Use case for MAC addresses

Hi,

After we finally got dhcpd logs in ArcSight, I was wondering whether some of you got the same idea:

I want to build a use case to detect potential rogue wireless equipment on our network. Since I don't have AirDefense or stuff like that, we could only use the dhcpd logs.

Well, in ArcSight the "Attacker Mac Address" field is not a string and not a number. We've got very few options left to play with.

I can't create a filter that says "starts with mac 00:aa:bb"; the only option left is between "00:aa:bb:00:00:00,00:aa:bb:ff:ff:ff", but it really slows down the processing.

Anyone have ideas?

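As an added example (not code from the thread or from ArcSight), the same OUI-prefix check done outside ESM in Python over constructed dhcpd syslog lines. It also shows that a "starts with 00:aa:bb" test is exactly the "between 00:aa:bb:00:00:00 and 00:aa:bb:ff:ff:ff" range the poster had to fall back on. The OUI prefixes and log lines are placeholders, not real vendor assignments or real logs.

```python
import re

# Constructed dhcpd syslog lines (placeholder data, not real logs).
SAMPLE_LOG = """\
Mar  3 10:01:12 dhcp1 dhcpd: DHCPACK on 10.20.0.15 to 00:aa:bb:12:34:56 (ap-lobby) via eth0
Mar  3 10:01:15 dhcp1 dhcpd: DHCPACK on 10.20.0.16 to 3c:5a:b4:01:02:03 via eth0
Mar  3 10:01:20 dhcp1 dhcpd: DHCPREQUEST for 10.20.0.17 from 00:AA:BB:ff:ff:fe via eth0
Mar  3 10:01:21 dhcp1 dhcpd: DHCPACK on 10.20.0.18 to 00:aa:bc:00:00:01 via eth0
"""

# Placeholder OUI prefixes standing in for wireless-equipment vendors
# (assumed values, not real IEEE assignments).
WATCHED_OUIS = {"00:aa:bb", "00:11:22"}

# Six colon-separated hex octets; dhcpd logs write MACs in this form.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def mac_to_int(mac):
    """Treat the 48-bit MAC as a number, as ESM does for its MAC field."""
    return int(mac.replace(":", ""), 16)


def oui_range(oui):
    """Numeric range equivalent to 'starts with <oui>': the low end is the
    OUI followed by 00:00:00, the high end the OUI followed by ff:ff:ff."""
    lo = int(oui.replace(":", ""), 16) << 24
    return lo, lo | 0xFFFFFF


def in_watched_range(mac):
    """The 'between' form of the check: MAC inside any watched OUI's range."""
    value = mac_to_int(mac)
    return any(lo <= value <= hi for lo, hi in map(oui_range, WATCHED_OUIS))


def find_rogue_candidates(log_text):
    """Return the log lines whose client MAC has a watched OUI prefix."""
    hits = []
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower()      # normalise case before comparing
        prefix_hit = mac[:8] in WATCHED_OUIS
        # Both forms of the test must always agree.
        assert prefix_hit == in_watched_range(mac)
        if prefix_hit:
            hits.append({"mac": mac, "oui": mac[:8], "line": line})
    return hits
```

Run on real dhcpd output this only flags OUI matches, so a hit is a candidate to verify against the asset inventory, not a confirmed rogue device.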

You can use a Velocity template to convert the MAC address to a string variable.

#set ($macString=$attackerMacAddress)

The catch is you can only use this option in a rule.

Whether this would be faster, I think, would very much depend on the conditions you use with the MAC address.

HTH,

Duc

Update: Technically speaking, you can also use this inside a filter, but you can only use that filter inside a rule.

Some time ago I used a map file to convert the MAC address to the vendor.

It was a regex map file, and it killed the connector (memory issue) when the file was larger than 1500 rows.

It happened even though the connector was configured to use a 1024 MB Java heap.

BTW, I have used my own connector (Flex) for MS DHCP. In this case you can map the first bits as a string.


Maybe you could develop some rules in Snort to detect this and then use the Snort agent to send the events to ESM or Logger.


Thanks, I think this will be really helpful!


Hello. Your question was also answered here: http://answers.metanet.io/questions/8/use-case-for-mac-adresses

A.


The answer, again, was interesting! However, due to our large network and more than 30K users, it's quite impossible for us to track the login/logout of users. The other problem I mentioned is that we cannot use "start-with" in the MAC Address fields. Maybe it's related to the version of ESM we use (4.0 ....)


Any news about this interesting case?

Could you share your map file, and tell me how to use it?

Thanks in advance
