
SNORT PROBLEM

Hi Andrew,
Don't forget to add the trigger section into your violation definition
with the proper Detect::[SNORT_SID] statement. Otherwise, PacketFence
will not take any actions.
I took the opportunity to update the Administration Guide to reflect
that. See page 88 of the attached PDF.
Have a good one!
On 10-10-15 10:05 AM, Andrew Niemantsverdriet wrote:
> I have enabled Snort and, looking at the pf.log file, I can see
> violations that are happening; however, PacketFence takes no action
> (like moving the offender into the isolation VLAN). Why is this, and
> how can I fix it?
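The reply above says a violation without a trigger section is never fired, even though the Snort alert shows up in pf.log. The following checker, added here and not PacketFence's own code (PacketFence itself is Perl), lints a violations.conf for exactly that gap. It assumes the INI layout of the 2.x-era violations.conf the guide describes (one section per violation id, a `trigger=` line listing `Detect::<SNORT_SID>` entries); the violation ids and SIDs in the sample are constructed.

```python
"""Lint a PacketFence violations.conf for Snort-triggered violations.

Added example, not PacketFence's own code. Assumes the INI layout of the
2.x-era violations.conf: one section per violation id with desc=, enabled=,
actions=, vlan= and trigger=Detect::<SNORT_SID>[,Detect::<SID>...].
An enabled violation with no Detect:: trigger is never fired by a Snort
alert, which is the symptom described in the thread.
"""
import configparser
import re

# Constructed sample: two violations, the second one missing its trigger.
SAMPLE_VIOLATIONS_CONF = """\
[1100001]
desc=Snort alert: sample rule A
enabled=Y
actions=trap,log
vlan=isolationVlan
trigger=Detect::2001001,Detect::2001002

[1100002]
desc=Snort alert: sample rule B (no trigger!)
enabled=Y
actions=trap,log
vlan=isolationVlan
"""

DETECT_RE = re.compile(r"^Detect::(\d+)$")


def parse_violations(text):
    """Return {violation_id: {key: value}} from violations.conf text."""
    # '=' only: values such as Detect::2001001 contain ':' themselves
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {sec: dict(cp[sec]) for sec in cp.sections()}


def snort_triggers(entry):
    """Set of Snort SIDs (ints) named on an entry's trigger= line."""
    sids = set()
    for item in entry.get("trigger", "").split(","):
        m = DETECT_RE.match(item.strip())
        if m:
            sids.add(int(m.group(1)))
    return sids


def lint(text):
    """Return a list of (violation_id, problem) for entries that cannot fire."""
    findings = []
    for vid, entry in parse_violations(text).items():
        if entry.get("enabled", "N").upper() != "Y":
            continue  # a disabled violation is not expected to fire
        if not snort_triggers(entry):
            findings.append((vid, "enabled but has no Detect::<SID> trigger, "
                                  "so PacketFence will never act on it"))
        if "trap" in entry.get("actions", "") and not entry.get("vlan"):
            findings.append((vid, "actions=trap but no vlan= target"))
    return findings


def sid_to_violations(text):
    """Map Snort SID -> violation ids it triggers (handy when reading pf.log)."""
    index = {}
    for vid, entry in parse_violations(text).items():
        for sid in snort_triggers(entry):
            index.setdefault(sid, []).append(vid)
    return index


if __name__ == "__main__":
    for vid, problem in lint(SAMPLE_VIOLATIONS_CONF):
        print(f"[{vid}] {problem}")
    print(sid_to_violations(SAMPLE_VIOLATIONS_CONF))
```

Run it against the real file with `lint(open("/usr/local/pf/conf/violations.conf").read())`; the SID index is what you look up when a pf.log line names a Snort SID and you want to know which violation, if any, it should have raised.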
--------------------------------------------------------------------------------
If I understand you correctly, then port 24 will be your 'uplink' port
in 'switches.conf', although 'uplink = dynamic' may work as well.
--------------------------------------------------------------------------------
And for web pages, this is simple: you don't need PF to do this, you
only need good Squid/web proxy ACL rules to ban FB access etc. I use
it, with a special Perl extension/script to deny all SSL connections by
default, and whitelist only those https URLs which are really needed.
This rules out tunnelling-through-SSL techniques.
--------------------------------------------------------------------------------
dhcpd.conf,
named.conf,
named/named-isolation.ca, named/named-registration.ca, networks.conf,
pf.conf & switches.conf so we can have a look at them.
Best,
Chris

--------------------------------------------------------------------------------
rafal
Change PF's configuration etc.: do I have to change all the fields?
custom.pm: if I use yours, will it work on mine here? What can I change in it?
test with errors
If the test is successful, the switch is returning configuration
information, like this:
root@niach:/usr/local/pf# ./test/connect_and_read.pl
192.168.251.34
- sysUptime: 48 days, 15:29:40.61
- nb Vlans : 13
- Uplinks: 24, 25, 26, 27
------------------------------------------------------------
Switch-A#sh run | incl snmp
snmp-server community readwritepw RW
snmp-server community readonlypw RO
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 10.0.0.4 version 2c trappw
Line 1: set SNMP access password for read and write, so PF can read and
write data.
Line 2: set SNMP access password for read only, so PF can read data.
Line 3: send SNMP traps on port security violation only.
Line 4: send only one violation per something [minute?]. Can't
remember, but it works.
Line 5: Set host 10.0.0.4 to receive traps using the SNMP version "2c"
protocol, authorising access with the trappw password.
--------------------------------------------------------------------------------
b) PF manages switch using telnet and SNMP. This access is defined in
PF's switches.conf file:
[192.168.0.37]
type=Cisco::Catalyst_2960
uplink=10101,10102,10103,10104,10501
SNMPVersionTrap=2c
SNMPCommunityTrap=trappw
cliTransport=Telnet
cliUser=admin
cliPwd=1234
cliEnablePwd=5678
mode=production
This defines the switch at 192.168.0.37 as a Cisco 2960 with the fiber and
aux ports excluded [uplinks -- in your case 10024 should also be listed
there, since you use Fa0/24 as an uplink].
The SNMP* lines define the SNMP access, using the version "2c" protocol and
"trappw" as the SNMP trap password [it should be the same as in "Line 5"].
The cli* lines define physical access to the switch. These should be set to your
telnet login, password and "enable" password.
Setting "mode" to production actually enables the switch in the PF
configuration [you can use "testing" to monitor what PF would do without
actually doing it].
Once you have configured cli* and checked that "telnet <your switch IP>" works
from the PF server, you should be able to run "connect_and_read.pl" without any
problems.
> In your configuration file you have like 10 VLANs; where are your VLANs
> from PF, like normal / registration / violation / isolation??
I don't use reg/viol/iso VLANs. These functionalities are not implemented
since I don't need them. But I have 8 VLANs and I did have to define them
in switches.conf, in the [default] part:
[default]
vlans=2,4,3,5,6,7,8,9
normalVlan=2
registrationVlan=7
isolationVlan=7
guestVlan=7
Then, using my "custom.pm" switch, I just assign a node to a category
named "VLAN7 - frontend" and this binds that particular MAC to VLAN 7 because
whenever "custom.pm" is run, it gets the correct VLAN from the category
name.
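The answer above spreads the things that have to agree across two places: the switch's own `snmp-server` lines and the [default]/[switch IP] sections of switches.conf. The checker below, added here and not PacketFence's own code, cross-checks the two from the snippets in the thread (both inputs are constructed from them) and reports the mismatch the answer points out, namely Fa0/24 missing from `uplink=`. The ifIndex rule it uses (Fa0/24 -> 10024, Gi0/1 -> 10101) is the Catalyst convention the answer relies on and is an assumption for any other platform.

```python
"""Cross-check PacketFence switches.conf against the switch's SNMP config.

Added example, not PacketFence's own code. Both inputs below are
constructed from the thread's snippets. The ifIndex rule (Fa0/24 -> 10024,
Gi0/1 -> 10101) is assumed Catalyst 2960 numbering.
"""
import configparser
import re

SWITCHES_CONF = """\
[default]
vlans=2,4,3,5,6,7,8,9
normalVlan=2
registrationVlan=7
isolationVlan=7
guestVlan=7

[192.168.0.37]
type=Cisco::Catalyst_2960
uplink=10101,10102,10103,10104,10501
SNMPVersionTrap=2c
SNMPCommunityTrap=trappw
cliTransport=Telnet
cliUser=admin
cliPwd=1234
cliEnablePwd=5678
mode=production
"""

SHOW_RUN_SNMP = """\
snmp-server community readwritepw RW
snmp-server community readonlypw RO
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 10.0.0.4 version 2c trappw
"""

HOST_RE = re.compile(r"^snmp-server host (\S+)(?: version (\S+))? (\S+)")


def load_switches(text):
    """Return {ip: settings} with the [default] section merged into each switch."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SNMPCommunityTrap etc. exactly as written
    cp.read_string(text)
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    return {sec: {**defaults, **cp[sec]} for sec in cp.sections() if sec != "default"}


def parse_trap_hosts(show_run):
    """{trap receiver ip: (snmp version, community)} from snmp-server host lines."""
    hosts = {}
    for line in show_run.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = (m.group(2) or "1", m.group(3))
    return hosts


def cisco_ifindex(port):
    """Fa0/N -> 10000+N, Gi0/N -> 10100+N (assumed 2960 numbering)."""
    m = re.match(r"^(Fa|Gi)0/(\d+)$", port)
    if not m:
        raise ValueError(f"unsupported port name {port!r}")
    return (10000 if m.group(1) == "Fa" else 10100) + int(m.group(2))


def check(switches_conf, show_run, pf_ip, switch_ip, uplink_port):
    """Return a list of findings; an empty list means the two configs agree."""
    sw = load_switches(switches_conf).get(switch_ip)
    if sw is None:
        return [f"no [{switch_ip}] section in switches.conf"]
    findings = []
    # 1. trap version/community must match the snmp-server host line for PF
    hosts = parse_trap_hosts(show_run)
    if pf_ip not in hosts:
        findings.append(f"switch does not send traps to {pf_ip}")
    else:
        version, community = hosts[pf_ip]
        if sw.get("SNMPVersionTrap") != version:
            findings.append(f"SNMPVersionTrap={sw.get('SNMPVersionTrap')} but switch sends version {version}")
        if sw.get("SNMPCommunityTrap") != community:
            findings.append("SNMPCommunityTrap does not match the community on the snmp-server host line")
    # 2. the port really used as uplink must be listed, unless uplink=dynamic
    uplink = sw.get("uplink", "").strip()
    if uplink != "dynamic":
        idx = str(cisco_ifindex(uplink_port))
        if idx not in {u.strip() for u in uplink.split(",")}:
            findings.append(f"{uplink_port} (ifIndex {idx}) missing from uplink=")
    # 3. every role VLAN must be one of the VLANs declared for the switch
    vlans = {v.strip() for v in sw.get("vlans", "").split(",")}
    for role in ("normalVlan", "registrationVlan", "isolationVlan", "guestVlan"):
        if sw.get(role) not in vlans:
            findings.append(f"{role}={sw.get(role)} not in vlans=")
    # 4. testing mode only logs what PF would do; port-security traps drive it
    if sw.get("mode") != "production":
        findings.append(f"mode={sw.get('mode')}: PF will not change any port")
    if "enable traps port-security" not in show_run:
        findings.append("port-security traps are not enabled on the switch")
    return findings


if __name__ == "__main__":
    for f in check(SWITCHES_CONF, SHOW_RUN_SNMP, "10.0.0.4", "192.168.0.37", "Fa0/24"):
        print("finding:", f)
```

Feed it the real switches.conf and the output of `sh run | incl snmp` pasted into a file; the trap-community comparison is the check that matters most, since a mismatch there means the switch's traps are silently dropped and PF never learns a port changed.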
