Snort mailing list archives

Re: Rogue DHCP servers


From: Bennett Todd <bet () rahul net>
Date: Fri, 31 Oct 2003 09:19:01 -0500

2003-10-30T15:10:57 Martin Jr., D. Michael:
I have heard about a "plugin" for Snort but haven't found it as
yet for detecting rogue DHCP servers.

There may exist a helpful plugin for this, I don't know. But since I
haven't seen anyone else point out the plugin you want, I offer an
alternative.

The canonical way to make snort alert on rogue "foo" is to tell it
to ignore the legitimate "foo", then tell it to alert on any "foo"
it sees. It's possible to tell snort to ignore stuff with snort
rules and a config tweak, or with bpf filter rules. Somehow it seems
to work out that the bpf filter rules end up being the way to go,
most of the time, or so is the impression I get.

So you want bpf filter rules to drop legit DHCP replies from your
real servers. If you have more than a couple of legit DHCP servers,
that'll probably end up meaning you want to put your bpf rules in a
file; the cmdline gets long quickly. Then you want a rule, local.rules
would be the canonical place to put it, that alerts on any DHCP
replies you see.

-Bennett
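As an added example (not part of Bennett's post or of the Snort project), here is a small POSIX shell script that builds the two pieces his approach needs: the BPF filter that hides replies from the legitimate servers, and the local.rules entry that alerts on any DHCP server reply Snort still sees. The server addresses, file names and SID are placeholders, and the `snort -F` invocation in the comments assumes Snort 2 command-line syntax.

```shell
#!/bin/sh
# Added example, not Bennett's code. Assumes Snort 2 rule and command-line
# syntax and IPv4 server addresses; every address and path below is a placeholder.

# Print a BPF expression that hides replies from the listed legitimate DHCP
# servers. DHCP server replies come from UDP source port 67; relay agents
# forward them from port 67 as well, so relays belong in this list too.
rogue_dhcp_bpf() {
    [ "$#" -gt 0 ] || { echo "rogue_dhcp_bpf: need at least one server address" >&2; return 1; }
    _hosts=""
    for _ip in "$@"; do
        # Minimal sanity check (dotted digits only): a stray token here makes
        # libpcap reject the whole filter when Snort starts.
        case "$_ip" in
            ""|*[!0-9.]*|*..*|.*|*.) echo "rogue_dhcp_bpf: bad address: $_ip" >&2; return 1 ;;
        esac
        if [ -z "$_hosts" ]; then
            _hosts="src host $_ip"
        else
            _hosts="$_hosts or src host $_ip"
        fi
    done
    # The leading "not" matters: a BPF filter applies to the whole sensor, so
    # "udp and src port 67 and not (...)" would pass DHCP only and blind every
    # other Snort rule. Negating just the legitimate replies keeps the rest.
    printf 'not (udp and src port 67 and (%s))\n' "$_hosts"
}

# Print the local.rules entry that alerts on any DHCP server reply left over
# after the BPF filter. The SID is a placeholder in the local (>= 1000000) range.
rogue_dhcp_rule() {
    printf 'alert udp any 67 -> any 68 (msg:"Rogue DHCP server reply"; sid:%s; rev:1;)\n' "${1:-1000001}"
}

# Write both files into a directory so the filter can be handed to Snort with
# -F instead of a long command line. First argument is the directory, the
# rest are the legitimate server (and relay) addresses.
write_rogue_dhcp_files() {
    _dir="${1:-./snort-rogue-dhcp}"
    [ "$#" -gt 0 ] && shift
    _bpf=$(rogue_dhcp_bpf "$@") || return 1
    mkdir -p "$_dir"
    printf '%s\n' "$_bpf" > "$_dir/legit-dhcp.bpf"
    rogue_dhcp_rule > "$_dir/local.rules"
    echo "$_dir"
}

# Demo with constructed addresses (set ROGUE_DHCP_DEMO=1 to run it), followed
# by the assumed Snort 2 invocation:
#   snort -c /etc/snort/snort.conf -F ./snort-rogue-dhcp/legit-dhcp.bpf
if [ "${ROGUE_DHCP_DEMO:-0}" = 1 ]; then
    write_rogue_dhcp_files ./snort-rogue-dhcp 10.0.0.1 10.0.0.2 192.168.1.1
fi
```

Before pointing Snort at the filter file, compile it with `tcpdump -d -F ./snort-rogue-dhcp/legit-dhcp.bpf` to catch syntax errors, and replay a capture that contains a known-good server reply with `tcpdump -r sample.pcap -F ./snort-rogue-dhcp/legit-dhcp.bpf 'udp src port 67'` to confirm nothing from the legitimate servers is left. The same exclusion can also be expressed in the rule itself with a negated variable (`alert udp !$DHCP_SERVERS 67 -> any 68 ...`), which keeps the sensor's BPF filter untouched but, as Bennett notes, tends to be the less common choice.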

