[Snort-users] dhcp assigned address and no ip on snort interface

Jason Brvenik jason at ...5028...
Fri Feb 22 06:45:10 EST 2002


> [snip]
> One caveat:  as I'm sure you're aware, a number of vulnerabilities have
> been discovered with SNMP lately, and the PIX software is not immune. Be
> aware of the risks when using this solution. According to
> http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml
> the pix is only vulnerable from the host specified in your snmp-server host
> config line, which should greatly reduce your risk, but you should
> definitely plan on upgrading to a patched version at some point.
> [old msg and sig zapped]

Given that the snmp get is over udp and easily spoofed, I would try and avoid it. Using a trap that is picked off the wire with no
valid destination would seem much safer as there is no endpoint to attack and it can be picked up directly behind the firewall.
Couple this with correlation of the dhcp session captured from in front of the firewall and I would guestimate it would be
sufficient for all but the most strict environments to use automation.

     Cable
          |------> IDS  <= capture dhcp here, ipless interface
        Pix             |
          |------> IDS  <= capture trap here, mgmt interface
     Internal ( 10.1.1.1 )


1) pix and cable modem negotiate a new IP. Tagging used to capture entire session.
     http://www.snort.org/docs/writing_rules/chap2.html#tag section
2) Pix sends a trap to 192.168.0.1 noting an interface change ( requires a host route to send it out the 10.1.1.1 interface )
3) IDS picks up a trap destined to 192.168.0.1 which dies on the wire with no place to go and is logged separately
    http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.1
4) Process pulls the last negotiated IP out of #1 and compares it to #3. If all is well a reconfig is done and the IDS is
restarted.

All this should be possible to complete in no more than a minute. You can even send a notification of the change to the admin as
an alert to feel better about the automation. It automagically changed.

You could also run arpwatch -d in a process and catch stderr for the MAC of the fw and act on a change there as well. I myself
would probably grab the sources and hack up a specific version for this purpose though.

Jason

P.S. Doesn't snort-users-admin at lists.sourceforge.net get a copy of list mail already??
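The correlation step (4) above, written out as an added example (not code from the original post or from Snort): it takes the UDP payloads Snort logged for the tagged DHCP session and for the stray trap, pulls the negotiated address out of the DHCP ACK, checks that the other packet really is an SNMPv1 trap, and rewrites the HOME_NET line of a snort.conf before the restart. The packets and the snort.conf text are constructed samples; the documentation address 198.51.100.7 stands in for the real cable-side IP.

```python
import re
from ipaddress import IPv4Address

BOOTP_MAGIC = b"\x63\x82\x53\x63"          # marks the start of DHCP options
HOME_NET_RE = re.compile(r"^(var HOME_NET\s+)(\S+)", re.MULTILINE)

def dhcp_ack_yiaddr(payload):
    """Return the address handed out by a DHCP ACK (BOOTP 'yiaddr'), else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != BOOTP_MAGIC:
        return None                           # not a BOOTREPLY with DHCP options
    yiaddr = str(IPv4Address(payload[16:20]))
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:                       # end-of-options
            break
        if code == 0:                         # pad byte
            i += 1
            continue
        if code == 53 and payload[i + 2] == 5:   # option 53 = msg type, 5 = DHCPACK
            return yiaddr
        i += 2 + payload[i + 1]
    return None

def is_snmpv1_trap(payload):
    """True for a BER SEQUENCE { INTEGER version, OCTET STRING community, [4] Trap-PDU }.
    Short-form BER lengths only (assumption: the PIX trap is small)."""
    try:
        if payload[0] != 0x30 or payload[2] != 0x02:
            return False
        i = 4 + payload[3]                    # skip version INTEGER
        if payload[i] != 0x04:
            return False
        i += 2 + payload[i + 1]               # skip community string
        return payload[i] == 0xA4             # context tag 4 = SNMPv1 Trap-PDU
    except IndexError:
        return False

def update_home_net(conf, new_ip):
    """Rewrite 'var HOME_NET' to a /32 for new_ip. Returns (conf, changed)."""
    target = f"{new_ip}/32"
    m = HOME_NET_RE.search(conf)
    if not m or m.group(2) == target:
        return conf, False
    return HOME_NET_RE.sub(lambda mm: mm.group(1) + target, conf, count=1), True

def reconfigure(dhcp_payload, trap_payload, conf):
    """Step 4: only touch the config when a DHCP ACK and a trap were both seen."""
    ip = dhcp_ack_yiaddr(dhcp_payload)
    if ip is None or not is_snmpv1_trap(trap_payload):
        return conf, False
    return update_home_net(conf, ip)

# Constructed samples: a DHCP ACK assigning 198.51.100.7 and a minimal SNMPv1 trap.
SAMPLE_DHCP_ACK = (bytes([2, 1, 6, 0]) + b"\x00" * 12 + bytes([198, 51, 100, 7])
                   + b"\x00" * 216 + BOOTP_MAGIC + b"\x35\x01\x05\xff")
SAMPLE_TRAP = b"\x30\x0d\x02\x01\x00\x04\x06public\xa4\x00"
```

A real deployment would feed these functions from the packets Snort logged for the tagged session and the trap rule, then restart Snort only when `reconfigure` reports a change.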
