    OpenSource or free rogue device detection

    IT Discussion
    30 Posts 10 Posters 4.3k Views
    • J
      Jason Banned
      last edited by

      Web interface seems to be okay for Lan Marshal; Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

      dafyreD 1 Reply Last reply Reply Quote 0
      • dafyreD
        dafyre @Jason
        last edited by

        @Jason said in OpenSource or free rouge device detection:

        Web interface seems to be okay for Lan Marshal; Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

        Are you looking for rogue APs, or devices that are connected to your network that shouldn't be?

        J 1 Reply Last reply Reply Quote 0
        • J
          Jason Banned @dafyre
          last edited by

          @dafyre said in OpenSource or free rouge device detection:

          @Jason said in OpenSource or free rouge device detection:

          Web interface seems to be okay for Lan Marshal; Nmap is installed but doesn't seem to be running (and therefore not scanning). Not sure if there is something else I need to do or what.

          Are you looking for rogue APs, or devices that are connected to your network that shouldn't be?

          Just devices on the network.

          1 Reply Last reply Reply Quote 0
          • art_of_shredA
            art_of_shred
            last edited by

            Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

            J scottalanmillerS 2 Replies Last reply Reply Quote 2
            • J
              Jason Banned @art_of_shred
              last edited by Jason

              @art_of_shred said in OpenSource or free rouge device detection:

              Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

              BAHAHAHAHAHAHAHA. Fixed it.

              1 Reply Last reply Reply Quote 1
              • dafyreD
                dafyre
                last edited by

                For "Just Devices" something like NetDisco is great... You can follow devices around the network. It records what switch and port a MAC address is seen on... and if the device ever shows up on a different network jack, it can record that too.

                I also just discovered phpipam (http://phpipam.net/)... It seems to be good at finding devices, but it doesn't track what switch port they're plugged into, etc...

                They have a demo available (http://phpipam.net/phpipam-demo/).

                phpIPAM screenshots (two images, not preserved in this extract)

                J 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @art_of_shred
                  last edited by

                  @art_of_shred said in OpenSource or free rogue device detection:

                  Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

                  I figured that they flagged red when in the interface.

                  Green field, red devices. You know.

                  art_of_shredA 1 Reply Last reply Reply Quote 0
                  • art_of_shredA
                    art_of_shred @scottalanmiller
                    last edited by art_of_shred

                    @scottalanmiller said in OpenSource or free rogue device detection:

                    @art_of_shred said in OpenSource or free rogue device detection:

                    Out of curiosity, are we filtering for red devices (rouge) or things that don't belong (rogue)?

                    I figured that they flagged red when in the interface.

                    Green field, red devices. You know.

                    Red/green: Must be confusing to the colorblind...

                    I apologize for hijacking the thread. Please carry on.

                    1 Reply Last reply Reply Quote 0
                    • J
                      Jason Banned @dafyre
                      last edited by

                      @dafyre said in OpenSource or free rogue device detection:

                      NetDisco

                      Looks nice. Can either this or phpipam do email alerts? I'm not seeing that in the demos.

                      dafyreD 1 Reply Last reply Reply Quote 0
                      • dafyreD
                        dafyre @Jason
                        last edited by

                        @Jason said in OpenSource or free rogue device detection:

                        @dafyre said in OpenSource or free rogue device detection:

                        NetDisco

                        Looks nice. Can either this or phpipam do email alerts? I'm not seeing that in the demos.

                        It's been so long since I've used NetDisco, I can't remember. Let me go check phpIPAM real quick... * poof *

                        Okay, I'm back. It looks like phpIPAM can do email stuff. I don't know what all it can do, but it's worth a quick look. Setup is relatively straightforward.

                        1 Reply Last reply Reply Quote 0
                        • J
                          Jason Banned
                          last edited by

                          So with LanMarshal it's filtering down to Apple devices, hence why it didn't work for me. I just need to figure out what to edit here.

                          #!/bin/sh
                          #
                          # This script extracts mobile devices from a Nmap scan. This version recognizes
                          # Apple devices.
                          #
                          # copyright 2013 Artelsys.com
                          #
                          #
                          # Redistribution and use of this script, with or without modification, is
                          # permitted provided that the following conditions are met:
                          #
                          # 1. Redistributions of this script must retain the above copyright
                          #    notice, this list of conditions and the following disclaimer.
                          #
                          #  THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
                          #  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
                          #  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
                          #  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
                          #  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
                          #  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
                          #  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
                          #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
                          #  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
                          #  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

                          # Global constants and variables
                          # dumpfile: raw output of an Nmap scan run with OS detection, consumed one
                          # host block at a time; result: one semicolon-separated line per matched host
                          dumpfile="/home/app/servers/dump.txt"
                          tempfile="/home/app/servers/temp.txt"
                          result="/home/app/servers/result.txt"


                          # Pull the MAC, IP and OS-detection fields out of the single host block held
                          # in $tempfile and append them to $result as one record.
                          _extract_device() {

                            # Extract relevant fields (first matching line of each kind)
                            MAC=$(grep -m 1 "MAC Address" "$tempfile" | awk '{print $3}')
                            # The report line is "Nmap scan report for <ip>" or
                            # "Nmap scan report for <hostname> (<ip>)"; take the last field and strip
                            # the parentheses so the IP is recorded in both cases
                            IP=$(grep -m 1 "Nmap scan report" "$tempfile" | awk '{print $NF}' | tr -d '()')
                            DEVICE=$(grep -m 1 "Device type:" "$tempfile" | awk '{print $3 " " $4}')
                            OS=$(grep -m 1 "Running:" "$tempfile" | awk '{$1=""; print}')
                            OS_CPE=$(grep -m 1 "OS CPE:" "$tempfile" | awk '{$1=""; $2=""; print}')
                            OS_DETAILS=$(grep -m 1 "OS details:" "$tempfile" | awk '{$1=""; $2=""; print}')

                            # Remove the leading white space left behind by blanking the awk fields
                            OS=$(echo "$OS" | sed 's/^ *//')
                            OS_CPE=$(echo "$OS_CPE" | sed 's/^ *//')
                            OS_DETAILS=$(echo "$OS_DETAILS" | sed 's/^ *//')

                            echo "$MAC;$IP;$DEVICE;$OS;$OS_CPE;$OS_DETAILS" >> "$result"
                          }


                          # Cut the next host block (from "Nmap scan" up to "Network Distance") out of
                          # $dumpfile into $tempfile, then hand it to _extract_device if it looks like
                          # an Apple device. Returns 1 when no block is left, so the caller can stop.
                          _extract_block() {

                            # Extract the block and copy it to the temporary file
                            sed -n '/Nmap scan/,/Network Distance/p;/Network Distance/q' "$dumpfile" > "$tempfile"
                            lines=$(wc -l < "$tempfile")
                            #echo "$lines lines have been extracted."

                            # Nothing extracted: no "Nmap scan" line remains, so stop here rather
                            # than spin forever on leftover lines
                            if [ "$lines" -eq 0 ]; then
                              return 1
                            fi

                            # Delete the extracted block from the input file
                            sed -i "1,${lines}d" "$dumpfile"

                            # Check if extracted device info matches 'iPhone OS' (the OS CPE line
                            # contains 'iphone_os' for Apple phones and tablets)
                            if grep -q 'iphone_os' "$tempfile"; then
                              #echo 'Bingo!';
                              _extract_device
                            fi
                            return 0
                          }

                          # -----------------------------------------------------------------------------
                          # Main program
                          #
                          # -----------------------------------------------------------------------------

                          # Delete the file containing the list of detected devices and start afresh
                          rm -f "$result"
                          touch "$result"

                          # Clean up the file by removing the two first lines and the empty lines
                          sed -i '1,2d' "$dumpfile"
                          sed -i '/^$/d' "$dumpfile"

                          # Extract the 'Nmap' blocks one at a time and store detected mobiles
                          # Do until all the blocks are extracted (only the short trailer remains)
                          size=$(wc -l < "$dumpfile")
                          while [ "$size" -gt 3 ]; do
                            _extract_block || break
                            size=$(wc -l < "$dumpfile")
                          done

                          exit 0
                          
                          dafyreD 1 Reply Last reply Reply Quote 0
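                          The block below is an added example for this thread; it is not the script above and not code from LanMarshal, Nmap, NetDisco or phpIPAM. It parses the same Nmap normal-output host blocks that the shell script consumes, but splits on the "Nmap scan report" header instead of stopping at "Network Distance", so a host whose OS detection produced no distance line is still kept rather than swallowing the rest of the file. It then does the check this thread is really after (dafyre's "devices that shouldn't be there" and Jason's email-alert question): the MACs seen in the scan are compared against a known-device inventory and the unknown ones are turned into alert text that a mail job could send. The scan text, the inventory, every MAC, IP and hostname in it are constructed for the example.

```python
"""Added example: parse Nmap normal output and diff the MACs seen against an
inventory of known devices. Sample scan and inventory are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Dict, Tuple

# Constructed sample of `nmap -O` normal output. The third host was scanned
# across a router, so Nmap reports no MAC line for it.
SAMPLE_SCAN = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-21 14:00 EDT
Nmap scan report for 192.168.1.10
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Apple)
Device type: phone|media device
Running: Apple iOS 4.X|5.X|6.X
OS CPE: cpe:/o:apple:iphone_os:4 cpe:/o:apple:iphone_os:5
OS details: Apple iOS 4.4.2 - 6.1 (Darwin 11.0.0 - 13.0.0)
Network Distance: 1 hop

Nmap scan report for printer.example (192.168.1.20)
Host is up (0.0030s latency).
MAC Address: AA:BB:CC:DD:EE:FF (Constructed Vendor)
Device type: printer
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32
Network Distance: 1 hop

Nmap scan report for 10.0.0.5
Host is up (0.010s latency).
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.10

Nmap done: 3 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

# Constructed inventory of approved devices, keyed by MAC address.
KNOWN_DEVICES: Dict[str, str] = {"AA:BB:CC:DD:EE:FF": "lobby printer"}


@dataclass
class Host:
    ip: str
    hostname: Optional[str]
    mac: Optional[str]
    vendor: Optional[str]
    device_type: Optional[str]
    running: Optional[str]
    os_cpe: Optional[str]
    os_details: Optional[str]


# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
_REPORT = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))\s*$", re.M)
_MAC = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?", re.M)


def _field(block: str, label: str) -> Optional[str]:
    """Value after a 'Label:' line, or None when the line is absent."""
    m = re.search(r"^" + re.escape(label) + r"\s*(.*)$", block, re.M)
    return m.group(1).strip() if m else None


def parse_nmap_normal(text: str) -> List[Host]:
    """Split the output on report headers; each header owns the text up to the next one."""
    hosts: List[Host] = []
    heads = list(_REPORT.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[m.end():end]
        mac_m = _MAC.search(block)
        hosts.append(Host(
            ip=m.group("ip1") or m.group("ip2"),
            hostname=m.group("name"),
            mac=mac_m.group("mac").upper() if mac_m else None,
            vendor=mac_m.group("vendor") if mac_m else None,
            device_type=_field(block, "Device type:"),
            running=_field(block, "Running:"),
            os_cpe=_field(block, "OS CPE:"),
            os_details=_field(block, "OS details:"),
        ))
    return hosts


def filter_by_cpe(hosts: List[Host], needle: str) -> List[Host]:
    """Same selection as the thread script's grep for 'iphone_os', on parsed records."""
    return [h for h in hosts if h.os_cpe and needle in h.os_cpe]


def find_unknown(hosts: List[Host], known: Dict[str, str]) -> Tuple[List[Host], List[Host]]:
    """Hosts whose MAC is not in the inventory, and hosts with no MAC at all
    (scanned across a router, so a MAC check cannot vouch for them)."""
    unknown = [h for h in hosts if h.mac is not None and h.mac not in known]
    no_mac = [h for h in hosts if h.mac is None]
    return unknown, no_mac


def format_alert(unknown: List[Host], no_mac: List[Host]) -> str:
    """Plain-text body for an alert mail; one line per finding."""
    lines = [f"UNKNOWN {h.mac} ({h.vendor or 'unknown vendor'}) at {h.ip}: "
             f"{h.device_type or '?'} / {h.os_details or '?'}" for h in unknown]
    lines += [f"NO-MAC  {h.ip}: scanned across a router, verify via switch or ARP table"
              for h in no_mac]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_SCAN)
    print(format_alert(*find_unknown(found, KNOWN_DEVICES)))
```

                          Run it as-is to see the alert text for the constructed scan; in practice `SAMPLE_SCAN` is replaced by the contents of the Nmap dump file and `format_alert`'s output becomes the body of the mail sent with `smtplib`. Keep the inventory keyed by MAC rather than IP, since DHCP moves addresses around while MACs follow the device, which is the same reason NetDisco tracks MAC-to-port as mentioned earlier in the thread.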
                          • J
                            Jason Banned
                            last edited by

                            Changed

                            # Check if extracted device info matches 'iPhone OS'.
                            if grep -q 'iphone_os' $tempfile; then
                              #echo 'Bingo!';
                              _extract_device

                            to; we shall see if that does it.

                            # Check if extracted device info matches 'iPhone OS'.
                            if grep -q '*' $tempfile; then
                              #echo 'Bingo!';
                              _extract_device

                            1 Reply Last reply Reply Quote 0
                            • dafyreD
                              dafyre @Jason
                              last edited by

                              @Jason said in OpenSource or free rogue device detection:

                                if grep -q 'iphone_os' $tempfile; then
                              	#echo 'Bingo!';
                              	_extract_device
                                fi
                              

                              You could also try changing it to

                              	#echo 'Bingo!';
                              	_extract_device
                              
                              1 Reply Last reply Reply Quote 0
                              • T
                                tomV @stacksofplates
                                last edited by

                                @stacksofplates Per Alienvault 12/2016, it does not do rogue device detection and alerting. Yet, anyway seeing it is a major flaw in it being a USM.

                                1 Reply Last reply Reply Quote 0