Re: [security-onion] finding MAC addresses from past alerts


Mark K. Ayler Jr.

Sep 21, 2012, 12:01:09 PM
to securit...@googlegroups.com
This is a really good question. I'm experiencing something similar. It would be nice if there was an option to include the ip - mac or ip - hostname in the alert.

On Fri, Sep 21, 2012 at 8:37 AM, Mike Herman <mgh...@gmail.com> wrote:
I am looking for a way to extract the MAC address from the header of packets that triggered alerts in the past 24 hours. Unfortunately sometimes these machines are not online anymore, or their DHCP lease has expired, and I need to verify that the past alerts came from a specific MAC address so I avoid blacklisting a computer that just happened to get that IP lease after the offending computer disconnected. It is my understanding that Security Onion stores no packets unless a pcap is triggered via Wireshark or Sguil. Is there any way to link the MAC address of a local IP to an alert automatically, or store a sample of packets from each local IP triggering an alert? If not, is there somewhere that this packet header data is stored on the server?

I know the obvious answer is to lengthen the lease time on my DHCP server, but we don't want to do that because we have a huge turnover in devices (we may get 1000 new, unique devices in 12 hours on a busy day on our network).

--
Mark K Ayler Jr.
CCNA, MCSE, NNCSS, OASIS.

Castle, Shane

Sep 21, 2012, 12:13:13 PM
to securit...@googlegroups.com
This may not be possible, depending on how your network is arranged and where your sensor is listening. Consider: the MAC address in the L2 header of a packet will be that of the interface from which it last came. This means that unless your network is completely flat, with no routers except for those to the outside, the MAC address will belong to the last-hop router's interface on the network you have installed your sensor on.

Perhaps you are not aware that Security Onion stores ALL packets that its sensors see, not just the ones from an alert, unless it is prevented from doing so by a BPF filter. This means that you have access to all the traffic for an IP address that traversed the interface your sensor is listening to. Your sentence beginning "It is my understanding that Security Onion stores no packets ..." indicates that you have an incomplete understanding of this and you need to read up a bit more.

Also, you should be able to configure your DHCP server so that it logs all leases and associations, providing a time-based record of who gets what IP address when. With this, you don't need to extract the MAC from the packet (which, as mentioned, may not correspond to the device anyway), you just need to know the time and then check the DHCP server log.

--
Shane Castle
Data Security Mgr, Boulder County IT
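To make the DHCP-log approach concrete, here is an added example (my own code, not from this thread or from Security Onion) that answers the question "which MAC held this IP at the time of the alert?" from a lease log. The sample lines are constructed and only modelled on ISC dhcpd syslog output; the lease length is not in the log, so it is passed in as a parameter that you would set to match your server's configured lease time. As Shane notes, some clients send no hostname, so the hostname field is optional.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on ISC dhcpd syslog output; not real data.
SAMPLE_DHCP_LOG = """\
Sep 21 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:01 (laptop-alice) via eth0
Sep 21 08:31:05 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:01 (laptop-alice) via eth0
Sep 21 09:12:47 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:02 via eth0
Sep 21 09:12:50 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:aa:bb:03 via eth0
Sep 21 10:45:00 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:aa:bb:03 (phone-bob) via eth0
"""

# Only DHCPACK lines record a completed assignment. The "(hostname)" part is
# optional: clients that send no hostname produce a line without it.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via "
)


def parse_acks(log_text, year):
    """Return DHCPACK events sorted by time. syslog lines carry no year, so it is supplied."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        acks.append({"start": ts, "ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"]})
    acks.sort(key=lambda a: a["start"])
    return acks


def lease_holder(acks, ip, when, lease_seconds):
    """(mac, hostname) that held `ip` at `when`, or None if no unexpired lease covers it.

    `when` may be a datetime or an ISO-8601 string. A later ACK for the same IP
    supersedes an earlier one even if that lease had not expired yet, which is
    what happens when a short-lease pool is recycled quickly.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    holder = None
    for a in acks:
        if a["ip"] != ip or a["start"] > when:
            continue
        if when < a["start"] + timedelta(seconds=lease_seconds):
            holder = a
    return (holder["mac"], holder["host"]) if holder else None


if __name__ == "__main__":
    acks = parse_acks(SAMPLE_DHCP_LOG, 2012)
    # An alert fired at 09:30; the IP had already been re-leased to a second NIC.
    print(lease_holder(acks, "10.20.30.40", "2012-09-21 09:30:00", lease_seconds=3600))
```

The query returns None when the alert time falls outside every recorded lease for that IP, which is the signal to stop and investigate rather than block whatever device holds the address now.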

Mark K. Ayler Jr.

Sep 21, 2012, 12:25:11 PM
to securit...@googlegroups.com
Dammit, you are totally right. I forgot about MACs changing from hop to hop (i/f to i/f). Is ip -> hostname still an option?

Mark K. Ayler Jr.

Sep 21, 2012, 12:26:04 PM
to securit...@googlegroups.com
check out /nsm/sensor-data/$sensor_name/dailylogs

On Fri, Sep 21, 2012 at 9:19 AM, Mike Herman <mgh...@gmail.com> wrote:
Shane-

Thanks for exposing my ignorance. I clearly still have a lot to learn about Security Onion. I'll go back and re-read the documentation, but would greatly appreciate a hint as to where I can access and review the packet captures, or where in the documentation I should be looking.

Our monitored networks hit no routers before the gateway, so there should be no problem in retrieving the L2 information once I learn how to review the raw packet captures.

Castle, Shane

Sep 21, 2012, 12:34:19 PM
to securit...@googlegroups.com
Also, you can extract just the traffic for the IP address you are interested in (see the posts with the subject "Investigation of a particular host through daily logs") and then use Wireshark or tcpdump to examine that. ("tcpdump -elvv -s 0 -X -n -r <filename>" will give lots of useful info, including MACs.)

--
Shane Castle
Data Security Mgr, Boulder County IT


Castle, Shane

Sep 21, 2012, 1:00:32 PM
to securit...@googlegroups.com
Yes, this is an issue when your network changes a lot with devices arriving and leaving, and short DHCP lease times. For instance, when reviewing Sguil or Snorby output, the PTR record belonging to the IP address is the one *currently* in DNS, not the one that existed when the packet was captured, so the name<->IP pair is good only for near-real-time reviewing of data. Again, having this information captured by a DHCP server log is really the only way out of this.

Also, I've noticed that depending on how the DHCP client is configured, no hostname is passed to the DHCP server and none is assigned, so an IP address is all there is, even with full logging on the part of the DHCP server.
Castle, Shane

Sep 25, 2012, 12:37:29 PM
to securit...@googlegroups.com
I just noticed that, if you run Security Onion, you could add the contributed Bro script roam.bro that will collect MAC<->IP mappings over time. Look in the repository: http://git.bro-ids.org/bro-scripts.git/tree

Bro is way cool. I can hardly wait for the new SO with the new Bro, plus ELSA. Good things!

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: securit...@googlegroups.com [mailto:securit...@googlegroups.com] On Behalf Of Mike Herman
Sent: Friday, September 21, 2012 12:05
To: securit...@googlegroups.com
Subject: Re: [security-onion] finding MAC addresses from past alerts

Shane-

Thanks again. I tested it with Wireshark and it gave me exactly what I needed. The DHCP server logging is something else we will be looking into. I'm going to read up on tcpdump and will look at the posts you mentioned.
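Both the tcpdump approach Shane describes ("tcpdump -e ... -r <filename>" against the dailylogs capture) and the roam.bro script he mentions come down to the same thing: reading source MAC and source IP off each frame and keeping a time-indexed IP-to-MAC history. The following is an added example that does that in Python; it is my own code, not part of the thread, Security Onion or Bro. It assumes the capture is a classic libpcap file with Ethernet framing, as tcpdump writes; the sample capture is constructed in memory so the block runs offline. Shane's caveat applies unchanged: on a routed segment the source MAC you recover is the last-hop router's interface, not the endpoint's.

```python
import struct
from collections import defaultdict


def eth_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, vlan=None):
    """Minimal Ethernet/IPv4 frame (empty payload) used to build the constructed capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:                      # 802.1Q tag sits before the real EtherType
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", 0x0800) + ip_hdr


def build_pcap(frames):
    """Classic little-endian libpcap file (link type 1 = Ethernet) from (unix_ts, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample capture: 10.20.30.40 is first used by one NIC and later, after a
# lease change, by another; one frame is VLAN-tagged and one is ARP (skipped).
SAMPLE_PCAP = build_pcap([
    (100.0,  eth_ipv4_frame("00:11:22:aa:bb:01", "00:de:ad:be:ef:00", "10.20.30.40", "8.8.8.8")),
    (150.0,  bytes.fromhex("00deadbeef00" "001122aabb03") + struct.pack("!H", 0x0806) + bytes(28)),
    (160.5,  eth_ipv4_frame("00:11:22:aa:bb:01", "00:de:ad:be:ef:00", "10.20.30.40", "8.8.8.8", vlan=10)),
    (200.25, eth_ipv4_frame("00:11:22:aa:bb:02", "00:de:ad:be:ef:00", "10.20.30.40", "1.1.1.1")),
])


def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)


def parse_pcap(data):
    """Yield (ts, src_mac, src_ip) for each IPv4 frame; VLAN tags are unwrapped, others skipped."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    (link,) = struct.unpack(end + "I", data[20:24])
    if link != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 14:
            continue                              # truncated frame, no usable header
        src_mac = _mac(frame[6:12])               # on a routed segment: the last-hop router
        (etype,) = struct.unpack("!H", frame[12:14])
        p = 14
        while etype == 0x8100 and len(frame) >= p + 4:
            (etype,) = struct.unpack("!H", frame[p + 2:p + 4])
            p += 4
        if etype != 0x0800 or len(frame) < p + 20 or frame[p] >> 4 != 4:
            continue
        yield sec + usec / 1_000_000, src_mac, _ip(frame[p + 12:p + 16])


def ip_mac_timeline(records):
    """{src_ip: [(mac, first_seen, last_seen), ...]} as contiguous runs in time order."""
    by_ip = defaultdict(list)
    for ts, mac, ip in sorted(records):
        runs = by_ip[ip]
        if runs and runs[-1][0] == mac:
            runs[-1] = (mac, runs[-1][1], ts)   # extend the current run
        else:
            runs.append((mac, ts, ts))          # a different NIC took over the IP
    return dict(by_ip)


def mac_at(timeline, ip, when):
    """MAC of the run in force for `ip` at `when` (None if the IP was not seen by then)."""
    holder = None
    for mac, first_seen, _last_seen in timeline.get(ip, []):
        if first_seen <= when:
            holder = mac
    return holder


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for ip, runs in ip_mac_timeline(parse_pcap(data)).items():
        for mac, first, last in runs:
            print(f"{ip:15} {mac} {first:.3f} .. {last:.3f}")
```

Run with a path to a dailylogs file to print one line per IP-to-MAC run; the run boundaries are what you compare against the alert timestamp. Nanosecond-resolution pcap (a different magic number) and pcapng are deliberately rejected rather than misparsed.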

Florin Sfetea

Feb 4, 2019, 6:06:16 AM
to security-onion
Hi Shane,
do you perhaps know if the new BRO scripts are already available in security-onion?

Dustin Lee

Feb 4, 2019, 8:36:27 AM
to securit...@googlegroups.com
Florin,

The post you're referencing appears to be from some time ago. Bro 2.6.1 is now included in Security Onion and has a relatively recent scripting update format.

More information can be found here:
https://blog.securityonion.net/2019/01/security-onion-160456-now-available.html

https://www.zeek.org/download/NEWS.bro.html

- Dustin


fsf...@gmail.com

Feb 13, 2019, 9:18:10 PM
to security-onion
On Monday, February 4, 2019 at 2:36:27 PM UTC+1, Dustin Lee wrote:
> Florin,
>
>
> The post you're referencing appears to be from some time ago. Bro 2.6.1 is now included in Security Onion and has a relatively recent scripting update format. 
>
>
> More information can be found here:
> https://blog.securityonion.net/2019/01/security-onion-160456-now-available.html
>
> https://www.zeek.org/download/NEWS.bro.html
>
>
>
> - Dustin
>


I found something better

https://gist.github.com/grigorescu/a28b814a8fb626e2a7b4715d278198aa

Perhaps should/could be included in the future SO version