Open-AudIT

 Post subject: audits over vpn
PostPosted: Mon Jan 04, 2016 6:34 pm 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
Hey,

We have openAudit running over a site-to-site vpn. However, when we do this, we get false-positives; a device on *every* IP address in the subnet. The addresses where there is actually a device display the correct information. The other 200 IPs show as 'type unknown'.

Any way you could point me in the right direction as to where to look?

Thanks,

vanderheyde


 Post subject: Re: audits over vpn
PostPosted: Tue Jan 05, 2016 4:36 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
How are you doing the subnet audit? OpenAudit Enterprise or one of the subnet scripts? The subnet scripts use nmap which doesn't return MAC data with cross-subnet audits which causes problems. You should try running the subnet audit scripts from a machine in each of your subnets. If you're using OpenAudit Enterprise I'm not sure what it's doing.


 Post subject: Re: audits over vpn
PostPosted: Thu Jan 07, 2016 7:11 pm 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
I'm using OpenAudit Enterprise... But if there is no MAC data on those IPs, how can not returning any of it be an issue?

And how would I go about using a script to do it?


thanks :)


 Post subject: Re: audits over vpn
PostPosted: Fri Jan 08, 2016 2:30 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Since you're using Open Audit Enterprise I'm not sure what is going on as I don't know exactly how it operates. Someone on the Opmantek team should be able to help you.

A scripted audit would use the audit scripts that come with OpenAudit (discover_subnet, audit_subnet) to discover and audit a subnet. Maybe Enterprise does this already. I'm not sure.


 Post subject: Re: audits over vpn
PostPosted: Sat Jan 09, 2016 12:41 am 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
I've installed a local server on one of the sites and was able to scan those correctly.

It seems that it's just tripping over the VPN.


 Post subject: Re: audits over vpn
PostPosted: Sun Jan 10, 2016 4:16 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Try running an nmap scan from the local Open-AudIT server against an address you know has nothing responding on it like below and posting the results.
[code]nmap -v -sn -n -T4 REMOTE_IP_ADDRESS[/code]

_________________
Support and Development hours available from [url=https://opmantek.com]Opmantek[/url].
Please consider a purchase to help make Open-AudIT better for everyone.


 Post subject: Re: audits over vpn
PostPosted: Mon Jan 11, 2016 8:39 pm 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
Sent from the server at this office over the vpn. It also shows up as an 'unknown type' on the server.
[code]Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:23 CET
Initiating Ping Scan at 11:23
Scanning 192.168.15.7 [4 ports]
Completed Ping Scan at 11:23, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.15.7 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.01 seconds
Raw packets sent: 8 (304B) | Rcvd: 0 (0B)
[/code]

Sent from the server at the remote subnet. Doesn't show up in openAudit:
[code]Starting Nmap 6.00 ( http://nmap.org ) at 2016-01-11 11:24 CET
Initiating ARP Ping Scan at 11:24
Scanning 192.168.15.7 [1 port]
Completed ARP Ping Scan at 11:24, 0.40s elapsed (1 total hosts)
Nmap scan report for 192.168.15.7 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.41 seconds
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
[/code]
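
The two outputs above reach the same "host down" verdict by different discovery methods: across the VPN nmap sends its routed ping probes (`[4 ports]`), while on the local segment it uses an ARP ping, the only case in which it can also report a MAC address. The following is an added example, not part of the thread or of Open-AudIT, that reduces each output to the fields worth comparing; the function names are constructed and the sample lines are copied from the two posted outputs.

```shell
#!/bin/sh
# Added example: reduce `nmap -v -sn` output to the fields that matter when
# comparing a scan from each end of the VPN. Function names are constructed.

# Read nmap output on stdin; print "host|method|probes|status|sent|rcvd".
summarise_nmap() {
    awk '
        /^Initiating .*Scan at /        { method = $0; sub(/^Initiating /, "", method); sub(/ at .*/, "", method) }
        /^Scanning .*\[[0-9]+ ports?\]/ { probes = $0; sub(/.*\[/, "", probes); sub(/ .*/, "", probes) }
        /^Nmap scan report for /        { host = $5; status = ($0 ~ /\[host down\]/) ? "down" : "up" }
        /Raw packets sent:/             { sent = $4; rcvd = $8 }
        END { print host "|" method "|" probes "|" status "|" sent "|" rcvd }
    '
}

# Print field N (1-based) of a summary line.
field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }

# Compare two summaries: same verdict? same discovery method?
compare_scans() {
    if [ "$(field "$1" 4)" = "$(field "$2" 4)" ]; then v="same-verdict"; else v="different-verdict"; fi
    if [ "$(field "$1" 2)" = "$(field "$2" 2)" ]; then m="same-method"; else m="different-method"; fi
    echo "$v $m"
}

# Lines copied from the two outputs posted above.
vpn_output='Initiating Ping Scan at 11:23
Scanning 192.168.15.7 [4 ports]
Nmap scan report for 192.168.15.7 [host down]
Raw packets sent: 8 (304B) | Rcvd: 0 (0B)'

local_output='Initiating ARP Ping Scan at 11:24
Scanning 192.168.15.7 [1 port]
Nmap scan report for 192.168.15.7 [host down]
Raw packets sent: 2 (56B) | Rcvd: 0 (0B)'

over_vpn=$(printf '%s\n' "$vpn_output" | summarise_nmap)
local_subnet=$(printf '%s\n' "$local_output" | summarise_nmap)

echo "$over_vpn"
echo "$local_subnet"
compare_scans "$over_vpn" "$local_subnet"
```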


 Post subject: Re: audits over vpn
PostPosted: Thu Jan 14, 2016 7:32 am 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
Any idea what could be the cause (or solution) of this? Or any idea for a work-around? All I can come up with is putting an open-audit server on each site (over a dozen). Not very fond of that idea...


 Post subject: Re: audits over vpn
PostPosted: Fri Jan 15, 2016 7:49 am 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
So here's the workaround I got:

Install an open-Audit server on each site with a VPN connection to my open-audit server. On each server, the SQL database of my open-audit server is being used, so each site writes to the same database. Then, I can still check the data on one central server, and won't have to work with 12 different DNS entries.

Then, configure the cronjob on each server, so they all discover & audit their own subnet. Of course, if I need to make changes to this, I'll have to do them on each individual server. It's still a step up from having to switch between 12 'websites' to get an overview.

I've given it a quick proof of concept today, and it seemed to work fine from one site. I don't expect any issues if I add more.


 Post subject: Re: audits over vpn
PostPosted: Fri Jan 15, 2016 9:28 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I really don't know what the Enterprise scan version of OpenAudit does but this seems like overkill for fixing the problem. Until Mark and Opmantek help you with the Enterprise scanning stuff I would use the discover_subnet and audit_subnet scripts available in the other directory to do your discovery. You'll need a server in each subnet with nmap installed and scheduled running of the audit scripts which have been configured with the correct options and paths to upload to your central OpenAudit server.

After review I notice that the [url=https://community.opmantek.com/display/OA/How+to+audit+a+subnet+using+a+script]documentation states that Enterprise calls[/url] the audit_subnet script. My copy of audit_subnet.vbs from 1.8.4 is broken. The write_log function at the end of the script is missing an "end if" which means the script fails. Maybe this is causing the problem.


 Post subject: Re: audits over vpn
PostPosted: Sat Jan 16, 2016 1:04 am 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
[quote="jpa"]I really don't know what the Enterprise scan version of OpenAudit does but this seems like overkill for fixing the problem. Until Mark and Opmantek help you with the Enterprise scanning stuff I would use the discover_subnet and audit_subnet scripts available in the other directory to do your discovery. You'll need a server in each subnet with nmap installed and scheduled running of the audit scripts which have been configured with the correct options and paths to upload to your central OpenAudit server.

After review I notice that the [url=https://community.opmantek.com/display/OA/How+to+audit+a+subnet+using+a+script]documentation states that Enterprise calls[/url] the audit_subnet script. My copy of audit_subnet.vbs from 1.8.4 is broken. The write_log function at the end of the script is missing an "end if" which means the script fails. Maybe this is causing the problem.
[/quote]

That does sound like a cleaner solution... Thanks, I'm implementing it this way :)

 Post subject: Re: audits over vpn
PostPosted: Tue Jan 19, 2016 1:54 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
[quote]The write_log function at the end of the script is missing an "end if" which means the script fails.[/quote]

Thanks JPA - fixed for next release.

If the returning results are the same (and they appear to be), then I'm unsure why it would appear for one and not the other. The source of the scan is irrelevant. I know I audit across a device to subnet VPN every day and it works as intended. That's not a subnet to subnet VPN though. But the returning data is what matters and that appears to be the same. Very weird. Try running the below from both ends of the VPN and seeing if the resulting file is different between them. Apart from the timestamps it should be the same.
[code]cscript audit_subnet.vbs create_file=y submit_online=n subnet=192.168.15.7[/code]



 Post subject: Re: audits over vpn
PostPosted: Wed Jan 20, 2016 3:03 am 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
I'm getting the 'unknown' types now on the local server as well. I have no idea why I didn't before. Nothing has changed.

I'll try that command when I get to work tomorrow.


 Post subject: Re: audits over vpn
PostPosted: Wed Jan 20, 2016 6:38 pm 
Newbie

Joined: Fri Dec 25, 2015 1:56 am
Posts: 28
Getting an error on this script too:

[code]audit_subnet.sh: 90: [: n: unexpected operator
audit_subnet.sh: 148: audit_subnet.sh: Syntax error: "(" unexpected
[/code]

Could you please share the fixed cron script? I *think* the issue started to arise after I scheduled the cronjob (or that was just a coincidence, I have no idea anymore at this point).


 Post subject: Re: audits over vpn
PostPosted: Thu Jan 21, 2016 5:45 am 
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
I don't do Unix but you need to check which shell you're running the script with. Looks like it doesn't support brackets.
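
The two errors quoted in this exchange have the form a POSIX `sh` such as dash prints for bash-only syntax (`==` inside `[ ]`, and arrays or other `(` constructs), and cron runs its jobs with `/bin/sh` unless told otherwise. The following is an added example, not part of the thread or of Open-AudIT, that reports a script's shebang and flags those constructs; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Open-AudIT code: flag bash-only syntax that a POSIX sh
# such as dash rejects. Function names and the sample script are constructed.

# Print the interpreter named on the script's shebang line (empty if none).
script_shell() {
    sed -n '1s/^#![[:space:]]*//p' "$1"
}

# Print "LINE:KIND" for each line that uses a construct plain sh lacks.
check_bashisms() {
    awk '
        /^[ \t]*#/ { next }    # skip comments and the shebang
        {
            if ($0 ~ /\[\[ /) print NR ":double-bracket"
            else if ($0 ~ /\[ / && index($0, " == ")) print NR ":double-equals-in-test"
            if ($0 ~ /^[ \t]*function[ \t]/) print NR ":function-keyword"
            if ($0 ~ /[A-Za-z0-9_]=\(/) print NR ":array-assignment"
        }
    ' "$1"
}

# Succeed when the script is not pinned to bash yet contains bash-only syntax.
will_break_under_sh() {
    case "$(script_shell "$1")" in
        *bash*) return 1 ;;
    esac
    [ -n "$(check_bashisms "$1")" ]
}

sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#!/bin/sh
# constructed sample, not the real audit_subnet.sh
submit_online="n"
if [ "$submit_online" == "y" ]; then
    echo "submitting"
fi
hosts=(192.168.15.7 192.168.15.8)
EOF

check_bashisms "$sample"
will_break_under_sh "$sample" && echo "run it with bash, or rewrite these lines for sh"
```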

