Re: [Snort-sigs] DHCP Attack

Thanks a bunch !!
I never thought this simple rule will working well.

Thanks again ..
Arif Jamoko

|+-----------------------------+------------------------------------------|
||   "Kenneth G. Arnold"       |                                          |
||   <bkarnold@cbu.edu>        |           To:                            |
||                             |   arif.jatmoko@sea.ccamatil.com          |
||   08/19/2004 09:29          |           cc:                            |
||                             |   snort-sigs@lists.sourceforge.net       |
||                             |           Subject:        Re:            |
||                             |   [Snort-sigs] DHCP Attack               |
||                             |                                          |
|+-----------------------------+------------------------------------------|






We have found the following rule to be very effective in spotting rogue
DHCP servers on our campus.

#
# DHCP Servers
#
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "DHCP Server On
Campus"; sid:1000001;)

Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
servers in your network.

Kenneth Arnold
System Administrator
Christian Brothers University

On Thu, 19 Aug 2004 arif.jatmoko@sea.ccamatil.com wrote:

> Hi list,
>
> I have experienced problem during last two days with kind of DHCP attack.
> There were more than one DHCP server available on the network using
private
> IP address (192.168.x.x) while our DHCP using public ip address. Every
DHCP
> client request served by those rogues DHCP. Can we detect this kind of
> attack ?
> I'm thinking about DNS spoofing, DHCP spoofing and other MITM attack.
> knew that there are tools like dhcploc.exe bundled with Win2k Resource
Kit
> or dhcp_probe available at
> http://www.net.princeton.edu/software/dhcp_probe/.
>
> PS. Our DHCP server using Win2K with active directory enabled, while
> rogues DHCP server using Win2K on VMWare (other PCs).
>
> Thanks,
> Arif Jatmoko
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________





-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs