PacketFence - BTS - PacketFence
View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0000956 | PacketFence | IDS | public | 2010-04-14 09:40 | 2012-08-07 09:52

Reporter | obilodeau
Assigned To | fgaudreault
Priority | normal | Severity | minor | Reproducibility | N/A
Status | closed | Resolution | fixed
Platform | | OS | | OS Version |
Product Version |
Target Version | 3.5.0 | Fixed in Version | 3.5.0
fixed in git revision |
fixed in mtn revision |
Summary | 0000956: confusion between trapping.range, pf.conf's interfaces and networks.conf
Description | Tim wanted to have snort listen to internal traffic on a routed environment.
Trying to do so, he configured trapping.range to include the additional network he wanted to trap. This didn't work.
He only needs one interface in pf.conf since he's in a routed environment.
It turns out that snort's %%internal-nets%% is populated by the interfaces in pf.conf that are of type internal. This doesn't make any sense in a routed environment.
This pushes more on the fact that interfaces in pf.conf are less than ideal.
Steps To Reproduce |
Additional Information |
Tags | Code Review
Relationships | related to | 0000929 | closed | obilodeau | Proper routed VLAN support
Relationships | related to | 0000957 | closed | obilodeau | snort should have a flag in networks.conf
Relationships | related to | 0001141 | closed | obilodeau | Support for surricata IDS

Attached Files | snort_trapping-range.patch (6,137) 2011-10-11 16:03 https://www.packetfence.org/bugs/file_download.php?file_id=108&type=bug
Issue History
Date Modified | Username | Field | Change
2010-04-14 09:40 | obilodeau | New Issue |
2010-04-14 09:40 | obilodeau | Status | new => assigned
2010-04-14 09:40 | obilodeau | Assigned To | => obilodeau
2010-04-14 09:42 | obilodeau | Relationship added | related to 0000929
2010-04-14 09:58 | obilodeau | Relationship added | related to 0000957
2010-04-29 13:39 | obilodeau | Target Version | 1.8.8 => 1.9.0
2010-05-03 14:50 | obilodeau | Target Version | 1.9.0 => 1.9.1
2010-09-15 13:27 | obilodeau | Target Version | 1.9.1 => 1.9.2
2010-09-22 16:02 | obilodeau | Target Version | 1.9.2 => 1.9.3
2011-09-07 17:27 | obilodeau | Target Version | 1.9.3 => +1
2011-10-11 16:02 | fgaudreault | Note Added: 0002333 |
2011-10-11 16:03 | fgaudreault | File Added: snort_trapping-range.patch |
2011-10-11 16:04 | fgaudreault | Tag Attached: Code Review |
2011-10-11 17:20 | fgaudreault | Note Added: 0002336 |
2011-10-14 09:17 | obilodeau | Note Added: 0002347 |
2011-10-14 09:19 | obilodeau | Relationship added | related to 0001141
2011-10-14 09:19 | obilodeau | Assigned To | obilodeau => fgaudreault
2011-10-14 09:19 | obilodeau | Category | doc => IDS
2011-10-14 10:13 | fgaudreault | Note Added: 0002353 |
2012-08-01 14:08 | fgaudreault | Status | assigned => closed
2012-08-01 14:08 | fgaudreault | Resolution | open => fixed
2012-08-01 14:08 | fgaudreault | Fixed in Version | => 3.5.0
2012-08-07 09:52 | obilodeau | Target Version | +1 => 3.5.0

Notes
(0002333) | fgaudreault | 2011-10-11 16:02

Proposing a patch here:
- Have a services/snort.pm file to handle snort startup.
- Usage of trapping.range instead of internal-nets
(0002336) | fgaudreault | 2011-10-11 17:20

I will also include that into the org.packetfence.feature.suricata branch.
(0002347) | obilodeau | 2011-10-14 09:17

minor glitches
in conf/pf.conf.defaults:
# services.suricata -> # services.suricata_binary
pfdetect_remote still talks about snort and refers to snort's log location (/var/log/snort/alert); it's in the init.d file. We should replace snort with IDS or maybe snort-compatible IDS?
The tests were not modified to test the new services files.
I'm pretty sure that the ids() checkup test is not useful because documentation.conf already specifies allowed values and it'll be validated.
All the ids_snort() tests could be generalized to ids() or copied into ids_suricata(). They all apply to suricata as well: binary exists, pipe file and monitor interface. binary in ids_suricata() and the two others generalized in ids(). global $snortpipe should be renamed $alertpipe for consistency.
Once these minor things are done we will merge in a feature cycle. Pretty sure it'll be in 3.1.0. Good work!
(0002353) | fgaudreault | 2011-10-14 10:12

Updated the branch.
- services.suricata to services.suricata_binary
- pfdetect_remote now refers to /var/log/snort-compat/alert
- Tests have been modified to test the new services files.
- IDS tests have been generalized in ids() in pfcmd/checkup.pm