Snort mailing list archives
RE: Rogue DHCP servers
From: Gilbert Mendoza <linuxcruiser () yahoo com>
Date: Fri, 31 Oct 2003 07:25:41 -0800 (PST)
I read this about 3 weeks ago.

http://security.itworld.com/4363/ITW3542/page_1.html

To sum up the article, you need to make a custom rule that looks for all DHCP requests, but ignore your approved DHCP server messages. The two rules look like so (your DHCP server as X.X.X.X):

pass udp X.X.X.X 67 -> any 68;
alert udp !$RES_NET 67 -> any 68 (msg: "Rogue DHCP server...");

Make sure you add the "--o" option when you start snort. This reverses the order in which it reads the snort.conf rules, considering "pass" statements before "alert".

Have a great day,

-GM

--------------------------------------------
"If at first you don't succeed... You must be using Windows."
--------------------------------------------

--- "Martin Jr., D. Michael" <martinm () montevallo edu> wrote:
ACLs are your friends. BUT, when you have legacy wiring and hubs and all of the users on one VLAN (and that is your only choice because of the wiring and existing infrastructure), ACLs aren't that viable.

In our setting, each person in our residence halls is connected to a 10Mb Baystack Hub. In turn, each building (with multiple hubs in the building) is then connected to a central campus Cisco switch. We could implement ACLs at that switch level but that does not keep students from putting DHCP servers (and routers...and they buy those for their rooms all the time) within the building. I need to use Snort to detect those routers in those buildings proactively so we can go and find them and disconnect them from the network so that services can be restored to the rest of the student population.

Thanks,
Michael

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: Thursday, October 30, 2003 6:28 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rogue DHCP servers

On Thu, Oct 30, 2003 at 04:58:27PM -0600, Martin Jr., D. Michael wrote:

No. It is a residence hall network. Therefore, we have anything and everything imaginable (FreeBSD, Linux, Windows, MacOS, etc...).

ACLs on switches are your friends...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
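The detection logic behind the pass/alert rule pair in Gilbert's message, as an added example that is not code from the thread or from Snort: a small Python parser for server-to-client DHCP traffic (UDP 67 -> 68) that raises an alert when the sending IP, or the DHCP server identifier (option 54) inside the reply, is not one of the approved servers, and reports the offered address and client MAC so someone can go find the box. The approved server 10.1.0.5, the addresses in the sample frames, and the build_dhcp_reply() helper are constructed for illustration and stand in for the poster's X.X.X.X / $RES_NET.

```python
"""Rogue DHCP detector: the logic behind the pass/alert rule pair above.

Added example, not code from the thread or from Snort. Parses server->client
DHCP traffic (UDP 67 -> 68) and flags replies that do not come from an
approved server. All addresses and frames below are constructed.
"""
import ipaddress
import struct

# Approved DHCP server(s); stands in for the poster's X.X.X.X / $RES_NET (assumed).
APPROVED_SERVERS = {ipaddress.ip_address("10.1.0.5")}
DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, udp_payload) or None if not IPv4/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:          # IP protocol 17 = UDP
        return None
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def parse_dhcp(payload):
    """Return BOOTP fields plus DHCP options as {code: bytes}, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    hlen = payload[2]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                           # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        code, ln = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": payload[0],
            "yiaddr": ipaddress.ip_address(payload[16:20]),
            "chaddr": payload[28:28 + hlen].hex(":"),
            "options": opts}


def check_packet(pkt):
    """Return an alert dict for a DHCP reply from an unapproved server, else None."""
    hdr = parse_ipv4_udp(pkt)
    if hdr is None:
        return None
    src, _dst, sport, dport, payload = hdr
    if sport != 67 or dport != 68:                    # server -> client only
        return None
    d = parse_dhcp(payload)
    if d is None or d["op"] != 2:                     # 2 = BOOTREPLY
        return None
    sid = d["options"].get(54)                        # option 54 = server identifier
    server_id = ipaddress.ip_address(sid) if sid and len(sid) == 4 else None
    if src in APPROVED_SERVERS and (server_id is None or server_id in APPROVED_SERVERS):
        return None
    return {"msg": "Rogue DHCP server",
            "src": str(src),
            "server_id": str(server_id) if server_id else None,
            "dhcp_type": d["options"].get(53, b"\x00")[0],   # 2=OFFER, 5=ACK
            "offered": str(d["yiaddr"]),
            "client_mac": d["chaddr"]}


def build_dhcp_reply(src_ip, client_mac, yiaddr, msg_type, server_id):
    """Build a minimal IPv4/UDP/BOOTREPLY frame (constructed test input, no checksums)."""
    opts = bytes([53, 1, msg_type, 54, 4]) + ipaddress.ip_address(server_id).packed + b"\xff"
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)             # op=2, Ethernet, broadcast flag
    bootp += b"\x00" * 4 + ipaddress.ip_address(yiaddr).packed + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    bootp += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")    # chaddr
    bootp += b"\x00" * 192 + DHCP_MAGIC + opts                                  # sname, file, magic, options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, b"\xff\xff\xff\xff")
    return ip + udp


# Constructed sample traffic: an approved offer, a rogue router's offer, and a
# spoofed-source ACK whose server identifier gives the rogue away.
SAMPLE_FRAMES = [
    build_dhcp_reply("10.1.0.5", "00:11:22:33:44:55", "10.1.0.77", 2, "10.1.0.5"),
    build_dhcp_reply("192.168.1.1", "00:11:22:33:44:55", "192.168.1.100", 2, "192.168.1.1"),
    build_dhcp_reply("10.1.0.5", "00:11:22:33:44:66", "10.1.0.80", 5, "10.9.9.9"),
]


def scan(frames):
    """Run check_packet over a list of frames and return the alerts."""
    return [a for a in map(check_packet, frames) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(alert)
```

Checking option 54 as well as the IP source catches a rogue that spoofs the approved server's address in the IP header but hands out its own address as the server identifier, which the pass/alert pair (keyed only on the source IP) would let through. The rules and this check both look at server-to-client traffic (offers and ACKs), which is the direction that reveals a rogue server; a single alert rule with a negated source (alert udp !$DHCP_SERVERS 67 -> any 68) expresses the same thing without depending on pass-rule ordering.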
Current thread:
- Rogue DHCP servers Martin Jr., D. Michael (Oct 30)
- Re: Rogue DHCP servers Bennett Todd (Oct 31)
- <Possible follow-ups>
- RE: Rogue DHCP servers Kaplan, Andrew H. (Oct 30)
- RE: Rogue DHCP servers Martin Jr., D. Michael (Oct 30)
- Re: Rogue DHCP servers Jason Haar (Oct 30)
- RE: Rogue DHCP servers Kaplan, Andrew H. (Oct 31)
- RE: Rogue DHCP servers Martin Jr., D. Michael (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)
- Re: Rogue DHCP servers Jon Hart (Oct 31)
- RE: Rogue DHCP servers Gilbert Mendoza (Oct 31)