Network Security Snort-Signatures

Re: [Snort-sigs] DHCP Attack

Subject: Re: [Snort-sigs] DHCP Attack
Date: Thu, 19 Aug 2004 14:47:34 -0600




What sort of switch do you have?  Do you have a layer-3 switch aggregating
this traffic and routing?

You need to "span" a port or two into the snort box via your switch?  All
layer-3 and most layer-2 switches have some sort of spanning ability.
Depends on what sort of bandwidth you are talking about, but normally 2-3
gig ports would be adequate for many small-medium setups.

Tony

snort-sigs-admin@lists.sourceforge.net wrote on 08/19/2004 01:30:03 PM:

Where do you have your Snort sensor for this rule? There are quite a few
tools to find Rogue DHCP servers, but our problem has been finding a
graceful solution to mitigate the amount of hardware needed to watch 30
subnets.

(Sorry... this is getting slightly off-topic) Is there some way to
monitor several subnets from a single sensor? Our Cisco core router is
programmed to pass all DHCP requests to a central server. Anyone know if
there is something similar that can be done for all DHCP traffic?

Thanks -- this is one of our largest concerns for our network come fall.
(Not a memorable date for most Snort users -- but for those of us using
Snort in an educational environment, it's a huge event to prepare for.)

-Nick

Kenneth G. Arnold wrote:

We have found the following rule to be very effective in spotting rogue
DHCP servers on our campus.

#
# DHCP Servers
#
alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any (msg: "DHCP Server On Campus"; sid:1000001;)

Define DHCP_SERVERS to be all the IP addresses that are valid DHCP
servers in your network.

Kenneth Arnold
System Administrator
Christian Brothers University
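As an added example (not part of Kenneth Arnold's post and not Snort project code), the Python script below applies the same allow-list idea to decoded DHCPv4 replies. `snort_rule_matches` mirrors the header match of the rule above; `check_reply` additionally decodes the BOOTP `op` field and the server-identifier option (54), so it also flags a rogue DHCPACK sent unicast to a renewing client, which the rule's `255.255.255.255` destination never matches. The allow-list address and the three packets are constructed sample data, not captured traffic.

```python
import ipaddress
import struct

# Allow-list of legitimate DHCP servers (constructed sample value; it plays
# the role of $DHCP_SERVERS in the Snort rule).
DHCP_SERVERS = {"10.0.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK"}


def snort_rule_matches(src_ip, src_port, dst_ip, allowed=DHCP_SERVERS):
    """Header-only logic of: alert udp !$DHCP_SERVERS 67 -> 255.255.255.255 any
    A unicast reply never matches, whoever sent it."""
    return (src_port == 67 and src_ip not in allowed
            and dst_ip == "255.255.255.255")


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the TLV options of a DHCPv4 message.
    Returns None if the payload is not DHCP; a truncated option ends parsing."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _ht, _hl, _hops, xid, _secs, _flags, _ci, yiaddr, _si, _gi = \
        struct.unpack("!BBBBIHH4s4s4s4s", payload[:28])
    info = {"op": op, "xid": xid, "msg_type": None, "server_id": None,
            "yiaddr": str(ipaddress.IPv4Address(yiaddr))}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:              # pad: single byte, no length
            i += 1
            continue
        if code == 255:            # end option
            break
        if i + 1 >= len(payload):  # option header cut off
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:    # option value cut off
            break
        if code == 53 and length == 1:
            info["msg_type"] = MSG_TYPES.get(value[0], "type%d" % value[0])
        elif code == 54 and length == 4:
            info["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info


def check_reply(src_ip, src_port, dst_ip, payload, allowed=DHCP_SERVERS):
    """Alert string for a server reply from outside the allow-list, else None.
    Both the IP source and option 54 must be an allowed server: a rogue can
    forge either field, a real server is consistent on both."""
    if src_port != 67:
        return None
    msg = parse_dhcp(payload)
    if msg is None or msg["op"] != 2:  # op 2 == BOOTREPLY
        return None
    sid = msg["server_id"]
    if src_ip in allowed and (sid is None or sid in allowed):
        return None
    return ("rogue DHCP server %s (server-id %s) sent %s for %s to %s"
            % (src_ip, sid, msg["msg_type"], msg["yiaddr"], dst_ip))


def build_reply(xid, yiaddr, server_id, msg_type):
    """Construct a minimal BOOTREPLY (sample input, not captured traffic)."""
    sid = ipaddress.IPv4Address(server_id).packed
    pkt = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                      sid, b"\0" * 4)
    pkt += b"\0\x11\x22\x33\x44\x55".ljust(16, b"\0")  # chaddr
    pkt += b"\0" * 64 + b"\0" * 128                    # sname, file
    return pkt + DHCP_MAGIC + bytes([53, 1, msg_type, 54, 4]) + sid + b"\xff"


def run_samples():
    """Three constructed packets -> (label, rule_fires, inspector_alert)."""
    samples = [
        ("legit offer", "10.0.0.1", "255.255.255.255",
         build_reply(0x1001, "10.0.5.23", "10.0.0.1", 2)),
        ("rogue offer", "192.168.1.1", "255.255.255.255",
         build_reply(0x1001, "192.168.1.50", "192.168.1.1", 2)),
        ("rogue unicast ack", "192.168.1.1", "192.168.1.50",
         build_reply(0x1002, "192.168.1.50", "192.168.1.1", 5)),
    ]
    return [(label, snort_rule_matches(src, 67, dst), check_reply(src, 67, dst, pkt))
            for label, src, dst, pkt in samples]


if __name__ == "__main__":
    for label, rule, alert in run_samples():
        print("%-18s rule=%-5s inspector=%s" % (label, rule, alert))
```

Running the script shows the rule and the inspector agreeing on the broadcast offers, while only the inspector reports the unicast DHCPACK; to cover that case in Snort itself the destination would have to be widened beyond the broadcast address, at the cost of also matching relayed server traffic on the subnets Nick describes.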

On Thu, 19 Aug 2004 arif.jatmoko@sea.ccamatil.com wrote:



Hi list,

I have experienced a problem during the last two days with a kind of DHCP
attack.
There were more than one DHCP server available on the network using
private IP addresses (192.168.x.x) while our DHCP server is using a public IP
address. Every DHCP client request is served by those rogue DHCP servers.
Can we detect this kind of attack?
I'm thinking about DNS spoofing, DHCP spoofing and other MITM attacks. I
know that there are tools like dhcploc.exe bundled with the Win2k Resource
Kit or dhcp_probe available at
http://www.net.princeton.edu/software/dhcp_probe/.

PS. Our DHCP server is using Win2K with Active Directory enabled, while the
rogue DHCP servers are using Win2K on VMware (other PCs).

Thanks,
Arif Jatmoko



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs









--
ResTek, Residential Technology Services
http://restek.wwu.edu, x2946






