PacketFence
Bug Tracking System

View Issue Details

ID: 0000956
Project: PacketFence
Category: IDS
View Status: public
Date Submitted: 2010-04-14 09:40
Last Update: 2012-08-07 09:52
Reporter: obilodeau
Assigned To: fgaudreault
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Target Version: 3.5.0
Fixed in Version: 3.5.0

Summary: 0000956: confusion between trapping.range, pf.conf's interfaces and networks.conf

Description:
Tim wanted to have snort listen to internal traffic on a routed environment.

Trying to do so, he configured trapping.range to include the additional network he wanted to trap. This didn't work.

He only needs one interface in pf.conf since he's in a routed environment.

It turns out that snort's %%internal-nets%% is populated by the interfaces in pf.conf that are of type internal. This doesn't make any sense in a routed environment.

This pushes more on the fact that interfaces in pf.conf are less than ideal.
Tags: Code Review
Fixed in git revision:
Fixed in mtn revision:
Attached Files: snort_trapping-range.patch (6,137 bytes) 2011-10-11 16:03

- Relationships
related to 0000929 (closed, obilodeau): Proper routed VLAN support
related to 0000957 (closed, obilodeau): snort should have a flag in networks.conf
related to 0001141 (closed, obilodeau): Support for surricata IDS

- Notes
(0002333)
fgaudreault (viewer)
2011-10-11 16:02

Proposing a patch here:
- Have a services/snort.pm file to handle snort startup.
- Usage of trapping.range instead of internal-nets
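The difference the report describes, as an added illustration that is not PacketFence's own code or the attached patch: with one internal interface in pf.conf, deriving snort's %%internal-nets%% from interfaces of type internal covers only that interface's subnet, while the routed networks listed in trapping.range are left unwatched. The interface table, the trapping.range value and the way the token is rendered into a snort HOME_NET variable are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample data (assumption, not real PacketFence configuration):
# pf.conf-style interface sections and a trapping.range value for a routed setup
# where only one interface is defined but several remote networks are trapped.
PF_CONF_INTERFACES = {
    "eth0.2": {"type": "internal", "ip": "192.168.2.1", "mask": "255.255.255.0"},
    "eth0.3": {"type": "management", "ip": "10.0.0.10", "mask": "255.255.255.0"},
}
TRAPPING_RANGE = "192.168.2.0/24,172.16.10.0/24,172.16.20.0/24"

# Minimal snort.conf fragment carrying the %%internal-nets%% placeholder named in the
# report; rendering it into HOME_NET is an assumption about how the token is consumed.
SNORT_CONF_TEMPLATE = "var HOME_NET [%%internal-nets%%]\nvar EXTERNAL_NET !$HOME_NET\n"


def nets_from_interfaces(interfaces):
    """Old behaviour: derive the IDS networks only from interfaces of type 'internal'."""
    nets = []
    for iface in interfaces.values():
        if iface["type"] != "internal":
            continue
        # strict=False: the interface address is a host address, not a network address
        net = ipaddress.IPv4Network(f"{iface['ip']}/{iface['mask']}", strict=False)
        nets.append(str(net))
    return nets


def nets_from_trapping_range(value):
    """Proposed behaviour: parse trapping.range as a comma-separated list of CIDR networks."""
    nets = []
    for item in (s.strip() for s in value.split(",") if s.strip()):
        # strict=True rejects entries with host bits set (e.g. 192.168.2.1/24) and junk
        nets.append(str(ipaddress.IPv4Network(item, strict=True)))
    return nets


def invalid_entries(value):
    """Return the trapping.range entries that are not valid CIDR networks (for a checkup)."""
    bad = []
    for item in (s.strip() for s in value.split(",") if s.strip()):
        try:
            ipaddress.IPv4Network(item, strict=True)
        except ValueError:
            bad.append(item)
    return bad


def render_snort_conf(template, nets):
    """Substitute the %%internal-nets%% placeholder with the snort list syntax."""
    return template.replace("%%internal-nets%%", ",".join(nets))


def missing_from_ids(trapped_nets, ids_nets):
    """Trapped networks that fall outside every network the IDS was told to watch."""
    covered = [ipaddress.IPv4Network(n) for n in ids_nets]
    return [
        n for n in trapped_nets
        if not any(ipaddress.IPv4Network(n).subnet_of(c) for c in covered)
    ]


if __name__ == "__main__":
    old = nets_from_interfaces(PF_CONF_INTERFACES)
    new = nets_from_trapping_range(TRAPPING_RANGE)
    print("from interfaces:   ", old)
    print("from trapping.range:", new)
    print("not watched under old behaviour:", missing_from_ids(new, old))
    print(render_snort_conf(SNORT_CONF_TEMPLATE, new))
```

Running it shows the two routed networks that snort would never see when HOME_NET is built from the interface list, which is exactly why setting trapping.range alone had no effect before the patch; the invalid_entries() helper is the kind of validation a checkup for the new source of truth would want, since a malformed range would otherwise silently shrink the monitored set.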
(0002336)
fgaudreault (viewer)
2011-10-11 17:20

I will also include that into the org.packetfence.feature.suricata branch.
(0002347)
obilodeau (reporter)
2011-10-14 09:17

minor glitches

in conf/pf.conf.defaults:
# services.suricata -> # services.suricata_binary

pfdetect_remote still talks about snort and refers to snort's log location (/var/log/snort/alert); it's in the init.d file. We should replace snort with IDS, or maybe snort-compatible IDS?

The tests were not modified to test the new services files.

I'm pretty sure that the ids() checkup test is not useful because documentation.conf already specifies allowed values and it'll be validated.

All the ids_snort() tests could be generalized to ids() or copied into ids_suricata(). They all apply to suricata as well: binary exists, pipe file and monitor interface. Binary in ids_suricata(), and the two others generalized in ids(). Global $snortpipe should be renamed $alertpipe for consistency.


Once these minor things are done we will merge in a feature cycle. Pretty sure it'll be in 3.1.0. Good work!
(0002353)
fgaudreault (viewer)
2011-10-14 10:12

Updated the branch.

- services.suricata to services.suricata_binary
- pfdetect_remote now refers to /var/log/snort-compat/alert
- Tests have been modified to test the new services files.
- IDS tests have been generalized in ids() in pfcmd/checkup.pm

- Issue History
Date Modified Username Field Change
2010-04-14 09:40 obilodeau New Issue
2010-04-14 09:40 obilodeau Status new => assigned
2010-04-14 09:40 obilodeau Assigned To => obilodeau
2010-04-14 09:42 obilodeau Relationship added related to 0000929
2010-04-14 09:58 obilodeau Relationship added related to 0000957
2010-04-29 13:39 obilodeau Target Version 1.8.8 => 1.9.0
2010-05-03 14:50 obilodeau Target Version 1.9.0 => 1.9.1
2010-09-15 13:27 obilodeau Target Version 1.9.1 => 1.9.2
2010-09-22 16:02 obilodeau Target Version 1.9.2 => 1.9.3
2011-09-07 17:27 obilodeau Target Version 1.9.3 => +1
2011-10-11 16:02 fgaudreault Note Added: 0002333
2011-10-11 16:03 fgaudreault File Added: snort_trapping-range.patch
2011-10-11 16:04 fgaudreault Tag Attached: Code Review
2011-10-11 17:20 fgaudreault Note Added: 0002336
2011-10-14 09:17 obilodeau Note Added: 0002347
2011-10-14 09:19 obilodeau Relationship added related to 0001141
2011-10-14 09:19 obilodeau Assigned To obilodeau => fgaudreault
2011-10-14 09:19 obilodeau Category doc => IDS
2011-10-14 10:13 fgaudreault Note Added: 0002353
2012-08-01 14:08 fgaudreault Status assigned => closed
2012-08-01 14:08 fgaudreault Resolution open => fixed
2012-08-01 14:08 fgaudreault Fixed in Version => 3.5.0
2012-08-07 09:52 obilodeau Target Version +1 => 3.5.0