Snort mailing list archives

Re: DHCP Rules: Snort on W2k


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 25 Jan 2002 15:03:10 -0500

Hmm... is there a Windows port of arpwatch? If there is, use it and let it compile an IP->MAC address list for you. Seems much simpler than trying to get Snort to log DHCP.

If there's not a port of arpwatch, your idea seems somewhat reasonable, but are you sure you want to monitor DHCPv6? (This is really intended for IPv6 networks; I suspect you have an IPv4 network unless you know what the difference is.)

I'd suggest trying these first:

# catch initial assignments (detects bootp and IPv4 dhcp)
alert udp $HOME_NET 67 -> 255.255.255.255/32 68 (msg: "DHCP/BOOTP initial Req Ack";)

# renewals (detects bootp and IPv4 dhcp)
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg: "DHCP/BOOTP Renewal Ack";)


Note that when a DHCPing machine first fires up, it has no IP address, so the DHCP answer goes to the address 255.255.255.255 instead of anything in $HOME_NET.


At 02:08 PM 1/25/2002 -0500, Brian Ertel wrote:
Hello,

I am trying to detect a renegade DHCP server on my
network.  Its IP address is unknown, however I have
its MAC address.  I wrote a DHCP Rule to try to catch
a DHCP event from this renegade server.  The rule is as
follows.  I am REALLY unsure about its syntax as I have
never written a rule.  ANY help is greatly appreciated.

alert udp $HOME_NET 547 -> $HOME_NET any (msg: "DHCP Req @ Ack";)

Thank you,

Brian


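Since the MAC address is the one thing Brian does know, here is an added Python example (not from the original thread, and not Snort code) that does what the two rules above do plus the MAC check: it parses Ethernet/IPv4/UDP frames, keeps only BOOTP server replies from port 67 to 68, labels each as initial (broadcast to 255.255.255.255) or renewal (unicast into the LAN), and flags any reply whose source MAC is not on an allow-list of known DHCP servers. The allow-list, the MACs and IPs, and the frame builder are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

# Constructed allow-list: MACs of the DHCP servers that are supposed to answer here.
AUTHORIZED_DHCP_SERVERS = {"00:11:22:33:44:55"}

def parse_dhcp_reply(frame: bytes):
    """Return (src_mac, dst_ip) for an Ethernet/IPv4 UDP 67->68 BOOTP reply, else None."""
    if len(frame) < 14 + 20 + 8 + 1:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800:                 # IPv4 only, same scope as the rules above
        return None
    ihl = (frame[14] & 0x0F) * 4            # IP header length in bytes
    if frame[14 + 9] != 17:                 # protocol field: 17 = UDP
        return None
    dst_ip = str(IPv4Address(frame[14 + 16:14 + 20]))
    udp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if (sport, dport) != (67, 68) or frame[udp + 8] != 2:   # BOOTP op 2 = BOOTREPLY
        return None
    return src_mac.hex(":"), dst_ip

def check_frame(frame: bytes):
    """Label a server reply as initial (broadcast) or renewal (unicast) and flag
    it as rogue when the sending MAC is not an authorised DHCP server."""
    parsed = parse_dhcp_reply(frame)
    if parsed is None:
        return None
    src_mac, dst_ip = parsed
    kind = "initial" if dst_ip == "255.255.255.255" else "renewal"
    return {"kind": kind, "server_mac": src_mac,
            "rogue": src_mac not in AUTHORIZED_DHCP_SERVERS}

def build_reply(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + UDP 67->68 + minimal BOOTP reply."""
    dst_mac = b"\xff" * 6 if dst_ip == "255.255.255.255" else b"\x00\x0c\x29\x00\x00\x01"
    eth = dst_mac + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    bootp = bytes([2]) + b"\x00" * 235      # op=2, rest of the fixed header zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0)
    return eth + ip + udp + bootp

if __name__ == "__main__":
    print(check_frame(build_reply("00:11:22:33:44:55", "10.0.0.1", "255.255.255.255")))
    print(check_frame(build_reply("de:ad:be:ef:00:01", "10.0.0.99", "10.0.0.42")))
```

On a real capture you would feed each frame from the sniffer into check_frame and act on entries with "rogue": True; client requests (68->67, op 1) are ignored, exactly as the two rules ignore them.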