PacketFence - BTS - PacketFence
Issue 0000541 | Project: PacketFence | Category: IDS | View Status: public | Date Submitted: 2009-01-21 11:54 | Last Update: 2012-06-14 12:23
Reporter: aarchi10
Assigned To: fgaudreault
Priority: normal | Severity: feature | Reproducibility: always
Status: closed | Resolution: won't fix
Summary: 0000541: pfdetect_remote only validates source IPs but not destination IPs
Description: It should validate destination IPs too and send the good IP to PF.
Tags: none
Issue History
2009-01-21 11:54 | rbalzard | New Issue
2009-01-21 13:35 | user4 | Status: new => assigned
2009-01-21 13:35 | user4 | Assigned To: => user4
2009-01-21 19:33 | user4 | Note Added: 0001025
2009-01-21 19:33 | user4 | Assigned To: user4 => rbalzard
2009-01-21 19:33 | user4 | Status: assigned => feedback
2009-01-26 09:03 | user4 | Category: 1.8.0 => 1.8.1
2009-01-26 09:04 | user4 | Severity: minor => feature
2009-03-03 15:22 | user4 | Category: 1.8.1 => 1.8.2
2009-04-13 13:39 | user4 | Category: 1.8.2 => 1.8.3
2009-06-05 08:52 | user4 | Project: PacketFence => PacketFence 1.9
2010-04-15 17:43 | obilodeau | Project: PacketFence 1.9 => PacketFence
2011-01-18 11:41 | obilodeau | Target Version: => 2.1.0
2011-03-03 15:15 | obilodeau | Target Version: 2.1.0 => +1
2011-03-03 15:18 | obilodeau | Target Version: +1 => +2
2011-03-07 11:07 | obilodeau | Reporter: rbalzard => aarchi10
2011-03-07 11:07 | obilodeau | Assigned To: rbalzard =>
2011-03-07 11:07 | obilodeau | Category: => IDS
2011-10-31 10:32 | fgaudreault | Note Added: 0002406
2011-10-31 10:32 | fgaudreault | Status: feedback => resolved
2011-10-31 10:32 | fgaudreault | Resolution: open => won't fix
2011-10-31 10:32 | fgaudreault | Assigned To: => fgaudreault
2011-12-30 23:48 | obilodeau | Target Version: +2 =>
2012-06-14 12:23 | obilodeau | Status: resolved => closed

Notes
(0001025) user4, 2009-01-21 19:33

We probably do not want to systematically send alerts for destination IPs. Simply imagine the case where a node does a host scan. We want to isolate the source node, but surely not all the destination IPs; otherwise we'll possibly isolate the whole subnet.

So, my suggestion would be to introduce a new DetectDest keyword:
Detect::... isolates the source IP, DetectDest:: isolates the destination IP of the Snort alert.

What do you think?
(0002406) fgaudreault, 2011-10-31 10:32

pfdetect_remote doesn't care about the IP; it only relays the alert to PF.

Checking the destination IP is not a valid scenario to me; we do not want to isolate someone that is a victim.

Re-open if you see a better use case.