Snort mailing list archives

Re: Rogue DHCP servers


From: Jon Hart <warchild () spoofed org>
Date: Fri, 31 Oct 2003 10:35:57 -0500

On Fri, Oct 31, 2003 at 07:23:13AM -0600, Martin Jr., D. Michael wrote:
> ACLs are your friends.  BUT, when you have legacy wiring and hubs and
> all of the users on one VLAN (and that is your only choice because of
> the wiring and existing infrastructure), ACLs aren't that viable.
>
> In our setting, each person in our residence halls is connected to a
> 10Mb Baystack Hub.  In turn, each building (with multiple hubs in the
> building) is then connected to a central campus Cisco switch.  We could
> implement ACLs at that switch level but that does not keep students from
> putting DHCP servers (and routers...and they buy those for their rooms
> all the time) within the building.
>
> I need to use Snort to detect those routers in those building
> proactively so we can go and find them and disconnect them from the
> network so that services can be restored to the rest of the student
> population.

If you want to use Snort to do this, I'd suggest doing what someone else
has already suggested -- use bpf filters.

Assuming ethernet, something like this should catch rogue DHCPOFFERs: 

udp and src port 67 and dst port 68 and not (ether src $server1 or
ether src $server2 or ether src $server3)

This is mostly because I don't think you can write snort rules that will
match based on ethernet addresses.

To make this rule even better, you could use the byte_* options to match
certain parts of the packet to ensure that it is a DHCP packet and that
it is indeed rogue.  If I had to choose, I'd start with making sure the
BOOTP 'op' field was a BOOTREPLY and that 'yiaddr' is something other
than the IP address(es) of your valid DHCP servers.  Of course, if you
don't want to get that fancy, you don't even need snort to do this.
tcpdump alone will work.

But, keep in mind that unless you can actually see the packets on the
rogue student networks, you may be S.O.L.  DHCP/BOOTP reply packets are
unicast back to the client, so it is entirely possible that you won't
see these on truly rogue networks.  To the best of my knowledge, the
only packets that are broadcasted are the initial DHCPDISCOVERs from the
client and subsequent DHCPREQUESTs (which are essentially packets sent
to the broadcast ethernet address saying "I pick this IP address as my
DHCP server").  After that, everything is unicasted to/from a specific
server.

Good luck,

-jon
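The layered check Jon sketches (source MAC not on the allowlist of real DHCP servers, BOOTP 'op' equal to BOOTREPLY, and the server address in the reply not belonging to a legitimate server) can be prototyped outside Snort before turning it into byte_* rules. The Python below is an added example, not code from the post or from the Snort project: it parses raw Ethernet/IPv4/UDP/BOOTP frames by hand and flags rogue offers. The allowed MACs and IPs are constructed placeholders, and instead of 'yiaddr' it compares the DHCP server identifier (option 54), which is the address the offering server claims for itself; the sample frame builder exists only so the detector can be exercised offline.

```python
"""Rogue DHCP offer detector (added example, not from the original post)."""
import struct
from typing import Optional

# Constructed allowlists (placeholders): replace with the real DHCP servers.
ALLOWED_SERVER_MACS = {"00:11:22:33:44:55"}
ALLOWED_SERVER_IPS = {"10.0.0.1"}

BOOTREPLY = 2          # BOOTP 'op' value for a server -> client packet
DHCPOFFER = 2          # DHCP message type (option 53) value for an offer
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_options(data: bytes) -> dict:
    """Decode DHCP TLV options; tag 0 is a pad byte, tag 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255 or i + 1 >= len(data):
            break
        length = data[i + 1]
        opts[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_dhcp_reply(frame: bytes) -> Optional[dict]:
    """Return the fields of a UDP 67->68 BOOTP packet, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # not IPv4 over Ethernet
    src_mac = frame[6:12]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 17:             # IP protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if sport != 67 or dport != 68:                   # server -> client direction only
        return None
    bootp = ip[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_options(bootp[240:])
    return {
        "src_mac": mac_str(src_mac),
        "src_ip": ip_str(ip[12:16]),
        "op": bootp[0],                              # BOOTP op: 1 request, 2 reply
        "yiaddr": ip_str(bootp[16:20]),              # address offered to the client
        "siaddr": ip_str(bootp[20:24]),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": ip_str(opts[54]) if 54 in opts else None,
    }

def classify(frame: bytes) -> Optional[str]:
    """'rogue', 'ok', or None when the frame is not a DHCP server reply."""
    pkt = parse_dhcp_reply(frame)
    if pkt is None or pkt["op"] != BOOTREPLY:
        return None
    if pkt["src_mac"] not in ALLOWED_SERVER_MACS:
        return "rogue"                               # the bpf-filter check
    if pkt["msg_type"] == DHCPOFFER and pkt["server_id"] not in ALLOWED_SERVER_IPS:
        return "rogue"                               # known MAC, unexpected server id
    return "ok"

def build_offer(src_mac: str, server_ip: str, client_ip: str) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP DHCPOFFER frame for offline testing."""
    sip = bytes(int(x) for x in server_ip.split("."))
    cip = bytes(int(x) for x in client_ip.split("."))
    options = bytes([53, 1, DHCPOFFER, 54, 4]) + sip + b"\xff"
    # op/htype/hlen/hops, then xid+secs+flags+ciaddr (12 bytes), yiaddr, siaddr,
    # then giaddr+chaddr+sname+file (212 bytes) up to the magic cookie at 236.
    bootp = (bytes([BOOTREPLY, 1, 6, 0]) + b"\x00" * 12 + cip + sip
             + b"\x00" * 212 + DHCP_MAGIC + options)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     sip, b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip

if __name__ == "__main__":
    print(classify(build_offer("de:ad:be:ef:00:01", "192.168.1.1", "192.168.1.100")))
```

Feed `classify()` raw frames from a sniffer or a pcap reader on the segment you can actually see; as the reply notes, unicast offers on a rogue router's private side never reach the campus side, so a hit here confirms a rogue on the shared hub segment, while a miss proves nothing.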


