LoFP

This search might be prone to high false positives if DHCP snooping has been incorrectly configured or in the unlikely event that the DHCP server has been moved to another network interface.

Techniques

Sample rules

Detect Rogue DHCP Server

Description

By enabling DHCP Snooping as a Layer 2 security measure on the organization's network devices, we will be able to detect unauthorized DHCP servers handing out DHCP leases to devices on the network (a man-in-the-middle attack).

Detection logic

`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT"
| stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac BY host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rogue_dhcp_server_filter`
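The same aggregation, written as an added Python example rather than code from the original rule, run over constructed Cisco-style syslog lines: it keeps only DHCP_SNOOPING_UNTRUSTED_PORT events, computes the per-host firstTime, lastTime, count, message types and source MACs that the `stats` command produces, and then applies a MAC allowlist standing in for `detect_rogue_dhcp_server_filter` to suppress the legitimate-server-on-another-interface case. The log format, hostnames and MAC addresses are assumptions for illustration, not values from the page.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not real captures). sw-access-01 logs a
# known DHCP server that was moved to an untrusted port; sw-access-02 logs an
# unknown MAC offering leases, i.e. a suspected rogue server.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sw-access-01 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
2024-03-01T10:00:07 sw-access-01 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPACK, MAC sa: 0011.2233.4455
2024-03-01T10:02:30 sw-access-02 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 00aa.bbcc.ddee
2024-03-01T10:03:00 sw-access-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Equivalent of facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT"
# plus extraction of the message_type and src_mac fields the SPL relies on.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%DHCP_SNOOPING-\d-DHCP_SNOOPING_UNTRUSTED_PORT:"
    r".*message type:\s*(?P<message_type>\w+),\s*MAC sa:\s*(?P<src_mac>[0-9a-f.]+)"
)


def detect_rogue_dhcp_server(log_text):
    """Per host: firstTime, lastTime, count, distinct message types and source MACs,
    mirroring the `stats ... BY host` line of the detection."""
    results = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DHCP snooping untrusted-port event
        ts = datetime.fromisoformat(m["ts"])
        r = results.setdefault(m["host"], {"firstTime": ts, "lastTime": ts, "count": 0,
                                           "message_type": set(), "src_mac": set()})
        r["firstTime"] = min(r["firstTime"], ts)
        r["lastTime"] = max(r["lastTime"], ts)
        r["count"] += 1
        r["message_type"].add(m["message_type"])
        r["src_mac"].add(m["src_mac"])
    return results


def apply_filter(results, allowed_server_macs):
    """Stand-in for `detect_rogue_dhcp_server_filter` (assumed logic): drop hosts whose
    offending MACs are all known DHCP servers, which covers the false-positive case of
    a legitimate server moved to an untrusted interface."""
    return {host: r for host, r in results.items()
            if not r["src_mac"] <= set(allowed_server_macs)}


if __name__ == "__main__":
    for host, r in apply_filter(detect_rogue_dhcp_server(SAMPLE_LOGS), {"0011.2233.4455"}).items():
        print(host, r["firstTime"], r["lastTime"], r["count"], sorted(r["message_type"]), sorted(r["src_mac"]))
```

Hosts that survive the filter are the ones to triage; hosts removed by it are the "DHCP server moved to another interface" false positives described at the top of the page and should be fixed in the snooping trust configuration instead.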