Detect Rogue DHCP Server
- source: splunk
- techniques:
  - T1200
  - T1498
  - T1557
Description
With DHCP Snooping enabled as a Layer 2 security measure on the organization's network devices, switches log DHCP server messages (offers, acknowledgements) that arrive on untrusted ports. This search surfaces those events so that unauthorized DHCP servers handing out leases to devices on the network (a man-in-the-middle technique) can be detected.
Detection logic
`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT"
| stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rogue_dhcp_server_filter`
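The same aggregation as the SPL above, applied offline to a few constructed Cisco DHCP snooping syslog lines; this is an added example, not part of the Splunk content, and the exact message layout and the timestamp/hostname prefix it parses are assumptions about your syslog format.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not real captures). The message text is
# modelled on Cisco's DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT format and
# is an assumption; adjust the regexes if your export differs.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z sw-access-01 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP Snooping received 1 DHCP packet on untrusted port, message type: DHCPOFFER, MAC sa: 00:11:22:33:44:55",
    "2024-05-01T10:00:07Z sw-access-01 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP Snooping received 1 DHCP packet on untrusted port, message type: DHCPACK, MAC sa: 00:11:22:33:44:55",
    "2024-05-01T10:02:30Z sw-access-02 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
    "DHCP Snooping received 1 DHCP packet on untrusted port, message type: DHCPOFFER, MAC sa: aa:bb:cc:dd:ee:ff",
    # Different mnemonic: a normal binding event, which the filter must drop.
    "2024-05-01T10:03:00Z sw-access-01 %DHCP_SNOOPING-6-BINDING_ASSIGN: "
    "DHCP Snooping binding assigned for 00:11:22:33:44:55 on GigabitEthernet1/0/5",
]

# Assumed layout: "<ISO timestamp> <host> %<facility>-<severity>-<mnemonic>: <message>"
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
DETAIL_RE = re.compile(r"message type: (?P<message_type>\w+), MAC sa: (?P<src_mac>[0-9A-Fa-f:.]+)")

def parse_event(line):
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d = DETAIL_RE.search(ev["msg"])
    ev["message_type"] = d.group("message_type") if d else None
    ev["src_mac"] = d.group("src_mac") if d else None
    return ev

def detect_rogue_dhcp(lines):
    """Mirror the SPL: keep facility=DHCP_SNOOPING, mnemonic=DHCP_SNOOPING_UNTRUSTED_PORT,
    then compute firstTime, lastTime, count, message_type and src_mac per host."""
    by_host = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["facility"] != "DHCP_SNOOPING" or ev["mnemonic"] != "DHCP_SNOOPING_UNTRUSTED_PORT":
            continue
        row = by_host.setdefault(ev["host"], {"firstTime": ev["ts"], "lastTime": ev["ts"],
                                              "count": 0, "message_type": set(), "src_mac": set()})
        row["firstTime"] = min(row["firstTime"], ev["ts"])
        row["lastTime"] = max(row["lastTime"], ev["ts"])
        row["count"] += 1
        if ev["message_type"]:
            row["message_type"].add(ev["message_type"])
        if ev["src_mac"]:
            row["src_mac"].add(ev["src_mac"])
    return by_host

if __name__ == "__main__":
    for host, row in detect_rogue_dhcp(SAMPLE_LOGS).items():
        print(host, row)
```

Each returned row corresponds to one switch that saw server-side DHCP traffic on an untrusted port; the `src_mac` set is the first thing to chase when triaging, since it identifies the port's attached device.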