Snort mailing list archives

RE: dhcp assigned address and no ip on snort interface


From: "Madhav Diwan" <mdiwan () wagweb com>
Date: 21 Feb 2002 14:01:00 -0500

Thanks for the tips.

I was planning on writing a re-spawning script which essentially did
this:

ping out the local LAN interface of the IDS box through the PIX (which NATs to
its DHCP address) to a known IP address on the internet,
then tcpdump on the IDS interface and look for echo replies from that
known IP address coming back to the "pix"

IDSBOX noip-----Cable modem
|               |
|               |
|local lan ----PIX


Whatever address the reply comes back to must be my firewall, and
therefore I have my snort network, which I can assign into a variable.

I can use the replace command from within the script to put the derived
network address variable into snort.conf and restart snort.


I would prefer to do this via arpwatch as per your first suggestion,
but I don't think it offers much in the way of user configuration to look
for only certain MAC/IP pairings.

Madhav

On Wed, 2002-02-20 at 15:12, Jason Brvenik wrote:

-----Original Message-----
From: Madhav Diwan [mailto:mdiwan () wagweb com]
Sent: Wednesday, February 20, 2002 1:55 PM
To: Snort User Lists
Subject: [Snort-users] dhcp assigned address and no ip on snort
interface

[snip]
how should I "PERIODICALLY" check the DHCP-assigned IP of the PIX and
send that to the snort.conf .. (is it easier to send this address to a
commandline?) .... so that I know what network to log against.

There are several ways I can imagine to do this, YMMV. Putting best
practice aside for you to decide, here are some suggestions.
1) You can use something like arpwatch to log the change in the IP ->
MAC mapping for your pix. Should work on an IP-less interface.
2) You can script a login to check the interfaces. I have a perl script
I use for some automated tasks with routers that should be portable to
the pix.
    ( Would doing this to/with a firewall require a beer? )
3) Log in over a console connection, but there are similar issues since
you give automated access at some level to the firewall. See #2.
4) Set up a rule in your IDS capturing the DHCP sessions and then use a
custom log method to dump it out for analysis or alert you.
5) Configure the pix to use syslog and have the IDS log the traffic for
analysis.
6) Configure the pix to send an SNMP trap and have the IDS log the
traffic for analysis. ( make sure you are patched up )

#5 and #6 assume you are capturing on the mgmt interface as well but it
would be trivial to set it up.
If you combine #4 and one of #5 or #6 you could gain a reasonable
assurance that the change is in fact real and have some automation to
boot.

I'm playing with sending a number of pings out from the cisco and
then packet capturing the echo requests and echo replies and grepping out
the IP of the cisco on the internet side... but I can't trust that this
will always work.

How are you automating this?

HTH,
Jason.






