Developers guide
Chapter 7
Copyright © 2008-2013 Inverse inc.
Optional components 46
Configuration
PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own needs.
The file is located in /usr/local/pf/conf.
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so;
otherwise, the alerts will be discarded. This is quite simple to accomplish: create a violation and add
the Snort alert SID to the trigger field of that violation.
PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf
configuration file. The violation format is as follows:
[1234]
desc=Your Violation Description
priority=8
url=/content/index.php?template=<template>
redirect_url=/proxies/tools/stinger.exe
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
vlan=isolationVlan
whitelisted_categories=
[1234]
The violation ID. Any integer except 1200000-120099 which is reserved for required
administration violations.
desc
single line description of violation
priority
Range 1-10, with 1 the highest priority and 10 the lowest. Higher priority violations will
be addressed first if a host has more than one.
template
Template name to use while in violation. It must match an HTML file name (without the
extension) in the violations templates directory.
redirect_url
The user is redirected to this URL after re-enabling network access on the
remediation page.
enable
If enable is set to N, this violation is disabled and no additional violations of this type
will be added.
trigger
References an external detection method. Each trigger is formatted as type::ID, and several
can be listed separated by commas. The type can be Detect (Snort), Nessus, OpenVAS, OS (DHCP
Fingerprint Detection), UserAgent (Browser signature), VendorMAC (MAC address class), SoH
(Statement of Health filter), Accounting, etc. In the above example, 2000032 is the Snort
ID and 11808 is the Nessus plugin number. The Snort ID does NOT have to match the
violation ID.
actions
This is the list of actions that will be executed on a violation addition. The actions can be:
log     Log a message to the file specified in [alerting].log
email   Email the address specified in [alerting].emailaddr, using [alerting].smtpserver.
        Multiple emailaddr can be separated by comma.
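As an added example (not PacketFence's own code; the sample config is constructed), the following Python parses entries in the violations.conf format above, validates the priority range and the type::ID trigger syntax, and resolves which enabled violation a given Snort SID or Nessus plugin ID fires, ordered by priority. It also illustrates that the Snort ID and the violation ID are independent.

```python
import configparser
import re
# Constructed sample in the violations.conf format documented above (not a real
# PacketFence file); [1235] reuses the same Snort SID as [1234] but is disabled.
SAMPLE_CONF = """
[1234]
desc=Your Violation Description
priority=8
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
whitelisted_categories=
[1235]
priority=3
enable=N
trigger=Detect::2200032
actions=log
"""
# Trigger types named on the page; the ID is whatever the detector reports.
TRIGGER_RE = re.compile(
    r"^(Detect|Nessus|OpenVAS|OS|UserAgent|VendorMAC|SoH|Accounting)::(\S+)$")
KNOWN_ACTIONS = {"log", "email", "trap"}  # the actions that appear on the page

def parse_violations(text):
    """Return {violation_id: fields}; malformed entries raise ValueError."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for sec in cp.sections():
        s = cp[sec]
        priority = int(s.get("priority", "10"))
        if not 1 <= priority <= 10:
            raise ValueError(f"[{sec}] priority must be 1-10")
        triggers = []
        for raw in filter(None, map(str.strip, s.get("trigger", "").split(","))):
            m = TRIGGER_RE.match(raw)
            if not m:
                raise ValueError(f"[{sec}] bad trigger {raw!r}")
            triggers.append((m.group(1), m.group(2)))
        actions = [a.strip() for a in s.get("actions", "").split(",") if a.strip()]
        if set(actions) - KNOWN_ACTIONS:
            raise ValueError(f"[{sec}] unknown action in {actions}")
        out[int(sec)] = {"priority": priority, "triggers": triggers, "actions": actions,
                         "enabled": s.get("enable", "Y").upper() == "Y"}
    return out

def violations_for(violations, trig_type, trig_id):
    """Enabled violation IDs matching a trigger, highest priority (1) first."""
    hits = [vid for vid, v in violations.items()
            if v["enabled"] and (trig_type, str(trig_id)) in v["triggers"]]
    return sorted(hits, key=lambda vid: violations[vid]["priority"])
```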