[Snort-users] DHCP Rules: Snort on W2k

Brian Ertel bsertel at ...4207...
Fri Jan 25 11:09:05 EST 2002


I am trying to detect a renegade DHCP server on my
network.  Its IP address is unknown; however, I have
its MAC address.  I wrote a DHCP rule to try to catch
a DHCP event from this renegade server.  The rule is as
follows.  I am REALLY unsure about its syntax, as I have
never written a rule.  ANY help is greatly appreciated.

alert udp $HOME_NET 547 -> $HOME_NET any (msg: "DHCP Req @ Ack";)

Thank you,


Brian Ertel
Systems & Networking
Amherst College
Voice: 413-542-8320
Fax:    413-542-2626
bsertel at ...4207...
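
An added example, not part of the original post: one way to find the IP address behind a known MAC is to parse captured Ethernet frames, keep only DHCPv4 server replies (UDP source port 67, BOOTREPLY, option 53 of OFFER/ACK/NAK), and compare the Ethernet source address. The function names and the sample MAC/IP values are constructed for illustration, and the frames are assumed to be raw untagged Ethernet bytes.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                 # marks the start of DHCP options
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send

def parse_server_reply(frame):
    """Return (src_mac, src_ip, type) for a DHCPv4 server reply, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # untagged IPv4 only
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:                   # IPv4 carrying UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:  # servers send from 67
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:
        return None                                      # op 2 = BOOTREPLY
    opts, i, msg_type = bootp[240:], 0, None
    while i < len(opts) and opts[i] != 255:              # 255 = end option
        if opts[i] == 0:                                 # pad option has no length
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if opts[i] == 53 and length == 1 and i + 2 < len(opts):
            msg_type = opts[i + 2]
        i += 2 + length
    if msg_type not in SERVER_TYPES:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, ".".join(map(str, ip[12:16])), SERVER_TYPES[msg_type]

def find_server(frames, mac):
    """List (ip, type) for server replies whose Ethernet source is `mac`."""
    hits = [parse_server_reply(f) for f in frames]
    return [(h[1], h[2]) for h in hits if h and h[0] == mac.lower()]

def build_frame(src_mac, src_ip, msg_type, sport=67, dport=68):
    """Construct a minimal sample frame (checksums left zero)."""
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp
```

Replies forwarded by a DHCP relay carry the relay's MAC as the Ethernet source, so this comparison is only meaningful on the server's own segment.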
