Developers guide

Chapter 7
Copyright © 2008-2013 Inverse inc.
Optional components
Blocking malicious activities with violations
Policy violations allow you to restrict a client system's network access based on violations of certain policies. For
example, if you do not allow P2P-type traffic on your network, and you are running the appropriate
software to detect it and trigger a violation for a given client, PacketFence will show that client a "blocked"
page, which can be customized to your wishes.
In order to be able to block malicious activities, you need to install and configure the SNORT or Suricata
IDS to talk with PacketFence.
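The flow described above (the IDS raises an alert for a client, a violation is matched, and the client is isolated) can be illustrated with the parsing step alone. The following is an added example, not PacketFence's own alert handling and not code from this guide: it parses a few constructed lines in Snort's "alert_fast" output format, looks the rule SID up in a constructed violation table, and reports which source IP addresses would be put behind the blocked page. The SIDs, rule messages and the VIOLATIONS table are placeholders chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort's alert_fast format. The SIDs (9000001,
# 9000002) and messages are placeholders for this example, not real rules.
SAMPLE_ALERTS = """\
03/12-14:02:11.123456  [**] [1:9000001:1] EXAMPLE P2P client handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.5:51413 -> 203.0.113.9:6881
03/12-14:02:15.000001  [**] [1:9000002:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
03/12-14:03:40.555555  [**] [1:9000001:1] EXAMPLE P2P client handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.5:51414 -> 198.51.100.4:6881
this line is not an alert and must be ignored
"""

# Assumed violation table: which SIDs trigger a violation and for how long
# (seconds) the client stays isolated. Real deployments keep this in the
# NAC's own configuration; the values here are invented for the example.
VIOLATIONS = {
    9000001: {"name": "p2p_traffic", "block_seconds": 3600},
}

# alert_fast layout: timestamp, [**] [gid:sid:rev] message [**],
# optional classification and priority, {PROTO} src[:port] -> dst[:port].
# IPv4 only, to keep the address/port split unambiguous.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line; return a dict, or None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "priority": int(d["prio"]) if d["prio"] else None,
    }


def evaluate(alert_text):
    """Map alert lines to {client_ip: [violation names]}.

    Only the source address of an alert is treated as the offending client;
    a client is listed once per violation even if the rule fires repeatedly.
    """
    blocked = defaultdict(list)
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # malformed or unrelated log line
        violation = VIOLATIONS.get(alert["sid"])
        if violation and violation["name"] not in blocked[alert["src"]]:
            blocked[alert["src"]].append(violation["name"])
    return dict(blocked)


if __name__ == "__main__":
    for client, names in evaluate(SAMPLE_ALERTS).items():
        for name in names:
            secs = VIOLATIONS_BY_NAME = next(v["block_seconds"] for v in VIOLATIONS.values() if v["name"] == name)
            print(f"{client}: violation '{name}', isolate for {secs}s")
```

The ICMP line parses cleanly even though it carries no ports, and the non-alert line is skipped rather than raising, which matters when a log rotates or a partial line is read. Keying the decision on the rule SID rather than on the free-text message is what keeps the mapping stable across rule revisions.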
Snort
Installation
The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence
repository. To install it, simply run the following command:
yum install snort
Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort
version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file
to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf:
all modifications made there will be overwritten on each PacketFence restart.
Suricata
Installation
Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially
support), you need to build it the "old" way.
The OISF provides a really well written how-to for that. It's available here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5