Open-AudIT
https://www.open-audit.org/phpBB3/

E-Mail alert when Nmap finds unknown devices?
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6586
Page 1 of 1

Author:  username123 [ Thu Feb 09, 2017 1:33 am ]
Post subject:  E-Mail alert when Nmap finds unknown devices?

Hi everyone,


I've been looking for a specific feature in OpenAudIT Enterprise which I haven't found yet and I'd like to know if there is any way to achieve what I want.

Since OAE scans my network every 60 minutes, would it be possible for it to notify me whenever it finds a device which it hasn't seen before? Once I have inventoried all our devices, every device that is found is something not under our control and therefor not authorized to use the network. Except, of course, I add a new device myself, then I could just ignore the alert.

At the moment I'm using the Reports feature that gives me all devices found within the last 24 hours, but I get that only once a day, and most of the time it's empty anyway - it would be great if it only came when there were any actual results.

Thank you!

Author:  Mark [ Fri Feb 10, 2017 10:10 am ]
Post subject:  Re: E-Mail alert when Nmap finds unknown devices?

Interesting post and good thoughts. Thanks for posting. Stuff like this makes me think and improves the product!

To answer your questions, though...

I think you're doing all that can be done at the moment. You could write a report for only Unknown Devices and run it. Scratch that - the query definition is below. Menu -> Admin -> Queries -> Import Query to get it into Open-AudIT.

Only having it email if it has contents is not currently possible - sorry. I've made a note to think about this sort of thing for a future release. Thanks for the idea.

[code]<?xml version="1.0" encoding="ISO-8859-1"?>
<report>
<details>
<report_name>Unknown Devices</report_name>
<report_description>Icon, name, ip address, first seen, last seen, last seen by.</report_description>
<report_display_in_menu>y</report_display_in_menu>
<report_sql><![CDATA[SELECT system.id AS `system.id`, system.icon AS `system.icon`, system.type AS `system.type`, system.name AS `system.name`, system.domain AS `system.domain`, system.ip AS `system.ip`, system.first_seen AS `system.first_seen`, system.last_seen AS `system.last_seen`, system.last_seen_by AS `system.last_seen_by`, system.os_family AS `system.os_family` FROM system LEFT JOIN oa_group_sys ON (oa_group_sys.system_id = system.id) WHERE oa_group_sys.group_id = @group AND system.type = 'unknown' GROUP BY system.id ORDER BY system.name]]></report_sql>
<report_view_file>v_report</report_view_file>
<report_view_contents></report_view_contents>
<report_processing></report_processing>
<report_sort_column>0</report_sort_column>
</details>
<columns>
<column>
<id>207</id>
<column_order>1</column_order>
<column_name>Icon</column_name>
<column_variable>system.icon</column_variable>
<column_type>image</column_type>
<column_link></column_link>
<column_secondary>system.os_family</column_secondary>
<column_ternary></column_ternary>
<column_align>center</column_align>
</column>
<column>
<id>208</id>
<column_order>2</column_order>
<column_name>Device Name</column_name>
<column_variable>system.name</column_variable>
<column_type>link</column_type>
<column_link>/devices/</column_link>
<column_secondary>system.id</column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
<column>
<id>209</id>
<column_order>3</column_order>
<column_name>Type</column_name>
<column_variable>system.type</column_variable>
<column_type>text</column_type>
<column_link></column_link>
<column_secondary></column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
<column>
<id>210</id>
<column_order>4</column_order>
<column_name>IP Address</column_name>
<column_variable>system.ip</column_variable>
<column_type>ip_address</column_type>
<column_link></column_link>
<column_secondary></column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
<column>
<id>211</id>
<column_order>5</column_order>
<column_name>Manufacturer</column_name>
<column_variable>system.first_seen</column_variable>
<column_type>text</column_type>
<column_link></column_link>
<column_secondary></column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
<column>
<id>212</id>
<column_order>6</column_order>
<column_name>Model</column_name>
<column_variable>system.last_seen</column_variable>
<column_type>text</column_type>
<column_link></column_link>
<column_secondary></column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
<column>
<id>213</id>
<column_order>7</column_order>
<column_name>Serial</column_name>
<column_variable>system.last_seen_by</column_variable>
<column_type>text</column_type>
<column_link></column_link>
<column_secondary></column_secondary>
<column_ternary></column_ternary>
<column_align>left</column_align>
</column>
</columns>
</report>[/code]

EDIT - Fixed query as per JPA's suggestion below.

Author:  username123 [ Mon Feb 13, 2017 11:14 pm ]
Post subject:  Re: E-Mail alert when Nmap finds unknown devices?

Hi Mark,

thanks a lot for getting back to me personally and even supplying me with a query! :)
However, the query gives me a PHP Error - see attached screenshot. I'm running the NMIS appliance VM. Any idea what I could do about it?

Thank you!

Attachments:
2017-02-13 14_13_23-Unknown Devices.png
2017-02-13 14_13_23-Unknown Devices.png [ 26.79 KiB | Viewed 7491 times ]

Author:  jpa [ Tue Feb 14, 2017 3:16 am ]
Post subject:  Re: E-Mail alert when Nmap finds unknown devices?

Add os_family to the SELECT query as in (no guarantees, not tested):[code]<report_sql><![CDATA[SELECT system.id AS `system.id`, system.icon AS `system.icon`, system.type AS `system.type`, system.name AS `system.name`, system.domain AS `system.domain`, system.ip AS `system.ip`, system.os_family AS `system.os_family`, system.first_seen AS `system.first_seen`, system.last_seen AS `system.last_seen`, system.last_seen_by AS `system.last_seen_by` FROM system LEFT JOIN oa_group_sys ON (oa_group_sys.system_id = system.id) WHERE oa_group_sys.group_id = @group AND system.type = 'unknown' GROUP BY system.id ORDER BY system.name]]></report_sql>[/code]

Author:  Mark [ Tue Feb 14, 2017 8:59 am ]
Post subject:  Re: E-Mail alert when Nmap finds unknown devices?

Apologies username123. Thanks JPA. Query updated above.

Page 1 of 1 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/