|
2/9/2009 2:01:48 PM
|
Tim Richter Posts 5
|
Anyone Else doing some custom reporting or scripting using Beacon?
I wrote a couple of Perl scripts that take the output of Malware/Trojan Alarm Triggers from our Dragon IDS systems, query Beacon via a standard HTTPS connection, and produce a nice spreadsheet report with switch/port/user info for ease of scanning and cleaning devices...
Attached is a "sanitized" version of the report. The actual report has all the valid info such as real IP/MAC/User, but it should give you a pretty good idea of what it does.
Attachments:
DragonReport-Malware.xls
|
|
2/9/2009 2:09:54 PM
|
abeats Posts 5
|
Tim, this is impressive. You've managed to "correlate" data from an IDS, with location/endpoint data from Beacon, into a single resource (xls file) - and then actually use the script to email the xls file to yourself (or anyone else for that matter). I've been working with numerous IDS customers who are reliant on Beacon's endpoint location/history data, but have not been able to easily correlate this data into a single resource (they typically view two consoles: one is the IDS console, and the other is Beacon). And another really cool aspect of your scripting effort is that you used a standard HTTP call to get the required data from Beacon. Can you share a few more details about how you connected to Beacon and grabbed the required data? Thanks, man! :--)
|
|
2/9/2009 6:48:32 PM
|
Tim Richter Posts 5
|
*** Disclaimer: I am not a professional Perl programmer, so there may be a more efficient way to do this ***
The main script uses a Perl module called LWP::UserAgent to make the HTTPS call.
It makes the HTTPS call to our Beacon server, just as you would in a regular browser.
Originally, I had coded it in case you wanted to use different usernames/passwords for different systems, but it would be quite easy to code it to 1 account and password.
This way, I don't have to monkey around with the Database back end or any special mojo, just the typical user interface you normally use.
Here is the Perl Routine I use to get the page from Beacon:
use LWP::UserAgent;
use HTTP::Request;

our(@webUser) = ( 'username' );   # These are the users to try to connect to the web interface with.
our(@webPass) = ( 'password' );   # These are the passwords to try to connect to the web interface with.
my($host) = 'IP-ADDRESS-OF-BEACON-SERVER';

### Setup the Beacon URL
### $sip below is passed to the script from the Dragon IDS System
my($file) = "beacon/search.php?mode=search&trace=t&mac=&mac_vendor=&cidr=$sip&endpoint=&authname=";

GETWEB: {
    # Looping through the user list.
    $size1 = @webUser;
    for ($i = 0; $i < $size1; $i++) {
        # Looping through the password list.
        $size2 = @webPass;
        for ($j = 0; $j < $size2; $j++) {
            # Attempting to get the page from the web interface.
            my $ua = LWP::UserAgent->new;
            $ua->timeout(8);
            $ua->agent("Mozilla/8.0");   # pretend we are a very capable browser
            my $req = HTTP::Request->new(GET => "https://$host/$file");
            $req->authorization_basic("$webUser[$i]", "$webPass[$j]");
            my $res = $ua->request($req);
            if ($res->is_success) {
                $page = $res->as_string;   # full response, headers included
                undef($wissues);
            } else {
                print "Failed: ", $res->status_line, "\n";
                $wissues = $res->status_line;
                $wissues = "Https Error: $wissues";
                $page = $res->status_line;
            }
            # Checking if Auth Failed.
            if ($page =~ m/401 Authorization Required/i) {
                print("$webUser[$i]:$webPass[$j] FAILED");
                $badpw = 'badpw';
                next;
            } elsif (length($page) > 0) {
                $user   = $webUser[$i];
                $pass   = $j;
                $badpw  = 'no';
                $gotWeb = 'yes';
                last;
            }
        }   # End of password loop.
        # Blowing out of this loop also if I $gotWeb.
        if ($gotWeb eq 'yes') { last; }
    }   # End of user loop.
}
After I get the web page, the script goes on to chop out all the info I want, puts into an array, and then writes it out to a nice .XLS Spreadsheet after collecting all the info from the different hosts infected with Malware.
|
|
2/10/2009 7:58:06 PM
|
Eric Winch Posts 6
|
Hey Tim, this is a great script to have in the tool chest. The opportunity to have 'automated' notification that correlates a Dragon incident with location information is a great enhancement to security related events.
Is it possible to share any implementation recommendations for running this script? i.e. crontab?
Thank you for sharing this with everyone.
Eric
|
|
2/12/2009 9:32:42 AM
|
Tim Richter Posts 5
|
On the Dragon EMS, I created the following script and then set up an Alarm which calls the script and passes the info I want to it:
#!/usr/bin/perl
#
# Script to send info to tracker log on Rita
#
print "@ARGV\n";
# Fields handed over by the Dragon alarm: date, time, source IP, alarm name
($date, $time, $sip, $name) = @ARGV;
system("/usr/bin/ssh", "USERNAME\@HOST", "echo $date,$time,$sip,$name >> tracker.log");
exit;
Basically, all this does is transfer the info to a central log on a different host so I don't have to use resources on my EMS server to create my reports.
As far as running the main script, I'm currently running it manually, but a simple crontab entry would be ideal for a daily/weekly/whatever report.
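The two scripts in this thread (the Dragon alarm hook that appends `date,time,sip,name` lines to tracker.log, and the Beacon query that fetches `beacon/search.php?...&cidr=$sip...` with HTTP basic auth and then builds a report) can be put together as one pipeline. The following is an added example in Python, not Tim's Perl and not Enterasys code: it reads a constructed tracker.log, validates each source IP before it is used anywhere, builds the Beacon search URL with proper query escaping, checks the HTTP status code instead of pattern-matching "401 Authorization Required" in the body, and writes a CSV report. The host name, the credentials, the sample alarm lines and the `FakeBeacon` stand-in server (so it runs offline) are all assumptions; the real Beacon page layout is not known here, so the page body is just carried into the last report column.

```python
"""Added example: Dragon tracker.log -> Beacon lookup -> CSV report.
Hypothetical rework of the thread's scripts; host, credentials, log lines and
the FakeBeacon stand-in are constructed for the example."""
import base64
import csv
import io
import ipaddress
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of tracker.log as written by the Dragon alarm script:
# date,time,source IP,alarm name (one line per alarm; last line is malformed).
SAMPLE_TRACKER_LOG = """\
2009-02-09,13:55:02,10.1.2.3,MALWARE:ZEUS-CHECKIN
2009-02-09,13:57:41,10.1.2.3,MALWARE:ZEUS-CHECKIN
2009-02-09,14:01:10,10.1.9.77,TROJAN:GENERIC-BEACON
2009-02-09,14:02:00,not-an-ip,MALWARE:BOGUS
"""


def parse_tracker_log(text):
    """One record per distinct source IP, counting repeated alarms as hits.
    Lines with a malformed IP are dropped: the fields come from an alarm and
    are later placed into a URL, so they are validated before use."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split(",", 3)
        if len(parts) != 4:
            continue
        date, time, sip, name = (p.strip() for p in parts)
        try:
            ipaddress.ip_address(sip)
        except ValueError:
            continue
        rec = seen.setdefault(sip, {"date": date, "time": time, "sip": sip,
                                    "name": name, "hits": 0})
        rec["hits"] += 1
    return list(seen.values())


def beacon_search_url(host, sip):
    """Same search.php query as the thread, but urlencode escapes the value
    instead of interpolating it straight into the query string."""
    params = {"mode": "search", "trace": "t", "mac": "", "mac_vendor": "",
              "cidr": sip, "endpoint": "", "authname": ""}
    return f"https://{host}/beacon/search.php?{urllib.parse.urlencode(params)}"


def fetch_beacon_page(url, user, password, opener=None, timeout=8):
    """GET the page with HTTP basic auth. Returns (body, None) on success or
    (None, reason) on failure; a 401 is recognised by its status code."""
    opener = opener or urllib.request.build_opener()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace"), None
    except urllib.error.HTTPError as e:
        return None, f"Https Error: {e.code} {e.reason}"
    except (urllib.error.URLError, TimeoutError) as e:
        return None, f"Https Error: {e}"


def build_report(records, lookup):
    """CSV text with one row per infected host; the last column holds the
    Beacon page (or the error) returned by lookup(sip)."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["date", "time", "source_ip", "alarm", "hits", "beacon"])
    for r in records:
        body, err = lookup(r["sip"])
        w.writerow([r["date"], r["time"], r["sip"], r["name"], r["hits"], err or body])
    return out.getvalue()


class FakeBeacon:
    """Constructed stand-in for the Beacon web interface so the example runs
    offline: one accepted credential pair, 401 for anything else."""

    def __init__(self, user="username", password="password"):
        self.ok = base64.b64encode(f"{user}:{password}".encode()).decode()

    def open(self, req, timeout=None):
        if req.get_header("Authorization") != f"Basic {self.ok}":
            raise urllib.error.HTTPError(req.full_url, 401, "Authorization Required", {}, None)
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
        cidr = query["cidr"][0]
        return io.BytesIO(f"<html>switch=sw1 port=12 ip={cidr}</html>".encode())


if __name__ == "__main__":
    beacon = FakeBeacon()  # replace with urllib.request.build_opener() for a real server
    recs = parse_tracker_log(SAMPLE_TRACKER_LOG)
    print(build_report(recs, lambda sip: fetch_beacon_page(
        beacon_search_url("beacon.example", sip), "username", "password", opener=beacon)))
```

Passing the opener in as a parameter is what lets the same functions be exercised against the stand-in here and against the real server from a cron job; the IP validation step is the one place where the free-text alarm fields are checked before being handed to another system.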
|
|