Snort mailing list archives
Re: Rogue DHCP servers
From: Bennett Todd <bet () rahul net>
Date: Fri, 31 Oct 2003 09:19:01 -0500
2003-10-30T15:10:57 Martin Jr., D. Michael:
I have heard about a "plugin" for Snort but haven't found it as yet for detecting rogue DHCP servers.
There may exist a helpful plugin for this, I don't know. But since I haven't seen anyone else point out the plugin you want, I offer an alternative.

The canonical way to make snort alert on rogue "foo" is to tell it to ignore the legitimate "foo", then tell it to alert on any "foo" it sees. It's possible to tell snort to ignore stuff with snort rules and a config tweak, or with bpf filter rules. Somehow it seems to work out that the bpf filter rules end up being the way to go, most of the time, or so is the impression I get.

So you want bpf filter rules to drop legit DHCP replies from your real servers. If you have more than a couple of legit DHCP servers that'll probably end up meaning you want to put your bpf rules in a file, the cmdline gets long quick. Then you want a rule, local.rules would be the canonical place to put it, that alerts on any DHCP replies you see.

-Bennett
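The two pieces Bennett describes, as an added example that is not part of the original post and is not Snort's own code: a POSIX shell script that builds a BPF filter file excluding DHCP/BOOTP replies from your known-good servers, and a local.rules entry that alerts on every DHCP reply snort still sees. The server addresses are constructed placeholders, and the file names, SID and function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Generates the two pieces the reply describes: a BPF file that excludes
# DHCP replies from known-good servers, and a local.rules entry that alerts
# on every DHCP reply snort still sees.  The server addresses are constructed
# placeholders; substitute your own servers (and relay agents, which also
# forward replies from UDP port 67).

LEGIT_DHCP_SERVERS="10.0.0.1 10.0.0.2"   # constructed sample values

# Print a BPF expression that drops DHCP/BOOTP server replies (UDP source
# port 67) from the listed IPs and keeps everything else.  With no IPs
# given, print nothing and fail, so an empty variable cannot silently
# produce a filter that excludes the wrong thing.
dhcp_bpf_filter() {
    [ "$#" -gt 0 ] || return 1
    hosts=""
    for ip in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="src host $ip"
        else
            hosts="$hosts or src host $ip"
        fi
    done
    printf 'not (udp and src port 67 and (%s))\n' "$hosts"
}

# Print a snort rule for local.rules that fires on any DHCP server reply.
# The content match checks the first byte of the BOOTP header, the "op"
# field: 2 means BOOTREPLY, so a client DISCOVER/REQUEST (op 1) does not
# match even if it happens to use port 67 as its source.  SIDs from
# 1000000 upward are the range reserved for local rules.
dhcp_rogue_rule() {
    sid="${1:-1000001}"
    printf 'alert udp any 67 -> any 68 (msg:"Rogue DHCP server reply"; content:"|02|"; depth:1; sid:%s; rev:1;)\n' "$sid"
}

# Write both files into a directory; fails if no servers were given.
write_dhcp_detection() {
    dir="$1"; shift
    dhcp_bpf_filter "$@" > "$dir/dhcp.bpf" || return 1
    dhcp_rogue_rule 1000001 > "$dir/local.rules"
}

# Stand-alone run: write the files into a temporary directory and show them.
out=$(mktemp -d)
write_dhcp_detection "$out" $LEGIT_DHCP_SERVERS
cat "$out/dhcp.bpf" "$out/local.rules"
rm -rf "$out"
```

Snort reads the filter file with `-F dhcp.bpf`; the rule goes in local.rules as usual. Two caveats worth keeping in mind: the BPF filter applies to the whole sensor, so every other rule also loses sight of replies from the listed servers, and a rogue that spoofs a legitimate server's IP slips past an IP-based exclusion (excluding on `ether src host` instead is an option on a flat segment, where the server's MAC is what you actually see).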
Current thread:
- Rogue DHCP servers Martin Jr., D. Michael (Oct 30)
- Re: Rogue DHCP servers Bennett Todd (Oct 31)
- <Possible follow-ups>
- RE: Rogue DHCP servers Kaplan, Andrew H. (Oct 30)
- RE: Rogue DHCP servers Martin Jr., D. Michael (Oct 30)
- Re: Rogue DHCP servers Jason Haar (Oct 30)
- RE: Rogue DHCP servers Kaplan, Andrew H. (Oct 31)
- RE: Rogue DHCP servers Martin Jr., D. Michael (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)
- Re: Rogue DHCP servers Jon Hart (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)