Snort mailing list archives

Re: snort and dhcp new devices on network


From: Sharif Uddin <Sharif.Uddin () spectrumgeo com>
Date: Mon, 30 Mar 2015 11:33:24 +0000

I currently have the following rule in local.rules

alert udp $HOME_NET any -> $DHCP_SERVERS any (msg:"DHCP";content:"|35 01 08|";sid:1000042; rev:1;)



First of all, it does not seem to get any events. Secondly, I need to check if it is a known network device by running a 
script which checks a MySQL table for the MAC address, or if it is an unknown device, to block it from receiving a DHCP 
address, which I do not know how to do.


From: Sharif Uddin [mailto:Sharif.Uddin () spectrumgeo com]
Sent: 30 March 2015 11:08
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort and dhcp new devices on network

Hello


Is it possible to set up Snort to monitor new devices on the network using DHCP logs etc. and be able to disable unknown 
devices?


Currently I am doing monitoring using a Nagios plugin, which only just alerts us. If I can get Snort to alert and disable, 
that would be great.


If it is possible, can anyone shed some light on how to do this, please?


Sharif
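
The check described in this message, sketched as an added example (not code from the original post or from Snort): it parses a DHCP payload, reads the client MAC from the chaddr field and the message type from option 53, and compares the MAC with a known-device set. In RFC 2132, option 53 with length 1 and value 8 (the bytes 35 01 08) is DHCPINFORM; DISCOVER is 1 and REQUEST is 3. The function names, the KNOWN set standing in for the MySQL table, and the sample packets are assumptions constructed for illustration.

```python
# Added example: DHCP message types from RFC 2132, option 53.
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = bytes.fromhex("63825363")

def parse_dhcp(payload):
    """Return (client_mac, message_type) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[1] != 1 or payload[2] != 6:               # htype Ethernet, hlen 6
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:34])   # chaddr field
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # pad option, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                        # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                        # truncated option value
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], "UNKNOWN")
        i += 2 + length
    return mac, msg_type

def classify(payload, known_macs):
    """Verdict for one payload; known_macs stands in for the MySQL table."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return "not-dhcp"
    mac, msg_type = parsed
    if msg_type not in ("DISCOVER", "REQUEST"):          # lease acquisition only
        return "ignored"
    return "known" if mac in known_macs else "unknown"

def build_sample(mac, type_code):
    """Constructed minimal client packet: 236-byte BOOTP header + options."""
    header = bytes([1, 1, 6, 0]) + bytes(24) + bytes.fromhex(mac.replace(":", ""))
    header += bytes(10 + 64 + 128)                       # chaddr padding, sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, type_code, 255])

KNOWN = {"00:11:22:33:44:55"}                            # constructed allowlist
if __name__ == "__main__":
    for mac, code in [("00:11:22:33:44:55", 1), ("de:ad:be:ef:00:01", 3),
                      ("de:ad:be:ef:00:01", 8)]:
        print(mac, MSG_TYPES[code], classify(build_sample(mac, code), KNOWN))
```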

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
