This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
shotoz
Captain Captain
Captain
‎2011-01-12 17:18
773 views

use case for mac adresses

Hi,

After we got finally Dhcpd logs in arcsight, i was wondering some of you got the same idea:

I want to build a use case to detect potential rogue wireless equipment on our network. Since I don't have airdefense or stuff like that, we could only use the dhcpd logs.


Well, in ArcSight the "Attacker Mac Adress"  field is not a string and not a number. We got very few options left to play with.

I can't create a filter that says "start with mac 00:aa:bb"  the only option left is between "00:aa:bb:00:00:00,00:aa:bb:ff:ff:ff" but it really slow down the processes

Anyone have ideas?

Labels (1)
Labels
Tags (4)
0 Likes
Reply
Report Inappropriate Content
7 Replies
dha
Absent Member.
Absent Member.
‎2011-01-13 01:06

You can use velocity template to convert the MAC address to a string variable.

#set ($macString=$attackerMacAddress)

The catch is you can only use this option in a rule.

Whether this would be faster, I think, would very much depend on the conditions you use with the MAC address.

HTH,

Duc

Update: Technically speaking, you can also use this inside a filter, but you can only use that filter inside a rule

0 Likes
Reply
Report Inappropriate Content
alexmo
Captain Captain
Captain
‎2011-01-13 06:47

time time ago i've used the map file to convert the mac address to vendor.

it was regex map file and it was kill the connector (memory issue) when file was larger then 1500 rows

it was happened even the connector was configured to use 1024MB java heap

BTW - i have used my own connector (flex) for MS DHCP. in this case you can map first bits as a string

0 Likes
Reply
Report Inappropriate Content
KauaiDave
Absent Member.
Absent Member.
‎2011-01-14 18:33

Maybe you could develop some rules in snort to detect this and then use the snort agent to send the events

to ESM or Logger.

0 Likes
Reply
Report Inappropriate Content
shotoz
Captain Captain
Captain
‎2011-01-18 20:26

Thanks,  I think this will be really helpful !

0 Likes
Reply
Report Inappropriate Content
a2g
Absent Member.
Absent Member.
‎2011-01-31 21:45

Hello.  Your question was also answered here: http://answers.metanet.io/questions/8/use-case-for-mac-adresses

A.

0 Likes
Reply
Report Inappropriate Content
shotoz
Captain Captain
Captain
‎2011-02-01 13:16

The awnser, again, was interresting ! However, due to our large network and more than 30K users, it's quite impossible to us to track the login / logout of users. The other problem I mentionned is that we cannot use  "start-with" in the MAC Addresses fields. Maybe it's related to the version of ESM we use (4.0 .... )

0 Likes
Reply
Report Inappropriate Content
danje571
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class
‎2014-03-21 08:40

Any news about this interesting case?

Could you share your map file, et tell me how to use it?

Thanks in davance

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.