|
1/28/2009 8:28:18 AM
|
Eric Winch Posts 6
|
I'm profiling devices on my network which include Apple products such as MacBooks, iPhones and iPods. I've noticed that the Vendor Class field is (null), which makes it difficult to profile these devices using the common DHCP method.
What are recommendations to profile Apple products?
|
|
1/28/2009 8:53:01 AM
|
Andy Saltmarsh Posts 2
|
You are correct that most Apple products use a "null" in the Vendor Class field; therefore that parameter can't be used by Beacon to Profile Apple endpoints. There may be other information in the DHCP requests that Beacon has seen, for example the DHCP Options list. You could use the Options list along with the MAC Vendor ID in an Advanced rule, similar to this example:
<Rule name="Apple PC">
  <RuleEntity entity="Mac OS" cf="0.45"/>
  <AND>
    <Vendor vendor="/^Apple/i"/>
    <DHCPReqOptions option-list="/^1,3,6,15,112,113,78,79,95/"/>
  </AND>
</Rule>
Another field that could be used in Profiling Apple endpoints is the DHCP Hostname, if available.
|
|
1/28/2009 10:22:15 AM
|
Eric Winch Posts 6
|
Andy, this is great. This advanced rule profiled many of my users; however, I still have a lot of them lurking in the unknown profile. We have since added a SPAN to internal web servers, which allowed us to use User Agent data to move from Unknown to Apple User profile. We are also considering adding a SPAN to our external internet interface to capture more User Agent data for those users who may or may not attach to internal servers.
|
|
2/1/2009 7:35:06 AM
|
spettit Posts 4
|
Eric, I believe adding User Agents will be a big leap forward in Profiling Apple devices. Hopefully you'll check back and post your findings.
Regarding DHCP information, I was recently made aware of this site which might be some help:
link
I looked quickly and there are some Apple devices cataloged there.
|
|
2/1/2009 5:53:43 PM
|
Eric Winch Posts 6
|
Hi Steve, you are absolutely correct. User Agent greatly increased the certainty levels of my Apple device profiling. Further, I reviewed the link you sent and created the below profile for iPhones. We have effectively increased the certainty level and profiled 'more' Apple iPhone devices based on the various option lists we look at, versus the single option list I had initially implemented.
<Rule name="Apple iPhone">
  <RuleEntity entity="Apple iPhone" cf="0.80"/>
  <AND>
    <Vendor vendor="/^Apple/i"/>
    <DHCPHost name="/iPhone/i"/>
    <OR>
      <DHCPOptions option-list="/^53,55,57,61,50,51,12/"/>
      <DHCPOptions option-list="/^53,55,57,61,51/"/>
      <DHCPOptions option-list="/^53,55,57,61,51,1/"/>
      <DHCPOptions option-list="/^53,55,57,61,50,51/"/>
      <DHCPOptions option-list="/^53,55,57,61,50,54,12/"/>
      <DHCPOptions option-list="/^1,3,6,15,119,252/"/>
      <DHCPOptions option-list="/^1,3,6,15,119,252/"/>
    </OR>
  </AND>
</Rule>
|
|
2/2/2009 7:40:56 PM
|
spettit Posts 4
|
Eric,
Good stuff. Would you mind posting some of the User Agents you found as well? I think we've got most/all of them, but you never know with software updates and new hardware coming out all the time.
|
|
2/3/2009 8:39:13 AM
|
Andy Saltmarsh Posts 2
|
Eric, please be aware that in your current Advanced rule you are utilizing "AND" statements; the rule for your User Agent has been added to the Profile, therefore this Profile has two rules. The two rules are "ORed" when considering Profiling an Endpoint into this Profile, which is fine as long as you understand that an endpoint could be classified into this profile based on just the "User Agent" rule or the Advanced rule. If you meant to have this rule as an "AND" statement, then the rule would have to be added to the Advanced rule.
|
|
2/3/2009 8:31:33 PM
|
Eric Winch Posts 6
|
Hi Andy, This is a great point. Our thought was to keep this as an OR. The reason is that we've noted not all devices (for example: iPhones) will have the word iPhone in the host name. Since it's more difficult to interfere with the user agent string, we can give a higher confidence factor for user agent detection.
On another note, we've applied the same concepts for iPhones to iPods. This has also resulted in a significant increase of detected iPods.
<Rule name="Apple iPod">
  <RuleEntity entity="Apple iPod" cf="0.80"/>
  <AND>
    <Vendor vendor="/^Apple/i"/>
    <DHCPHost name="/iPod/i"/>
    <OR>
      <DHCPReqOptions option-list="/^1,3,6,15,119,252/"/>
      <DHCPReqOptions option-list="/^53,55,57,61,50,5/"/>
      <DHCPReqOptions option-list="/^53,55,57,61,50,51,12/"/>
      <DHCPReqOptions option-list="/^53,55,57,61,50,54/"/>
      <DHCPReqOptions option-list="/^53,55,57,61,50,54,12/"/>
      <DHCPOptions option-list="/^53,55,57,61,50,51,12,255/"/>
    </OR>
  </AND>
</Rule>
We're making further considerations to deal with Apple MAC OS detections.
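An added example, not part of the original thread and not Beacon's own code: a small Python evaluator for the nested AND/OR rule structure posted above, run against constructed endpoint records. The mapping of rule elements to endpoint fields and the handling of the "/pattern/flags" regex notation are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# iPod rule from the thread, trimmed to two of its option lists.
RULE_XML = """
<Rule name="Apple iPod">
  <RuleEntity entity="Apple iPod" cf="0.80"/>
  <AND>
    <Vendor vendor="/^Apple/i"/>
    <DHCPHost name="/iPod/i"/>
    <OR>
      <DHCPReqOptions option-list="/^1,3,6,15,119,252/"/>
      <DHCPReqOptions option-list="/^53,55,57,61,50,5/"/>
    </OR>
  </AND>
</Rule>
"""

# Assumed mapping of rule elements to endpoint fields (not vendor documentation).
FIELDS = {"Vendor": "vendor", "DHCPHost": "dhcp_host",
          "DHCPReqOptions": "req_options", "DHCPOptions": "options"}

def _regex(literal):
    """Compile a '/pattern/flags' literal; only the 'i' flag is handled."""
    body, _, flags = literal[1:].rpartition("/")
    return re.compile(body, re.I if "i" in flags else 0)

def _match(node, endpoint):
    """Evaluate one AND, OR or leaf condition against an endpoint record."""
    if node.tag == "AND":
        return all(_match(child, endpoint) for child in node)
    if node.tag == "OR":
        return any(_match(child, endpoint) for child in node)
    pattern = _regex(next(iter(node.attrib.values())))
    return bool(pattern.search(endpoint.get(FIELDS[node.tag]) or ""))

def evaluate(rule_xml, endpoint):
    """Return (entity, cf) when the rule matches the endpoint, else None."""
    rule = ET.fromstring(rule_xml)
    entity = rule.find("RuleEntity")
    conditions = [child for child in rule if child.tag != "RuleEntity"]
    if all(_match(cond, endpoint) for cond in conditions):
        return entity.get("entity"), float(entity.get("cf"))
    return None

# Constructed endpoint observations (not captured traffic).
NAMED = {"vendor": "Apple, Inc.", "dhcp_host": "Erics-iPod", "req_options": "1,3,6,15,119,252"}
RENAMED = dict(NAMED, dhcp_host="music-player")           # hostname without "iPod"
LONGER = dict(NAMED, req_options="1,3,6,15,119,252,44")   # list extends the prefix
```

`evaluate(RULE_XML, RENAMED)` returns `None` because the hostname test sits inside the AND, while `LONGER` still matches because the option-list patterns are anchored only at the start.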
|
|