To give some more info and hopefully get some help I did some more digging.
I ran everything in debug mode and once again tailed all the logs. For a
while pfconfig.log was complaining
May 11 11:09:28 pfconfig(3412) ERROR: Couldn't select from table. Error : DBD::mysql::st execute failed: MySQL server has gone away at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 84, <$socket> line 1.
May 11 11:09:28 pfconfig(3412) ERROR: DBD::mysql::db do failed: MySQL server has gone away at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 114.
May 11 11:09:28 pfconfig(3412) ERROR: Couldn't insert in table. Error : DBD::mysql::db do failed: MySQL server has gone away at /usr/local/pf/lib/pfconfig/backend/mysql.pm line 114.
May 11 11:09:28 pfconfig(3412) ERROR: Could not write namespace FilterEngine::RadiusScopes to L2 cache ! This is bad.
May 11 11:09:28 pfconfig(3412) ERROR: Could not write namespace FilterEngine::RadiusScopes to L2 cache ! This is bad.
So I updated a few settings in mysql/my.cnf for longer wait_timeout and
restarted mysql.
I guess that fixed it because I no longer see these errors.
Anyways.
I ran mysql debug as well and I see the mysql database being updated when
an alert comes in at the same time it's being reported in pfdetect.log.
However, whenever I go and try to view the database table "triggers" I
receive this error.
mysql> select * from trigger;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use
near 'trigger' at line 1
I'm not sure if this is related; I see the violations I created in the action
table.
I'm still a little puzzled as to why violations are happening but triggers
are not being activated, I tried searching for vid within the database but
I'm not sure how the snort sids are matched to the action profiles I found
in the class table.
On Mon, May 9, 2016 at 7:31 AM, Mr C <[email protected]> wrote:
> Hi,
>
> Since upgrading to the new version I've been having an issue with snort.
> I've maintained the same violations. Here is an Example:
>
> [30000051]
> priority=1
>
> trigger=detect::2000334,detect::2000369,detect::2011699,detect::2010144,detect::2006375,detect::2008582
> actions=email_user,email_admin
> desc=P2P BitTorrent
> enabled=Y
> template=roguedhcp
> auto_enable=N
>
> I see the alerts in the alert file so snort sees the traffic and logs it,
> I then see it in the pfdetect logs.
>
> May 06 14:51:30 pfdetect(4904) INFO: alert received:
> '05/06-14:51:30.174521 [**] [1:2011699:5] ET P2P Bittorrent P2P Client
> User-Agent (Transmission/1.x) [**] [Classification: Potential Corporate
> Privacy Violation] [Priority: 1] {TCP} X.X.X.XX:43556 -> 91.189.94.40:80
> ' (main::_run_detector)
> May 06 14:51:30 pfdetect(4904) INFO: alert received:
> '05/06-14:51:30.339731 [**] [1:2011699:5] ET P2P Bittorrent P2P Client
> User-Agent (Transmission/1.x) [**] [Classification: Potential Corporate
> Privacy Violation] [Priority: 1] {TCP} X.X.X.XX:39709 -> 91.189.89.110:80
>
> So it should work as it did before but this violation is just not being
> triggered. I verified that the email addresses are set up. I even did a test
> of a custom alert in snort for ICMP then issued a bunch of pings, again it
> gets picked up by snort and pfdetect.
>
> May 06 12:10:37 pfdetect(26902) INFO: alert received:
> '05/06-12:10:37.745138 [**] [1:1:0] ICMP Packet Detected [**] [Priority:
> 0] {ICMP} xx.x.x.x -> x.x.x.x
>
> However even with my violation set nothing happens.
>
> (Don't have the violation.conf for this anymore, I deleted the conf file
> and started fresh during testing)
>
> There is nothing in the packetfence log.
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
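The ERROR 1064 above is not a schema problem: TRIGGER is a reserved word in MySQL, so an unquoted `select * from trigger;` is rejected by the parser before it ever looks at the table. Quoting the identifier with backticks is enough. The following statements are an added example written for this thread, not commands from the original message or from the PacketFence project; they assume the PacketFence database is named `pf` and that the trigger table carries a `vid` column (as the search for vid in the message suggests), and they also include the timeout check for the "MySQL server has gone away" errors from pfconfig.log.

```sql
-- Added example, not from the thread. Assumes the PacketFence database
-- is named `pf` and that the trigger table has a `vid` column.

-- 1. Check the timeout that was raised in my.cnf to stop the
--    "MySQL server has gone away" errors in pfconfig.log.
SHOW GLOBAL VARIABLES LIKE 'wait_timeout';

-- 2. This fails with ERROR 1064 because TRIGGER is a reserved word:
SELECT * FROM trigger;

-- 3. Quoting the identifier with backticks makes the same query work:
SELECT * FROM `trigger`;

-- 4. Confirm the table really exists under that name before suspecting
--    the schema (assumed database name: pf):
SELECT table_name
  FROM information_schema.tables
 WHERE table_schema = 'pf' AND table_name = 'trigger';

-- 5. Look up the rows tied to the violation id from violation.conf
--    ([30000051] in the quoted message); `vid` is assumed here.
SELECT * FROM `trigger` WHERE vid = 30000051;
```

The same backtick quoting applies to any other table or column whose name collides with a MySQL keyword; when a query fails with 1064 "near '<identifier>'", checking the reserved-word list for that identifier is the first thing to try before looking for a missing table.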