Address unknown, part 2

By Robert Currier, ITworld.com |  Networking

December 11, 2000, 2:18 PM In our last
column we talked about the problems we faced when a rogue DHCP server came to life
on our residential network. In this installment we'll show you how to use Snort, the
lightweight intrusion detection software, to grab the beast by the throat and put an
end to its bad behavior.

Taking advantage of the flexible rules language of snort, we quickly cranked out a DHCP
server detection rule set. Our generic rule looked like this:

    alert udp !$RES_NET 67 -> any 68 (msg: "Rogue DHCP
server...");

This rule tells snort to generate an alert if it sees a udp packet originating from a
network other than the home network -- in this example our residential network -- with
a source port of 67 (DHCP server) destined for port 68 (DHCP client) on any host.

The rule worked fine. In fact, it worked too well. Snort was detecting our enterprise
DHCP servers and generating tremendous amounts of logging data. We needed a way to
eliminate the valid traffic while still detecting rogue servers. Snort's pass alert
mechanism did the trick:

    pass udp 152.3.250.1 67 -> any 68;

    pass udp 152.3.250.2 67 -> any 68;

    pass udp 152.16.2.250 67 -> any 68;

    alert udp !$RES_NET 67 -> any 68 (msg: "Rogue DHCP
server...");

The new rule set should have done the trick. But it didn't. We were still seeing
traffic from the hosts we had told snort to ignore. What was going on?

Digging through the snort documentation we discovered that snort reads in all the rules
at execution time. The rules aren't evaluated in the order they are written. By
default snort reads rules in the following order: alert, log, pass. Evaluating the
rules in this sequence prevents a bad pass rule from defeating fifty valid alert
rules.

Fortunately for us snort provides a means to reverse the order of evaluation: the --o
command line option. Once we kicked off snort with the --o option our rule set worked
perfectly. Traffic from our enterprise servers was ignored and snort concentrated on
looking for rogue servers. And it didn't take long to find our problem:

    Xxxxx xxxxx xxxxxx 169.x.x.x.-> 10.0.1.35 .xxxx Rogue DHCP
server...

It turned out that student had installed an Apple Airport wireless hub in his dorm
room. He hadn't changed the default settings on the Airport and it was happily acting
as a DHCP server and handing out addresses in the 10.0.1.0 private network space. We
tracked the MAC address of the Airport hub to a dorm room and deactivated the port. A
quick phone call to the student and the mystery was solved.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

How do you enter DFU mode on an iPhone 4?
0 answers
Why are people freaking out about people taking photos with Google Glass?
0 answers
How much better is VP9 than VP8?
1 answer
More questions
Ask a Question