Snort mailing list archives
RE: dhcp assigned address and no ip on snort interface
From: Jason Brvenik <jason () brvenik com>
Date: Wed, 20 Feb 2002 15:12:12 -0500
-----Original Message-----
From: Madhav Diwan [mailto:mdiwan () wagweb com]
Sent: Wednesday, February 20, 2002 1:55 PM
To: Snort User Lists
Subject: [Snort-users] dhcp assigned address and no ip on snort interface

[snip]

how should i "PERIODICALLY" check the dhcp assigned ip of the PIX and send that to the snort.conf .. (is it easier to send this address to a commandline?) .... so that i know what network to log against.

There are several ways I can imagine to do this, YMMV. Putting best practice aside for you to decide here are some suggestions.

1) You can use something like arpwatch to log the change in the IP -> MAC mapping for your pix. Should work on an IPless interface.
2) You can script a login to check the interfaces. I have a perl script I use for some automated tasks with routers that should be portable to the pix. ( Would doing this to/with a firewall require a beer? )
3) login over a console connection but there are similar issues since you give automated access at some level to the firewall. See #2
4) Set up a rule in your IDS capturing the DHCP sessions and then use a custom log method to dump it out for analysis or alert you.
5) Configure the pix to use syslog and have the IDS log the traffic for analysis.
6) Configure the pix to send a SNMP trap and have the IDS log the traffic for analysis. ( make sure you are patched up )

#5 and #6 assume you are capturing on the mgmt interface as well but it would be trivial to set it up.

If you combine #4 and one of #5 or #6 you could gain a reasonable assurance that the change is in fact real and have some automation to boot.

I'm playing with sending a number of pings out from the cisco and then packet capturing the echo requests and echo replies and grepping out the ip of the cisco on the internet side.. but i can't trust that this will always work.

How are you automating this?

HTH,
Jason.
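
Suggestion 4 above (capture the DHCP sessions and dump them out for analysis), sketched as an added example that is not part of the original message: a parser that takes the UDP payload of a captured DHCP reply and returns the leased address when it is a DHCPACK for one watched client. The function names, the placeholder MAC and the sample packet are assumptions constructed for illustration; pulling the payload out of a capture is left to the sniffer, and option overload (option 52) is not handled.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of DHCP options (RFC 2131)
DHCPACK = 5                                # option 53 value for an acknowledged lease
PIX_MAC = bytes.fromhex("020000000001")   # placeholder MAC for the watched firewall

def parse_options(data):
    """Walk the code/length/value options field and return {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def leased_address(payload, watched_mac):
    """Return (ip, lease_seconds) if payload is a DHCPACK to watched_mac, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[:3] != b"\x02\x01\x06" or payload[28:34] != watched_mac:
        return None    # need a BOOTREPLY over Ethernet whose chaddr is the watched MAC
    try:
        opts = parse_options(payload[240:])
    except ValueError:
        return None
    if opts.get(53) != bytes([DHCPACK]) or payload[16:20] == bytes(4):
        return None    # not an ACK, or an ACK that assigns no address
    lease = struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else None
    return str(ipaddress.IPv4Address(payload[16:20])), lease    # yiaddr field

def build_sample_reply(mac, ip, msg_type=DHCPACK, lease=3600):
    """Constructed test packet (not a real capture): BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), ipaddress.IPv4Address(ip).packed, bytes(4),
                         bytes(4), mac, b"", b"")
    options = bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"
    return header + MAGIC_COOKIE + options
```

Comparing the result against the last recorded address gives the change event; cross-checking it with the syslog or SNMP route from #5 or #6 guards against acting on a single forged reply.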