Open-AudIT
http://www.open-audit.org/phpBB3/

audits over vpn
http://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6484
Page 1 of 2

Author:  vanderheyde [ Mon Jan 04, 2016 6:34 pm ]
Post subject:  audits over vpn

Hey,

We have openAudit running over a site-to-site vpn. However, when we do this, we get false-positives; a device on *every* IP address in the subnet. The addresses where there is actually a device display the correct information. The other 200 IPs show as 'type unknown'.

Any way you could point me in the right direction as to where to look?

Thanks,

vanderheyde

Author:  jpa [ Tue Jan 05, 2016 4:36 am ]
Post subject:  Re: audits over vpn

How are you doing the subnet audit? OpenAudit Enterprise or one of the subnet scripts? The subnet scripts use nmap which doesn't return MAC data with cross-subnet audits which causes problems. You should try running the subnet audit scripts from a machine in each of your subnets. If you're using OpenAudit Enterprise I'm not sure what it's doing.

Author:  vanderheyde [ Thu Jan 07, 2016 7:11 pm ]
Post subject:  Re: audits over vpn

I'm using OpenAudit Enterprise... But if there is no mac data on those IPs, how can not returning any of it be an issue?

And how would I go about using a script to do it?

Thanks :)

Author:  jpa [ Fri Jan 08, 2016 2:30 am ]
Post subject:  Re: audits over vpn

Since you're using Open Audit Enterprise I'm not sure what is going on as I don't know exactly how it operates. Someone on the Opmantek team should be able to help you.

A scripted audit would use the audit scripts that come with OpenAudit (discover_subnet, audit_subnet) to discover and audit a subnet. Maybe Enterprise does this already. I'm not sure.

Author:  vanderheyde [ Sat Jan 09, 2016 12:41 am ]
Post subject:  Re: audits over vpn

I've installed a local server on one of the sites and was able to scan those correctly.

It seems that it's just tripping over the VPN.

Author:  Mark [ Sun Jan 10, 2016 4:16 pm ]
Post subject:  Re: audits over vpn

Try running an nmap scan from the local Open-AudIT server against an address you know has nothing responding on it like below and posting the results.
Code:
nmap -v -sn -n -T4 REMOTE_IP_ADDRESS

Author:  vanderheyde [ Mon Jan 11, 2016 8:39 pm ]
Post subject:  Re: audits over vpn

Sent from the server at this office over the vpn. It also shows up as an 'unknown type' on the server.
Code:
Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:23 CET
Initiating Ping Scan at 11:23
Scanning 192.168.15.7 [4 ports]
Completed Ping Scan at 11:23, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.15.7 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

Sent from the server at the remote subnet. Doesn't show up in openAudit:
Code:
Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:24 CET
Initiating ARP Ping Scan at 11:24
Scanning 192.168.15.7 [1 port]
Completed ARP Ping Scan at 11:24, 0.40s elapsed (1 total hosts)
Nmap scan report for 192.168.15.7 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.41 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
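
The two reports above differ in one line that matters: "Initiating ARP Ping Scan" versus "Initiating Ping Scan [4 ports]". On the same L2 segment nmap discovers hosts with ARP and can report a MAC address; across a routed path such as a site-to-site VPN it has to use IP-level probes (ICMP echo and timestamp, TCP SYN to 443, TCP ACK to 80 are nmap's four defaults) and can never learn a MAC, which is the cross-subnet gap jpa mentioned. The POSIX shell below is an added example, not from this thread or from Open-AudIT; it parses nmap -sn output of this shape and says which discovery method was in play. The sample reports are constructed from the output posted above, with a made-up MAC address for the on-link case.

```shell
#!/bin/sh
# Added example (not from the thread or Open-AudIT): classify an "nmap -sn"
# report by the discovery method nmap chose. ARP ping = same L2 segment and a
# MAC can be reported; "Ping Scan [4 ports]" = routed path, IP probes only,
# no MAC possible. Sample reports are constructed, not real scan output.

ROUTED_REPORT='Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:23 CET
Initiating Ping Scan at 11:23
Scanning 192.168.15.7 [4 ports]
Completed Ping Scan at 11:23, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.15.7 [host down]
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds'

# On-link scan of a host that answered; the MAC value is invented.
ONLINK_REPORT='Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:24 CET
Initiating ARP Ping Scan at 11:24
Scanning 192.168.15.9 [1 port]
Completed ARP Ping Scan at 11:24, 0.40s elapsed (1 total hosts)
Nmap scan report for 192.168.15.9
Host is up (0.00050s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds'

# discovery_method REPORT -> "arp" (on-link) or "ip" (routed probes)
discovery_method() {
    if printf '%s\n' "$1" | grep -q '^Initiating ARP Ping Scan'; then
        echo arp
    else
        echo ip
    fi
}

# host_state REPORT -> "up", "down" or "unknown"
host_state() {
    if printf '%s\n' "$1" | grep -q '^Host is up'; then
        echo up
    elif printf '%s\n' "$1" | grep -q '\[host down\]'; then
        echo down
    else
        echo unknown
    fi
}

# mac_address REPORT -> MAC string from the "MAC Address:" line, or "none"
mac_address() {
    mac=$(printf '%s\n' "$1" | sed -n 's/^MAC Address: \([0-9A-Fa-f:]*\).*/\1/p')
    [ -n "$mac" ] && echo "$mac" || echo none
}

# summarize REPORT -> one line a defender can act on
summarize() {
    method=$(discovery_method "$1")
    state=$(host_state "$1")
    mac=$(mac_address "$1")
    if [ "$method" = arp ]; then
        echo "on-link ARP discovery: host $state, MAC $mac"
    elif [ "$state" = down ]; then
        echo "routed IP-probe discovery: no reply (host absent or probes filtered); MAC cannot be learned across a router"
    else
        echo "routed IP-probe discovery: host $state; MAC cannot be learned across a router"
    fi
}

summarize "$ROUTED_REPORT"
summarize "$ONLINK_REPORT"
```

Both of vanderheyde's reports classify as "down", so the scanner sees the same thing from both ends; the difference between the two runs is only how nmap got there, which is why a tool that keys off MAC data behaves differently on-link and over the VPN.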

Author:  vanderheyde [ Thu Jan 14, 2016 7:32 am ]
Post subject:  Re: audits over vpn

Any idea what could be the cause (or solution) of this? Or any idea for a work-around? All I can come up with is putting an open-audit server on each site (over a dozen). Not very fond of that idea...

Author:  vanderheyde [ Fri Jan 15, 2016 7:49 am ]
Post subject:  Re: audits over vpn

So here's the workaround I got:

Install an open-Audit server on each site with a VPN connection to my open-audit server. On each server, the SQL database of my open-audit server is being used, so each site writes to the same database. Then, I can still check the data on one central server, and won't have to work with 12 different DNS entries.

Then, configure the cronjob on each server, so they all discover & audit their own subnet. Of course, if I need to make changes to this, I'll have to do them on each individual server. It's still a step up from having to switch between 12 'websites' to get an overview.

I've given it a quick proof of concept today, and it seemed to work fine from one site. I don't expect any issues if I add more.

Author:  jpa [ Fri Jan 15, 2016 9:28 am ]
Post subject:  Re: audits over vpn

I really don't know what the Enterprise scan version of OpenAudit does but this seems like overkill for fixing the problem. Until Mark and Opmantek help you with the Enterprise scanning stuff I would use the discover_subnet and audit_subnet scripts available in the other directory to do your discovery. You'll need a server in each subnet with nmap installed and scheduled running of the audit scripts which have been configured with the correct options and paths to upload to your central OpenAudit server.

After review I notice that the documentation states that Enterprise calls the audit_subnet script. My copy of audit_subnet.vbs from 1.8.4 is broken. The write_log function at the end of the script is missing an "end if" which means the script fails. Maybe this is causing the problem.

Author:  vanderheyde [ Sat Jan 16, 2016 1:04 am ]
Post subject:  Re: audits over vpn

jpa wrote:
I really don't know what the Enterprise scan version of OpenAudit does but this seems like overkill for fixing the problem. Until Mark and Opmantek help you with the Enterprise scanning stuff I would use the discover_subnet and audit_subnet scripts available in the other directory to do your discovery. You'll need a server in each subnet with nmap installed and scheduled running of the audit scripts which have been configured with the correct options and paths to upload to your central OpenAudit server.

After review I notice that the documentation states that Enterprise calls the audit_subnet script. My copy of audit_subnet.vbs from 1.8.4 is broken. The write_log function at the end of the script is missing an "end if" which means the script fails. Maybe this is causing the problem.

That does sound like a cleaner solution... Thanks, I'm implementing it this way :)

Author:  Mark [ Tue Jan 19, 2016 1:54 pm ]
Post subject:  Re: audits over vpn

Quote:
The write_log function at the end of the script is missing an "end if" which means the script fails.

Thanks JPA - fixed for next release.

If the returning results are the same (and they appear to be), then I'm unsure why it would appear for one and not the other. The source of the scan is irrelevant. I know I audit across a device to subnet VPN every day and it works as intended. That's not a subnet to subnet VPN though. But the returning data is what matters and that appears to be the same. Very weird. Try running the below from both ends of the VPN and seeing if the resulting file is different between them. Apart from the timestamps it should be the same.
Code:
cscript audit_subnet.vbs create_file=y submit_online=n subnet=192.168.15.7

Author:  vanderheyde [ Wed Jan 20, 2016 3:03 am ]
Post subject:  Re: audits over vpn

I'm getting the 'unknown' types now on the local server as well. I have no idea why I didn't before. Nothing has changed.

I'll try that command when I get to work tomorrow.

Author:  vanderheyde [ Wed Jan 20, 2016 6:38 pm ]
Post subject:  Re: audits over vpn

Getting an error on this script too:

audit_subnet.sh: 90: [: n: unexpected operator
audit_subnet.sh: 148: audit_subnet.sh: Syntax error: "(" unexpected

Could you please share the fixed cron script? I *think* the issue started to arise after I scheduled the cronjob (or that was just a coincidence, I have no idea anymore at this point).

Author:  jpa [ Thu Jan 21, 2016 5:45 am ]
Post subject:  Re: audits over vpn

I don't do Unix but you need to check which shell you're running the script with. Looks like it doesn't support brackets.
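
The two messages quoted above are the ones dash (the /bin/sh on Debian and Ubuntu) prints for bash-only syntax: "[: n: unexpected operator" is what a test like `[ "$x" == "n" ]` produces, because POSIX test only knows `=`, and 'Syntax error: "(" unexpected' is what `function name() {` definitions or `arr=(...)` array assignments produce. Which constructs lines 90 and 148 of audit_subnet.sh actually contain is an assumption here; the script itself is not on this page. The POSIX shell below is an added example, not from the thread or the Open-AudIT project: it greps a script for those three patterns and rewrites the two that have a portable form, so you can decide between invoking the script under bash explicitly and making it POSIX-clean. The sample script is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Open-AudIT): find the bash-only
# constructs that make dash fail with the two messages quoted in the thread,
# and rewrite the ones that have a POSIX equivalent. The sample script is
# constructed; it is not audit_subnet.sh.

SAMPLE_SCRIPT='#!/bin/sh
submit_online=n
if [ $submit_online == "n" ]; then
    echo "not submitting"
fi
function write_log() {
    echo "$1" >> audit.log
}
hosts=(192.168.15.7 192.168.15.9)'

# One ERE with three alternatives:
#   1. "==" inside a [ ... ] test          -> "[: n: unexpected operator"
#   2. "function name" definitions          -> 'Syntax error: "(" unexpected'
#   3. "name=(" array assignments           -> 'Syntax error: "(" unexpected'
BASHISM_RE='\[[^]]*[^=!]==[^]]*]|^[[:space:]]*function[[:space:]]+[A-Za-z_]|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=\('

# count_bashisms SCRIPT_TEXT -> number of lines using bash-only syntax
count_bashisms() {
    printf '%s\n' "$1" | grep -c -E "$BASHISM_RE" || true
}

# list_bashisms SCRIPT_TEXT -> "LINE:TEXT" for each offending line
list_bashisms() {
    printf '%s\n' "$1" | grep -n -E "$BASHISM_RE" || true
}

# portable_rewrite SCRIPT_TEXT -> script with "==" in tests changed to "=" and
# "function name()" changed to "name()". Arrays have no POSIX form, so those
# lines are left alone for a manual rewrite (a space-separated string, or one
# host per line piped through a while-read loop).
portable_rewrite() {
    printf '%s\n' "$1" | sed \
        -e 's/\(\[[^]]*\)==\([^]]*]\)/\1=\2/' \
        -e 's/^\([[:space:]]*\)function[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*()/\1\2()/'
}

echo "bashisms found: $(count_bashisms "$SAMPLE_SCRIPT")"
list_bashisms "$SAMPLE_SCRIPT"
echo "--- after rewrite (array line still needs a manual fix) ---"
portable_rewrite "$SAMPLE_SCRIPT"
```

The other way round is just as valid when you do not own the script: run it as `bash audit_subnet.sh` (or fix the shebang to `#!/bin/bash`) instead of `sh audit_subnet.sh`, which is the check jpa is pointing at. A cron entry that calls `sh script.sh` on a Debian-family box gets dash, whatever the shebang says.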

All times are UTC + 10 hours