using Nagios to detect rogue DHCP servers?

Steven Haigh steven_haigh at pacific.net.au
Wed Jul 11 03:56:22 CEST 2007


Indeed. Looking at the source of dhcpdetector.pl (https://svn.bountysource.com/roguedetect/trunk/dhcpdetector.pl) it shouldn't be too hard to modify it into a Nagios plugin (trivial even).
 
The relevant code block:
sub send_log { 

	my $severity = shift @_;
	my $message  = shift @_;

	if (!$message) { 
		$message = 'ERROR: No Message Received, logging failure';
	}    

	# If the above conditions are met and
	# the send_msg is set then go ahead and
	# log it using the specified log mojo
	if ($syslog_level >= $severity) { 
		syslog('LOG_INFO',$message);
	}
	if ($email_level >= $severity) { 
		send_mail($alert_email,"[RogueDetect] Log Report",$message);
	} 
	if ($page_level >= $severity) { 
		send_mail($page_email,"RogueDetect Failure!",$message);
	}	
	if ($print_level >= $severity) { 
		print $message . "\n";
	}
}

Should be fairly easy to hook into this, print the correct message and set an exit code from here....
________________________________

From: nagios-users-bounces at lists.sourceforge.net [mailto:nagios-users-bounces at lists.sourceforge.net] On Behalf Of Rogelio Bastardo
Sent: Wednesday, 11 July 2007 4:12 AM
To: Hari Sekhon
Cc: Nagios Users mailinglist
Subject: Re: [Nagios-users] using Nagios to detect rogue DHCP servers?




	requires a whole new plugin written from scratch, I haven't seen a
	tcpdump like plugin. Therefore much more difficult and more time 
	required, as well as more computationally intensive to watch all traffic
	for another dhcpoffer, when actually you'll get the same result.



What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?

https://roguedetect.bountysource.com/

From the website:

Rogue Detect sends DHCPDISCOVER packets to the network and listens for DHCP servers to respond and checks responses against authorized DHCP servers. It's written in Perl. By default it supports sending reports to syslog, email, standard out or a custom script of your choosing. Each reporting method has its own independent reporting level.

Their wiki is here:  https://roguedetect.bountysource.com/wiki 

notes at the bottom of the wiki:

"Sending a DHCPDISCOVER packet causes any DHCP servers listening to allocate an IP address for a few seconds, while they wait for the detector to ACK their offer. Since we never do send an ACK, the IP is not allocated to us. Hence, it should be ok to run this on the network.. but do so at your OWN RISK!!

This package is nice in that you do not have to have a clear view of the network to run it (i.e., it works behind a switch). You DO have to be within broadcast range, which usually means on the same subnet as the DHCP server. In some cases scanning port 68 (67?) on every machine may be the better answer to finding DHCP servers, but with this program, as opposed to a passive one like snort, you do not have to be able to see traffic not destined for you."




