Snort mailing list archives

DHCP Rules: Snort on W2k


From: Brian Ertel <bsertel () amherst edu>
Date: Fri, 25 Jan 2002 14:08:33 -0500

Hello,

I am trying to detect a renegade DHCP server on my
network.  Its IP address is unknown; however, I have
its MAC address.  I wrote a DHCP Rule to try to catch
a DHCP event from this renegade server.  The rule is as
follows.  I am REALLY unsure about its syntax as I have
never written a rule.  ANY help is greatly appreciated.

alert udp $HOME_NET 547 -> $HOME_NET any (msg: "DHCP Req @ Ack";)

Thank you,

Brian

----------------------------------
Brian Ertel
Systems & Networking
Amherst College
Voice: 413-542-8320
Fax:    413-542-2626
bsertel () amherst edu
----------------------------------

