    OpenSource or free rogue device detection

    • stacksofplates

      AlienVault does NID. Suricata may also be helpful.

    • JaredBusch @Jason

      @Jason said in OpenSource or free rouge device detection:

        https://lanmarshal.mobilabs.fr/lanmarshal.html#getlanmarshal

        Found this... Let's see if it works. Anyone used it before?

      Looks interesting, but there is no link to anything but the appliance.

    • Jason

      Web interface seems to be okay for Lan Marshal. Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

    • dafyre @Jason

      @Jason said in OpenSource or free rouge device detection:

        Web interface seems to be okay for Lan Marshal. Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

      Are you looking for rogue APs, or devices that are connected to your network that shouldn't be?

    • Jason @dafyre

      @dafyre said in OpenSource or free rouge device detection:

        @Jason said in OpenSource or free rouge device detection:

          Web interface seems to be okay for Lan Marshal. Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

        Are you looking for rogue APs, or devices that are connected to your network that shouldn't be?

      Just devices on the network.

    • art_of_shred

      Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

    • Jason @art_of_shred

      @art_of_shred said in OpenSource or free rouge device detection:

        Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

      BAHAHAHAHAHAHAHA. Fixed it.

    • dafyre

      For "just devices", something like NetDisco is great. You can follow devices around the network: it records what switch and port a MAC address is seen on, and if the device ever shows up on a different network jack, it can record that too.

      I also just discovered phpIPAM (http://phpipam.net/). It seems to be good at finding devices, but it doesn't track what switch port they're plugged into, etc.

      They have a demo available (http://phpipam.net/phpipam-demo/).

      phpIPAM screenshots...

    • scottalanmiller @art_of_shred

      @art_of_shred said in OpenSource or free rogue device detection:

        Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

      I figured that they flagged red when in the interface.

      Green field, red devices. You know.

    • art_of_shred @scottalanmiller

      @scottalanmiller said in OpenSource or free rogue device detection:

        @art_of_shred said in OpenSource or free rogue device detection:

          Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

        I figured that they flagged red when in the interface.

        Green field, red devices. You know.

      Red/green: must be confusing to the colorblind...

      I apologize for hijacking the thread. Please carry on.

    • Jason @dafyre

      @dafyre said in OpenSource or free rogue device detection:

        NetDisco

      Looks nice. Can either this or phpIPAM do email alerts? I'm not seeing that in the demos.

    • dafyre @Jason

      @Jason said in OpenSource or free rogue device detection:

        @dafyre said in OpenSource or free rogue device detection:

          NetDisco

        Looks nice. Can either this or phpIPAM do email alerts? I'm not seeing that in the demos.

      It's been so long since I've used NetDisco, I can't remember. Let me go check phpIPAM real quick... *poof*

      Okay, I'm back. It looks like phpIPAM can do email stuff. I don't know what all it can do, but it's worth a quick look. Setup is relatively straightforward.

    • Jason

      So with LanMarshal, it's filtering down to Apple devices, hence why it didn't work for me. I just need to figure out what to edit here.

      #!/bin/sh
      #
      # This script extracts mobile devices from a Nmap scan. This version recognizes
      # Apple devices.
      #
      # copyright 2013 Artelsys.com
      #
      #
      # Redistribution and use of this script, with or without modification, is
      # permitted provided that the following conditions are met:
      #
      # 1. Redistributions of this script must retain the above copyright
      #    notice, this list of conditions and the following disclaimer.
      #
      #  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
      #  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
      #  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
      #  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
      #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
      #  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
      #  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
      #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
      #  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
      #  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

      # Global constants and variables
      dumpfile="/home/app/servers/dump.txt"   # raw Nmap output, consumed block by block
      tempfile="/home/app/servers/temp.txt"   # the single host block being processed
      result="/home/app/servers/result.txt"   # one "MAC;IP;device;OS;CPE;details" line per match


      # Pull the fields of one host block out of $tempfile and append them as a
      # semicolon-separated record to $result.
      #
      _extract_device() {

        # Extract relevant fields (field numbers refer to Nmap's normal output lines)
        MAC=$(grep -m 1 "MAC Address" "$tempfile" | awk '{print $3}')
        IP=$(grep -m 1 "Nmap scan report" "$tempfile" | awk '{print $5}')
        DEVICE=$(grep -m 1 "Device type:" "$tempfile" | awk '{print $3 " " $4}')
        OS=$(grep -m 1 "Running:" "$tempfile" | awk '{$1=""; print}')
        OS_CPE=$(grep -m 1 "OS CPE:" "$tempfile" | awk '{$1=""; $2=""; print}')
        OS_DETAILS=$(grep -m 1 "OS details:" "$tempfile" | awk '{$1=""; $2=""; print}')

        # Remove the leading white space left behind by blanking the awk fields
        OS=$(echo "$OS" | sed 's/^ *//')
        OS_CPE=$(echo "$OS_CPE" | sed 's/^ *//')
        OS_DETAILS=$(echo "$OS_DETAILS" | sed 's/^ *//')

        echo "$MAC;$IP;$DEVICE;$OS;$OS_CPE;$OS_DETAILS" >> "$result"
      }


      # Cut the first host block ("Nmap scan report" up to "Network Distance") out of
      # $dumpfile into $tempfile, then record it only if it looks like an iPhone.
      #
      _extract_block() {

        # Extract the block and copy it to the temp file
        sed -n '/Nmap scan/,/Network Distance/p;/Network Distance/q' "$dumpfile" > "$tempfile"
        lines=$(wc -l < "$tempfile")
        #sed q $tempfile
        #echo "$lines lines have been extracted."

        # No block left: empty the input so the main loop terminates instead of
        # spinning forever on leftover lines that contain no "Nmap scan" header.
        if [ "$lines" -eq 0 ]; then
          : > "$dumpfile"
          return
        fi

        # Delete the extracted block from the input file in one pass
        sed -i "1,${lines}d" "$dumpfile"

        # Check if extracted device info matches 'iPhone OS'.
        if grep -q 'iphone_os' "$tempfile"; then
          #echo 'Bingo!';
          _extract_device
        fi
      }

      # -----------------------------------------------------------------------------
      # Main program
      #
      # -----------------------------------------------------------------------------

      # Delete file containing list of detected devices
      if [ -e "$result" ]; then
        rm "$result"
      fi
      touch "$result"

      # Clean up the file by removing the two first lines and the empty lines
      sed -i '1,2d' "$dumpfile"
      sed -i '/^$/d' "$dumpfile"

      # Extract the 'Nmap' blocks and store the detected mobile devices in $result
      # echo "extracting Nmap blocks ..."
      # Do until all the blocks are extracted
      size=$(wc -l < "$dumpfile")
      while [ "$size" -gt 3 ]; do
        _extract_block
        size=$(wc -l < "$dumpfile")
      done

      exit 0

    • Jason

      Changed

        # Check if extracted device info matches 'iPhone OS'.
        if grep -q 'iphone_os' $tempfile; then
          #echo 'Bingo!';
          _extract_device
        fi

      to this; we shall see if that does it.

        # Check if extracted device info matches 'iPhone OS'.
        if grep -q '.' $tempfile; then   # any non-empty line, i.e. every device
          #echo 'Bingo!';
          _extract_device
        fi

    • dafyre @Jason

      @Jason said in OpenSource or free rogue device detection:

          if grep -q 'iphone_os' $tempfile; then
            #echo 'Bingo!';
            _extract_device
          fi

      You could also try changing it to

          #echo 'Bingo!';
          _extract_device

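A parser for the same Nmap normal output that does the two things this thread asks for: it records every scanned host rather than only `iphone_os` matches, and it flags hosts whose MAC is not in a known-device list, which is what "devices that shouldn't be on the network" comes down to. This is an added example, not LanMarshal's script or any project's code; the scan output and the inventory are constructed sample data.

```shell
#!/bin/sh
# Added example (not LanMarshal's script): parse Nmap normal output into one
# "MAC;IP;vendor;device;running" record per host, then report MACs that are
# absent from an inventory. Input is read from stdin; nothing is modified on disk.
# Constructed Nmap -O style output for two hosts (sample data, not a real scan).
NMAP_SAMPLE='Starting Nmap 7.40 ( https://nmap.org ) at 2016-12-01 10:00 CET
Nmap scan report for 192.168.1.10
Host is up (0.0021s latency).
MAC Address: 00:11:22:33:44:55 (Example Vendor)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10
Network Distance: 1 hop

Nmap scan report for 192.168.1.23
Host is up (0.0040s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Unknown)
Device type: phone
Running: Apple iOS 9.X
OS CPE: cpe:/o:apple:iphone_os:9
OS details: Apple iOS 9.3
Network Distance: 1 hop
'
# Constructed inventory of MACs expected on this segment, one per line.
KNOWN_MACS='00:11:22:33:44:55'
# Read Nmap output on stdin; print one record per "Nmap scan report" block.
nmap_to_records() {
  awk '
    function flush() {
      if (ip != "") print mac ";" ip ";" vendor ";" dev ";" os
      ip = ""; mac = ""; vendor = ""; dev = ""; os = ""
    }
    /^Nmap scan report for/ { flush(); ip = $NF; gsub(/[()]/, "", ip) }
    /^MAC Address:/ { mac = $3; vendor = $0
                      sub(/^MAC Address: [^ ]+ /, "", vendor); gsub(/[()]/, "", vendor) }
    /^Device type:/ { dev = $0; sub(/^Device type: /, "", dev) }
    /^Running:/     { os = $0; sub(/^Running: /, "", os) }
    END { flush() }'
}
# Records on stdin, newline-separated known MACs in $1; print only unknown ones.
unknown_devices() {
  awk -F';' -v known="$1" '
    BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) seen[tolower(k[i])] = 1 }
    $1 != "" && !(tolower($1) in seen)'
}
printf '%s' "$NMAP_SAMPLE" | nmap_to_records | unknown_devices "$KNOWN_MACS"
```

From cron, feed it the file written by `nmap -O -oN` and pipe the unknown records to `mail -s` for the e-mail alert asked about above.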
    • tomV @stacksofplates

      @stacksofplates Per AlienVault (12/2016), it does not do rogue device detection and alerting. Not yet, anyway. I see it as a major flaw in it being a USM.
