using Nagios to detect rogue DHCP servers?

Rogelio Bastardo scubacuda at gmail.com
Tue Jul 10 20:12:14 CEST 2007


>
>
> requires a whole new plugin written from scratch, I haven't seen a
> tcpdump like plugin. Therefore much more difficult and more time
> required, as well as more computationally intensive to watch all traffic
> for another dhcpoffer, when actually you'll get the same result.



What about writing a custom plugin that uses this GPL prog to return the
warning/critical/ok/pending values?

https://roguedetect.bountysource.com/

From the website:

Rogue Detect sends DHCPDISCOVER packets to the network and listens for
DHCP servers to respond and checks responses against authorized dhcp
servers.
It’s written in Perl. By default it supports sending reports to syslog,
email, standard out or a customer script of your choosing. Each reporting
method has its own independent reporting level.

Their wiki is here:  https://roguedetect.bountysource.com/wiki

notes at the bottom of the wiki:

"Sending a DHCPDISCOVER packet causes any DHCPSERVERS listening to allocate
an IP address for a few seconds, while they wait for the detector to ACK
their offer. Since we never do send an ACK, the IP is not allocated to us.
Hence, it should be ok to run this on the network.. but do so at your OWN
RISK!!

This package is nice in that you do not have to have a clear view of the
network to run it (ie, it works behind a switch). You DO have to be within
broadcast range, which usually means on the same subnet as the DHCP server.
In some cases scanning port 68 (67?) on every machine may be the better
answer to finding dhcp servers, but with this program, as opposed to a
passive one like snort, you do not have to be able to see traffic not
destined for you."
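
The check such a plugin would perform on the replies, as an added example that is not part of the original post and is not Rogue Detect's code. It assumes the replies to the DHCPDISCOVER have already been collected as raw BOOTP payloads; the function names, the constructed sample packets and the choice of WARNING when no offer arrives are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131 marker before the options
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

def parse_offer(packet):
    """Return the server identifier (option 54) of a DHCPOFFER, else None."""
    if len(packet) < 240 or packet[0] != 2 or packet[236:240] != MAGIC_COOKIE:
        return None                           # not a BOOTREPLY carrying DHCP options
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            return None                       # option code without a length byte
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                       # truncated option, ignore the packet
        opts[packet[i]] = value
        i += 2 + length
    if opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None                           # want message type 2 (OFFER) plus a server id
    return str(ipaddress.IPv4Address(opts[54]))

def check_offers(packets, authorized):
    """Map collected replies to a Nagios (exit_code, status_line) pair."""
    servers = {s for s in map(parse_offer, packets) if s}
    rogue = sorted(servers - set(authorized))
    if rogue:
        return CRITICAL, "CRITICAL - unauthorized DHCP server(s): " + ", ".join(rogue)
    if not servers:
        return WARNING, "WARNING - no DHCPOFFER received"
    return OK, "OK - offers only from: " + ", ".join(sorted(servers))

def make_offer(server_ip):
    """Constructed sample DHCPOFFER for the demo; not captured traffic."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)   # 236-byte BOOTP header
    server = ipaddress.IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + b"\x35\x01\x02" + b"\x36\x04" + server + b"\xff"

if __name__ == "__main__":
    replies = [make_offer("192.0.2.1"), make_offer("192.0.2.66")]
    code, line = check_offers(replies, authorized={"192.0.2.1"})
    print(line)               # Nagios reads the first line of output as the status text
    raise SystemExit(code)    # and the exit code as the service state
```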