
How to identify endpoint machine with dynamic IP address


Dear my friends, I need to design a correlation rule in Sentinel. The rule
is used to check that a specific username logs in to the OA system from an
authorized endpoint, but all endpoints obtain dynamic IP addresses from the
DHCP server. My customer has a map table of username to hostname or MAC
address. How do I import it into Sentinel? Or how does the collector map a
username to a hostname or MAC address? Does Sentinel have an asset module?
How do I import into the asset module? Are there fields about assets in
Sentinel? Thanks!


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=46517


Re: How to identify endpoint machine with dynamic IP address

It may help to know more about what you are trying to do with the
correlation rule; for example, which business case is being solved via
this rule based on the other mapping.

To answer individual questions, in no particular order:

Yes, Sentinel has the capability of handling assets; there is a generic
asset collector which can read data from a file; see that collector's
documentation, or the Sentinel documentation on assets, for more
information. For reference, all plugins can be found on the Sentinel
plug-in website:
http://support.novell.com/products/sentinel/secure/sentinelplugins.html

Regarding the question about how a collector '[maps] username into
hostname or MAC Address', I'm not sure what you mean. If you have a
dynamic list that includes which usernames SHOULD be accessing which hosts
then you could probably refer to that in a correlation rule, or customized
collector, and then do something based on that, but without the business
case it sounds like you want the collector to be able to map from a user
to a MAC address which, of course, doesn't make sense. MAC addresses can
be picked up, depending on whether the event sources send those data, and
inserted into event data by collectors, but usually a MAC address isn't
as useful as, for example, something else that concretely identifies a
host AND that can be accessed from a part of the network other than the
local network segment. MAC addresses on packets, for example, change at
every hop, so getting MAC address data from events requires that the
events be picked up on the segment where the host lives before any routers
change the packets.

Good luck.

Re: How to identify endpoint machine with dynamic IP address



I am very pleased to get your reply! Because the logs of the OA system don't
include a hostname field but only an IP address field, and the IP address is
dynamic, I must identify the endpoint by hostname. The customer's need is that
a specific username logs in only from an authorized hostname! Our customer can
build the map table between username and hostname. I have two ideas to
implement it, but I don't know how to do it in Sentinel!
1. The collector reads the map file into the Sentinel asset module, and
correlation rules reference the hostname field. Is it OK? I don't know!
2. When the collector does parsing and normalization, can it pass the hostname
to a Sentinel field by placing the file into a specific directory (as in ArcSight)?
Thanks!


--
steve_zeng
------------------------------------------------------------------------
steve_zeng's Profile: https://forums.netiq.com/member.php?userid=3875
View this thread: https://forums.netiq.com/showthread.php?t=46517


Re: How to identify endpoint machine with dynamic IP address

> I am very pleased to get your reply! Because the logs of the OA system don't
> include a hostname field but only an IP address field, and the IP address is
> dynamic, I must identify the endpoint by hostname. The customer's need is that
> a specific username logs in only from an authorized hostname!


With dynamic IPs I also assume your IPs, then, will change from time to
time (not just be assigned dynamically but in a fairly static way). If
that is the case, how will Sentinel know about these changes at the time
that they happen?

> Our customer can
> build the map table between username and hostname. I have two ideas to
> implement it, but I don't know how to do it in Sentinel!
> 1. The collector reads the map file into the Sentinel asset module, and
> correlation rules reference the hostname field. Is it OK? I don't know!


This sounds fine to me, but from where will you get these maps? I assume
the DHCP server will somehow be able to feed you the hostname/IP
information, but will it?

> 2. When the collector does parsing and normalization, can it pass the hostname
> to a Sentinel field by placing the file into a specific directory (as in ArcSight)?


You can tell the collector to do anything that you can script (pretty much
anything) assuming that either the event has the information
(hostname/IP/etc.) or the Sentinel system already has it somewhere
(dynamic list, assets, etc.). You have already stated that the event
source is not able to send you the hostname, and that seems like the
biggest issue. Working around that (since the event data do not contain
the necessary information) means you need to tell Sentinel another way to
know the relationship between hostname and IP address. As long as you can
get that reliably, and timely, into Sentinel then that should not be a big
problem. So.... can you get these data in a way that can be immediately
sent to Sentinel via some file or message on the wire?

Good luck.

Re: How to identify endpoint machine with dynamic IP address


Hello Steve,

It sounds to me like you need to look into the Mapping Service a bit.

From your description, it sounds like:
1) You have a source that can tell Sentinel which user can use which
host (by name)
2) You probably can come up with a list of MAC address to hostname
mappings
3) The events you actually see from the hosts only include the IP
address.

So what you need, then, is to take the IP address from inbound events,
figure out what the associated hostname is, and then see if the
associated user is allowed.

Here's how I would achieve this:
1) Get a list of MAC address to hostname mappings and put it in a CSV
file
2) Write a custom Collector that consumes events from your DHCP server -
these typically say things like "I gave IP address X to MAC address Y"
- The Collector should take each inbound event, extract the MAC-IP
mapping, look up the MAC address in the CSV file from step (1) (there's
a simple 'KeyMap' construct in the Collector API to do this), and then
write out a new CSV file that maps the newly allocated IP address to the
hostname. This new CSV file would go in
/var/opt/novell/sentinel/data/map_data, and you'll have to handle
re-writes and things like that - look at the Generic IP Geolocation for
some good examples.
3) Create a Mapping Service map based on that new CSV file that keys off
the IP address and injects the hostname into the event.
4) Get a list of allowed hostname/username mappings, put them in a CSV
file, and create another Mapping Service map that keys off of
hostname/username and puts a 1 or a 0 into another field depending on
whether the combination is "allowed" or not.

The tricky bit here is the Collector which needs to manage the
IP/hostname map while consuming the DHCP data. The rest of it is pretty
easy. Post here some more specific examples of the data you're looking
at (such as the DHCP server output) and perhaps we can help more.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
View this thread: https://forums.netiq.com/showthread.php?t=46517

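The pipeline DCorlette sketches (steps 1 to 4), as an added stand-alone example that is not Sentinel collector code and does not use the Collector API's KeyMap or the Mapping Service: the DHCP log lines, MAC-to-hostname table and allowed user/host pairs are constructed sample data, and the ISC-dhcpd-style "DHCPACK on IP to MAC" wording is an assumption about the DHCP server's output. It also shows the "re-write" case the post warns about, where a lease moves to a different IP and the stale row must be dropped.

```javascript
// Step 1: MAC -> hostname table (constructed sample, stands in for the CSV file)
const MAC_TO_HOST = new Map([
  ["aa:bb:cc:dd:ee:01", "WS-ALICE"],
  ["aa:bb:cc:dd:ee:02", "WS-BOB"],
]);
// Step 4: allowed hostname/username pairs (constructed sample)
const ALLOWED = new Set(["WS-ALICE|alice", "WS-BOB|bob"]);

// Step 2 input: DHCP lease events; format is an assumed ISC-dhcpd-like wording.
// The third line re-uses 10.1.2.10 for WS-BOB, so both old rows become stale.
const SAMPLE_DHCP = [
  "DHCPACK on 10.1.2.10 to aa:bb:cc:dd:ee:01 (WS-ALICE) via eth0",
  "DHCPACK on 10.1.2.11 to aa:bb:cc:dd:ee:02 via eth0",
  "DHCPACK on 10.1.2.10 to aa:bb:cc:dd:ee:02 via eth0",
];
const DHCP_RE = /DHCPACK on (\d{1,3}(?:\.\d{1,3}){3}) to ([0-9a-f:]{17})/i;

// Build the IP -> hostname map from lease events, keeping only the current lease
function buildIpToHost(dhcpLines, macToHost) {
  const ipToHost = new Map(); // ip -> { mac, host }
  for (const line of dhcpLines) {
    const m = DHCP_RE.exec(line);
    if (!m) continue; // not a lease event
    const [, ip, macRaw] = m;
    const mac = macRaw.toLowerCase();
    const host = macToHost.get(mac);
    if (!host) continue; // unknown device: nothing to inject
    // a MAC that moved to a new IP must not keep its old row
    for (const [oldIp, v] of [...ipToHost]) if (v.mac === mac) ipToHost.delete(oldIp);
    ipToHost.set(ip, { mac, host }); // also overwrites a re-used IP
  }
  return ipToHost;
}

// Serialise as the CSV the post would drop into the map_data directory (step 2/3)
function toCsv(ipToHost) {
  return [...ipToHost].map(([ip, v]) => `${ip},${v.host}`).join("\n") + "\n";
}

// Steps 3 and 4 on one OA login event {user, ip}: inject hostname, then allowed flag 1/0
function enrich(loginEvent, ipToHost, allowed) {
  const host = ipToHost.get(loginEvent.ip)?.host ?? null;
  const ok = host !== null && allowed.has(`${host}|${loginEvent.user}`) ? 1 : 0;
  return { ...loginEvent, hostname: host, allowed: ok };
}
```

A correlation rule then only has to fire on login events where `allowed` is 0; an event whose IP has no current lease gets a null hostname and is also flagged 0, which is the case to review when the DHCP feed falls behind.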