From: pbsarnac@ThoughtWorks.com
Date: Thu Feb 21 2002 - 17:57:18 CST


    If you're running the PIX 5.2x or later software, you could just enable an
    snmp host on the inside interface and use snmpwalk to get the address. I
    think the OID is ip.ipAddrTable.ipAddrEntry.ipAdEntAddr. You would need to
    configure the pix with:

    snmp-server host inside x.x.x.x ! Where x.x.x.x is the address
    of the machine doing the SNMP polling.
    snmp-server community /something/ ! Where /something/ is a unique
    community name (NOT "public")

    Then, you could use the following snmpwalk to get your interface addresses:

    # the /community name/ is the snmp community name you set on the PIX
    above. Do NOT use the community string "public"!! y.y.y.y is the ip address
    of your PIX

    snmpwalk -q y.y.y.y /community name/ .1.3.6.1.2.1.4.20.1.1

    The various addresses listed are the ip addresses of your interfaces, in
    numerical order. (so eth0 will be the first one listed, eth1 the second,
    and so on). That should be less kludgey to parse than the pinging solution
    below.

    One caveat: as I'm sure you're aware, a number of vulnerabilities have
    been discovered with SNMP lately, and the PIX software is not immune. Be
    aware of the risks when using this solution. According to
    http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
    the pix is only vulnerable from the host specified in your snmp-server host
    config line, which should greatly reduce your risk, but you should
    definitely plan on upgrading to a patched version at some point.

    From: "Madhav Diwan" <mdiwan@wagweb.com>
    Sent by: snort-users-admin@lists.sourceforge.net
    Date: 02/21/2002 01:01 PM
    To: "Jason Brvenik" <jason@brvenik.com>
    cc: "Snort User Lists" <snort-users@lists.sourceforge.net>
    Subject: RE: [Snort-users] dhcp assigned address and no ip on snort interface

    Thanks for the tips.

    I was planning on writing a re-spawning script which essentially did
    this:

    ping out the local lan interface of the IDS box through the pix (which nats to
    its dhcp address) to a known ip address on the internet,
    then tcpdump on the IDS interface and look for echo replies from that
    known ip address coming back to the "pix"

    IDSBOX noip-----Cable modem
    | |
    | |
    |local lan ----PIX

    Whatever address the reply comes back to must be my firewall and
    therefore I have my snort network, which I can assign into a variable.

    I can use the replace command from within the script to put the derived
    network address variable into snort.conf and restart snort.

    I would prefer to do this via arpwatch as per your first suggestion ..
    but I don't think it offers much in the way of user configuration to look
    for only certain mac/ip pairings.

    Madhav

    On Wed, 2002-02-20 at 15:12, Jason Brvenik wrote:

    > -----Original Message-----
    > From: Madhav Diwan [mailto:mdiwan@wagweb.com]
    > Sent: Wednesday, February 20, 2002 1:55 PM
    > To: Snort User Lists
    > Subject: [Snort-users] dhcp assigned address and no ip on snort interface

    [snip]
    > how should i "PERIODICALLY" check the dhcp assigned ip of the PIX and
    > send that to the snort.conf .. (is it easier to send this address to a
    > commandline?) .... so that i know what network to log against.

    There are several ways I can imagine to do this, YMMV. Putting best
    practice aside for you to decide, here are some suggestions.
    1) You can use something like arpwatch to log the change in the IP ->
    MAC mapping for your pix. Should work on an IPless interface.
    2) You can script a login to check the interfaces. I have a perl script
    I use for some automated tasks with routers that should be portable to
    the pix.
        ( Would doing this to/with a firewall require a beer? )
    3) login over a console connection but there are similar issues since
    you give automated access at some level to the firewall. See #2
    4) Set up a rule in your IDS capturing the DHCP sessions and then use a
    custom log method to dump it out for analysis or alert you.
    5) Configure the pix to use syslog and have the IDS log the traffic for
    analysis.
    6) Configure the pix to send a SNMP trap and have the IDS log the
    traffic for analysis. ( make sure you are patched up )

    #5 and #6 assume you are capturing on the mgmt interface as well but it
    would be trivial to set it up.
    If you combine #4 and one of #5 or #6 you could gain a reasonable
    assurance that the change is in fact real and have some automation to
    boot.

    > I'm playing with sending a number of pings out from the cisco and
    > then packet capturing the echo requests and echo replies and grepping
    > out the ip of the cisco on the internet side.. but I can't trust that this
    > will always work.

    How are you automating this?

    HTH,
    Jason.


    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users

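The SNMP approach from the top of the thread, carried through to the snort.conf update that Madhav wanted, as an added example; it is not code from any of the posters. It assumes the ipAdEntAddr walk from the post plus a second walk of the matching netmask column, ipAdEntNetMask at .1.3.6.1.2.1.4.20.1.3 (the standard MIB-II ipAddrTable, RFC 1213), so each interface address can be turned into a network rather than a bare host; the snmpwalk output it parses is constructed, and the `var HOME_NET` line format is the one snort.conf uses. Rows that do not look like an address (a timeout or error message from snmpwalk) are dropped rather than ending up in the config, and snort is only restarted when the derived value actually changed.

```python
#!/usr/bin/env python3
"""Turn a PIX ipAddrTable walk into a HOME_NET line for snort.conf.

Added example, not code from the thread. Assumptions (labelled):
  * ipAdEntAddr is walked at .1.3.6.1.2.1.4.20.1.1 as in the post; the matching
    netmask column ipAdEntNetMask (.1.3.6.1.2.1.4.20.1.3, MIB-II / RFC 1213) is
    walked as well so each address can be turned into a network.
  * The walk output below is constructed, not captured from a real PIX.
  * snort.conf declares its home network as "var HOME_NET ...".
"""
import ipaddress
import re
import subprocess

ADDR_OID = ".1.3.6.1.2.1.4.20.1.1"  # ipAdEntAddr (from the post)
MASK_OID = ".1.3.6.1.2.1.4.20.1.3"  # ipAdEntNetMask (assumed, MIB-II)

# One table row per line: the instance OID (numeric or symbolic) and its value,
# with or without the "= IpAddress:" decoration that newer snmpwalk prints.
WALK_LINE = re.compile(
    r"^(?P<oid>\S+)\s+(?:=\s+)?(?:IpAddress:\s*)?"
    r"(?P<value>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample output, in the two shapes snmpwalk can print ipAddrTable.
SAMPLE_ADDR_WALK = """\
.1.3.6.1.2.1.4.20.1.1.24.1.2.3 = IpAddress: 24.1.2.3
.1.3.6.1.2.1.4.20.1.1.192.168.1.1 = IpAddress: 192.168.1.1
"""
SAMPLE_MASK_WALK = """\
ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask.24.1.2.3 255.255.255.0
ip.ipAddrTable.ipAddrEntry.ipAdEntNetMask.192.168.1.1 255.255.255.0
"""


def parse_walk(output):
    """Map each row index (the address that indexes ipAddrTable) to its value.

    Lines that are not 'OID value' rows (timeouts, errors) are ignored, so an
    snmpwalk failure can never leak a bogus value into snort.conf.
    """
    rows = {}
    for line in output.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        # ipAddrTable is indexed by the interface address itself, i.e. the
        # last four components of the instance OID.
        index = ".".join(m.group("oid").split(".")[-4:])
        rows[index] = m.group("value")
    return rows


def interface_networks(addr_walk, mask_walk):
    """Return (address, network) pairs for every row that has both columns."""
    masks = parse_walk(mask_walk)
    result = []
    for index, addr in parse_walk(addr_walk).items():
        mask = masks.get(index)
        if mask is None:
            continue  # no netmask row: skip rather than guess a prefix length
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
        result.append((addr, str(iface.network)))
    return result


def home_net_value(networks):
    """Format the networks as a snort.conf list: [a/b,c/d], in address order."""
    nets = sorted({net for _, net in networks}, key=ipaddress.ip_network)
    return "[" + ",".join(nets) + "]"


HOME_NET_LINE = re.compile(r"^var HOME_NET\b.*$", re.MULTILINE)


def update_snort_conf(conf_text, value):
    """Rewrite the first 'var HOME_NET' line (or append one).

    Returns (new_text, changed) so the caller restarts snort only on a change.
    """
    new_line = f"var HOME_NET {value}"
    if HOME_NET_LINE.search(conf_text):
        new_text = HOME_NET_LINE.sub(lambda _: new_line, conf_text, count=1)
    else:
        new_text = conf_text.rstrip("\n") + "\n" + new_line + "\n"
    return new_text, new_text != conf_text


def snmpwalk(host, community, oid):
    """Run snmpwalk with the argument order used in the post (ucd-snmp style).

    net-snmp instead takes: snmpwalk -v1 -c <community> <host> <oid>.
    """
    cmd = ["snmpwalk", "-q", host, community, oid]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in snmpwalk(...) for a real PIX.
    nets = interface_networks(SAMPLE_ADDR_WALK, SAMPLE_MASK_WALK)
    for addr, net in nets:
        print(f"{addr:16} -> {net}")
    conf = "var HOME_NET any\nvar EXTERNAL_NET !$HOME_NET\n"
    new_conf, changed = update_snort_conf(conf, home_net_value(nets))
    print(new_conf, end="")
    print("restart snort" if changed else "HOME_NET unchanged, nothing to do")
```

For the DHCP case in the thread, the outside address is the one that changes, so a cron job can call `interface_networks()` on a fresh walk, feed the result through `update_snort_conf()`, and only bounce snort when `changed` is true; an snmpwalk timeout yields no rows and leaves snort.conf alone.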