On Wed, 6 Jan 2016 19:08:51 +0200 Tal Bar-Or tbaror@gmail.com wrote:
Hi Morten, I noticed that Arnold is working only if the VLAN seed DB is completed (in my case); the steps are as follows:
Feed usage categories for each net/VLAN; next, in the VLAN section, I am feeding each VLAN/network detected, and done. I noticed that the VLANs I am interested in quarantining are all detected as net type > core.
As Mattias mentioned, you may find that usage categories and organization are changed as ipdevpoll will try to parse this information from router port descriptions (see https://nav.uninett.no/wiki/subnetsandvlans for more info).
I don't see how this would affect Arnold, though, unless NAV somehow changes the mapping between VLAN tags and subnet addresses.
One of your screenshots depicts a predefined detention run, valid for VLANs 1, 2 and 15 (virus_alert). This means Arnold will only detain IP addresses within the known IP ranges for these VLAN tags.
Have you checked the logs of `start_arnold.py` to see what is logged when you feed it IP addresses from your virus checks? (Should be found in `/var/log/nav/arnold/start_arnold.log` on Debian).
The settings stay for a while; after some time it is back to the status prior to the DB feed, with no VLAN/IP association.
What type of router do you have routing these VLANs?
I intend to expand the features and send events from our firewall's IPS (Snort) and execute arnold_trigger upon pre-configured event rules.
Maybe it's time to give back to the community. I am willing to share my project if someone is interested; I can upload it to GitHub or whatever.
I'm sure this could be useful for others as well. Contributions to the community are awesome :)
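The check Morten describes, that a predefined detention run only acts on addresses inside the known prefixes of its VLANs, as an added illustration that is not part of the thread or of NAV's own code: the VLAN-to-prefix table and the IPs fed in are constructed sample data, and the profile's VLAN list (1, 2, 15) is taken from the screenshot mentioned above.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of the VLAN -> prefix knowledge NAV would hold (not real data).
VLAN_PREFIXES: Dict[int, List[str]] = {
    1: ["10.0.1.0/24"],
    2: ["10.0.2.0/24", "10.0.3.0/24"],
    15: ["10.0.15.0/24"],
    100: ["10.0.100.0/24"],  # known VLAN, but not covered by the detention profile
}

# The predefined detention run from the thread: valid for VLANs 1, 2 and 15.
VIRUS_ALERT_PROFILE_VLANS = {1, 2, 15}


def vlan_for_ip(ip: str, prefixes: Dict[int, List[str]] = VLAN_PREFIXES) -> Optional[int]:
    """Return the VLAN tag whose prefix contains `ip`, or None if no prefix is known."""
    addr = ipaddress.ip_address(ip)
    for vlan, nets in prefixes.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return vlan
    return None


def detention_decision(ip: str, profile_vlans=VIRUS_ALERT_PROFILE_VLANS,
                       prefixes=VLAN_PREFIXES) -> Tuple[bool, str]:
    """Decide whether an address fed to the run would be acted on, with the reason.

    Covers the two failure modes discussed in the thread: the address falls in a
    subnet with no VLAN association (seed data missing or reverted), or it falls
    in a VLAN the predefined detention profile does not include.
    """
    try:
        vlan = vlan_for_ip(ip, prefixes)
    except ValueError:
        return False, f"{ip}: not a valid IP address"
    if vlan is None:
        return False, f"{ip}: no VLAN/prefix association known (check vlan/prefix seed data)"
    if vlan not in profile_vlans:
        return False, f"{ip}: VLAN {vlan} is not in the detention profile {sorted(profile_vlans)}"
    return True, f"{ip}: VLAN {vlan} eligible, would be detained"


def triage_feed(ips: List[str]) -> Dict[str, Tuple[bool, str]]:
    """Run the decision over a batch of addresses, e.g. source IPs from IPS alerts."""
    return {ip: detention_decision(ip) for ip in ips}


if __name__ == "__main__":
    for ok, why in triage_feed(["10.0.2.77", "10.0.100.5", "192.0.2.9"]).values():
        print("DETAIN" if ok else "SKIP  ", why)
```

Running the triage over the addresses a detection feed produces, before handing them to start_arnold.py, shows the same skip reasons one would otherwise have to dig out of start_arnold.log.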