: [PacketFence-users] No Violation Triggers Are Working

Hello Michael,

Packetfence is detecting the violation on the external IP

Why wouldn’t packetfence see that an internal host is communicating with the 
external host? Is this a problem with the way Suricata (on SecurityOnion) is 
reporting the event?

Suricata (on Security Onion) is inspecting the traffic the two ways :) What is 
going out of your network and what is going back in.
It will trigger alerts on both ways and the one that you are sending us seems 
to be torrent traffic going from the Internet to the endpoint 
downloading/seeding.

You should see somewhere the one for the traffic going out of your network and 
that would be the interesting one to see.

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Feb 18, 2016, at 4:03 PM, Michael R. Haag <[email protected]> wrote:


I’m starting to see why it isn’t working. Packetfence is detecting the 
violation on the external IP (which it can’t link back to a MAC on our network):

/usr/local/pf/logs/packetfence.log:

Feb 18 15:12:52 httpd.webservices(23962) INFO: [mac:unknown] violation on IP 
195.154.150.203 with trigger suricata_event::ET TOR Known Tor Relay/Router (Not 
Exit) Node Traffic group 296: violation not added, can't resolve IP to mac ! 
(pf::api::event_add)
Feb 18 15:12:52 httpd.webservices(23962) ERROR: [mac:unknown] Can't bind : 
IO::Socket::INET: connect: Connection refused
(pf::iplog::_get_lease_from_omapi)

Why wouldn’t packetfence see that an internal host is communicating with the 
external host? Is this a problem with the way Suricata (on SecurityOnion) is 
reporting the event?


Thank you,

Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204

From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, February 18, 2016 3:07 PM
To: ML PF
Subject: Re: [PacketFence-users] No Violation Triggers Are Working

Any way you can send the PacketFence logs (packetfence.log) related to this 
timestamp?

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Feb 18, 2016, at 2:18 PM, Michael R. Haag <[email protected]> wrote:

Derek,

I changed it, but still the trigger is not creating the violation. Perhaps 
something is wrong with my syntax?

[1500009]
priority=1
desc=Testing PF TOR alert
template=darknet
trigger=detect::2523358
enabled=Y
actions=email_admin,reevaluate_access,log


From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, February 18, 2016 2:06 PM
To: ML PF
Subject: Re: [PacketFence-users] No Violation Triggers Are Working

Hello Michael,

I configure a violation with a trigger of Suricata Event 2523358, the violation 
is not triggered

The “suricata_event” trigger type takes a string matching the rule name as a 
trigger id, which, in your case, is “ET TOR”.
To trigger violation based on the detected alert ID, you should use the 
“detect” trigger type rather than the “suricata_event” one.

Let me know

Cheers!
dw.

—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Feb 18, 2016, at 1:21 PM, Ludovic Zammit <[email protected]> wrote:

Hello Michael,

Can you post the configuration of your violation from the conf/violations.conf 
here?

Thanks,

Ludovic Zammit

[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca

Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




On Feb 18, 2016, at 11:38, Michael R. Haag <[email protected]> wrote:

Hello,

I have Suricata on SecurityOnion sending events to a Packetfence 5.7.0 ZEN 
server. The events do arrive on the Packetfence server and show in 
/usr/local/pf/logs/pfdetect.log. For example:

Feb 18 11:32:09 pfdetect(13855) INFO: alert received: 'Feb 18 16:32:09 
SecurityOnion sguil_alert: 16:32:08 pid(3772)  Alert Received: 0 2 misc-attack 
SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 {ET TOR Known Tor Relay/Router 
(Not Exit) Node Traffic group 680} 94.242.231.98 192.168.12.201 6 443 53764 1 
2523358 2493 112 112
' (main::_run_detector)


If I configure a violation with a trigger of Suricata Event 2523358, the 
violation is not triggered. I must be missing something. What should I check to 
troubleshoot this issue?


Thank you,

Michael R. Haag
Computer Services Technician
Department of Information Technology
Madison County, NY
(315) 366-2204

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
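To make the distinction Derek draws between the two trigger types concrete, here is an added example (not PacketFence code, and not posted by anyone in the thread) that parses the sguil alert line quoted from pfdetect.log, evaluates the posted violations.conf stanza against it, and picks out the endpoint a NAC could actually map to a MAC. The field order after the rule message and the substring semantics of `suricata_event` are assumptions, as is the set of "local" networks.

```python
import ipaddress
import re
from configparser import ConfigParser

# Constructed sample: the sguil alert body quoted from pfdetect.log in the thread.
ALERT = ("Alert Received: 0 2 misc-attack SecurityOnion-eth1 {2016-02-18 16:32:07} 2 24242 "
         "{ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 680} "
         "94.242.231.98 192.168.12.201 6 443 53764 1 2523358 2493 112 112")

# Constructed sample: the violations.conf stanza posted in the thread.
VIOLATIONS_CONF = """
[1500009]
priority=1
desc=Testing PF TOR alert
template=darknet
trigger=detect::2523358
enabled=Y
actions=email_admin,reevaluate_access,log
"""

# Assumed field layout after the {message} block: src dst proto sport dport gid sid ...
ALERT_RE = re.compile(
    r"\{(?P<msg>[^{}]*)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<sid>\d+)")

def parse_alert(line):
    """Pull rule message, endpoints and Suricata SID out of one alert line."""
    m = ALERT_RE.search(line)
    if not m: raise ValueError("unrecognised alert line")
    return {"msg": m["msg"], "src": m["src"], "dst": m["dst"], "sid": int(m["sid"])}

def trigger_matches(trigger, alert):
    """detect::<sid> compares the numeric SID; suricata_event::<text> is compared
    with the rule name (substring match is an assumption made in this example)."""
    kind, _, value = trigger.partition("::")
    if kind == "detect":
        return value.isdigit() and alert["sid"] == int(value)
    if kind == "suricata_event":
        return value in alert["msg"]
    return False

def matching_violations(conf_text, alert):
    """Ids of enabled violations whose comma-separated trigger list matches the alert."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [vid for vid in cp.sections() if cp[vid].get("enabled") == "Y"
            and any(trigger_matches(t.strip(), alert) for t in cp[vid]["trigger"].split(","))]

def local_endpoint(alert, local_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """The endpoint inside a local range is the only one resolvable to a MAC; the Tor
    relay address is what produced 'can't resolve IP to mac' in packetfence.log."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    return next((ip for ip in (alert["src"], alert["dst"])
                 if any(ipaddress.ip_address(ip) in n for n in nets)), None)
```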
