pricesla.blogg.se

Wireshark mac address of source

I am looking for a way to extract the MAC address from the header of packets that triggered alerts in the past 24 hours. Unfortunately sometimes these machines are not online anymore, or their DHCP lease has expired, and I need to verify that the past alerts came from a specific MAC address so I avoid blacklisting a computer that just happened to get that IP lease after the offending computer disconnected. It is my understanding that Security Onion stores no packets unless a pcap is triggered via Wireshark or Sguil.

Is there any way to link the MAC address of a local IP to an alert automatically, or store a sample of packets from each local IP triggering an alert? If not, is there somewhere that this packet header data is stored on the server? I know the obvious answer is to lengthen the lease time on my DHCP server, but we don't want to do that because we have a huge turnover in devices (we may get 1000 new, unique devices in 12 hours on a busy day on our network).

This may not be possible, depending on how your network is arranged and where your sensor is listening. Consider: the MAC address in the L2 header of a packet will be that of the interface from which it last came. This means that unless your network is completely flat, with no routers except for those to the outside, the MAC address will belong to the last-hop router's interface on the network you have installed your sensor on.

Perhaps you are not aware that Security Onion stores ALL packets that its sensors see, not just the ones from an alert, unless it is prevented from doing so by a BPF filter. This means that you have access to all the traffic for an IP address that traversed the interface your sensor is listening to. Your sentence beginning "It is my understanding that Security Onion stores no packets..." indicates that you have an incomplete understanding of this and you need to read up a bit more.

Also, you should be able to configure your DHCP server so that it logs all leases and associations, providing a time-based record of who gets what IP address when.
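The workflow the reply points at, written out as an added example that is not part of the thread and is not Security Onion's own code: read the sensor's full packet capture, collect the L2 source MACs seen on frames from the alert's IP around the alert time, treat a MAC that belongs to the sensor-side router as "the capture cannot answer", and in that case fall back to the DHCP server's lease log to see who held the IP at that moment. The libpcap parser is hand-rolled (microsecond pcap, Ethernet link type, optional 802.1Q tag; pcapng is not handled), the capture and the dhcpd-style syslog lines are constructed here, and the router MAC, the `±window` seconds and `LOG_YEAR` are assumptions.

```python
"""Attribute an alert's source IP to a MAC: full packet capture first, DHCP lease log as fallback."""
import re
import socket
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag inserts 4 bytes before the real ethertype


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_pcap(packets):
    """Serialise (unix_ts, src_mac, dst_mac, src_ip, dst_ip) into a little-endian
    libpcap file with link type 1 (Ethernet). Only used to construct sample input;
    on a sensor you would read the capture files written by full packet capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src_mac, dst_mac, src_ip, dst_ip in packets:
        payload = b"\x00" * 8
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                             socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
        frame = (_mac_bytes(dst_mac) + _mac_bytes(src_mac)
                 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload)
        out += struct.pack("<IIII", int(ts), 0, len(frame), len(frame)) + frame
    return out


def iter_ipv4_packets(pcap):
    """Yield (unix_ts, src_mac, src_ip, dst_ip) for each IPv4 frame in a libpcap
    file. Byte order comes from the magic; 802.1Q-tagged frames are unwrapped."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue
        src_mac = _mac_str(frame[6:12])         # L2 source: host or last-hop router
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
            continue
        yield (ts_sec + ts_usec / 1e6, src_mac,
               socket.inet_ntoa(frame[l3 + 12:l3 + 16]), socket.inet_ntoa(frame[l3 + 16:l3 + 20]))


def source_macs_for_ip(pcap, ip, start, end):
    """Distinct L2 source MACs on frames from `ip` with start <= ts <= end."""
    return sorted({mac for ts, mac, src, _ in iter_ipv4_packets(pcap) if src == ip and start <= ts <= end})


DHCPACK_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")
LOG_YEAR = 2024   # assumption: the syslog prefix carries no year


def mac_from_lease_log(lines, ip, at_ts):
    """MAC that most recently got a DHCPACK for `ip` at or before at_ts, else None.
    Assumes ISC-dhcpd-style syslog lines in UTC; lease expiry and DHCPRELEASE are
    not modelled, so a long-expired ACK can still be returned."""
    best = None
    for line in lines:
        m = DHCPACK_RE.match(line)
        if not m or m.group(2) != ip:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S") \
            .replace(tzinfo=timezone.utc).timestamp()
        if ts <= at_ts and (best is None or ts > best[0]):
            best = (ts, m.group(3))
    return best[1] if best else None


def attribute_alert(pcap, lease_lines, alert_ip, alert_ts, router_macs, window=300):
    """Capture first; if every MAC seen is a router's (sensor on another segment),
    the L2 header cannot identify the host, so use the DHCP lease log instead."""
    macs = source_macs_for_ip(pcap, alert_ip, alert_ts - window, alert_ts + window)
    host_macs = [m for m in macs if m not in router_macs]
    if host_macs:
        return {"source": "pcap", "mac": host_macs[0], "candidates": macs}
    return {"source": "dhcp", "mac": mac_from_lease_log(lease_lines, alert_ip, alert_ts),
            "candidates": macs}


# ---- constructed sample data (assumptions, not from the thread) ----
ROUTER_MACS = {"00:00:5e:00:01:01"}             # the router interface the sensor sees
T0 = int(datetime(2024, 3, 13, 10, 0, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = build_pcap([
    (T0 - 60,   "3c:52:82:aa:bb:01", "00:00:5e:00:01:01", "10.0.0.5", "198.51.100.7"),  # laptop A
    (T0 + 3600, "3c:52:82:aa:bb:02", "00:00:5e:00:01:01", "10.0.0.5", "198.51.100.7"),  # IP re-leased to B
    (T0 + 30,   "00:00:5e:00:01:01", "52:54:00:12:34:56", "10.0.0.9", "198.51.100.7"),  # host behind the router
])
SAMPLE_LEASES = [
    "Mar 13 09:50:00 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 3c:52:82:aa:bb:09 (lab-pc) via eth0",
    "Mar 13 09:55:00 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 3c:52:82:aa:bb:01 (laptop-a) via eth0",
    "Mar 13 10:40:00 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 3c:52:82:aa:bb:02 (laptop-b) via eth0",
    "Mar 13 10:45:00 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 3c:52:82:aa:bb:10 (other) via eth0",
]

if __name__ == "__main__":
    print(attribute_alert(SAMPLE_PCAP, SAMPLE_LEASES, "10.0.0.5", T0, ROUTER_MACS))        # answered from pcap
    print(attribute_alert(SAMPLE_PCAP, SAMPLE_LEASES, "10.0.0.9", T0, ROUTER_MACS))        # router MAC only: falls back to DHCP
```

The `candidates` list is returned deliberately: if two non-router MACs show up for one IP inside the window, the IP changed hands right around the alert and neither should be blacklisted on this evidence alone. Narrow `window`, or tie it to the DHCP lease length, before trusting a single answer.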
