From: andy n. <and...@ya...> - 2011-08-26 20:04:20
Below is the log:

Aug 26 07:30:16 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 26 07:30:16 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd 'manage register 00:21:70:90:4e:2f "anguyen" pid="1",user_agent="Mozilla 4.0 compatible; MSIE 8.0; Windows NT 5.1; Trident 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729 "' (pf::web::_sanitize_and_register)
Aug 26 07:30:16 pfcmd(0) INFO: grace expired on violation 1200001 for node 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 26 07:30:16 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f (pf::violation::violation_add)
Aug 26 07:30:16 pfcmd(0) INFO: executing action 'log' on class 1200001 (pf::action::action_execute)
Aug 26 07:30:16 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-08-26 07:30:16: System Scan (1200001) detected on node 00:21:70:90:4e:2f (192.168.2.15) (pf::action::action_log)
Aug 26 07:30:16 pfcmd(0) INFO: executing action 'trap' on class 1200001 (pf::action::action_execute)
Aug 26 07:30:16 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_register called) (pf::enforcement::reevaluate_access)
Aug 26 07:30:16 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (pf::enforcement::_vlan_reevaluation)
Aug 26 07:30:16 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (2) (pf::vlan::getViolationVlan)
Aug 26 07:30:16 register.cgi(0) INFO: more violations yet to come for 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Aug 26 07:30:17 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:30:17 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:30:17 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:30:17 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:30:27 release.pm(0) INFO: scanning 192.168.2.15 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler)
Aug 26 07:30:27 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Aug 26 07:30:28 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-26-07:30:28.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-26-07:30:28.nbe (pf::scan::runScan)
Aug 26 07:31:33 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:31:33 redir.cgi(0) INFO: captive portal redirect to the scan in progress page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:32:13 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:32:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:32:13 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:32:13 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:32:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:32:13 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:32:13 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:34:43 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:34:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:34:43 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:34:43 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:34:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:34:43 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:37:13 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:37:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:37:13 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:37:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:37:13 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:37:13 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:38:34 pfmon(1) INFO: running expire check (main::cleanup)
Aug 26 07:38:34 pfmon(1) INFO: checking registered nodes for expiration (main::cleanup)
Aug 26 07:39:43 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:39:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:39:43 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:39:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:39:43 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:39:43 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:42:13 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:42:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:42:13 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:42:13,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:42:13 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:42:13 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:44:43 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:44:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:44:43 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:44:43,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:44:44 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:44:44 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:47:14 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:47:14,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:47:14 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:47:14,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:47:14 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:47:14 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:48:34 pfmon(1) INFO: running expire check (main::cleanup)
Aug 26 07:48:34 pfmon(1) INFO: checking registered nodes for expiration (main::cleanup)
Aug 26 07:49:44 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:49:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:49:44 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:49:44 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:49:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:49:44 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:52:14 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:52:14,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:52:14 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:52:14 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:52:14,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:52:14 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:52:56 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:52:56 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' (pf::web::web_node_record_user_agent)
Aug 26 07:52:56 redir.cgi(0) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
Aug 26 07:52:56 redir.cgi(0) INFO: captive portal redirect to the scan in progress page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Aug 26 07:54:44 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:54:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:54:44 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:54:44 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:54:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:54:44 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:57:14 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:57:14,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:58:34 pfmon(1) INFO: running expire check (main::cleanup)
Aug 26 07:58:34 pfmon(1) INFO: checking registered nodes for expiration (main::cleanup)
Aug 26 07:59:44 pfdhcplistener(12426) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:59:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:59:44 pfdhcplistener(12427) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-26 07:59:44,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
Aug 26 07:59:44 pfdhcplistener(12427) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 07:59:44 pfdhcplistener(12426) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
Aug 26 08:00:59 pfcmd(0) INFO: Nessus scan did not detect any vulnerabilities on 192.168.2.15 (pf::scan::runScan)
Aug 26 08:00:59 pfcmd(0) INFO: calling /usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 (pf::scan::runScan)
Aug 26 08:00:59 pfcmd(0) INFO: violation 1200001 closed for 00:21:70:90:4e:2f (pf::violation::violation_close)
Aug 26 08:00:59 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_vclose called) (pf::enforcement::reevaluate_access)
Aug 26 08:00:59 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (pf::enforcement::_vlan_reevaluation)
Aug 26 08:00:59 pfcmd(0) INFO: MAC: 00:21:70:90:4e:2f, PID: anguyen, Status: reg. Returned VLAN: 10 (pf::vlan::fetchVlanForNode)
Aug 26 08:00:59 pfcmd(0) INFO: calling /usr/local/pf/bin/flip.pl for node 00:21:70:90:4e:2f (current VLAN = 2 but should be in VLAN 10) (pf::enforcement::_vlan_reevaluation)
Aug 26 08:01:00 flip.pl(0) INFO: flip.pl called with 00:21:70:90:4e:2f (main::)
Aug 26 08:01:00 flip.pl(0) INFO: switch port for 00:21:70:90:4e:2f is 10.0.10.2 ifIndex 10105 connection type: Wired SNMP (main::)
Aug 26 08:01:00 pfcmd(0) WARN: Error trying to run command: /usr/local/pf/bin/pfcmd manage vclose 00:21:70:90:4e:2f 1200001 called from runScan. Child exited with non-zero value 1 (pf::util::pf_run)
Aug 26 08:01:02 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.0.10.2 (main::parseTrap)
Aug 26 08:01:02 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 26 08:01:02 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.10.2 ifIndex 10105 (main::handleTrap)
Aug 26 08:01:02 pfsetvlan(1) INFO: security traps are configured on 10.0.10.2 ifIndex 10105. Re-assigning VLAN for 00:21:70:90:4e:2f (main::handleTrap)
Aug 26 08:01:02 pfsetvlan(1) WARN: couldn't get MAC at ifIndex 10105. This is a problem. (pf::SNMP::_getMacAtIfIndex)

Thanks!!

From: Francois Gaudreault <fga...@in...>
To: pac...@li...
Sent: Friday, August 26, 2011 6:17 AM
Subject: Re: [Packetfence-users] Packetfence & Nessus Configuration

Hmm, I see here that the Nessus process started:

Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler)
Aug 25 11:33:33 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 11:33:33.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-25-11:33:33.nbe (pf::scan::runScan)

I need the logs after that....

On 11-08-25 6:01 PM, andy nguyen wrote:

Francois,

Thank you very much for your help!!! I have downloaded the latest trunk as you suggested and successfully installed it (the pf 3.0 beta). I still have a problem when testing with Nessus. Again, the command (pfcmd schedule now ip) runs fine and I can see my test laptop being scanned, but not when I tried to register the laptop through PacketFence. I am not sure if this is a bug in 3.0.
Below are the config file and the PacketFence log file. Any ideas to try???

>***packetfence violation tab*** I always see violation 1200001
>
>27 00:21:70:90:4e:2f 2009-8168-03 open System Scan 2011-08-25 11:33:28
>
>****Violations.conf*****
>
>[1100011]
>desc=Check Antivirus Updates
>priority=5
>url=/remediation.php?template=system_scan
>actions=log,trap
>trigger=Scan::21725
>disable=N
>vlan=registrationVlan
>#
># 1200000 - 120099 Reserved for required administration violations
>#
>[1200001]
>priority=9
>desc=System Scan
># someone should always be able to try to scan its system again
>max_enable=0
>grace=1s
>url=/remediation.php?template=system_scan
>actions=trap,log
>button_text=Scan
>disable=Y
># Scan is taking place in the registration vlan don't change this value.
>vlan=registrationVlan
>
>***Packetfence log *****
>
>Aug 25 11:32:35 pfmon(1) INFO: Starting cleanup thread (main::cleanup)
>Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (just in case) (main::cleanup)
>Aug 25 11:32:35 pfmon(1) INFO: closing open iplogs (pf::iplog::iplog_shutdown)
>Aug 25 11:33:01 pfdhcplistener(8302) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
>Aug 25 11:33:01 pfdhcplistener(8303) INFO: 00:21:70:90:4e:2f requested an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node with last_dhcp = 2011-08-25 11:33:01,computername = 2009-8168-03,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43 (main::listen_dhcp)
>Aug 25 11:33:01 pfdhcplistener(8303) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
>Aug 25 11:33:01 pfdhcplistener(8303) INFO: could not resolve 192.168.2.15 to mac in ARP table (pf::iplog::ip2macinarp)
>Aug 25 11:33:01 pfdhcplistener(8303) WARN: could not resolve 192.168.2.15 to mac (pf::iplog::ip2mac)
>Aug 25 11:33:01 pfdhcplistener(8303) WARN: unable to resolve 00:21:70:90:4e:2f to ip (pf::iplog::mac2ip)
>Aug 25 11:33:01 pfdhcplistener(8302) INFO: DHCPACK from 10.0.10.10 (00:0c:29:5a:c8:19) to host 00:21:70:90:4e:2f (192.168.2.15) (main::listen_dhcp)
>Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:16 redir.cgi(0) INFO: Updating node 00:21:70:90:4e:2f user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' (pf::web::web_node_record_user_agent)
>Aug 25 11:33:16 redir.cgi(0) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
>Aug 25 11:33:16 redir.cgi(0) INFO: 00:21:70:90:4e:2f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:28 register.cgi(0) INFO: 192.168.2.15 - 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
>Aug 25 11:33:28 register.cgi(0) INFO: calling /usr/local/pf/bin/pfcmd 'manage register 00:21:70:90:4e:2f "anguyen" pid="1",user_agent="Mozilla 4.0 compatible; MSIE 8.0; Windows NT 5.1; Trident 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729 "' (pf::web::_sanitize_and_register)
>Aug 25 11:33:28 pfcmd(0) INFO: grace expired on violation 1200001 for node 00:21:70:90:4e:2f (pf::violation::violation_add)
>Aug 25 11:33:28 pfcmd(0) INFO: violation 1200001 added for 00:21:70:90:4e:2f (pf::violation::violation_add)
>Aug 25 11:33:28 pfcmd(0) INFO: executing action 'log' on class 1200001 (pf::action::action_execute)
>Aug 25 11:33:28 pfcmd(0) INFO: /usr/local/pf/logs/violation.log 2011-08-25 11:33:28: System Scan (1200001) detected on node 00:21:70:90:4e:2f (192.168.2.15) (pf::action::action_log)
>Aug 25 11:33:28 pfcmd(0) INFO: executing action 'trap' on class 1200001 (pf::action::action_execute)
>Aug 25 11:33:28 pfcmd(0) INFO: re-evaluating access for node 00:21:70:90:4e:2f (manage_register called) (pf::enforcement::reevaluate_access)
>Aug 25 11:33:28 pfcmd(0) INFO: 00:21:70:90:4e:2f is currentlog connected at 10.0.10.2 ifIndex 10105 in VLAN 2 (pf::enforcement::_vlan_reevaluation)
>Aug 25 11:33:29 pfcmd(0) INFO: highest priority violation for 00:21:70:90:4e:2f is 1200001. Target VLAN for violation: registrationVlan (2) (pf::vlan::getViolationVlan)
>Aug 25 11:33:29 register.cgi(0) INFO: more violations yet to come for 00:21:70:90:4e:2f (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
>Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:29 redir.cgi(0) INFO: 00:21:70:90:4e:2f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 1200001, redirect url: /remediation.php?template=system_scan (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
>Aug 25 11:33:33 release.pm(0) INFO: scanning 192.168.2.15 by calling /usr/local/pf/bin/pfcmd schedule now 192.168.2.15 1>/dev/null 2>&1 (pf::web::release::handler)
>Aug 25 11:33:33 release.pm(0) INFO: violation for mac 00:21:70:90:4e:2f vid 1200001 modified (pf::violation::violation_modify)
>Aug 25 11:33:33 pfcmd(0) INFO: executing HOME=/usr/local/pf/conf/nessus/ /opt/nessus/bin/nessus -q -V -x --dot-nessus /usr/local/pf/conf/nessus/remotescan.nessus --policy-name RemoteScan 10.0.10.21 1241 admin <password> --target-file /tmp/pf_nessus_192.168.2.15_2011-08-25 11:33:33.txt /usr/local/pf/html/admin/scan/results/dump_192.168.2.15_2011-08-25-11:33:33.nbe (pf::scan::runScan)
>
>****pf.conf*****
>[general]
>#
># general.domain
>#
># Domain name of PacketFence system.
>domain=packetfence.local
>#
># general.hostname
>#
># Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
>hostname=pf
>[network]
># mode=vlan
>[trapping]
>#
># trapping.testing
>#
># Disables sending of ARPs - note that this has implications on node detection and timeouts.
>testing=disabled
>#
># trapping.range
>#
># Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
># broadcast addresses are ignored.
>range=192.168.2.0/24,192.168.3.0/24,10.0.10.0/24
>#
># trapping.registration
>#
># If enabled, nodes will be required to register on first network access. Further registration options are configured in the
># registration section.
>registration=enabled
>#
># trapping.detection
>#
># Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do,
># you'll most definately want this on.
>detection=enabled
>[database]
>pass=pfz3n
>
>[vlan]
>#
># vlan.dhcpd
>#
># Should DHCPd be started ?
>#
>dhcpd=enabled
>#
>#
># vlan.named
>#
># Should named be started ?
>#
>named=enabled
>[registration]
>auth=local
>[interface eth0]
>mask=255.255.255.0
>type=dhcplistener,internal,management,detection,monitor
>enforcement=vlan
>gateway=10.0.10.1
>ip=10.0.10.10
>authorizedips=
>[scan]
>ssl=enabled
>pass=password
>user=admin
>port=1241
>host=10.0.10.21
>registration=enabled
>nessusclient_file=remotescan.nessus
>nessusclient_policy=RemoteScan
>live_tids=21725
>[captive_portal]
>network_detection_ip=10.0.10.10,10.0.10.0/24,192.168.2.0/24,192.168.3.0/24
>
> _______________________________________________
Packetfence-users mailing list
Pac...@li...
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
fga...@in... :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)