Let's combine Deep Inspection, the Alert Escalation script response and the following Perl script into a home-made yet powerful and flexible way to perform so-called post-admission NAC.
The idea is that the IPS monitors a network segment in inline or port-mirroring mode. When it finds a true positive, it raises an alert to the Log Server.
The alert is then evaluated against the Alert Escalation Policy and a reaction is triggered.
One of the possible reactions is a script executed by the Log Server that sends SNMP instructions to the switch the offending machine is connected to, putting its physical network port in shutdown.
The script below has been tested with an HP ProCurve switch but should work with any switch that understands SNMP, since it only uses standard BRIDGE-MIB and IF-MIB objects. Note that the final set request needs a community string with write access on the switch.
#!/usr/bin/perl
# Post-admission NAC reaction script. The Log Server passes the alert fields as
# positional arguments: the offending IP is argument 9, its MAC argument 10.
use strict;
use warnings;
use Net::SNMP;
use Sys::Syslog;

my $ip  = $ARGV[9];
my $mac = $ARGV[10];
my ($realarp, $session, $error, $result, @bytes, $oid, $int_id, $int_name);

my $hostname  = '172.23.11.63';              # switch to act on
my $community = 'public';                    # must have write access for the set request
my $int_oid   = '.1.3.6.1.2.1.2.2.1.7';      # IF-MIB ifAdminStatus
my $mac_oid   = '.1.3.6.1.2.1.17.4.3.1.2';   # BRIDGE-MIB dot1dTpFdbPort (bridge port a MAC was learned on)
my $bport_oid = '.1.3.6.1.2.1.17.1.4.1.2';   # BRIDGE-MIB dot1dBasePortIfIndex (bridge port -> ifIndex)
my $iname_oid = '.1.3.6.1.2.1.31.1.1.1.1';   # IF-MIB ifName

openlog("Blocker", 'ndelay,pid', 'local0');
syslog('info', 'Got Ip address %s and Mac address %s', $ip, $mac);

($session, $error) = Net::SNMP->session(Hostname => $hostname, Community => $community);
syslog('warning', 'DIED: Snmp session error-> %s', $error) unless ($session);
die "session error: $error" unless ($session);

# dot1dTpFdbPort is indexed by the six MAC octets written as decimal sub-identifiers
@bytes   = split(/:/, $mac);
$realarp = sprintf("%d.%d.%d.%d.%d.%d", map { hex($_) } @bytes[0 .. 5]);
$oid     = "$mac_oid.$realarp";
$result  = $session->get_request(-varbindlist => [$oid]);
syslog('warning', 'DIED: Snmp request error-> %s', $session->error) unless (defined $result);
die "request error: " . $session->error unless (defined $result);
$int_id = $result->{$oid};

# The FDB returns a bridge port number, not an ifIndex. On the tested ProCurve the two
# coincide; where the switch supports dot1dBasePortIfIndex, map through it to be safe.
$oid    = "$bport_oid.$int_id";
$result = $session->get_request(-varbindlist => [$oid]);
$int_id = $result->{$oid} if (defined $result && defined $result->{$oid} && $result->{$oid} =~ /^\d+$/);

# Resolve the interface name for the log message
$oid      = "$iname_oid.$int_id";
$result   = $session->get_request(-varbindlist => [$oid]);
$int_name = (defined $result && defined $result->{$oid}) ? $result->{$oid} : $int_id;
syslog('info', 'Successfully found %s on interface %s (id %s)', $mac, $int_name, $int_id);

# Set ifAdminStatus to down(2) on that interface
$oid    = "$int_oid.$int_id";
$result = $session->set_request(-varbindlist => [$oid, INTEGER, 2]);
syslog('warning', 'DIED: Snmp set error-> %s', $session->error) unless (defined $result);
die "set error: " . $session->error unless (defined $result);
syslog('crit', 'Blocked interface %s on %s', $int_name, $hostname);

$session->close;
closelog();
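As an added illustration, not part of the original post or its script, here is the same lookup chain written in Python against a constructed in-memory stand-in for the switch's SNMP agent, so it runs offline. It adds three things worth having before wiring this into an automatic reaction: validation of the MAC taken from the alert before it becomes an OID instance, the BRIDGE-MIB dot1dBasePortIfIndex step that maps the bridge port returned by dot1dTpFdbPort to an ifIndex (the two coincide on many switches, which is why the Perl script gets away without it), and a set of protected interfaces so that a MAC learned through an uplink never results in the uplink itself being shut down. The OIDs are the standard ones the script uses; the MACs, port numbers, port names and the FakeAgent class are constructed sample data and helpers, not anything from the page.

```python
import re

# Standard OIDs (the same objects the page's Perl script uses, plus dot1dBasePortIfIndex).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # BRIDGE-MIB: bridge port a MAC was learned on
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB: bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"                   # IF-MIB: ifName
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"              # IF-MIB: ifAdminStatus
ADMIN_UP, ADMIN_DOWN = 1, 2

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def mac_to_fdb_instance(mac):
    """Validate a MAC from the alert and return the dot1dTpFdbPort instance OID.

    The FDB table is indexed by the six MAC octets as decimal sub-identifiers,
    so 00:1a:2b:3c:4d:5e becomes <base>.0.26.43.60.77.94.
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address in alert: {mac!r}")
    octets = re.split(r"[:-]", mac)
    return DOT1D_TP_FDB_PORT + "." + ".".join(str(int(o, 16)) for o in octets)


class FakeAgent:
    """Constructed stand-in for a switch's SNMP agent: a dict of OID -> value.

    get() returns None where a real agent would answer noSuchInstance; set()
    records every write so the caller can audit what changed.
    """

    def __init__(self, table):
        self.table = dict(table)
        self.sets = []

    def get(self, oid):
        return self.table.get(oid)

    def set(self, oid, value):
        self.table[oid] = value
        self.sets.append((oid, value))


def quarantine_mac(agent, mac, protected_ports=frozenset(), dry_run=False):
    """Resolve MAC -> bridge port -> ifIndex -> ifName and shut the port down.

    Returns a dict describing the outcome rather than acting blindly, so the
    escalation log can record exactly why a port was or was not disabled.
    """
    bridge_port = agent.get(mac_to_fdb_instance(mac))
    if bridge_port is None:
        return {"status": "not_found", "mac": mac}

    # dot1dTpFdbPort yields a bridge port, not an ifIndex; map it where the
    # switch supports dot1dBasePortIfIndex, otherwise assume they coincide
    # (the assumption the page's Perl script makes).
    ifindex = agent.get(f"{DOT1D_BASE_PORT_IFINDEX}.{bridge_port}")
    if ifindex is None:
        ifindex = bridge_port

    ifname = agent.get(f"{IF_NAME}.{ifindex}") or f"ifIndex {ifindex}"
    if ifname in protected_ports:
        # The MAC was learned behind an uplink or trunk: shutting that port
        # would cut off everything behind it, so refuse and leave it to a human.
        return {"status": "refused", "mac": mac, "interface": ifname,
                "reason": "interface is protected"}

    if not dry_run:
        agent.set(f"{IF_ADMIN_STATUS}.{ifindex}", ADMIN_DOWN)
    return {"status": "dry_run" if dry_run else "blocked", "mac": mac,
            "interface": ifname, "ifindex": ifindex}


# Constructed sample switch: one host on access port A7, a second MAC learned
# through uplink A24, both ports administratively up.
SAMPLE_AGENT = FakeAgent({
    f"{DOT1D_TP_FDB_PORT}.0.26.43.60.77.94": 7,        # 00:1a:2b:3c:4d:5e
    f"{DOT1D_TP_FDB_PORT}.0.170.187.204.221.238": 24,  # 00:aa:bb:cc:dd:ee
    f"{DOT1D_BASE_PORT_IFINDEX}.7": 7,
    f"{DOT1D_BASE_PORT_IFINDEX}.24": 24,
    f"{IF_NAME}.7": "A7",
    f"{IF_NAME}.24": "A24",
    f"{IF_ADMIN_STATUS}.7": ADMIN_UP,
    f"{IF_ADMIN_STATUS}.24": ADMIN_UP,
})
UPLINKS = {"A24"}

if __name__ == "__main__":
    print(quarantine_mac(SAMPLE_AGENT, "00:1a:2b:3c:4d:5e", UPLINKS))
    print(quarantine_mac(SAMPLE_AGENT, "00:aa:bb:cc:dd:ee", UPLINKS))
    print(SAMPLE_AGENT.sets)
```

Running it blocks A7 for the first MAC and refuses to touch A24 for the second; the `dry_run` flag lets you run the reaction against a live switch and only log what it would have done until you trust the alert feed.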
Did you test this with other devices?
Please help the community by posting your experience here using comments!
written by RoarinPenguin
Tags: Alert Escalation, IPS, NAC, network access control, post-admission, script