[Snort-sigs] DHCP Attack

Chris Reining creining at ...1973...
Wed Aug 18 21:08:03 EDT 2004


Arif,
A simple rule like the following should do the trick:

alert udp !$HOME_NET 67 -> any 68 (msg:"Potential Rogue DHCP server"; sid:1000001;)

Chris

On Thu, Aug 19, 2004 at 09:15:13AM +0700, arif.jatmoko at ...2741... wrote:
> 
> 
> Hi list,
> 
> I have experienced a problem during the last two days with a kind of DHCP attack.
> There was more than one DHCP server available on the network using a private
> IP address (192.168.x.x) while our DHCP uses a public IP address. Every DHCP
> client request was served by those rogue DHCP servers. Can we detect this kind of
> attack?
> I'm thinking about DNS spoofing, DHCP spoofing and other MITM attack. I
> knew that there are tools like dhcploc.exe bundled with Win2k Resource Kit
> or dhcp_probe available at
> http://www.net.princeton.edu/software/dhcp_probe/.
> 
> PS. Our DHCP server is using Win2K with Active Directory enabled, while a
> rogue DHCP server is using Win2K on VMWare (other PCs).
> 
> Thanks,
> Arif Jatmoko
> 
> 
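
An added example, not part of the original thread and not Snort code: the same check applied to the DHCP payload itself, flagging server replies (OFFER/ACK/NAK) whose source address or server identifier (option 54) is not on an allowlist. The allowlist address, the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Constructed allowlist; replace with the site's real DHCP server addresses.
AUTHORIZED_SERVERS = {ipaddress.ip_address("203.0.113.10")}
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def parse_dhcp_options(payload):
    """Return {option_code: value} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated DHCP option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option")
        opts[payload[i]] = value
        i += 2 + length
    return opts

def check_reply(src_ip, payload, authorized=AUTHORIZED_SERVERS):
    """Return an alert string if a server reply comes from an unlisted server."""
    opts = parse_dhcp_options(payload)
    msg_type = (opts.get(53) or b"\x00")[0]         # option 53 = message type
    if payload[0] != 2 or msg_type not in SERVER_MSG_TYPES:  # op 2 = BOOTREPLY
        return None
    seen = {ipaddress.ip_address(src_ip)}
    if len(opts.get(54, b"")) == 4:                 # option 54 = server identifier
        seen.add(ipaddress.ip_address(opts[54]))
    rogue = sorted(str(ip) for ip in seen - set(authorized))
    if rogue:
        kind = SERVER_MSG_TYPES[msg_type]
        return f"Potential rogue DHCP server: {kind} from {', '.join(rogue)}"
    return None

def build_reply(server_id, msg_type=2):
    """Constructed sample: minimal BOOTREPLY carrying options 53 and 54."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", b"", b"", b"")
    sid = ipaddress.ip_address(server_id).packed
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + sid + b"\xff"
```
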



