[Snort-users] DHCP Rules: Snort on W2k

Matt Kettler mkettler at ...4108...
Fri Jan 25 12:02:05 EST 2002


hmm... is there a windows port of arpwatch? if there is, use it and let it 
compile an IP->MAC address list for you.. Seems much simpler than trying to 
get snort to log DHCP.

If there's not a port of arpwatch, your idea seems somewhat reasonable, but 
are you sure you want to monitor DHCPv6 (this is really intended for IPv6 
networks, I suspect you have an IPv4 network unless you know what the 
difference is)

I'd suggest trying these first:

! catch initial assignments (detects bootp and IPv4 dhcp)
alert udp $HOME_NET 67 -> 255.255.255.255/32 68 (msg: "DHCP/BOOTP initial 
Req Ack";)

! renewals (detects bootp and IPv4 dhcp)
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg: "DHCP/BOOTP Renewal Ack";)


Note that when a DHCPing machine first fires up, it has no IP address, so 
the DHCP answer goes to the address 255.255.255.255 instead of anything in 
$HOME_NET.


At 02:08 PM 1/25/2002 -0500, Brian Ertel wrote:
>Hello,
>
>I am trying todetect a renegade DHCP server on my
>network.  It's IP address is unknow, however I have
>its MAC address.  I wrote a DHCP Rule to try to catch
>a DHCP event from this renegade server.  The rule is as
>follows.  I am REALLY unsure about it's syntax as I have
>never written a rule.  ANY help is greatly appreciated.
>
>alert udp $HOME_NET 547 -> $HOME_NET any (msg: "DHCP Req @ Ack";)
>
>Thank you,
>
>Brian





More information about the Snort-users mailing list