To those who have been waiting for this: I'm sorry! I got sidetracked with
a bunch of other projects and I forgot to send this to the list. I'm in the
process of setting up a Windows 2008 DHCP Server and I'll check to see that
these rules work for 2008 too. I've tried to provide instructions on how to
add this to your environment. Hopefully I didn't leave out any steps.

1. Modify the ossec.conf file on the DNS server to tell OSSEC to monitor the
DHCP log. These logs rotate daily and then get overwritten weekly.

<ossec_config>
  <localfile>
    <location>%windir%\system32\dhcp\*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

2. Modify the decoder.xml file on the OSSEC server with the following
decoder. It is located in the ossec /etc folder.

<decoder name="ms-dhcp">
  <prematch>\d+,\d+/\d+/\d+,\d+\p\d+\p\d+,</prematch>
  <regex>(\d+),\d+/\d+/\d+,\d+\p\d+\p\d+,(\.*),(\.*),(\.*),(\.*),(\.*)</regex>
  <order>id, action, srcip, system_name, extra_data, user</order>
</decoder>

3. Copy the attached ms_dhcp_rules.xml file in the OSSEC server's /rules
directory.

NOTE: Since the dhcpd rules were in the 12100 range, I incremented my rule IDs to
12200 and up. Not sure if this is against policy since "user" signature IDs
were supposed to be in the 10K range? I left the rule severity at level 5
until I better understand it, and I wasn't completely sure what to put for
the group in the rules. I'll probably change that at some point.

4. Edit the ossec.conf file in your OSSEC server's /etc directory to include
the new rule set.

<include>ms_dhcp_rules.xml</include>

5. Restart ossec and it should now be working.

I've tested this extensively using the ossec-logtest utility and as far as I
can tell, it is working pretty well.

Oh, I've also modified the WUI so I can choose to filter out DHCP messages
only. Edit the ossec_formats.php file in the wui/lib/ folder. You want to
modify the "Microsoft" array to look like this. Not sure how this format is
going to come out after going through email and such, so I'll attach this
email as a .txt file too.

        "Microsoft" => array(
                "Microsoft (all)"        => "windows|msftp|exchange|dhcp"
        ,       "Windows"                => "windows"
        ,       "MS Ftp"                 => "msftp"
        ,       "Exchange"               => "exchange"
        ,       "DHCP"                   => "dhcp"
        ),

Hope this is helpful for someone else out there. There have been times where
I've had to be able to prove who had a certain IP address at a given time
because they showed up in the proxy log for one reason or another.

Thanks,

phishphreek

On Wed, Mar 25, 2009 at 2:36 PM, Daniel Cid <daniel....@gmail.com> wrote:

> Hey,
>
> Yes, that sounds very interesting. Please share with us :) If you need
> any help, just ask.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Mar 17, 2009 at 12:23 AM,  <phishphr...@gmail.com> wrote:
> >
> > I've taken some time and created a basic decoder as well as some rules
> > for a Windows Server 2003 DHCP server. I've not yet had an opportunity
> > to test but I plan to as early as tomorrow morning. Would anyone be
> > interested in something like this?
> >
> > I thought this might be useful for tracking which host/machine had
> > which IP address at any given time. I currently use various open
> > source solutions for network mapping (switch ports, routers, etc.) but
> > I am in a m$ environment. I use m$ servers for DHCP and their logs
> > rotate weekly. I needed a better way to prove which machines had which
> > IP addresses at any given time.
> >
> > Disclaimer: I'm a n00b with this project. I've been using it in a lab
> > environment on and off for the past year or so to see what I might be
> > able to do with it. I think it's an awesome project with a lot of
> > potential.
> >
> > phishphreek
> >
>
<!--Microsoft DHCP rules for OSSEC.
  -  Author: phishphr...@gmail.com
  -  License: http://www.ossec.net/en/licensing.html
  -->
<!--Event ID  Meaning
00        The log was started.
01        The log was stopped.
02        The log was temporarily paused due to low disk space.
10        A new IP address was leased to a client.
11        A lease was renewed by a client.
12        A lease was released by a client.
13        An IP address was found to be in use on the network.
14        A lease request could not be satisfied because the scope's address pool was exhausted.
15        A lease was denied.
16        A lease was deleted.
17        A lease was expired.
20        A BOOTP address was leased to a client.
21        A dynamic BOOTP address was leased to a client.
22        A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23        A BOOTP IP address was deleted after checking to see it was not in use.
24        IP address cleanup operation has begun.
25        IP address cleanup statistics.
30        DNS update request to the named DNS server
31        DNS update failed
32        DNS update successful
50+       Codes above 50 are used for Rogue Server Detection information.
-->
<!--Log Sample 
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
-->

<group name="ms,dhcp,">
  <rule id="12200" level="0">
    <decoded_as>ms-dhcp</decoded_as>
    <description>Grouping for the MS-DHCP rules.</description>
  </rule>

  <rule id="12201" level="5">
    <if_sid>12200</if_sid>
    <match>^00,</match>
    <description>The log was started.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="12202" level="5">
    <if_sid>12200</if_sid>
    <match>^01,</match>
    <description>The log was stopped.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="12203" level="5">
    <if_sid>12200</if_sid>
    <match>^02,</match>
    <description>The log was temporarily paused due to low disk space.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="12204" level="5">
    <if_sid>12200</if_sid>
    <match>^10,</match>
    <description>A new IP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12205" level="5">
    <if_sid>12200</if_sid>
    <match>^11,</match>
    <description>A lease was renewed by a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12206" level="5">
    <if_sid>12200</if_sid>
    <match>^12,</match>
    <description>A lease was released by a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12207" level="5">
    <if_sid>12200</if_sid>
    <match>^13,</match>
    <description>An IP address was found to be in use on the network.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12208" level="5">
    <if_sid>12200</if_sid>
    <match>^14,</match>
    <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12209" level="5">
    <if_sid>12200</if_sid>
    <match>^15,</match>
    <description>A lease was denied.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12210" level="5">
    <if_sid>12200</if_sid>
    <match>^16,</match>
    <description>A lease was deleted.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12211" level="5">
    <if_sid>12200</if_sid>
    <match>^17,</match>
    <description>A lease was expired.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12212" level="5">
    <if_sid>12200</if_sid>
    <match>^20,</match>
    <description>A BOOTP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12213" level="5">
    <if_sid>12200</if_sid>
    <match>^21,</match>
    <description>A dynamic BOOTP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12214" level="5">
    <if_sid>12200</if_sid>
    <match>^22,</match>
    <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12215" level="5">
    <if_sid>12200</if_sid>
    <match>^23,</match>
    <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="12216" level="5">
    <if_sid>12200</if_sid>
    <match>^24,</match>
    <description>IP address cleanup operation has begun.</description>
    <group>dhcp_maintenance,</group>
  </rule>

  <rule id="12217" level="5">
    <if_sid>12200</if_sid>
    <match>^25,</match>
    <description>IP address cleanup statistics.</description>
    <group>dhcp_maintenance,</group>
  </rule>

  <rule id="12218" level="5">
    <if_sid>12200</if_sid>
    <match>^30,</match>
    <description>DNS update request to the named DNS server.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>

  <rule id="12219" level="5">
    <if_sid>12200</if_sid>
    <match>^31,</match>
    <description>DNS update failed.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>

  <rule id="12220" level="5">
    <if_sid>12200</if_sid>
    <match>^32,</match>
    <description>DNS update successful.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>

  <rule id="12221" level="5">
    <if_sid>12200</if_sid>
    <match>^5</match>
    <description>Codes above 50 are used for Rogue Server Detection information.</description>
    <group>dhcp_rogue_server,</group>
  </rule>
</group>
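As an added illustration (not part of the post or the attached rules file), here is a Python model of the ms-dhcp decoder from step 2 and the rule table above, run over constructed sample lines in the same layout as the post's log sample. The decoder's `\p` punctuation class is narrowed to `:` for the time field, and the event-55 line is constructed to exercise the `^5` rogue-server catch-all.

```python
import re

# Constructed sample lines in the Windows DHCP audit-log layout the post decodes:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
# The CSV header line is included on purpose: the decoder must not claim it.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
55,3/10/2009,9:00:00,Authorization (servicing),,domain.local,,
"""

# The post's <prematch> and <regex> rewritten for Python: OSSEC's \p (any punctuation)
# becomes ':' and each \.* field capture becomes [^,]* so captures line up with <order>.
PREMATCH = re.compile(r"\d+,\d+/\d+/\d+,\d+:\d+:\d+,")
REGEX = re.compile(r"^(\d+),\d+/\d+/\d+,\d+:\d+:\d+,([^,]*),([^,]*),([^,]*),([^,]*),(.*)$")
ORDER = ["id", "action", "srcip", "system_name", "extra_data", "user"]

# (match pattern, rule sid, group) for every child of rule 12200, in file order.
RULES = [(f"^{c},", 12201 + i, "service_availability") for i, c in enumerate(["00", "01", "02"])]
RULES += [(f"^{c},", 12204 + i, "dhcp_lease_action")
          for i, c in enumerate(["10", "11", "12", "13", "14", "15", "16", "17",
                                 "20", "21", "22", "23"])]
RULES += [("^24,", 12216, "dhcp_maintenance"), ("^25,", 12217, "dhcp_maintenance")]
RULES += [(f"^{c},", 12218 + i, "dhcp_dns_maintenance") for i, c in enumerate(["30", "31", "32"])]
RULES += [("^5", 12221, "dhcp_rogue_server")]  # catch-all for the 5x rogue-detection codes


def decode(line):
    """Prematch first, then the field regex; None means the decoder does not claim the line."""
    if not PREMATCH.search(line):
        return None
    m = REGEX.match(line)
    return dict(zip(ORDER, m.groups())) if m else None


def match_rule(line):
    """First child <match> that fires wins; otherwise only the level-0 parent matched."""
    for pattern, sid, group in RULES:
        if re.match(pattern, line):
            return sid, group
    return 12200, "ms,dhcp"


def process(log_text):
    """Return (sid, group, decoded fields) for every line the decoder accepts."""
    results = []
    for line in log_text.splitlines():
        fields = decode(line)
        if fields is not None:
            results.append(match_rule(line) + (fields,))
    return results


def who_had(results, ip):
    """The post's use case: which host/MAC held an address, from lease events only."""
    return [(f["action"], f["system_name"], f["extra_data"])
            for _sid, group, f in results if group == "dhcp_lease_action" and f["srcip"] == ip]
```

Note that neither the decoder nor the rules capture the log's own Date and Time fields, so an alert's timestamp is when OSSEC read the line, not when the lease event happened; anyone using this to prove who held an address at a given time should keep the raw log or extend the decoder.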
