Snort mailing list archives
Re: dhcp assigned address and no ip on snort interface
From: Jason Brvenik <jason () brvenik com>
Date: Fri, 22 Feb 2002 09:41:48 -0500
> [snip] One caveat: as I'm sure you're aware, a number of vulnerabilities have been discovered with SNMP lately, and the PIX software is not immune. Be aware of the risks when using this solution. According to http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml the PIX is only vulnerable from the host specified in your snmp-server host config line, which should greatly reduce your risk, but you should definitely plan on upgrading to a patched version at some point. [old msg and sig zapped]
Given that the SNMP get is over UDP and easily spoofed, I would try to avoid it. Using a trap that is picked off the wire with no valid destination would seem much safer, as there is no endpoint to attack and it can be picked up directly behind the firewall. Couple this with correlation of the DHCP session captured from in front of the firewall and I would guestimate it would be sufficient for all but the most strict environments to use automated.

  Cable
    |------> IDS  <= capture dhcp here, ipless interface
   Pix
    |
    |------> IDS  <= capture trap here, mgmt interface
  Internal ( 10.1.1.1 )

1) Pix and cable modem negotiate a new IP. Tagging used to capture entire session.
   http://www.snort.org/docs/writing_rules/chap2.html#tag section

2) Pix sends a trap to 192.168.0.1 noting an interface change. ( requires a host route to send it out the 10.1.1.1 interface )

3) IDS picks up a trap destined to 192.168.0.1 which dies on the wire with no place to go and is logged separately.
   http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1

4) Process pulls the last negotiated IP out of #1 and compares it to #3. If all is well a reconfig is done and the IDS is restarted.

All this should be possible to complete in no more than a minute. You can even send a notification of the change to the admin as an alert to feel better about the automation. It automagically changed.

You could also run arpwatch -d in a process and catch stderr for the MAC of the fw and act on a change there as well. I myself would probably grab the sources and hack up a specific version for this purpose though.

Jason

P.S. Doesn't snort-users-admin () lists sourceforge net get a copy of list mail already??
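An added example of the step-4 "process" sketched in the message above (this is editor-written illustration code, not something Jason posted or a Snort component). It assumes the cable-side sensor tags the DHCP exchange and the inside sensor logs the dead-address trap with rules along the lines of the two in the header comment (rule text is an assumption, adjust to your deployment); the script then parses the tagged DHCPACK to pull the negotiated address, only acts when the trap was also seen, and rewrites the `var HOME_NET` line of a snort.conf for the restart. The DHCP packet and the snort.conf fragment are constructed test data.

```python
"""Correlate a tagged DHCPACK with a PIX trap and rewrite snort.conf HOME_NET.

Snort rules assumed on the two sensors (assumption, not from the thread):
  cable side:  alert udp any 67 -> any 68 (msg:"DHCP ACK on cable side";
               content:"|35 01 05|"; tag: session, 30, seconds;)
  inside:      alert udp 10.1.1.1 any -> 192.168.0.1 162 (msg:"PIX trap to dead address";)
"""
import re
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # BOOTP vendor magic cookie (RFC 2132)
DHCPACK = 5                         # option 53 message type for an ACK


def _ip4(s):
    return bytes(int(o) for o in s.split("."))


def build_dhcp_ack(yiaddr, server="24.0.0.1", xid=0x3903F326):
    """Construct a minimal DHCPACK payload (server 67 -> client 68).
    Constructed test packet: addresses and MAC are made up."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                      # op=BOOTREPLY, htype=ether, hlen=6, hops
        _ip4("0.0.0.0"), _ip4(yiaddr),              # ciaddr, yiaddr (the offered address)
        _ip4(server), _ip4("0.0.0.0"),              # siaddr, giaddr
        bytes.fromhex("0050da1a2b3c") + b"\x00" * 10,  # chaddr: fake PIX outside MAC
        b"\x00" * 64, b"\x00" * 128)                # sname, file
    options = (bytes([53, 1, DHCPACK])
               + bytes([54, 4]) + _ip4(server)          # server identifier
               + bytes([51, 4]) + struct.pack("!I", 3600)  # lease time
               + bytes([1, 4]) + _ip4("255.255.255.0")  # subnet mask
               + b"\xff")                               # end
    return fixed + DHCP_MAGIC + options


def parse_dhcp(payload):
    """Return (message_type, yiaddr) from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    yiaddr = ".".join(str(b) for b in payload[16:20])
    msg_type = None
    i = 240
    while i < len(payload):              # walk TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                    # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return msg_type, yiaddr


HOME_NET_RE = re.compile(r"^var HOME_NET .*$", re.MULTILINE)


def rewrite_home_net(conf_text, new_ip):
    """Replace the HOME_NET line of a snort.conf; returns (new_text, changed)."""
    if HOME_NET_RE.search(conf_text) is None:
        raise ValueError("no 'var HOME_NET' line in snort.conf")
    new_text = HOME_NET_RE.sub("var HOME_NET %s/32" % new_ip, conf_text, count=1)
    return new_text, new_text != conf_text


def plan_reconfig(dhcp_payload, trap_seen, conf_text):
    """Steps 1-4 of the post: act only when a DHCPACK was tagged on the cable
    side AND the trap was seen inside. Returns (new_ip, new_conf) or None.
    Restarting snort (e.g. SIGHUP) after writing new_conf is left to the caller."""
    msg_type, new_ip = parse_dhcp(dhcp_payload)
    if msg_type != DHCPACK or not trap_seen:
        return None                      # OFFER/REQUEST alone, or no trap: do nothing
    new_conf, changed = rewrite_home_net(conf_text, new_ip)
    if not changed:
        return None                      # same address as before: no restart needed
    return new_ip, new_conf
```

Requiring both signals is the point: a spoofed or stray DHCPACK on the cable side without the matching trap from the inside interface does not trigger a restart, and an unchanged address is a no-op.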
Current thread:
- dhcp assigned address and no ip on snort interface Madhav Diwan (Feb 20)
- Re: dhcp assigned address and no ip on snort interface John Sage (Feb 21)
- Re: OT: Correct Drinkage Calculation... Erek Adams (Feb 21)
- <Possible follow-ups>
- RE: dhcp assigned address and no ip on snort interface Jason Brvenik (Feb 20)
- RE: dhcp assigned address and no ip on snort interface Madhav Diwan (Feb 21)
- RE: dhcp assigned address and no ip on snort interface pbsarnac (Feb 21)
- Re: dhcp assigned address and no ip on snort interface Jason Haar (Feb 21)
- Re: dhcp assigned address and no ip on snort interface Jason Brvenik (Feb 22)
- Re: dhcp assigned address and no ip on snort interface pbsarnac (Feb 21)
- Re: dhcp assigned address and no ip on snort interface John Sage (Feb 21)