Snort mailing list archives
Alternatives to matching on source MAC
From: "Jason Rohm" <jtrohm () rohmtech com>
Date: Mon, 23 Jun 2014 19:52:59 -0500
Warning: List Noob. I am looking for an alternate way to match a particular event that needs to somehow reference the source MAC.

Background: My company has identified a bug in some Kaspersky products that causes the device to send a DHCP discover message with what appears to be a crafted MAC address as the source client identifier. After further inspection, it appears what is really going on is that the software is causing devices to request DHCP leases for other NICs on the system. The most common example appears to be Windows 7 Pro laptops that are plugged in to a wired Ethernet jack. We see DHCP discover messages with a source MAC of the wired NIC but a client ID of the wireless NIC.

The problem can be fairly easily found by running Wireshark on the local network, capturing "udp port 67" and using the filter: "(bootp.option.dhcp==01)&&!(bootp.hw.mac_addr==eth.src)". Unfortunately, without the ability to look backward into the L2 header, I'm unsure how to match this as a Snort rule.

This symptom by itself is more of an annoyance than anything else and isn't a situation you wouldn't run into under normal circumstances (such as an IP helper/DHCP forwarder). However, because the packet is malformed and not handled on return by the PC, the Windows DHCP server perceives this as a BOOTP request and, absent accounting for this, creates a 30 day lease for the bogus device. The end result in many cases is effectively to DoS your network by DHCP pool exhaustion.

Looking for ways to pragmatically alert upon seeing this event. Thanks Much!
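The check the Wireshark filter performs (DHCP Discover whose BOOTP chaddr differs from the Ethernet source address) can be run offline over raw frames when an IDS rule cannot reach the L2 header. The following is an added example, not code from the original post or from Snort: it parses Ethernet/IPv4/UDP/BOOTP by hand and flags the mismatch, and it builds constructed sample frames (made-up MAC addresses, no IP checksum) so it runs without a capture.

```python
import struct

DHCP_COOKIE = b"\x63\x82\x53\x63"  # magic cookie that precedes DHCP options

def parse_dhcp_frame(frame: bytes) -> dict:
    """Return eth_src, BOOTP chaddr and DHCP options from a raw client frame."""
    eth_src = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != 67:
        raise ValueError("not a client-to-server DHCP message")
    b = frame[udp + 8:]                   # BOOTP payload
    hlen = b[2]                           # hardware address length (6 for Ethernet)
    chaddr = b[28:28 + hlen]              # client hardware address field
    if b[236:240] != DHCP_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(b) and b[i] != 255:     # 255 = End option
        if b[i] == 0:                     # 0 = Pad option, no length byte
            i += 1
            continue
        code, ln = b[i], b[i + 1]
        opts[code] = b[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"eth_src": eth_src, "chaddr": chaddr, "opts": opts}

def is_mismatched_discover(frame: bytes) -> bool:
    """True for a DHCP Discover (option 53 == 1) whose chaddr != eth.src."""
    p = parse_dhcp_frame(frame)
    if p["opts"].get(53) != b"\x01":
        return False
    return p["chaddr"] != p["eth_src"]

def build_discover(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: broadcast Discover, 0.0.0.0 -> 255.255.255.255, UDP 68->67."""
    opts = b"\x35\x01\x01" + b"\x3d\x07\x01" + chaddr + b"\xff"   # msg type, client id, end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, DHCP_COOKIE) + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp              # checksum left 0 (sample only)
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip
```

Feeding real frames (for example, packets read from a pcap of "udp port 67") into is_mismatched_discover gives the same hits as the Wireshark filter; the client-id option (61) is also left in opts so the wireless MAC can be included in the alert.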
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!