Network Security: Detailed info on Re: [Snort-sigs] DHCP Attack

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Snort-Signatures

[Top] [All Lists]

Re: [Snort-sigs] DHCP Attack

from [Frank Knobbe] Network Security

[Permanent Link]

Subject:	Re: [Snort-sigs] DHCP Attack
Date:	Thu, 19 Aug 2004 22:56:55 -0500

On Thu, 2004-08-19 at 14:30, Nick Hatch wrote:

Where do you have your Snort sensor for this rule? There are quite a few 
tools to find Rogue DHCP servers, but our problem has been finding a 
graceful solution to mitigate the amount of hardware needed to watch 30 
subnets.


How about setting up a script on a box whose segment is monitored by
Snort. That script can fire a dummy "whos-my-dhcp-server-daddy"
broadcast query packet to 255.255.255.255 port 67 and see what machines
respond (server:67 to client:68... iirc). That way you don't need to
monitor each collision domain, only your broadcast domains.

In essence, you're baiting the rogue DHCP server with fake DHCP queries
:)

Regards,
Frank

signature.asc
Description: This is a digitally signed message part

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] DHCP Attack, arif . jatmoko Re: [Snort-sigs] DHCP Attack, Kenneth G. Arnold Re: [Snort-sigs] DHCP Attack, arif . jatmoko Re: [Snort-sigs] DHCP Attack, Nick Hatch Re: [Snort-sigs] DHCP Attack, Kenneth G. Arnold Re: [Snort-sigs] DHCP Attack, twebster Re: [Snort-sigs] DHCP Attack, Frank Knobbe <= Re: [Snort-sigs] DHCP Attack, Chris Reining

Previous by Date:	Re: [Snort-sigs] New adobe vulnerability, Frank Knobbe
Next by Date:	[Snort-sigs] BleedingSnort rules hits information, Federico Petronio
Previous by Thread:	Re: [Snort-sigs] DHCP Attack, twebster
Next by Thread:	Re: [Snort-sigs] DHCP Attack, Chris Reining
Indexes:	[Date] [Thread] [Top] [All Lists]