
Should we enable baseline for dhcp users in stealthwatch

blagov
Level 1

Hello, 

It is unclear if we should disable baseline for DHCP users. Can someone please help me understand what should be configured?

1 Accepted Solution


Philipp Tannich
Cisco Employee

Okay, it's a bit confusing, but I (hope) I get your point:

When you add a new host group under "Client IP Range (DHCP Range)", the clients might get a dynamic IP assigned. Therefore, it's not good to start baselining on that specific IP if a few weeks later client A has a new IP address and client B gets the one client A had before, or when client A is moving to a separate network, e.g. roaming, and has different IP addresses assigned.
In this Sub-Host-Group the check is disabled and when you create a new group it is inherited, so you don't see the box checked.


A server normally keeps its IP address till you remove it from the network. It (normally) won't take any trip to another data center. So baselining makes sense in this Sub-Host-Group and will be inherited on every new group you add below.

Back to your question: If you e.g. assign IP addresses with the dedicated MAC address and they also won't change when a device is changing networks, then you can enable baselining. Otherwise, it won't make any sense and might only be more confusing on your alerts than helping you find any bad actor.

Did I get your point correct?

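The effect described in the answer above, as an added example that is not part of the original thread and not Cisco's code. It assumes a simplified mean/standard-deviation baseline (not Stealthwatch's actual algorithm) and constructed traffic for two clients whose DHCP addresses swap on day 6; all names and values are hypothetical.

```python
from statistics import mean, pstdev

# Constructed daily byte counts per device, keyed by a placeholder MAC:
# "aa:aa" is a light laptop, "bb:bb" a heavy workstation.
TRAFFIC = {
    "aa:aa": [100, 110, 95, 105, 100, 98, 102, 101],
    "bb:bb": [900, 950, 920, 910, 930, 940, 915, 925],
}

def lease(day):
    """Constructed DHCP lease table: the two clients swap addresses on day 6."""
    if day < 6:
        return {"10.0.0.5": "aa:aa", "10.0.0.6": "bb:bb"}
    return {"10.0.0.5": "bb:bb", "10.0.0.6": "aa:aa"}

def observations(key):
    """Build {entity: [daily bytes]} with the entity being the IP or the MAC."""
    series = {}
    for day in range(8):
        for ip, mac in lease(day).items():
            entity = ip if key == "ip" else mac
            series.setdefault(entity, []).append(TRAFFIC[mac][day])
    return series

def alerts(key, train_days=6, threshold=3.0):
    """Learn a baseline from the first train_days, then flag later days
    that deviate by more than `threshold` standard deviations."""
    flagged = []
    for entity, values in observations(key).items():
        base = values[:train_days]
        mu = mean(base)
        sigma = pstdev(base) or 1.0  # avoid division by zero on flat traffic
        for day, value in enumerate(values[train_days:], start=train_days):
            if abs(value - mu) / sigma > threshold:
                flagged.append((entity, day))
    return sorted(flagged)

if __name__ == "__main__":
    # Baseline tied to the IP: both addresses alert after the lease swap,
    # although neither device changed its behaviour.
    print("per-IP alerts: ", alerts("ip"))
    # Baseline tied to a stable identity (e.g. a reserved address per MAC):
    # nothing alerts.
    print("per-MAC alerts:", alerts("mac"))
```

The per-IP run corresponds to baselining a dynamic DHCP range; the per-MAC run corresponds to the case in the answer where addresses are assigned to a dedicated MAC and do not change.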

4 Replies

Philipp Tannich
Cisco Employee

Hi @blagov,

I do not really understand your question. Why do you want to disable baselining for DHCP users?
Is this something in the "Host Classifier" app or specific for a use case?

Thanks and cheers

That is the confusion. When I created a new host group under DHCP range, I noticed that Baseline was unchecked automatically. If I create host groups under server, let's say, it doesn't get unchecked. I looked into the help menu documentation and it says you can disable baseline for dynamic/DHCP host groups, which in a way makes sense if users will receive different IPs. I just wanted to confirm if this is how I should leave it, with baseline unchecked for DHCP users.

I hope what I say makes sense.

Hi Ptannich,
Thank you for your reply. Server host group totally makes sense. The user VLAN (DHCP) is the one that was confusing, but I do see what you mean by inherited, so it should be OK not to check it.