Use case for MAC addresses
After we finally got dhcpd logs into ArcSight, I was wondering whether some of you had the same idea:
I want to build a use case to detect potential rogue wireless equipment on our network. Since I don't have AirDefense or stuff like that, we could only use the dhcpd logs.
Well, in ArcSight the "Attacker MAC Address" field is neither a string nor a number. We have very few options left to play with.
I can't create a filter that says "starts with MAC 00:aa:bb"; the only option left is "between 00:aa:bb:00:00:00 and 00:aa:bb:ff:ff:ff", but it really slows down the processes.
Anyone have ideas?
You can use a Velocity template to convert the MAC address to a string variable.
The catch is you can only use this option in a rule.
Whether this would be faster would, I think, very much depend on the conditions you use with the MAC address.
Update: technically speaking, you can also use this inside a filter, but you can only use that filter inside a rule.
Some time ago I used the map file to convert the MAC address to the vendor.
It was a regex map file, and it killed the connector (memory issue) when the file was larger than 1500 rows.
That happened even when the connector was configured to use a 1024 MB Java heap.
BTW, I used my own connector (flex) for MS DHCP. In that case you can map the first bits as a string.
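Added example, not from this thread and not ArcSight or connector code: a small Python script that does the same two things discussed above outside of ESM, namely the "between low and high" range check for a 3-byte OUI prefix (the workaround from the first post) and a prefix-to-vendor lookup (the map file from this reply), run over dhcpd log lines. The log lines, the OUI-to-vendor entries and the watchlist prefix are all constructed for the example.

```python
import re

# Constructed sample lines in ISC dhcpd syslog format (not taken from the thread).
SAMPLE_LOGS = [
    "Mar  3 10:15:01 dhcp1 dhcpd: DHCPACK on 10.1.2.33 to 00:aa:bb:12:34:56 (laptop-1) via eth0",
    "Mar  3 10:15:07 dhcp1 dhcpd: DHCPACK on 10.1.2.40 to 3c:2e:ff:00:11:22 via eth0",
    "Mar  3 10:15:09 dhcp1 dhcpd: DHCPDISCOVER from 00:AA:BB:FE:DC:BA via eth0",
    "Mar  3 10:15:10 dhcp1 dhcpd: DHCPREQUEST for 10.1.2.41 from 00:11:22:33:44:55 via eth0",
]

# Constructed OUI -> vendor map with placeholder vendor names (not real OUI data).
# A dict keyed on the 3-byte prefix does one hash lookup per event, instead of
# trying every row of a regex map file against each MAC.
OUI_MAP = {
    "00:aa:bb": "ExampleWiFi",
    "3c:2e:ff": "ExampleNet",
}

# Hypothetical OUI prefixes of wireless gear we want to be alerted on.
WATCHLIST_PREFIXES = {"00:aa:bb"}

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")
MSG_RE = re.compile(r"dhcpd: (DHCP[A-Z]+)")


def mac_to_int(mac):
    """Treat a colon-separated MAC as a 48-bit integer."""
    return int(mac.replace(":", ""), 16)


def prefix_range(prefix):
    """Numeric (low, high) covered by a 3-byte OUI prefix: the same idea as the
    ESM filter 'between 00:aa:bb:00:00:00 and 00:aa:bb:ff:ff:ff'."""
    return mac_to_int(prefix + ":00:00:00"), mac_to_int(prefix + ":ff:ff:ff")


def parse_dhcpd_line(line):
    """Extract message type, MAC, OUI and vendor from one dhcpd line, or None."""
    mac_match = MAC_RE.search(line)
    if not mac_match:
        return None
    mac = mac_match.group(1).lower()
    oui = mac[:8]
    msg_match = MSG_RE.search(line)
    return {
        "msg": msg_match.group(1) if msg_match else None,
        "mac": mac,
        "oui": oui,
        "vendor": OUI_MAP.get(oui, "unknown"),
    }


def find_watchlisted(lines, prefixes):
    """Return parsed records whose MAC falls inside any watchlisted OUI range.
    Each MAC is reported once, on its first appearance."""
    ranges = [prefix_range(p) for p in prefixes]
    seen = set()
    hits = []
    for line in lines:
        rec = parse_dhcpd_line(line)
        if rec is None or rec["mac"] in seen:
            continue
        n = mac_to_int(rec["mac"])
        if any(low <= n <= high for low, high in ranges):
            seen.add(rec["mac"])
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_watchlisted(SAMPLE_LOGS, WATCHLIST_PREFIXES):
        print(f"{(hit['msg'] or '?'):<13} {hit['mac']}  oui={hit['oui']}  vendor={hit['vendor']}")
```

The range check is exactly what the "between" filter computes, so it is a useful way to sanity-check which MACs a given low/high pair will catch before putting it into a rule; the vendor lookup is keyed on the first three bytes only, which is why it does not grow with the number of rows the way a regex-per-row map does.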
The answer, again, was interesting! However, due to our large network and more than 30K users, it's quite impossible for us to track the login / logout of users. The other problem I mentioned is that we cannot use "starts with" on the MAC address fields. Maybe it's related to the version of ESM we use (4.0 ....)