I came across an interesting scenario today that was worth sharing. I'm in charge of a multi-context Cisco FWSM (firewall services module). Today, while troubleshooting an issue I ran a packet capture to analyze the problem which is normally one of the first things I do.
I realized I had done this capture on a context which did not have a management IP address (don't ask). Not having any way to directly route to the context meant that my usual method of downloading the capture in *.pcap format wouldn't work via a browser, so what to do?
After some searching around, I discovered that you could simply use TFTP through the FWSM's system context to obtain the file...problem solved!
FWSM# copy /pcap capture:examplecontext/in-cap tftp:
FWSM# copy /pcap capture:public/skid-capture.pcap tftp:
Source capture name [public/skid-capture]?
Address or name of remote host []? 1.1.1.1
Destination filename [skid-capture.pcap]?
!!!!!!
111 packets copied in 1.200 secs (111 bytes/sec)
Thursday, November 4, 2010
Wednesday, November 3, 2010
Determining When Devices Hit the Wire
Often I will find myself needing to determine when a device comes back online. The reasons are numerous, but it could be as simple as waiting for a device to complete a reboot or it could be that a pesky, malware-laden device which only pokes its head online for short durations each day. Back in the day, it would likely take a continuous ping running in the background to determine when the device comes online, although who wants to continuously monitor a ping? Also, if I wasn't at my computer at that particular moment then I may never be the wiser.
To tackle these scenarios, I thought it would be personally useful if there was an automated method of notification so that this process could all be done in the background for me, and I could continue whatever work I was doing without having to micro-manage a ping.
For me, I felt it would be great if an email notification could be used since I could use Outlook's preview window in conjunction with my ping to quickly break me away from what I was doing to allow my investigation to begin when the device in question came back online. My first attempt at this was using a simple ICMP echo (type 8) to determine device's status. When the device came back online, I used the Linux sendEmail program to email me with the status update. The result was a short little bash script and the code that follows.
As you can see, nothing too special here. The script simply ran a ping in loop, where it would send a single ICMP type 8 echo packet and wait for an ICMP echo-reply (type 0) to return. Now, there are a couple glaring problems with this, most notably what happens if the device in question doesn't respond to ICMP because it is behind a firewall, for example? To overcome some of the limitations with using ICMP, I came up with a second script that makes calls the fantastic Nmap in order to customize the types of probes used to determine a device's online status.
Besides a more polished look, this will actually cater the TCP probes based on the type of device in question. I customized the Nmap options based on personal experience with various types of OS. As with the ICMP script, it will wait for a device to come back online before notifying via email. Both of these bash scripts were written using the Linux Backtrack4 distro. Note that I did not require authentication on the SMTP relay server in the latter script.
To tackle these scenarios, I thought it would be personally useful if there was an automated method of notification so that this process could all be done in the background for me, and I could continue whatever work I was doing without having to micro-manage a ping.
For me, I felt it would be great if an email notification could be used since I could use Outlook's preview window in conjunction with my ping to quickly break me away from what I was doing to allow my investigation to begin when the device in question came back online. My first attempt at this was using a simple ICMP echo (type 8) to determine device's status. When the device came back online, I used the Linux sendEmail program to email me with the status update. The result was a short little bash script and the code that follows.
#!/bin/bash
echo "Please enter the IP address or FQDN of the host you are interested in: "
read ipaddress
echo -e "\nPlease enter Exchange password (Used for sendEmail Purposes): "
read -s PASSWORD
while :
do
ping -c 1 $ipaddress > /dev/null
if [ $? -eq 0 ]; then
sendEmail -f (enter from address) -t (enter your email address) -u Commence the Investigation!!! -m Host $ipaddress is back online! -s (enter SMTP relay server):25 -xu (enter username) -xp $PASSWORD -o tls=no
break
fi
done
As you can see, nothing too special here. The script simply ran a ping in loop, where it would send a single ICMP type 8 echo packet and wait for an ICMP echo-reply (type 0) to return. Now, there are a couple glaring problems with this, most notably what happens if the device in question doesn't respond to ICMP because it is behind a firewall, for example? To overcome some of the limitations with using ICMP, I came up with a second script that makes calls the fantastic Nmap in order to customize the types of probes used to determine a device's online status.
#!/bin/bash
NMAP=/usr/bin/nmap
NMAPOPTIONSLINUX="-n -PN -sS -p22,25,53,80,110,143,443 -PA22,53,80,443"
NMAPOPTIONSWIN="-n -PN -sS -p135-139,445,1025 -PA135-139,445,1025"
NMAPOPTIONSCISCO="-n -PN -sS -p22,23,80,443"
function Linux {
while :
do
$NMAP $NMAPOPTIONSLINUX $IPADDYLINUX > nmap.txt
cat nmap.txt | grep "Host is up" > /dev/null
if [ $? -eq 0 ]; then
sendEmail -f (from email address) -t (to email address) -u Commence the Investigation!!! -m Host $IPADDYLINUX is back online! -s (SMTP relay server) -o tls=no
break
fi
done
}
function Windows {
while :
do
$NMAP $NMAPOPTIONSWIN $IPADDYWIN > nmap.txt
cat nmap.txt | grep "Host is up" > /dev/null
if [ $? -eq 0 ]; then
sendEmail -f (from email address) -t (to email address) -u Commence the Investigation!!! -m Host $IPADDYLINUX is back online! -s (SMTP relay server) -o tls=no
break
fi
done
}
function Cisco {
while :
do
$NMAP $NMAPOPTIONSCISCO $IPADDYCISCO > nmap.txt
cat nmap.txt | grep "Host is up" > /dev/null
if [ $? -eq 0 ]; then
sendEmail -f (from email address) -t (to email address) -u Commence the Investigation!!! -m Host $IPADDYLINUX is back online! -s (SMTP relay server) -o tls=no
break
fi
done
}
function Menu {
clear
cat > /dev/stdout <<DELIM
========================================================
Please Select the Appropriate Device Type
[L]inux or Unix
[W]indows
[C]isco
[Q]uit
========================================================
DELIM
read DEVICETYPE
clear
shopt -s nocasematch
if [[ $DEVICETYPE = *L* ]]; then
echo "Please input IP address of Linux/Unix device:"
read IPADDYLINUX
echo -e "Thank You, An Email Will Be Sent When Host is Back Online...\n"
Linux
elif [[ $DEVICETYPE = *W* ]]; then
echo "Please input IP address of Windows device:"
read IPADDYWIN
echo -e "\nThank You, An Email Will Be Sent When Host is Back Online...\n"
Windows
elif [[ $DEVICETYPE = *C* ]]; then
echo "Please input IP address of Cisco device:"
read IPADDYCISCO
echo -e "\nThank You, An Email Will Be Sent When Host is Back Online...\n"
Cisco
elif [[ $DEVICETYPE = *Q* ]]; then
echo -e "\n\nGoodbye, and thank you for being the Network Police!"
exit 0
else
echo "Sorry, --> $DEVICETYPE <-- is an Unknown Selection"
echo "Press Enter to Continue..."
read
Menu
fi
shopt -u nocasematch
}
Menu
Besides a more polished look, this will actually cater the TCP probes based on the type of device in question. I customized the Nmap options based on personal experience with various types of OS. As with the ICMP script, it will wait for a device to come back online before notifying via email. Both of these bash scripts were written using the Linux Backtrack4 distro. Note that I did not require authentication on the SMTP relay server in the latter script.
Subscribe to:
Posts (Atom)