[unisog] Ciscoworks database dump -- WAS: [RE: DMCA notices..]

Michael Holstein michael.holstein at csuohio.edu
Fri Nov 10 14:10:20 GMT 2006


I think there are switches which alter the export format, because here I 
know I get it in plaintext (CSV, I think). BLAT is a simple email 
program (a Windows version of doing a 'cat foo | mail -s somebody at ..' in 
UNIX) .. Google it.

~Mike.

David Lundy wrote:
> Michael:
>      We are on LMS 2.5.1  (Campus Manager 4.0.3).  cwinvcreport seems
> to be a CiscoWorks Small Network Management Solution command, but this
> put me on the track for cmexport which apparently extracts to XML.  Our
> sysadmin who handles the CiscoWorks (Solaris) box is diagnosing a
> configuration problem which interferes with some of its functionality. 
> Once that is fixed, I'll give it a try.
>      What is BLAT?
>      Does your Perl program parse CiscoWorks XML?  (I don't know if
> cwinvcreport outputs XML.)  
>      Thanks.  Your email got me much closer to a solution.
> 
> Dave
> 
> ----
> David Lundy
> Acting IT Security Officer
> University of the Pacific
> Stockton, CA 95211
> Email: dlundy at pacific.edu
> Voice: 209-946-3951
> Fax: 209-946-2898
> 
>>>> Michael Holstein <michael.holstein at csuohio.edu> 11/09/06 8:03 AM
>>>>
> Found it ..
> 
> http://www.cisco.com/en/US/products/sw/cscowork/ps2408/products_user_guide_chapter09186a00804bb331.html
> 
> 
> you're looking for the 'cwinvcreport' command. It appears the latest 
> version also allows you to email it (older one didn't .. thus I used 
> BLAT to do that).
> 
> Just set it as a scheduled task to run ~15min or so after you tell 
> CiscoWorks to do a discovery (depending of course on how long your 
> environment takes to do a complete discovery .. we do it every 4hrs and
> it takes ~10min to run).
> 
> Again .. if anyone wants the Perl scripts I wrote to stick that into 
> MySQL (it imports most of the fields you'd want .. you can tweak to your
> own specs) and the MySQL schema .. hit me off-list.
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> 
> David Lundy wrote:
>> All:
>>      I've thought about collecting information from CiscoWorks to keep
>> track of our DHCP assignments to do historical tracking, but do not
>> have information on how to extract this information automatically on a
>> scheduled basis.  If someone else is doing scheduled data extraction
>> from CiscoWorks, I'd appreciate information on how you are doing this.
>> David Lundy
>>
>>
>> ----
>> David Lundy
>> Acting IT Security Officer
>> University of the Pacific
>> Stockton, CA 95211
>> Email: dlundy at pacific.edu 
>> Voice: 209-946-3951
>> Fax: 209-946-2898
>>
>>>>> Stephen C Woods <scw at seas.ucla.edu> 11/08/06 1:00 PM >>>
>>   As a general case you should keep a list of IP + MAC + last time this
>> combo was seen:
>>
>> 128.97.2.99 00:0d:56:12:4e:6e 200611081211  YYYYMMDDHHmm
>> 128.97.2.99 00:14:38:9f:dc:41 200607101207
>>
>>     Note: gathering IP/MAC pairs (sort -u is useful here)
>> and processing them hourly is probably sufficient.   It helps to have
>> a single router, otherwise you need to do some 'clever' filtering.
>> <scw>
>>
>>
>>
>> On Wed, Nov 08, 2006 at 03:57:23PM -0500, George C. Russ wrote:
>>> arp cache on routers will tell you. keep a history. cattools.
>>>
>>> George
>>> -----Original Message-----
>>> From: unisog-bounces at lists.dshield.org 
>>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Dave Dittrich
>>> Sent: Tuesday, October 31, 2006 12:07 PM
>>> To: UNIversity Security Operations Group
>>> Subject: Re: [unisog] another round of bogus DMCA notices
>>>
>>> Michael Holstein wrote:
>>>> I know this has happened several times in the past, but today I got a
>>>> round of DMCA notices for non-existent IP addresses.
>>>>
>>>> Is anybody saving these and their supporting evidence (that they're
>>>> bogus)?
>>>
>>> What do you mean by "bogus" or "non-existent?"  If the IP addresses
>>> are valid within your netblocks, but are just not active at the time
>>> you look (or you are just doing "ping IP-ADDRESS" to verify), I
>>> would assume some clever miscreant has simply decided to start
>>> doing short-lived IP aliasing, firewalling, or something else
>>> designed to make verification of piracy harder.  You may have
>>> to start logging traffic across your border to verify the claim.
>>>
>>> -- 
>>> Dave Dittrich                          Information Assurance Researcher,
>>> dittrich at u.washington.edu              The iSchool
>>> http://staff.washington.edu/dittrich   University of Washington
>>>
>>> PGP key      http://staff.washington.edu/dittrich/pgpkey.txt 
>>> Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org 
>>> https://lists.sans.org/mailman/listinfo/unisog 
>>>
> 
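
The IP + MAC + last-seen table described in the quoted thread, as an added example that is not code from any of the posters. It goes one step beyond the thread by also keeping a first-seen time, so a notice timestamp can be checked against a window; the function names and sample rows are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y%m%d%H%M"  # the YYYYMMDDHHmm stamp used in the thread

def parse_observations(text):
    """Yield (ip, mac, datetime) from 'IP MAC YYYYMMDDHHmm' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # not an observation row
        ip, mac, stamp = parts[:3]
        try:
            when = datetime.strptime(stamp, FMT)
        except ValueError:
            continue  # malformed timestamp, skip the row
        yield ip, mac.lower(), when

def build_history(observations):
    """Collapse observations to {(ip, mac): [first_seen, last_seen]}."""
    history = {}
    for ip, mac, when in observations:
        span = history.setdefault((ip, mac), [when, when])
        span[0] = min(span[0], when)
        span[1] = max(span[1], when)
    return history

def holders_at(history, ip, when):
    """MACs whose first..last seen window for `ip` covers `when`."""
    return sorted(mac for (h_ip, mac), (first, last) in history.items()
                  if h_ip == ip and first <= when <= last)

def dump(history):
    """Render the table in the thread's 'IP MAC last-seen' layout."""
    return [f"{ip} {mac} {last.strftime(FMT)}"
            for (ip, mac), (_, last) in sorted(history.items())]

# Constructed sample: hourly ARP-cache rows (documentation-range addresses).
SAMPLE = """\
192.0.2.99 00:00:5E:00:53:01 200607100907
192.0.2.99 00:00:5e:00:53:01 200607101207
192.0.2.99 00:00:5e:00:53:02 200611081011
192.0.2.99 00:00:5e:00:53:02 200611081211
192.0.2.50 00:00:5e:00:53:03 200611081211
bogus line
"""

if __name__ == "__main__":
    hist = build_history(parse_observations(SAMPLE))
    print("\n".join(dump(hist)))
    print(holders_at(hist, "192.0.2.99", datetime(2006, 11, 8, 11, 0)))
```

An empty result from `holders_at` means no observation window covers that time, which is the kind of supporting evidence the original DMCA question asked about.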

