using Nagios to detect rogue DHCP servers?

Hari Sekhon hpsekhon at googlemail.com
Wed Jul 11 12:45:50 CEST 2007


This is an interesting program and a very good idea.

In relation to nagios though, the right thing to do is to extend the 
functionality of check_dhcp to do this, so that you do not incur extra 
overhead, network traffic or checks.

It could do the whole thing; get your C skills out if you have the time.

I personally wouldn't want to slap a second check on just for this when 
it can be done in one check if you are already checking your dhcp server(s).

-h

Hari Sekhon



Rogelio Bastardo wrote:
>
>
>     requires a whole new plugin written from scratch, I haven't seen a
>     tcpdump like plugin. Therefore much more difficult and more time
>     required, as well as more computationally intensive to watch all
>     traffic
>     for another dhcpoffer, when actually you'll get the same result.
>
>
>
> What about writing a custom plugin that uses this GPL prog to return 
> the warning/critical/ok/pending values?
>
> https://roguedetect.bountysource.com/
>
> From the website:
>
> Rogue Detect sends DHCPDISCOVER packets to the network and listens for 
> DHCP servers to respond and checks responses against authorized dhcp 
> servers. It's written in Perl. By default it supports sending 
> reports to syslog, email, standard out or a customer script of your 
> choosing. Each reporting method has its own independent reporting level.
>
> Their wiki is here: https://roguedetect.bountysource.com/wiki
>
> notes at the bottom of the wiki:
>
> "Sending a DHCPDISCOVER packet causes any DHCPSERVERS listning to 
> allocate an IP address for a few seconds, while they wait for the 
> detector to ACK their offer. Since we never do send an ACK, the IP is 
> not allocated to us. Hence, it should be ok to run this on the 
> network.. but do so at your OWN RISK!!
>
> This package is nice in that you do not have to have a clear view of 
> the network to run it (ie, it works behind a switch). You DO have to 
> be within broadcast range, which usually means on the same subnet as 
> the DHCP server. In some cases scanning port 68 (67?) on every machine 
> may be the better answer to finding dhcp servers, but with this 
> program, as opposed to a passive one like snort, you do not have to be 
> able to see traffic not destined for you."
>
>
>
>
>
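The plugin logic the thread is circling around, as an added example that is not part of the original thread and is neither Rogue Detect's nor check_dhcp's code: parse each DHCP reply received after a DHCPDISCOVER, pull the message type (option 53) and Server Identifier (option 54) out of the option field, and map the result onto Nagios exit codes. Sending the DHCPDISCOVER and collecting replies on UDP 68 is left to the caller (it needs a broadcast socket and usually root); the offers below are constructed inline from RFC 5737 documentation addresses, and the authorized-server list is an assumed command-line argument.

```python
"""Nagios-style rogue DHCP check: CRITICAL if any DHCPOFFER comes from a server
that is not on the authorized list (added example; not Rogue Detect or check_dhcp)."""
import sys

NAGIOS_OK, NAGIOS_WARNING, NAGIOS_CRITICAL, NAGIOS_UNKNOWN = 0, 1, 2, 3

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE, OPT_SERVER_ID = 53, 54
DHCPOFFER = 2


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option field of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {
        "op": packet[0],                                    # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "yiaddr": ".".join(str(b) for b in packet[16:20]),  # address the server is offering
        "options": options,
    }


def offer_server(packet: bytes):
    """Return the Server Identifier of a DHCPOFFER as dotted quad, or None for other messages."""
    msg = parse_dhcp(packet)
    mtype = msg["options"].get(OPT_MESSAGE_TYPE)
    sid = msg["options"].get(OPT_SERVER_ID)
    if mtype != bytes([DHCPOFFER]) or sid is None or len(sid) != 4:
        return None
    return ".".join(str(b) for b in sid)


def evaluate(offers, authorized):
    """Map the set of responding servers onto a Nagios (exit code, status line) pair.

    CRITICAL: at least one offer came from a server not in `authorized`.
    WARNING:  nothing answered at all (the real server may be down, or we are off-subnet).
    OK:       every offer came from an authorized server.
    """
    servers = set()
    for pkt in offers:
        server = offer_server(pkt)
        if server:
            servers.add(server)
    rogue = sorted(servers - set(authorized))
    if rogue:
        return NAGIOS_CRITICAL, "DHCP CRITICAL: rogue server(s) offering leases: " + ", ".join(rogue)
    if not servers:
        return NAGIOS_WARNING, "DHCP WARNING: no DHCPOFFER received"
    return NAGIOS_OK, "DHCP OK: offers only from authorized server(s): " + ", ".join(sorted(servers))


def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Constructed DHCPOFFER for demonstration (sample data, not captured traffic)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                        # BOOTREPLY, htype Ethernet, hlen 6
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    opts = (bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
            + bytes(int(x) for x in server_ip.split("."))
            + bytes([OPT_END]))
    return bytes(hdr) + DHCP_MAGIC + opts


if __name__ == "__main__":
    # Assumed usage: check_rogue_dhcp.py <authorized-ip> [...]; the offers would come
    # from the socket that sent the DHCPDISCOVER. Here they are constructed samples.
    authorized = sys.argv[1:] or ["192.0.2.1"]
    sample = [build_offer("192.0.2.1", "192.0.2.50"), build_offer("192.0.2.99", "192.0.2.51")]
    code, message = evaluate(sample, authorized)
    print(message)
    sys.exit(code)
```

Keying the verdict on option 54 rather than on the source IP of the UDP datagram matters: a relay agent forwards offers with its own source address, whereas the Server Identifier names the server that actually answered. Treating "no offer at all" as WARNING rather than OK keeps the check honest when the sensor has been moved off the subnet the thread says it must sit on.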

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null