Snort mailing list archives

Alternatives to matching on source MAC


From: "Jason Rohm" <jtrohm () rohmtech com>
Date: Mon, 23 Jun 2014 19:52:59 -0500

Warning: List Noob.

I am looking for an alternate way to match a particular event that needs to
somehow reference the source MAC.

Background:

My company has identified a bug in some Kaspersky products that causes the
device to send a DHCP discover message with what appears to be a crafted MAC
address as the source client identifier. After further inspection, it
appears what is really going on is that the software is causing devices to
request DHCP leases for other NICs on the system.

The most common example appears to be Windows 7 Pro laptops that are plugged
in to a wired Ethernet jack. We see DHCP discover messages with a source MAC
of the wired NIC but a client ID of the wireless NIC. 

The problem can be fairly easily found by running wireshark on the local
network, capturing "udp port 67" and using the filter:
"(bootp.option.dhcp==01)&&!(bootp.hw.mac_addr==eth.src)". Unfortunately,
without the ability to look backward into the L2 header, I'm unsure how to
match this as a Snort rule.

This symptom by itself is more of an annoyance than anything else and isn't
a situation you wouldn't run into under normal circumstances (such as an IP
helper/DHCP forwarder). However, because the packet is malformed and not
handled on return by the PC, the Windows DHCP server perceives this as a
BOOTP request and, absent accounting for this, creates a 30 day lease for
the bogus device. The end result in many cases is effectively to DoS your
network by DHCP pool exhaustion.

Looking for ways to pragmatically alert upon seeing this event.

Thanks Much!
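The condition the Wireshark filter above expresses, written out as an added example that is not part of the original post or of Snort: a small Python parser that walks an Ethernet/IPv4/UDP/DHCP frame, pulls out the Ethernet source MAC and the DHCP client hardware address (chaddr, the field bootp.hw.mac_addr refers to), and flags a DHCP Discover whose chaddr is not the frame's source MAC. It also skips requests that have giaddr set, since a relayed request (the IP helper/DHCP forwarder case mentioned in the post) legitimately arrives with the relay's MAC as the Ethernet source. The frames, MAC addresses and the build_discover helper are all constructed here for illustration, not taken from a real capture; the check runs over a list of frames so the same logic could be fed from a pcap reader.

```python
"""Added example: detect DHCP Discover frames whose chaddr differs from eth.src.
Constructed frames only; nothing here comes from the original post."""
import struct

DHCP_DISCOVER = 1                      # DHCP option 53 value for Discover
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the DHCP options


def mac_str(raw: bytes) -> str:
    """Render a hardware address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_frame(frame: bytes):
    """Extract eth_src, chaddr, giaddr and DHCP message type from a frame.

    Returns None for anything that is not an IPv4/UDP datagram to port 67
    carrying a BOOTP/DHCP payload with the magic cookie in place.
    """
    if len(frame) < 14 + 20 + 8 + 240:         # minimal Ethernet+IP+UDP+DHCP
        return None
    eth_src = frame[6:12]
    if frame[12:14] != b"\x08\x00":            # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                            # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    dport = struct.unpack("!H", udp[2:4])[0]
    if dport != 67:                            # DHCP server port
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[236:240] != MAGIC_COOKIE:
        return None
    hlen = min(dhcp[2], 16)                    # chaddr field is 16 bytes wide
    chaddr = dhcp[28:28 + hlen]
    giaddr = dhcp[24:28]
    msg_type = None
    i = 240                                    # walk the TLV options for 53
    while i < len(dhcp):
        code = dhcp[i]
        if code == 0:                          # pad option
            i += 1
            continue
        if code == 255 or i + 1 >= len(dhcp):  # end option / truncated
            break
        length = dhcp[i + 1]
        if code == 53 and length == 1 and i + 2 < len(dhcp):
            msg_type = dhcp[i + 2]
        i += 2 + length
    return {"eth_src": mac_str(eth_src), "chaddr": mac_str(chaddr),
            "giaddr": giaddr, "msg_type": msg_type}


def is_mismatched_discover(frame: bytes) -> bool:
    """True for a locally originated Discover whose chaddr is not eth.src.
    Relayed requests (giaddr set) are skipped: eth.src is then the relay."""
    p = parse_dhcp_frame(frame)
    if p is None or p["msg_type"] != DHCP_DISCOVER:
        return False
    if p["giaddr"] != b"\x00\x00\x00\x00":
        return False
    return p["chaddr"] != p["eth_src"]


def find_mismatches(frames):
    """Run the check over a sequence of frames; return (eth_src, chaddr) hits."""
    hits = []
    for f in frames:
        if is_mismatched_discover(f):
            p = parse_dhcp_frame(f)
            hits.append((p["eth_src"], p["chaddr"]))
    return hits


def build_discover(eth_src: bytes, chaddr: bytes,
                   giaddr: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample frame: broadcast DHCP Discover from eth_src with an
    independently chosen chaddr. IP/UDP checksums are left zero."""
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr)
    dhcp += chaddr.ljust(16, b"\x00")          # chaddr, padded to 16 bytes
    dhcp += b"\x00" * 64 + b"\x00" * 128       # sname, file
    dhcp += MAGIC_COOKIE + bytes([53, 1, DHCP_DISCOVER, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip


if __name__ == "__main__":
    wired = bytes.fromhex("001122334455")       # constructed MAC addresses
    wireless = bytes.fromhex("66778899aabb")
    sample = [build_discover(wired, wired), build_discover(wired, wireless)]
    for src, hw in find_mismatches(sample):
        print(f"ALERT: DHCP Discover from {src} requests a lease for chaddr {hw}")
```

The second sample frame reproduces the symptom described above (wired NIC as eth.src, wireless NIC's address in chaddr) and is the only one reported; the first, where the two agree, and a relayed copy with giaddr set both pass. Because the check needs the Ethernet header and the DHCP payload together, it belongs at the capture point on the local segment, before any relay rewrites the L2 source.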

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net