I'm using the default that came with PF.  Here's the trigger...

[1100010]
desc=Rogue DHCP
url=/remediation.php?template=roguedhcp
trigger=internal::1100010
actions=email,log,trap
enabled=Y
auto_enable=N

Unfortunately, I'm having a terrible time finding the rule for it.  I can keep 
looking, but if you know the default location, I'd appreciate the nudge in the 
right direction.  I've tried searching all the files in /usr/local/pf/conf/snort

_____________________
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123
________________________________
From: Bulanda, Dave G [[email protected]]
Sent: Monday, October 08, 2012 3:30 PM
To: '[email protected]'
Subject: Re: [PacketFence-users] Rogue DHCP Violations

Ok, on my Rogue DHCP server violation I do not quarantine, just email and log.  
So I am wondering if there is an error in your violation record which is 
causing it?

What does your trigger look like?


David Bulanda
Network Services Manager
[email protected]
Indiana Tech <http://www.indianatech.edu/>



From: Nathan, Josh [mailto:[email protected]]
Sent: Monday, October 08, 2012 9:11 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue DHCP Violations

Dave,

Thanks for the response. I can definitely find the laptops that are getting 
flagged, and they are not approved for being DHCP servers. But we even have 
non-technical teachers getting flagged for it.  They'll just be surfing the 
Internet and then get quarantined as running a rogue DHCP server for no 
apparent reason.

_____________________
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123
________________________________
From: Bulanda, Dave G [[email protected]]
Sent: Monday, October 08, 2012 2:45 PM
To: '[email protected]'
Subject: Re: [PacketFence-users] Rogue DHCP Violations

Josh,

Make sure that you have all the IPs of valid DHCP servers listed in the 
pf.conf file. Second, in the violation it should show you the MAC address of 
the system handing out the DHCP addresses; I would look there to see if you can 
track it down.

Something I did observe earlier in the semester was a laptop with an Intel 
wireless card in it, which could become a hotspot as well. That was causing 
some rogue DHCP reports and rogue AP reports in my wireless system.


David Bulanda
Network Services Manager
[email protected]
Indiana Tech <http://www.indianatech.edu/>



From: Nathan, Josh [mailto:[email protected]]
Sent: Monday, October 08, 2012 7:46 AM
To: [email protected]
Subject: [PacketFence-users] Rogue DHCP Violations

Hello,

We're getting a lot of Rogue DHCP server violations, but I'm not seeing what 
the cause could be.  We're running PacketFence version 3.3.2.  I've looked at 
some of the laptops that are getting these, but there doesn't seem to be 
anything amiss.

Any suggestions on what to look for? Sometimes it will be a week or more between 
reports of the computer having this problem.

_____________________
Thanks and God bless!
Joshua D. Nathan
IT Administrator
Black Forest Academy
+49-7626-916123
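
Added example, not part of the thread and not PacketFence code: a small Python audit of the two things discussed above, namely whether the Rogue DHCP violation's actions include `trap` (the action that isolates the node, as opposed to only `email,log`) and which observed DHCP responders are missing from the valid-server list in pf.conf. It assumes that list is the `dhcpservers` key under `[general]`; the pf.conf fragment, addresses and observations are constructed sample data.

```python
import configparser

# The stanza is the one quoted in the thread. The pf.conf fragment and its
# addresses are constructed; the key name dhcpservers is an assumption.
VIOLATIONS_CONF = """
[1100010]
desc=Rogue DHCP
url=/remediation.php?template=roguedhcp
trigger=internal::1100010
actions=email,log,trap
enabled=Y
auto_enable=N
"""
PF_CONF = """
[general]
dhcpservers=192.0.2.10,192.0.2.11
"""
# Constructed observations: (server IP, server MAC) seen answering DHCP.
SEEN = [("192.0.2.10", "00:11:22:33:44:55"),
        ("192.0.2.12", "00:11:22:33:44:66"),
        ("192.168.137.1", "66:77:88:99:aa:bb")]

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def isolating_violations(conf_text):
    """IDs of enabled violations whose actions include 'trap'."""
    cp = load(conf_text)
    hits = []
    for vid in cp.sections():
        raw = cp.get(vid, "actions", fallback="")
        actions = {a.strip() for a in raw.split(",")}
        enabled = cp.get(vid, "enabled", fallback="N").upper() == "Y"
        if enabled and "trap" in actions:
            hits.append(vid)
    return hits

def unlisted_servers(pf_text, seen):
    """DHCP responders whose IP is not in the configured server list."""
    raw = load(pf_text).get("general", "dhcpservers", fallback="")
    allowed = {ip.strip() for ip in raw.split(",") if ip.strip()}
    return [(ip, mac) for ip, mac in seen if ip not in allowed]

if __name__ == "__main__":
    print("violations that isolate:", isolating_violations(VIOLATIONS_CONF))
    for ip, mac in unlisted_servers(PF_CONF, SEEN):
        print(f"not in dhcpservers: {ip} ({mac})")
```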