Hello Everyone,
I have installed Suricata (1.4.6) on the existing PF (5.7), which is hosted on
ESXi.
The SPAN port has already been defined on the Cisco switch, mirroring to the
SPAN NIC (second NIC) of the ESXi host.
*Problem No.1*
I simulated p2p traffic on one of the PCs, and
initially there was no violation logged in packetfence.log,
until I ran the command "tcpdump -nni eth2" on my PF machine.
*Problem No.2*
packetfence.log -- it shows "mac:unknown"
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation: ET
P2P Vuze BT UDP Connection (5) - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation:
2010144 - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] calling
violation_add with vid=1100006 mac=d4:be:d9:39:37:c6 release_date=0
(trigger suricata_event::ET P2P Vuze BT UDP Connection (5))
(pf::violation::violation_trigger)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] grace expired
on violation 1100006 for node d4:be:d9:39:37:c6
(pf::violation::violation_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation
1100006 added for d4:be:d9:39:37:c6 (pf::violation::violation_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing
action 'unreg' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] Instantiate
profile AD-Users (pf::Portal::ProfileFactory::_from_profile)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing
action 'role' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing
action 'log' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown]
/usr/local/pf/logs/violation.log 2016-02-24 14:40:35: P2P Isolation
(1100006) detected on node d4:be:d9:39:37:c6 (10.184.118.44)
(pf::action::action_log)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing
action 'email_admin' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] loading
Net::MAC::Vendor cache from /usr/local/pf/conf/oui.txt (pf::util::load_oui)
Feb 24 14:40:36 httpd.webservices(29656) INFO: [mac:unknown] violation: ET
P2P BitTorrent DHT ping request - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:36 httpd.webservices(29656) INFO: [mac:unknown] violation:
2008581 - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:36 httpd.webservices(29656) INFO: [mac:unknown] violation
1100006 (trigger suricata_event::ET P2P BitTorrent DHT ping request)
already exists for d4:be:d9:39:37:c6, not adding again
(pf::violation::violation_trigger)
Feb 24 14:40:37 httpd.webservices(29658) INFO: [mac:unknown] email
regarding 'PF Alert: P2P Isolation detection on d4:be:d9:39:37:c6' sent to
[email protected] (pf::config::util::pfmailer)
Feb 24 14:40:37 httpd.webservices(29658) INFO: [mac:unknown] this is a
non-reevaluate-access violation, closing violation entry now
(pf::action::action_execute)
Feb 24 14:40:37 httpd.webservices(29658) INFO: [mac:unknown] violation
1100006 force-closed for d4:be:d9:39:37:c6
(pf::violation::violation_force_close)
*violation.conf*
[1100006]
desc=P2P Isolation
template=p2p
trigger=suricata_event::ET P2P,suricata_event::ET P2P QVOD P2P
actions=unreg,email_admin,log,role
enabled=Y
vlan=gaming
target_category=gaming
*Problem No.3*
It does unreg the PC, but it doesn't put it into any other VLAN.
Please help! Thank you.
--
Best Regards,
Reeyon Lim
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
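Added example (not part of the post and not PacketFence's own code): a small Python script that parses the violation.conf stanza and the packetfence.log lines quoted above, then reconstructs what happened to violation 1100006. It shows which configured trigger a Suricata signature name matches, how many event_add calls arrived under the "[mac:unknown]" context before the MAC was resolved, which actions ran, and how many seconds the violation stayed open before being force-closed. The prefix matching in `matching_triggers` is an inference from the log (the configured trigger `suricata_event::ET P2P` fired for the signature "ET P2P Vuze BT UDP Connection (5)"), not a documented PacketFence rule; the sample log and config are copied from the post with the mail wrapping undone.

```python
"""Correlate a violation.conf stanza with packetfence.log entries (added example)."""
import re
from datetime import datetime

# Constructed input: log lines from the post, each rejoined onto a single line.
PACKETFENCE_LOG = """\
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation: ET P2P Vuze BT UDP Connection (5) - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation: 2010144 - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] violation 1100006 added for d4:be:d9:39:37:c6 (pf::violation::violation_add)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing action 'unreg' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing action 'role' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing action 'log' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:35 httpd.webservices(29656) INFO: [mac:unknown] executing action 'email_admin' on class 1100006 (pf::action::action_execute)
Feb 24 14:40:36 httpd.webservices(29656) INFO: [mac:unknown] violation: ET P2P BitTorrent DHT ping request - IP 10.184.118.44 (pf::api::event_add)
Feb 24 14:40:36 httpd.webservices(29656) INFO: [mac:unknown] violation 1100006 (trigger suricata_event::ET P2P BitTorrent DHT ping request) already exists for d4:be:d9:39:37:c6, not adding again (pf::violation::violation_trigger)
Feb 24 14:40:37 httpd.webservices(29658) INFO: [mac:unknown] violation 1100006 force-closed for d4:be:d9:39:37:c6 (pf::violation::violation_force_close)
"""

# Constructed input: the violation.conf stanza from the post.
VIOLATION_CONF = """\
[1100006]
desc=P2P Isolation
template=p2p
trigger=suricata_event::ET P2P,suricata_event::ET P2P QVOD P2P
actions=unreg,email_admin,log,role
enabled=Y
vlan=gaming
target_category=gaming
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ INFO: \[mac:(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
EVENT_RE = re.compile(r"^violation: (?P<sig>.+?) - IP (?P<ip>\S+) \(pf::api::event_add\)$")
STATE_RES = {  # message prefix patterns that change a violation's state
    "added": re.compile(r"^violation (?P<vid>\d+) added for (?P<mac>[0-9a-f:]{17})"),
    "action": re.compile(r"^executing action '(?P<action>\w+)' on class (?P<vid>\d+)"),
    "duplicate": re.compile(r"^violation (?P<vid>\d+) \(trigger (?P<trigger>.+?)\) already exists for (?P<mac>[0-9a-f:]{17})"),
    "closed": re.compile(r"^violation (?P<vid>\d+) force-closed for (?P<mac>[0-9a-f:]{17})"),
}


def parse_violation_conf(text):
    """Parse violation.conf stanzas into {vid: {key: value}}; trigger/actions become lists."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            conf[current][key] = [v.strip() for v in value.split(",")] if key in ("trigger", "actions") else value
    return conf


def matching_triggers(conf, signature):
    """(vid, trigger) pairs whose suricata_event text is a prefix of the signature name.
    Prefix matching is inferred from the posted log, where 'suricata_event::ET P2P'
    fired for 'ET P2P Vuze BT UDP Connection (5)'; a bare SID like '2010144' matches nothing here."""
    hits = []
    for vid, entry in conf.items():
        if entry.get("enabled", "N").upper() != "Y":
            continue
        for trig in entry.get("trigger", []):
            kind, _, pattern = trig.partition("::")
            if kind == "suricata_event" and signature.startswith(pattern):
                hits.append((vid, trig))
    return hits


def build_timeline(log_text):
    """Return (event_add calls, per-violation state) from packetfence.log lines."""
    events, records = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        e = EVENT_RE.match(msg)
        if e:
            events.append((ts, e["sig"], e["ip"], m["ctx"]))  # ctx is the [mac:...] context
            continue
        for kind, rx in STATE_RES.items():
            r = rx.match(msg)
            if not r:
                continue
            rec = records.setdefault(r["vid"], {"mac": None, "actions": [], "duplicates": [],
                                                 "added_at": None, "closed_at": None})
            if kind == "added":
                rec["mac"], rec["added_at"] = r["mac"], ts
            elif kind == "action":
                rec["actions"].append(r["action"])
            elif kind == "duplicate":
                rec["duplicates"].append(r["trigger"])
            else:
                rec["closed_at"] = ts
            break
    return events, records


def summarize(records, vid):
    """How long the violation stayed open, which actions ran, how many triggers were deduplicated."""
    rec, fmt, open_for = records[vid], "%b %d %H:%M:%S", None
    if rec["added_at"] and rec["closed_at"]:
        open_for = (datetime.strptime(rec["closed_at"], fmt) - datetime.strptime(rec["added_at"], fmt)).total_seconds()
    return {"mac": rec["mac"], "actions": rec["actions"], "duplicates": len(rec["duplicates"]),
            "closed": rec["closed_at"] is not None, "open_for_seconds": open_for}
```

Running `build_timeline(PACKETFENCE_LOG)` followed by `summarize(records, "1100006")` reproduces the sequence the poster saw: the violation is added for d4:be:d9:39:37:c6, the actions unreg, role, log and email_admin run, the second DHT signature is deduplicated against the open violation, and the entry is force-closed two seconds after it was added. All three event_add calls carry the "[mac:unknown]" context, while the MAC only appears once violation_add is called.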