ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    OpenSource or free rogue device detection

    Scheduled Pinned Locked Moved IT Discussion
    30 Posts 10 Posters 4.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Jason Banned @dafyre
      last edited by

      @dafyre said in OpenSource or free rouge device detection:

      @Jason said in OpenSource or free rouge device detection:

      web interface seems to be okay for Lan Marshal, Nmap is installed but doesn't seem to be running (and there for not scanning). Not sure if there is something else I need to do or what.

      Are you looking for rogue APs, or devices that are connected to your network that shouldn't be?

      Just devices on the network.

      1 Reply Last reply Reply Quote 0
      • art_of_shredA
        art_of_shred
        last edited by

        Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

        J scottalanmillerS 2 Replies Last reply Reply Quote 2
        • J
          Jason Banned @art_of_shred
          last edited by Jason

          @art_of_shred said in OpenSource or free rouge device detection:

          Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

          BAHAHAHAHAHAHAHA. Fixed it.

          1 Reply Last reply Reply Quote 1
          • dafyreD
            dafyre
            last edited by

            For "Just Devices" something like NetDisco is great... You can follow devices around the network. It records what switch and port a MAC address is seen on... and if the device ever shows up on a different network jack, it can record that too.

            I also just discovered phpipam (http://phpipam.net/)... It seems to be good at finding devices, but it doesn't track what switch port they're plugged into, etc...

            They have a demo available (http://phpipam.net/phpipam-demo/).

            PHPIPAM Screen shots...
            0_1474483460739_upload-c9cdb9b8-5151-4552-a921-2bbc5bb55d54

            0_1474483510920_upload-f29ad7c0-bdb5-4a3e-9ef4-81fa354ddc2c

            J 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @art_of_shred
              last edited by

              @art_of_shred said in OpenSource or free rogue device detection:

              Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

              I figured that they flagged red when in the interface.

              Green field, red devices. You know.

              art_of_shredA 1 Reply Last reply Reply Quote 0
              • art_of_shredA
                art_of_shred @scottalanmiller
                last edited by art_of_shred

                @scottalanmiller said in OpenSource or free rogue device detection:

                @art_of_shred said in OpenSource or free rogue device detection:

                Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

                I figured that they flagged red when in the interface.

                Green field, red devices. You know.

                Red/green: Must be confusing to the colorblind...

                I apologize for hijacking the thread. Please carry on.

                1 Reply Last reply Reply Quote 0
                • J
                  Jason Banned @dafyre
                  last edited by

                  @dafyre said in OpenSource or free rogue device detection:

                  NetDisco

                  Looks nice. Can either this or phpiam do email alerts? I'm not seeing that in the demos.

                  dafyreD 1 Reply Last reply Reply Quote 0
                  • dafyreD
                    dafyre @Jason
                    last edited by

                    @Jason said in OpenSource or free rogue device detection:

                    @dafyre said in OpenSource or free rogue device detection:

                    NetDisco

                    Looks nice. Can either this or phpiam do email alerts? I'm not seeing that in the demos.

                    It's been so long since I've used NetDisco, I can't remember. Let me go check phpIPAM real quick... * poof *

                    Okay, I'm back. It looks like phpIPAM can do email stuff. I don't know what all it can do, but it's worth a quick look. Setup is relatively straight forward.

                    1 Reply Last reply Reply Quote 0
                    • J
                      Jason Banned
                      last edited by

                      so with LanMarshal It's filtering down to Apple devices hence why it didn't work for me. I just need to figure out what to edit here.

                      #!/bin/sh
                      #
                      # This script extracts mobile devices from a Nmap scan. This version recognizes
                      # Apple devices.
                      # 
                      # copyright 2013 Artelsys.com
                      #
                      #
                      # Redistribution and use of this script, with or without modification, is
                      # permitted provided that the following conditions are met:
                      #
                      # 1. Redistributions of this script must retain the above copyright
                      #    notice, this list of conditions and the following disclaimer.
                      #
                      #  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
                      #  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
                      #  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
                      #  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
                      #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
                      #  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
                      #  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
                      #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
                      #  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
                      #  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                      
                      # Global constants and variables
                      dumpfile="/home/app/servers/dump.txt"
                      tempfile="/home/app/servers/temp.txt"
                      result="/home/app/servers/result.txt"
                      
                      
                      # It ...
                      #
                      function _extract_device() {
                      
                        # Extract relevant fields
                        MAC=$(grep -n -m 1 "MAC Address" $tempfile | awk -F " " '{print $3 }')
                        IP=$(grep -n -m 1 "Nmap scan report" $tempfile | awk -F " " '{print $5 }')
                        DEVICE=$(grep -n -m 1 "Device type:" $tempfile | awk -F " " '{print $3 " " $4 }')
                        OS=$(grep -n -m 1 "Running:" $tempfile | awk -F " " '{$1=""; print }')
                        OS_CPE=$(grep -n -m 1 "OS CPE:" $tempfile | awk -F " " '{$1=""; $2=""; print }')
                        OS_DETAILS=$(grep -n -m 1 "OS details:" $tempfile | awk -F " " '{$1=""; $2=""; print }')
                      
                        # Remove leading white spaces
                        OS=$(echo $OS | sed 's/^ *//g')
                        OS_CPE=$(echo $OS_CPE | sed 's/^ *//g')
                        OS_DETAILS=$(echo $OS_DETAILS | sed 's/^ *//g')
                      
                        echo "$MAC;$IP;$DEVICE;$OS;$OS_CPE;$OS_DETAILS" >> $result
                      }
                      
                      
                      # It ...
                      #
                      function _extract_block() {
                      
                        # Extract the block and copy it to
                        sed -n '/Nmap scan/,/Network Distance/p;/Network Distance/q' $dumpfile > $tempfile
                        lines=$(wc -l < $tempfile)
                        #sed q $tempfile
                        #echo "$lines lines have been extracted."
                      
                        # Delete the extracted block from input file
                        while [ $lines -gt 0 ]; do
                      	sed -i "1d" $dumpfile
                      	let lines=lines-1
                        done
                      
                        # Check if extracted device info matches 'iPhone OS'.
                        if grep -q 'iphone_os' $tempfile; then
                      	#echo 'Bingo!';
                      	_extract_device
                        fi
                      }
                      
                      # -----------------------------------------------------------------------------
                      # Main program
                      #
                      # -----------------------------------------------------------------------------
                      
                      # Delete file containing list of detected devices
                      if [ -e "$result" ]; then
                        rm $result
                      fi
                      touch $result
                      
                      # Clean up the file by removing the two first lines and the empty lines
                      sed -i '1,2d' $dumpfile
                      sed -i '/^$/d' $dumpfile
                      
                      # Extract the 'Nmap' blocks and store detected mobile into database
                      # echo "extracting Nmap blocks ..."
                      # Do until all the blocks are extracted
                      size=$(wc -l < $dumpfile)
                      while [ $size -gt 3 ]; do
                        _extract_block
                        size=$(wc -l < $dumpfile)
                      done
                      
                      exit 0
                      
                      dafyreD 1 Reply Last reply Reply Quote 0
                      • J
                        Jason Banned
                        last edited by

                        Changed

                        # Check if extracted device info matches 'iPhone OS'.
                        if grep -q 'iphone_os' $tempfile; then
                        #echo 'Bingo!';
                        _extract_device
                        

                        to we shall see if that does it.

                        Check if extracted device info matches 'iPhone OS'.

                         if grep -q '*' $tempfile; then
                        #echo 'Bingo!';
                        _extract_device
                        
                        1 Reply Last reply Reply Quote 0
                        • dafyreD
                          dafyre @Jason
                          last edited by

                          @Jason said in OpenSource or free rogue device detection:

                            if grep -q 'iphone_os' $tempfile; then
                          	#echo 'Bingo!';
                          	_extract_device
                            fi
                          

                          You could also try changing it to

                          	#echo 'Bingo!';
                          	_extract_device
                          
                          1 Reply Last reply Reply Quote 0
                          • T
                            tomV @stacksofplates
                            last edited by

                            @stacksofplates Per Alienvault 12/2016, it does not do rogue device detection and alerting. Yet, anyway seeing it is a major flaw in it being a USM.

                            1 Reply Last reply Reply Quote 0
                            • 1
                            • 2
                            • 2 / 2
                            • First post
                              Last post