November 30, 2008

CISCO Router Forensics

Category: Security Information Management — Tags: , , – Raffael Marty @ 1:49 pm

I just came across this list of command to capture the state of a CISCO router. I wanted to capture this and maybe inspire someone to build an application for Splunk. It would be interesting to build a set of expect scripts that go out and capture this information in Splunk. You can then use the information for forensics, but also for change management. By building alerts you could even alert on unauthorized or potentially malicious changes. If you are interested in building an application, let me know. I’ be happy to help.

show clock detail
show version
show running-config
show startup-config
show reload
show users
show who
show log
show debug
show stack
show context
show tech-support
show processes
show processes cpu
show processes memory
content of bootflash
show ip route
show ip ospf
show ip ospf summary
show ip ospf neighbors
show ip bgp summary
show cdp neighbors
show ip arp
show interfaces
show ip interfaces
show tcp brief all
show ip sockets
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp
show snmp user
show snmp group
show snmp sessions
show file descriptors

3 Comments »

  1. I’ve found expect to be of more trouble than it’s worth for most scripts anymore, especially something like this. Assuming that the device has SSH enabled you should be able to run these commands directly without much interactivity (as Expect was designed for.)

    Comment by Mike — December 9, 2008 @ 6:49 pm

  2. Many people still use RANCID to collect information about their routers (me included), which already does all the expect wizardry required. The commands that are run by rancid should be a good starting point.
    On the other hand, you could just pull the files that RANCID stores into Splunk (or go all the way and use Splunk as backend instead of CVS/SVN).

    Comment by Alex — January 7, 2009 @ 7:39 am

  3. Hm, you only realy need 1 command…

    show tech

    That should spit it all out…..

    Comment by Nico — March 2, 2009 @ 4:04 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .