Snort mailing list archives
Re: Rogue DHCP servers
From: Jon Hart <warchild () spoofed org>
Date: Fri, 31 Oct 2003 10:35:57 -0500
On Fri, Oct 31, 2003 at 07:23:13AM -0600, Martin Jr., D. Michael wrote:
> ACLs are your friends. BUT, when you have legacy wiring and hubs and all of the users on one VLAN (and that is your only choice because of the wiring and existing infrastructure), ACLs aren't that viable. In our setting, each person in our residence halls is connected to a 10Mb Baystack Hub. In turn, each building (with multiple hubs in the building) is then connected to a central campus Cisco switch. We could implement ACLs at that switch level but that does not keep students from putting DHCP servers (and routers... and they buy those for their rooms all the time) within the building. I need to use Snort to detect those routers in those buildings proactively so we can go and find them and disconnect them from the network so that services can be restored to the rest of the student population.
If you want to use Snort to do this, I'd suggest doing what someone else has already suggested -- use bpf filters. Assuming ethernet, something like this should catch rogue DHCPOFFERs:

    udp and src port 67 and dst port 68 and not src ether '($server1 or $server2 or $server3)'

This is mostly because I don't think you can write snort rules that will match based on ethernet addresses.

To make this rule even better, you could use the byte_* options to match certain parts of the packet to ensure that it is a DHCP packet and that it is indeed rogue. If I had to choose, I'd start with making sure the BOOTP 'op' field was a BOOTREPLY and that 'yiaddr' is something other than the IP address(es) of your valid DHCP servers.

Of course, if you don't want to get that fancy, you don't even need snort to do this. tcpdump alone will work.

But, keep in mind that unless you can actually see the packets on the rogue student networks, you may be S.O.L. DHCP/BOOTP reply packets are unicast back to the client, so it is entirely possible that you won't see these on truly rogue networks. To the best of my knowledge, the only packets that are broadcast are the initial DHCPDISCOVERs from the client and subsequent DHCPREQUESTs (which are essentially packets sent to the broadcast ethernet address saying "I pick this IP address as my DHCP server"). After that, everything is unicast to/from a specific server.

Good luck,
-jon
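The check Jon sketches above (server-to-client UDP 67/68, BOOTP 'op' set to BOOTREPLY, and the sender compared against an allow-list of legitimate DHCP servers) is shown below as an added example written for this archive page; it is not code from Jon, from Snort, or from anyone else in the thread. It parses a raw Ethernet frame with the standard library only and flags a DHCP reply whose source MAC, or whose DHCP Server Identifier option (option 54, the field where a DHCP server names itself), is not on the allow-list. The MAC and IP addresses, the allow-list contents and the sample frames are all constructed for the example, and the build_offer helper exists only to produce test input offline.

```python
import ipaddress
import struct
from typing import Optional

# Allow-list of authorised DHCP servers (constructed placeholder values).
VALID_SERVER_MACS = {"00:11:22:33:44:55"}
VALID_SERVER_IPS = {"10.0.0.1"}

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 magic cookie after the BOOTP header
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255


def parse_options(raw: bytes) -> dict:
    """Walk the TLV option area; stop at END (255), skip PAD (0)."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_frame(frame: bytes) -> Optional[dict]:
    """Ethernet/IPv4/UDP/BOOTP parser; returns None unless this is a server->client DHCP packet."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 17:                      # need IPv4 header carrying UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != 67 or dport != 68:                       # the same ports the bpf filter uses
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    return {
        "src_mac": src_mac,
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "op": bootp[0],
        "yiaddr": str(ipaddress.IPv4Address(bootp[16:20])),
        "siaddr": str(ipaddress.IPv4Address(bootp[20:24])),
        "options": parse_options(bootp[240:]),
    }


def classify(frame: bytes):
    """Return ('ignore'|'ok'|'rogue', reasons) for one captured frame."""
    f = parse_frame(frame)
    if f is None or f["op"] != BOOTREPLY:
        return "ignore", []
    reasons = []
    if f["src_mac"] not in VALID_SERVER_MACS:
        reasons.append(f"reply from unknown server MAC {f['src_mac']}")
    server_id = f["options"].get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        reasons.append("reply carries no server identifier option")
    elif str(ipaddress.IPv4Address(server_id)) not in VALID_SERVER_IPS:
        reasons.append(f"server identifier {ipaddress.IPv4Address(server_id)} not on allow-list")
    return ("rogue" if reasons else "ok"), reasons


def build_offer(src_mac: str, src_ip: str, server_id: str, yiaddr: str, op: int = BOOTREPLY) -> bytes:
    """Constructed DHCPOFFER frame used as sample input; not a real capture."""
    opts = (bytes([OPT_MESSAGE_TYPE, 1, 2, OPT_SERVER_ID, 4])
            + ipaddress.IPv4Address(server_id).packed + bytes([OPT_END]))
    bootp = (struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
             + b"\0" * 4                                   # ciaddr
             + ipaddress.IPv4Address(yiaddr).packed        # yiaddr (address offered to client)
             + ipaddress.IPv4Address(src_ip).packed        # siaddr
             + b"\0" * 4 + b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # giaddr, chaddr, sname, file
             + DHCP_MAGIC + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


GOOD_OFFER = build_offer("00:11:22:33:44:55", "10.0.0.1", "10.0.0.1", "10.0.0.50")
ROGUE_OFFER = build_offer("de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.1", "192.168.1.100")
NOT_A_REPLY = build_offer("00:11:22:33:44:55", "10.0.0.1", "10.0.0.1", "10.0.0.50", op=BOOTREQUEST)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER), ("request", NOT_A_REPLY)):
        print(name, *classify(frame))
```

Feeding real frames in is a matter of handing each captured packet's bytes to classify(); the allow-list is what turns a generic DHCP parser into a rogue-server detector, and, as Jon notes, the sensor still has to sit where it can see the unicast replies.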