[Snort-users] snort and dhcp new devices on network

Sharif Uddin Sharif.Uddin at ...17113...
Mon Mar 30 07:33:24 EDT 2015

I currently have the following rule in local.rules

alert udp $HOME_NET any -> $DHCP_SERVERS any (msg:"DHCP";content:"|35 01 08|";sid:1000042; rev:1;)

First of all, it does not seem to get any events. Secondly, I need to check whether it is a known network device by running a script which checks a MySQL table for the MAC address, or, if it is an unknown device, to block it from receiving a DHCP address, which I do not know how to do.

From: Sharif Uddin [mailto:Sharif.Uddin at ...17113...]
Sent: 30 March 2015 11:08
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort and dhcp new devices on network


Is it possible to set up Snort to monitor new devices on the network using DHCP logs etc., and to be able to disable unknown devices?

Currently I am doing monitoring using a Nagios plugin, which only just alerts us. If I can get Snort to alert and disable, that would be great.

If it is possible, can anyone shed some light on how to do this, please?
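
Added example, not part of the original post: a Python sketch of the MAC lookup described above, which parses a DHCP payload, reads option 53 (the bytes the rule's content match targets) and the client hardware address, and checks the address against an allowlist. Option 53 value 8 is DHCPINFORM; a client requesting a lease sends DISCOVER (1) and REQUEST (3). The function names, the `KNOWN_MACS` set standing in for the MySQL table, and the sample packets are assumptions constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# Constructed allowlist standing in for the MySQL table of known devices.
KNOWN_MACS = {"02:00:00:00:00:01"}

def parse_dhcp(payload):
    """Return (client_mac, message_type) from a UDP payload, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[1] != 1 or payload[2] != 6:  # htype Ethernet, 6-byte hlen
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:34])  # chaddr field
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # End option
            break
        if code == 0:  # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # truncated option value
        if code == 53 and length == 1:  # option 53 = DHCP message type
            msg_type = MSG_TYPES.get(value[0], "UNKNOWN")
        i += 2 + length
    return mac, msg_type

def classify(payload, known_macs=KNOWN_MACS):
    """Label the sender of a DHCP message as known or unknown by MAC."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return None
    mac, msg_type = parsed
    return mac, msg_type, "known" if mac in known_macs else "unknown"

def build_sample(mac_hex, msg_type):
    """Constructed DHCP client message, for demonstration only."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(16) + bytes.fromhex(mac_hex) + bytes(10) + bytes(192)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
```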

