Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Is there an updated ClearPass Profiling TechNote V1.2 document

  • 1.  Is there an updated ClearPass Profiling TechNote V1.2 document

    Posted Sep 10, 2018 04:39 AM

    Been looking at how to create custom fingerprints.

    My initial one was to generate a "UoY Amazon Echo" fingerprint as the supplied one didn't have the MAC OUI of the Echo we bought.

     

    What I did was create the following and upload it to the MP.

     

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Tue Jul 24 12:38:04 BST 2018" version="6.7"/>

      <!--
      Date: 27/07/18
      Name: Amazon-echo-fingerprint.xml
      Function: Create a locally defined fingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo". Take the standard ClearPass definition and add the OUI of the device on my desk to the list of known ones.
      -->

      <DeviceFingerprints>
        <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
          <FingerprintRules>
            <FingerprintRule match-conditions="ALL">
              <RuleCondition name="mac_vendor" operator="contains" value="Amazon"/>
              <RuleCondition name="device.family" operator="contains" value="Android"/>
              <!-- OUI prefixes for the default ClearPass Amazon Echo fingerprint and addition of the one on my desk -->
              <RuleCondition name="mac" operator="contains">
                <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
              </RuleCondition>

              <RuleCondition name="dhcp.option60" operator="contains">
                <valueList>["dhcpcd-5.5.6"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.option55" operator="contains">
                <valueList>["1,33,3,6,15,28,51,58,59"]</valueList>
              </RuleCondition>
              <RuleCondition name="dhcp.options" operator="contains">
                <valueList>["53,50,57,60,12,55"]</valueList>
              </RuleCondition>
            </FingerprintRule>
          </FingerprintRules>
        </DeviceFingerprint>
      </DeviceFingerprints>
    </TipsContents>

     

    In the ClearPass profiling doc the example to add a rule is

     

    RULES API:

    1. API to ADD Rules:

    Given an unknown endpoint, this API will automatically create rules by ANDing rule attributes from endpoint mac_vendor, hostname and fingerprints (ex: "dhcp.option60", "snmp.sys_descr", "host.user_agent", "host.os_type", "nmap.device"). Rules created using API will have ids starting from 100000.

    Method: POST
    URL: /async_netd/deviceprofiler/rules
    Values:
    {
    mac:
    rule_fields: [..]
    }

    Where rule_fields = mac_vendor, hostname, dhcp.option55, dhcp.options, dhcp.option60, snmp.sys_descr, host.user_agent etc...

    Example:
    CMD:
    curl -X POST -u apiadmin:password https://<CPPM IP>/async_netd/deviceprofiler/rules -H "Content-Type: application/json" -k -d '{"mac" : "6cadf8112341", "rule_fields": ["mac_vendor", "dhcp.option55"] }'

    Output: 100000 [New rule ID]

     

    What JSON format do I have to use to implement the 

     

    <RuleCondition name="mac" operator="contains">
      <valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList>
    </RuleCondition>

    In my import XML file?

     

    Rgds

    Alex

     

     



  • 2.  RE: Is there an updated ClearPass Profiling TechNote V1.2 document

    Posted Sep 10, 2018 09:46 AM

    Also, the doc refers to https://<clearpass server>/async_netd/..... but in the API explorer on CPPM 6.7.5 there isn't an API section for async_netd.

     

    A

     

     



  • 3.  RE: Is there an updated ClearPass Profiling TechNote V1.2 document

    Posted Nov 27, 2018 10:51 AM

    The problem with my XML file is that there's currently a bug in ClearPass.

     

    My XML file specifies strings of DHCP options. Unfortunately, if you import it, it takes all the members of the string and treats them as individual elements. This therefore can apply your new fingerprint to all sorts of devices ... not a good idea. Might be fixed in 6.7.8.

    A
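
The over-matching described in the last post, modelled as an added example (not code from the thread or from ClearPass): it lists which conditions in a fingerprint import file carry comma-joined option strings, and shows on constructed DHCP values which devices match only once such a string is split into members. The split-matching rule, the function names and the sample devices are assumptions; the thread does not describe ClearPass's internal matching.

```python
import json
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}
# Constructed sample: two conditions trimmed from the fingerprint posted above.
SAMPLE_XML = """<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
 <DeviceFingerprints>
  <DeviceFingerprint category="Home Audio/Video Equipment" family="Amazon" name="UoY Amazon Echo">
   <FingerprintRules><FingerprintRule match-conditions="ALL">
    <RuleCondition name="mac" operator="contains"><valueList>[34d270 40b4cd fca667 4cefc0 8871e5]</valueList></RuleCondition>
    <RuleCondition name="dhcp.option55" operator="contains"><valueList>["1,33,3,6,15,28,51,58,59"]</valueList></RuleCondition>
   </FingerprintRule></FingerprintRules>
  </DeviceFingerprint>
 </DeviceFingerprints>
</TipsContents>"""
# Constructed dhcp.option55 values, not captured from real devices.
OBSERVED = {"echo": "1,33,3,6,15,28,51,58,59", "unrelated-client": "1,3,6,15,119,252"}

def parse_value_list(text):
    """Entries of a <valueList>: JSON-style quoted strings or bare tokens."""
    try:
        return [str(v) for v in json.loads(text)]
    except (ValueError, TypeError):
        return text.strip().strip("[]").split()

def at_risk_conditions(xml_text):
    """Map condition name -> entries that hold comma-joined members."""
    risky = {}
    for cond in ET.fromstring(xml_text).iterfind(".//t:RuleCondition", NS):
        entries = parse_value_list(cond.findtext("t:valueList", "", NS))
        multi = [e for e in entries if "," in e]
        if multi:
            risky[cond.get("name")] = multi
    return risky

def intended_match(entry, observed):
    return entry in observed  # the whole option string must be present

def split_match(entry, observed):
    # Assumed model of the import behaviour: each member is its own element.
    return bool(set(entry.split(",")) & set(observed.split(",")))

def overmatched(entry, observed_by_device):
    """Devices hit only once the string is split into members."""
    return sorted(d for d, o in observed_by_device.items()
                  if split_match(entry, o) and not intended_match(entry, o))

if __name__ == "__main__":
    for name, entries in at_risk_conditions(SAMPLE_XML).items():
        print(name, {e: overmatched(e, OBSERVED) for e in entries})
```

Running the audit against an export before import shows which conditions depend on whole-string matching, so the resulting profile can be checked against known non-target endpoints afterwards.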