[Snort-sigs] DHCP Attack

twebster at ...2725...
Thu Aug 19 13:49:04 EDT 2004




What sort of switch do you have?  Do you have a layer-3 switch aggregating
this traffic and routing?

You need to "span" a port or two into the snort box via your switch.  All
layer-3 and most layer-2 switches have some sort of spanning ability.
It depends on what sort of bandwidth you are talking about, but normally 2-3
gig ports would be adequate for many small-medium setups.

Tony

snort-sigs-admin at lists.sourceforge.net wrote on 08/19/2004 01:30:03 PM:

> Where do you have your Snort sensor for this rule? There are quite a few
> tools to find Rogue DHCP servers, but our problem has been finding a
> graceful solution to mitigate the amount of hardware needed to watch 30
> subnets.
>
> (Sorry... this is getting slightly off-topic) Is there some way to
> monitor several subnets from a single sensor? Our Cisco core router is
> programmed to pass all DHCP requests to a central server. Anyone know if
> there is something similar that can be done for all DHCP traffic?
>
> Thanks -- this is one of our largest concerns for our network come fall.
> (Not a memorable date for most Snort users -- but for those of us using
> Snort in an educational environment, it's a huge event to prepare for.)
>
> -Nick
>
> Kenneth G. Arnold wrote:
>
> >We have found the following rule to be very effective in spotting rogue
> >DHCP servers on our campus.
> >
> >#
> ># DHCP Servers
> >#
> >alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg:"DHCP Server On Campus"; sid:1000001;)
> >
> >Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
> >servers in your network.
> >
> >Kenneth Arnold
> >System Administrator
> >Christian Brothers University
> >
> >On Thu, 19 Aug 2004 arif.jatmoko at ...2741... wrote:
> >
> >
> >
> >>Hi list,
> >>
> >>I have experienced a problem during the last two days with a kind of DHCP
> >>attack. There was more than one DHCP server available on the network using
> >>private IP addresses (192.168.x.x) while our DHCP server uses a public IP
> >>address. Every DHCP client request was served by those rogue DHCP servers.
> >>Can we detect this kind of attack?
> >>I'm thinking about DNS spoofing, DHCP spoofing and other MITM attacks. I
> >>know that there are tools like dhcploc.exe bundled with the Win2k Resource
> >>Kit or dhcp_probe available at
> >>http://www.net.princeton.edu/software/dhcp_probe/.
> >>
> >>PS. Our DHCP server is running Win2K with Active Directory enabled, while
> >>the rogue DHCP servers are running Win2K on VMware (other PCs).
> >>
> >>Thanks,
> >>Arif Jatmoko
> >>
> >>
> >>
> >>-------------------------------------------------------
> >>SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> >>100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> >>Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> >>http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> >>_______________________________________________
> >>Snort-sigs mailing list
> >>Snort-sigs at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
> --
> ResTek, Residential Technology Services
> http://restek.wwu.edu, x2946
>
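The rule Kenneth posted matches on the IP/UDP header only: a reply from UDP port 67 to 255.255.255.255 from a source that is not in $DHCP_SERVERS. Two caveats are worth keeping in mind when deploying it. First, a DHCP server only broadcasts its OFFER/ACK when the client set the broadcast flag; a reply delivered unicast to the client's new address never hits 255.255.255.255 and the rule stays silent. Second, the sensor has to see the segment where the rogue server lives: ip helper-address on the core router relays client broadcasts to the central server, but a rogue server answers the client directly on the local segment, so a sensor placed only in front of the central server will never see those offers. The following script is an added example (my code, not from the thread or from Snort) that reimplements the posted rule's condition over constructed packets and adds a payload-aware check using DHCP option 53 (message type) and option 54 (Server Identifier), so unicast OFFER/ACK/NAK messages are flagged too. The authorised server address 203.0.113.10, the rogue 192.168.1.1 and all packets are constructed for the example.

```python
"""
Offline rogue-DHCP-server check over constructed DHCP packets.

Added example, not code from the thread: reimplements the posted Snort
rule's condition and adds a payload-aware check (options 53/54) that also
catches unicast server replies.  All addresses and packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the only legitimate server is 203.0.113.10 (a documentation
# address standing in for the campus server's public IP).  Relay agents that
# forward replies from port 67 must be listed here too, or they get flagged.
AUTHORIZED_DHCP_SERVERS = {"203.0.113.10"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP vendor-area magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}      # messages only a server sends


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes                        # BOOTP header + DHCP options


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: raw value} from a DHCP message, {} if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return {}
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(payload):
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_dhcp(op: int, msg_type: int, server_id: Optional[str] = None) -> bytes:
    """Construct a minimal BOOTP/DHCP message: 236-byte header, cookie, options."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_id.split("."))
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def snort_rule_matches(pkt: Packet) -> bool:
    """Same condition as: alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any"""
    return (pkt.src_port == 67
            and pkt.src_ip not in AUTHORIZED_DHCP_SERVERS
            and pkt.dst_ip == "255.255.255.255")


def rogue_server_check(pkt: Packet) -> Optional[str]:
    """Flag any server-originated DHCP message whose source IP or Server
    Identifier (option 54) is not authorised, whether broadcast or unicast."""
    if not (pkt.src_port == 67 and pkt.dst_port == 68):
        return None
    opts = parse_dhcp_options(pkt.payload)
    if OPT_MSG_TYPE not in opts:
        return None
    mtype = MSG_TYPES.get(opts[OPT_MSG_TYPE][0], "UNKNOWN")
    if mtype not in SERVER_MSGS:
        return None
    server_id = (".".join(str(b) for b in opts[OPT_SERVER_ID])
                 if OPT_SERVER_ID in opts else pkt.src_ip)
    if pkt.src_ip in AUTHORIZED_DHCP_SERVERS and server_id in AUTHORIZED_DHCP_SERVERS:
        return None
    return f"rogue DHCP {mtype} from {pkt.src_ip} (server-id {server_id}) to {pkt.dst_ip}"


# Constructed sample traffic (not a capture).
SAMPLE_PACKETS: List[Packet] = [
    # 0: legitimate broadcast OFFER from the authorised server
    Packet("203.0.113.10", "255.255.255.255", 67, 68, build_dhcp(2, 2, "203.0.113.10")),
    # 1: rogue 192.168.x.x server answering by broadcast: both checks catch it
    Packet("192.168.1.1", "255.255.255.255", 67, 68, build_dhcp(2, 2, "192.168.1.1")),
    # 2: same rogue server sending a unicast ACK: only the payload check catches it
    Packet("192.168.1.1", "192.168.1.50", 67, 68, build_dhcp(2, 5, "192.168.1.1")),
    # 3: client DISCOVER (port 68 -> 67) is not a server message
    Packet("0.0.0.0", "255.255.255.255", 68, 67, build_dhcp(1, 1)),
]


def flagged_by_rule(packets: List[Packet]) -> List[int]:
    return [i for i, p in enumerate(packets) if snort_rule_matches(p)]


def flagged_by_payload(packets: List[Packet]) -> List[int]:
    return [i for i, p in enumerate(packets) if rogue_server_check(p) is not None]


if __name__ == "__main__":
    for i, p in enumerate(SAMPLE_PACKETS):
        print(i, snort_rule_matches(p), rogue_server_check(p))
```

Run against the sample packets, the header-only rule flags only packet 1, while the payload check flags packets 1 and 2. In Snort terms the equivalent of the payload check is a second rule on `udp !$DHCP_SERVERS 67 -> any 68` with a content match on the message-type option, which is what you need if clients on your segments request unicast replies.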




