Indeed. Looking at the source of dhcpdetector.pl 
(https://svn.bountysource.com/roguedetect/trunk/dhcpdetector.pl) it shouldn't 
be too hard to modify it into a nagios plugin (trivial even).
 
The relevant code block:
sub send_log { 

        my $severity = shift @_;
        my $message  = shift @_;

        if (!$message) { 
                $message = 'ERROR: No Message Recieved, logging failure';
        }    

        # If the above conditions are met and
        # the send_msg is set then go ahead and
        # log it using the specified log mojo
        if ($syslog_level >= $severity) { 
                syslog('LOG_INFO',$message);
        }
        if ($email_level >= $severity) { 
                send_mail($alert_email,"[RogueDetect] Log Report",$message);
        } 
        if ($page_level >= $severity) { 
                send_mail($page_email,"RogueDetect Failure!",$message);
        }       
        if ($print_level >= $severity) { 
            print $message . "\n";
        }

Should be fairly easy to hook into this, print the correct message and set an 
exit code from here....
________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogelio Bastardo
Sent: Wednesday, 11 July 2007 4:12 AM
To: Hari Sekhon
Cc: Nagios Users mailinglist
Subject: Re: [Nagios-users] using Nagios to detect rogue DHCP servers?




        requires a whole new plugin written from scratch, I haven't seen a
        tcpdump like plugin. Therefore much more difficult and more time 
        required, as well as more computationally intensive to watch all traffic
        for another dhcpoffer, when actually you'll get the same result.



What about writing a custom plugin that uses this GPL prog to return the 
warning/critical/ok/pending values?

https://roguedetect.bountysource.com/

From the website:

Rogue Detect sends DHCPDISCOVER packets to the network and listens for DHCP 
servers to respond and checks responses against authorized dhcp servers. It’s 
written in Perl. By default it supports sending reports to syslog, email, 
standard out or a customer script of your choosing. Each reporting method has 
its own independent reporting level.

Their wiki is here:  https://roguedetect.bountysource.com/wiki 

notes at the bottom of the wiki:

"Sending a DHCPDISCOVER packet causes any DHCPSERVERS listening to allocate an 
IP address for a few seconds, while they wait for the detector to ACK their 
offer. Since we never do send an ACK, the IP is not allocated to us. Hence, it 
should be ok to run this on the network.. but do so at your OWN RISK!!

This package is nice in that you do not have to have a clear view of the 
network to run it (ie, it works behind a switch). You DO have to be within 
broadcast range, which usually means on the same subnet as the DHCP server. In 
some cases scanning port 68 (67?) on every machine may be the better answer to 
finding dhcp servers, but with this program, as opposed to a passive one like 
snort, you do not have to be able to see traffic not destined for you."
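
The check discussed in this thread (broadcast a DHCPDISCOVER, collect the DHCPOFFERs, compare the responders against an authorized list, return a Nagios state), as an added example that is not RogueDetect's code and was not posted by anyone in the thread. It is written in Python rather than Perl and goes further than the send_log hook by doing the probe itself; the function names, the use of option 54 (server identifier) as the server's identity, and the choice of WARNING when nothing answers are assumptions.

```python
import os, socket, struct, sys, time
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie
OK, WARNING, CRITICAL = 0, 1, 2              # Nagios plugin exit codes

def build_discover(xid, mac):
    # BOOTREQUEST, broadcast flag set, option 53 = 1 (DHCPDISCOVER)
    return struct.pack("!BBBBIHH16s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                       b"", mac, b"", b"") + MAGIC + b"\x35\x01\x01\xff"

def offer_server(pkt, xid):
    # Server identifier (option 54) of a DHCPOFFER answering xid, else None
    if (len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC
            or pkt[4:8] != struct.pack("!I", xid)):
        return None
    opts, i = {}, 240
    while i + 1 < len(pkt) and pkt[i] != 255:
        if pkt[i]:                           # 0 is a pad byte with no length
            opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1] if pkt[i] else 1
    ok = opts.get(53) == b"\x02" and len(opts.get(54, b"")) == 4
    return socket.inet_ntoa(opts[54]) if ok else None

def evaluate(seen, authorized):
    rogue = sorted(set(seen) - set(authorized))
    if rogue:
        return CRITICAL, "DHCP CRITICAL - unauthorized server(s): " + ", ".join(rogue)
    if not seen:                             # assumption: silence is a WARNING
        return WARNING, "DHCP WARNING - no DHCPOFFER received"
    return OK, "DHCP OK - offers only from " + ", ".join(sorted(set(seen)))

def probe(timeout=5.0):
    xid, mac = int.from_bytes(os.urandom(4), "big"), b"\x02" + os.urandom(5)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))                         # needs root; DISCOVER only, never REQUEST
    s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    seen, end = [], time.time() + timeout
    while (left := end - time.time()) > 0:
        s.settimeout(left)
        try:
            seen.append(offer_server(s.recv(2048), xid))
        except socket.timeout:
            break
    return [ip for ip in seen if ip]

if __name__ == "__main__":
    code, text = evaluate(probe(), sys.argv[1:])
    print(text)
    sys.exit(code)
```

Run it as root from a host on the monitored subnet, passing the authorized server addresses as arguments; Nagios takes the state from the exit code and the status text from the printed line.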




