Snort mailing list archives
Re: DHCP Rules: Snort on W2k
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 25 Jan 2002 15:03:10 -0500
Hmm... is there a Windows port of arpwatch? If there is, use it and let it compile an IP->MAC address list for you. Seems much simpler than trying to get snort to log DHCP.
If there's not a port of arpwatch, your idea seems somewhat reasonable, but are you sure you want to monitor DHCPv6? (This is really intended for IPv6 networks; I suspect you have an IPv4 network, unless you know what the difference is.)
I'd suggest trying these first:

    # catch initial assignments (detects bootp and IPv4 dhcp)
    alert udp $HOME_NET 67 -> 255.255.255.255/32 68 (msg: "DHCP/BOOTP initial Req Ack";)

    # renewals (detects bootp and IPv4 dhcp)
    alert udp $HOME_NET 67 -> $HOME_NET 68 (msg: "DHCP/BOOTP Renewal Ack";)

Note that when a DHCPing machine first fires up, it has no IP address, so the DHCP answer goes to the address 255.255.255.255 instead of anything in $HOME_NET.
At 02:08 PM 1/25/2002 -0500, Brian Ertel wrote:
Hello, I am trying to detect a renegade DHCP server on my network. Its IP address is unknown; however, I have its MAC address. I wrote a DHCP rule to try to catch a DHCP event from this renegade server. The rule is as follows. I am REALLY unsure about its syntax as I have never written a rule. ANY help is greatly appreciated.

    alert udp $HOME_NET 547 -> $HOME_NET any (msg: "DHCP Req @ Ack";)

Thank you, Brian
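As an added illustration (not part of the original thread or of Snort), the following Python parser applies the same server-to-client filter as Matt's rules (UDP 67 -> 68) and, since Brian knows the rogue server's MAC but not its IP, compares the reply's source MAC against an allowlist of known-good servers. The MAC addresses, IP addresses and frames below are constructed placeholders, and checksums are left at zero.

```python
import struct
from ipaddress import IPv4Address

# Constructed allowlist of known-good DHCP server MACs (placeholder values).
AUTHORIZED_SERVERS = {"00:11:22:33:44:55"}
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp_reply(frame):
    """Return details of a server->client DHCP/BOOTP reply (UDP 67 -> 68), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:                  # not UDP / truncated
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (67, 68):                        # same direction as Matt's rules
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                                       # no DHCP magic cookie: plain BOOTP or junk
    msg_type, i = None, 240                               # walk TLV options looking for option 53
    while i < len(bootp) and bootp[i] != 255:
        if bootp[i] == 0:                                 # pad option carries no length byte
            i += 1
            continue
        if bootp[i] == 53:
            msg_type = bootp[i + 2]
        i += 2 + bootp[i + 1]
    return {"src_mac": frame[6:12].hex(":"), "src_ip": str(IPv4Address(ip[12:16])),
            "dst_ip": str(IPv4Address(ip[16:20])), "yiaddr": str(IPv4Address(bootp[16:20])),
            "type": DHCP_TYPES.get(msg_type, "BOOTP")}

def is_rogue(frame):
    """True when the frame is a DHCP server reply whose source MAC is not on the allowlist."""
    reply = parse_dhcp_reply(frame)
    return reply is not None and reply["src_mac"] not in AUTHORIZED_SERVERS

def build_reply(src_mac, src_ip, dst_ip, yiaddr, msg_type):
    """Build a constructed Ethernet/IPv4/UDP/DHCP reply frame for testing (checksums zeroed)."""
    bootp = (bytes([2, 1, 6, 0]) + b"\x00" * 12 + IPv4Address(yiaddr).packed
             + b"\x00" * 216 + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255]))
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip

if __name__ == "__main__":
    # The initial ACK to a client that has no address yet goes to 255.255.255.255, as Matt notes.
    good = build_reply("00:11:22:33:44:55", "10.0.0.1", "255.255.255.255", "10.0.0.50", 5)
    rogue = build_reply("de:ad:be:ef:00:01", "10.0.0.200", "10.0.0.51", "10.0.0.51", 2)
    for f in (good, rogue):
        print(parse_dhcp_reply(f), "ROGUE" if is_rogue(f) else "ok")
```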