search

idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://idaholab.github.io/Malcolm/
Other
358 stars 59 forks source link

Populate NetBox inventory via passively-gathered network traffic metadata #135

Closed mmguero closed 8 months ago

mmguero commented 1 year ago

Feature-tracking issue dependent on #131

If the LOGSTASH_NETBOX_AUTO_POPULATE environment variable in ./config/logstash.env is set to true, uninventoried devices with private IP addresses (as defined in RFC 1918 and RFC 4193) observed in known network segments will be automatically created in the NetBox inventory based on the information available. This value is set to true by answering Y to "Should Malcolm automatically populate NetBox inventory based on observed network traffic?" during configuration.

However, careful consideration should be made before enabling this feature: the purpose of an asset management system is to document the intended state of a network: with Malcolm configured to populate NetBox with the live network state, a network misconfiguration fault could result in an incorrect documented configuration.

Devices created using this autopopulate method will have their status field set to staged. It is recommended that users periodically review automatically-created devices for correctness and to fill in known details that couldn't be determined from network traffic. For example, the manufacturer field for automatically-created devices will be set based on the organizational unique identifier (OUI) determined from the first three bytes of the observed MAC address, which may not be accurate if the device's traffic was observed across a router. If possible, observed hostnames will be used in the naming of the automatically-created devices, falling back to the device manufacturer otherwise (e.g., MYHOSTNAME @ 10.10.0.123 vs. Schweitzer Engineering @ 10.10.0.123).

Since device autocreation is based on IP address, information about network segments (including virtual routing and forwarding (VRF) and prefixes) must be first manually specified in NetBox in order for devices to be automatically populated.

Although network devices can be automatically created using this method, services should inventoried manually. The Uninventoried Observed Services visualization in the Zeek Known Summary dashboard can help users review network services to be created in NetBox.

See idaholab/Malcolm#135 for more information on this feature.

mmguero commented 1 year ago

This is basically complete for v23.07.0, but it will be enhanced/improved in v23.08.0.

mmguero commented 8 months ago

I'm going to close this and open individual issues for improvements to this feature.