Hello and happy holidays all,
I have an issue with the Arnold feature: there are some IPs that are not getting into the quarantine profile, while others in the same VLAN do get into the quarantine profile. When I try to put the same problematic IPs into manual quarantine, they are not found; on the other hand, when using the Machine Tracker feature I am able to track down the switch port and change the VLAN assignment. Any idea how to sync between the main NAV DB and the Arnold DB, or did I miss some configuration? Please advise. Thanks
Hello!
The reason you may see results in Machine Tracker and not in Arnold is that Arnold has some rules for where not to detain. For instance it will not do anything with a trunk or on a GSW.
The logs should have more information about why no results were displayed.
If you want to allow detaining on GSW types, you can edit the 'allowtypes' in arnold.conf.
On 31 Dec 2015 13:26, Tal Bar-Or wrote:
Hi,
Thanks for the answer. I noticed that when I update the VLAN section under the Seed Database with details such as VLAN numbers, organization, etc., the quarantine works perfectly, but after a while, for a reason I don't know yet (maybe a bug), all the details I populated vanish again and Arnold quarantine doesn't work again until it is re-updated, and so forth. Any idea? Thanks
On Tue, Jan 5, 2016 at 10:09 AM, John Magne Bredal <john.m.bredal@uninett.no> wrote:
--
John Magne Bredal
john.m.bredal@uninett.no
+4791897366
Abels gt. 5 - Teknobyen, NO-7465 Trondheim
On Tue, 5 Jan 2016 20:45:33 +0200 Tal Bar-Or tbaror@gmail.com wrote:
Hi Tal,
could you please provide some more details on the exact steps you are taking here, so that we could form some idea of what's going on?
How are you using Arnold to quarantine hosts, what are your quarantine VLANs, and what details are you changing in SeedDB?
Hi Morten,
I noticed that Arnold works only if the VLAN seed DB is completed (in my case). The steps are as follows: feed usage categories for each net/VLAN; next, in the VLAN section, feed each VLAN/network detected, and done. I noticed that the VLANs I am interested in quarantining are all detected as net type > core. The settings stay for a while; after some time it is back to the status prior to the DB feed, with no VLAN/IP association.
As for Arnold host quarantine, I wrote a TCP client/server in Python v 3.44. I turned the client into an exe and attached it to each Windows machine using an event trigger in case of a Symantec infection (it can be set to any other event). The event trigger executes the client, which sends the event over SSL, and the server executes start_arnold. I intend to expand the features and send events from our firewall's IPS (Snort) and execute arnold_trigger upon pre-configured event rules.
Maybe it's time to give back to the community; I am willing to share my project if someone is interested. I can upload it to GitHub or whatever. Thanks
On Wed, Jan 6, 2016 at 3:35 PM, Morten Brekkevold <morten.brekkevold@uninett.no> wrote:
-- Morten Brekkevold UNINETT
Hi! It looks like the same problem that we have here. It's the firewall that doesn't send any info via SNMP (IF-MIB::ifAlias), so all info in SeedDB --> VLAN is removed/destroyed.
The subject of my communication with Morten was "NAV and VLAN with Virtualized firewall". But much of that was private mail, so as not to show how our internal network looks. But maybe you can start by looking at the info coming from the firewall that's modifying the info in SeedDB, in case there is some problem there.
Regards, Mattias
From: "Tal Bar-Or" tbaror@gmail.com
To: "Morten Brekkevold" morten.brekkevold@uninett.no
Cc: "John Magne Bredal" john.m.bredal@uninett.no, "nav-users" nav-users@uninett.no
Sent: Wednesday, 6 Jan 2016 19:08:51
Subject: Re: Arnold IP not found
On Wed, 6 Jan 2016 19:08:51 +0200 Tal Bar-Or tbaror@gmail.com wrote:
> Hi Morten, I noticed that Arnold works only if the VLAN seed DB is completed (in my case). The steps are as follows:
> Feed usage categories for each net/VLAN; next, in the VLAN section, feed each VLAN/network detected, and done. I noticed that the VLANs I am interested in quarantining are all detected as net type > core.
As Mattias mentioned, you may find that usage categories and organization are changed as ipdevpoll will try to parse this information from router port descriptions (see https://nav.uninett.no/wiki/subnetsandvlans for more info).
I don't see how this would affect Arnold, though, unless NAV somehow changes the mapping between VLAN tags and subnet addresses.
One of your screenshots depicts a predefined detention run, valid for VLANs 1, 2 and 15 (virus_alert). This means Arnold will only detain IP addresses within the known IP ranges for these VLAN tags.
Have you checked the logs of `start_arnold.py` to see what is logged when you feed it IP addresses from your virus checks? (Should be found in `/var/log/nav/arnold/start_arnold.log` on Debian).
> The settings stay for a while; after some time it is back to the status prior to the DB feed, with no VLAN/IP association.
What type of router do you have routing these VLANs?
> I intend to expand the features and send events from our firewall's IPS (Snort) and execute arnold_trigger upon pre-configured event rules.
> Maybe it's time to give back to the community; I am willing to share my project if someone is interested. I can upload it to GitHub or whatever.
I'm sure this could be useful for others as well. Contributions to the community are awesome :)
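Two points in this thread pair naturally: Tal's event server that receives an infection alert over SSL and executes start_arnold, and Morten's note that a predefined detention run only acts on addresses inside the known ranges of its VLANs (so an address outside them is "not found" rather than detained). The following is an added example, not code from the thread, from Tal's project or from NAV, showing the server-side handling a practitioner would want before anything invokes Arnold: strict parsing of the client's event, a check against the detention VLAN ranges that explains a refusal instead of letting Arnold skip the address silently, an argv-list (no shell) invocation, and a TLS context that requires a client certificate, since a service that can quarantine any host must not accept events from whoever can reach its port. The VLAN ranges and detention id are constructed, and the start_arnold.py interface (predefined detention id via `-i`, one address per line on stdin) is an assumption to be checked against `--help` on your NAV version.

```python
"""Validate quarantine-trigger events before they reach start_arnold.py.

Added example, not the thread's, Tal's or NAV's own code. Assumptions are
marked in comments; the addresses and ids below are constructed.
"""
import ipaddress
import json
import ssl
import subprocess
from typing import Optional

# Constructed sample: known IP ranges for the VLANs a predefined detention
# run is valid for (the thread's example run covers VLANs 1, 2 and 15).
# A real server would read these from NAV's prefix data, not hard-code them.
DETENTION_VLANS = {
    1: ipaddress.ip_network("10.1.0.0/24"),
    2: ipaddress.ip_network("10.2.0.0/24"),
    15: ipaddress.ip_network("10.15.0.0/24"),
}
PREDEFINED_DETENTION_ID = 3  # hypothetical id of the "virus_alert" run
ALLOWED_REASONS = {"symantec_infection", "snort_ips_alert"}


class RejectedEvent(ValueError):
    """Raised for any event the server refuses to act on."""


def parse_event(raw: bytes) -> dict:
    """Parse one JSON event from a client and validate each field.

    The address is re-parsed through ipaddress, so whitespace, embedded
    newlines or any other junk in the client's string is refused rather
    than forwarded; the reason must come from a fixed set.
    """
    try:
        event = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise RejectedEvent("malformed event: %s" % exc) from None
    if not isinstance(event, dict):
        raise RejectedEvent("event is not a JSON object")
    ip_text = event.get("ip")
    if not isinstance(ip_text, str):
        raise RejectedEvent("missing or non-string 'ip'")
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        raise RejectedEvent("invalid 'ip' %r" % ip_text) from None
    if event.get("reason") not in ALLOWED_REASONS:
        raise RejectedEvent("unknown reason %r" % event.get("reason"))
    return {"ip": ip, "reason": event["reason"]}


def detention_vlan(ip) -> Optional[int]:
    """Return the detention VLAN whose known range contains ip, or None."""
    for vlan, network in DETENTION_VLANS.items():
        if ip in network:
            return vlan
    return None


def plan_detention(raw: bytes) -> dict:
    """Turn a raw event into the command to run and the stdin to feed it.

    An address outside every detention VLAN range is refused here with a
    clear message instead of being handed to Arnold, which would skip it.
    """
    event = parse_event(raw)
    vlan = detention_vlan(event["ip"])
    if vlan is None:
        raise RejectedEvent("%s is outside every detention VLAN range" % event["ip"])
    return {
        "vlan": vlan,
        "reason": event["reason"],
        # Assumed start_arnold.py interface: detention id via -i, addresses
        # on stdin. Verify against --help on the NAV version in use.
        "argv": ["/usr/bin/start_arnold.py", "-i", str(PREDEFINED_DETENTION_ID)],
        "stdin": str(event["ip"]) + "\n",  # exactly one canonical address
    }


def run_detention(plan: dict, timeout: float = 30.0) -> int:
    """Execute the plan as an argv list (never a shell string); return exit code."""
    proc = subprocess.run(plan["argv"], input=plan["stdin"], text=True,
                          capture_output=True, timeout=timeout)
    return proc.returncode


def make_server_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """TLS context for the trigger server that requires a client certificate.

    cafile is the private CA that issued the endpoint clients' certificates;
    without CERT_REQUIRED any host on the network could file quarantine events.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    sample = b'{"ip": "10.15.0.23", "reason": "symantec_infection"}'  # constructed
    print(plan_detention(sample))
```

Wrap an accepted socket with `make_server_context(...).wrap_socket(conn, server_side=True)`, read one event, and log both the plan and every `RejectedEvent` with the peer's certificate subject; the rejection log is exactly the evidence Morten asks for when an address is "not found".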