Snort mailing list archives

Re: dhcp assigned address and no ip on snort interface


From: Jason Brvenik <jason () brvenik com>
Date: Fri, 22 Feb 2002 09:41:48 -0500

[snip]
One caveat:  as I'm sure you're aware, a number of vulnerabilities have
been discovered with SNMP lately, and the PIX software is not immune. Be
aware of the risks when using this solution. According to
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
the pix is only vulnerable from the host specified in your snmp-server host
config line, which should greatly reduce your risk, but you should
definitely plan on upgrading to a patched version at some point.
[old msg and sig zapped]

Given that the SNMP get is over UDP and easily spoofed, I would try and avoid it. Using a trap that is picked off the wire with no valid destination would seem much safer, as there is no endpoint to attack, and it can be picked up directly behind the firewall. Couple this with correlation of the DHCP session captured from in front of the firewall, and I would guesstimate it would be sufficient for all but the most strict environments to use automation.

     Cable
          |------> IDS  <= capture dhcp here, ipless interface
        Pix             |
          |------> IDS  <= capture trap here, mgmt interface
     Internal ( 10.1.1.1 )


1) Pix and cable modem negotiate a new IP. Tagging used to capture the entire session.
     http://www.snort.org/docs/writing_rules/chap2.html#tag section
2) Pix sends a trap to 192.168.0.1 noting an interface change. ( requires a host route to send it out the 10.1.1.1 interface )
3) IDS picks up a trap destined to 192.168.0.1, which dies on the wire with no place to go, and it is logged separately
    http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1
4) Process pulls the last negotiated IP out of #1 and compares it to #3. If all is well a reconfig is done and the IDS is restarted.

All this should be possible to complete in no more than a minute. You can even send a notification of the change to the admin as an alert to feel better about the automation. It automagically changed.

You could also run arpwatch -d in a process and catch stderr for the MAC of the fw and act on a change there as well. I myself would probably grab the sources and hack up a specific version for this purpose though.

Jason

P.S. Doesn't snort-users-admin () lists sourceforge net get a copy of list mail already??
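The correlation step described in the message above (steps 1 to 4: pull the last negotiated address out of the tagged DHCP session on the IP-less sensor, treat the stray SNMP trap seen behind the firewall as the trigger, then rewrite the Snort config) as an added, runnable example. This is not code from the original thread or from the Snort project; the DHCP ACK and SNMPv1 linkUp trap bytes are constructed sample packets, the 300-second correlation window, the `HOME_NET` variable name and the snort.conf layout are assumptions, and the trap layout assumed is a standard SNMPv1 Trap-PDU (version, community, then a context-tag-4 PDU carrying enterprise OID, agent address, generic trap and specific trap).

```python
"""Correlate a DHCP ACK captured in front of the firewall with an SNMP linkUp
trap captured behind it, then point HOME_NET in snort.conf at the new address.
Added example, not code from the original mailing-list thread.
Packet bytes are constructed; addresses are documentation ranges."""
import re
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"   # BOOTP vendor "magic cookie"
LINK_UP = 3                         # SNMPv1 generic-trap value for linkUp


def parse_dhcp_ack(payload):
    """Return yiaddr of a DHCP ACK (BOOTP reply whose option 53 == 5), else None.
    `payload` is the UDP payload as seen by the IP-less capture interface."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None
    yiaddr = str(IPv4Address(payload[16:20]))   # "your" address, fixed offset
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end-of-options
            break
        if code == 0:            # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and value == b"\x05":   # DHCP message type ACK
            return yiaddr
        i += 2 + length
    return None


def _tlv(buf, i):
    """Decode one BER TLV at buf[i]; return (tag, value, index after it)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:            # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def parse_snmpv1_trap(payload):
    """Minimal SNMPv1 Trap-PDU decoder: community, agent address, generic trap."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, version, i = _tlv(msg, 0)
    if tag != 0x02 or version != b"\x00":     # only SNMPv1 traps have this PDU
        return None
    _, community, i = _tlv(msg, i)
    tag, pdu, _ = _tlv(msg, i)
    if tag != 0xA4:                           # context tag [4] = Trap-PDU
        return None
    _, _enterprise, j = _tlv(pdu, 0)
    _, agent, j = _tlv(pdu, j)                # APPLICATION 0 = IpAddress
    _, generic, j = _tlv(pdu, j)
    return {"community": community.decode("ascii", "replace"),
            "agent_addr": str(IPv4Address(agent)),
            "generic_trap": int.from_bytes(generic, "big")}


def correlate(trap, trap_time, dhcp_acks, window=300):
    """Step 4: the stray trap is only the trigger; the address comes from the
    most recent DHCP ACK seen at most `window` seconds before it. Returns the
    address, or None if the trap is not linkUp or no ACK is recent enough."""
    if trap is None or trap["generic_trap"] != LINK_UP:
        return None
    recent = [ip for t, ip in dhcp_acks if 0 <= trap_time - t <= window]
    return recent[-1] if recent else None


def rewrite_home_net(conf, new_ip):
    """Return (new snort.conf text, changed?) with `var HOME_NET` set to new_ip/32."""
    new_conf, n = re.subn(r"^(var HOME_NET )\S+", r"\g<1>" + new_ip + "/32",
                          conf, flags=re.M)
    return new_conf, n > 0 and new_conf != conf


def _ber(tag, value):
    """Short-form BER encoder used only to build the constructed sample trap."""
    return bytes([tag, len(value)]) + value


# Constructed DHCP ACK: op=2, yiaddr 203.0.113.45, options 53=ACK, 54=server id.
SAMPLE_DHCP_ACK = (bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 8
                   + bytes([203, 0, 113, 45]) + b"\x00" * 8 + b"\x00" * 16
                   + b"\x00" * 64 + b"\x00" * 128 + DHCP_MAGIC
                   + b"\x35\x01\x05" + b"\x36\x04" + bytes([203, 0, 113, 1]) + b"\xff")

# Constructed SNMPv1 linkUp trap from agent 10.1.1.1, community "public".
SAMPLE_TRAP = _ber(0x30, _ber(0x02, b"\x00") + _ber(0x04, b"public") + _ber(
    0xA4, _ber(0x06, bytes([0x2B, 6, 1, 4, 1, 9])) + _ber(0x40, bytes([10, 1, 1, 1]))
    + _ber(0x02, bytes([LINK_UP])) + _ber(0x02, b"\x00") + _ber(0x43, b"\x00")
    + _ber(0x30, b"")))

SAMPLE_CONF = "var HOME_NET 198.51.100.7/32\nvar EXTERNAL_NET !$HOME_NET\n"

if __name__ == "__main__":
    acks = [(500, parse_dhcp_ack(SAMPLE_DHCP_ACK))]
    new_ip = correlate(parse_snmpv1_trap(SAMPLE_TRAP), 560, acks)
    conf, changed = rewrite_home_net(SAMPLE_CONF, new_ip)
    print("reconfigure and restart snort" if changed else "no change", new_ip)
```

The trap decoder deliberately accepts nothing but a version-1 Trap-PDU and never answers anything, which matches the thread's point that a trap picked off the wire gives an attacker no endpoint to talk to; the DHCP side is still the only source of the address, so a spoofed trap can at worst trigger a reconfiguration to the address the sensor itself just saw negotiated.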



