Joeteck
asked on
DHCP security..
I'm trying to monitor DHCP requests for security purposes. I set the DHCP server up to write out logs, but I need them to be listed in the Event Viewer. I have a program that can monitor pretty much anything, except read log files. Does anyone know how this can be changed so I can know when someone plugs into my network and an IP is assigned to them?
ASKER CERTIFIED SOLUTION
I don't know of a way to write dhcp requests to the Event Logs, but you might be able to use LogParser to analyze the dhcp logs, which are just comma delimited text files. See:
http://www.microsoft.com/technet/community/columns/profwin/pw0505.mspx
http://articles.techrepublic.com.com/5100-6350_11-6105922.html
ASKER
I found this VB script, but it does not seem to work... I have it set up as a scheduled event.
'**** DHCP Server Log Checking Script (Version 2.0)
'**** Copyright © 2005 Chris Pratt
'**** You may use this script free of charge but may not make any changes except to the variables to meet your needs
'**** without the permission of the author.
'****
'**** The script is best set-up to run as a scheduled task. It can check for any event ID in the DHCP Server logs.
'**** It does not need to run on the DHCP server but you will need the full UNC path and the user that the script
'**** is set to run as will need rights to the servers log file areas.
'****
'**** The interval is configurable and your scheduled task running time should be set to match that so areas of the
'**** logs don't go unchecked.
'****
'**** Version 2.0 - Now for Windows Server 2003 DHCP (Use version 1.0 for 2000)
'****
'On Error Resume Next

' Variables
strOSversion = "2000"       ' Choose 2000 or 2003 to match your version of Windows Server - this is your DHCP server version
strDHCPServer = "appserver" ' Change to the name of your DHCP server
strfindtime = DateAdd("n", -10, Time) ' Change this figure (-10) to set the interval between checks (in minutes)
intfindtime = 10            ' Change this value to match the one above
strtoday = WeekdayName(Weekday(Date), True) ' Three-letter day name used in the log file name (e.g. "Mon")
If strOSversion = "2003" Then
    strlogfile = "\\" & strDHCPServer & "\c$\windows\system32\dhcp\DhcpSrvLog-" & strtoday & ".log"
Else
    strlogfile = "\\" & strDHCPServer & "\c$\winnt\system32\dhcp\DhcpSrvLog." & strtoday
End If
streventid = "10" ' Change to the event you want to check for - see the beginning of a log for the list of event IDs (10 = new lease)

Dim strTo, strSubject, strBody, i
Dim objCDOMail
strTo = "user@domain.com"    ' Who the e-mail goes to
strSubject = "DHCP IP Alert" ' Subject of the e-mail
Set objCDOMail = CreateObject("CDONTS.NewMail")
objCDOMail.From = "SYSTEM <Administrator@domain.com>" ' Who the e-mail is from

foundentry = 0
strBody = ""
Const forreading = 1
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objtextfile = objfso.OpenTextFile(strlogfile, forreading)

Do While objtextfile.AtEndOfStream <> True
    ceventid = ""
    ceventtime = ""
    posfind = 0
    strline = objtextfile.ReadLine
    ' Skip the column header line (the event ID legend above it contains no records)
    If InStr(strline, "ID,Date,Time,Description,IP Address,Host Name,MAC Address") Then
        If objtextfile.AtEndOfStream Then Exit Do
        strline = objtextfile.ReadLine
    End If
    If InStr(strline, ",") Then
        ' Records are comma delimited: ID,Date,Time,Description,IP Address,Host Name,MAC Address[,further 2003 fields]
        arrdhcprecord = Split(strline, ",")
        If UBound(arrdhcprecord) >= 6 Then
            ceventid = Trim(arrdhcprecord(0))
            ceventdte = arrdhcprecord(1)
            ceventtime = arrdhcprecord(2)
            ceventdesc = arrdhcprecord(3)
            ceventip = arrdhcprecord(4)
            ceventhost = arrdhcprecord(5)
            ceventmac = arrdhcprecord(6)
        End If
    End If
    i = i + 1
    ' Only score lines that parsed as a record with a valid time; legend lines would otherwise make DateDiff fail
    If ceventid <> "" And IsDate(ceventtime) Then
        findtime = DateDiff("n", ceventtime, strfindtime)
        If findtime < intfindtime Then posfind = posfind + 1
        If ceventid = streventid Then posfind = posfind + 1
        If findtime > 0 Then posfind = posfind + 1
    End If
    ' All three conditions met: wanted event ID, inside the checking window
    If posfind = 3 Then
        strBody = strBody & "===================" & vbCrLf
        strBody = strBody & " DHCP Server Alert" & vbCrLf
        strBody = strBody & "===================" & vbCrLf
        strBody = strBody & vbCrLf
        strBody = strBody & "Event ID: " & ceventid & vbCrLf
        strBody = strBody & "Date: " & ceventdte & vbCrLf
        strBody = strBody & "Time: " & ceventtime & vbCrLf
        strBody = strBody & "Desc: " & ceventdesc & vbCrLf
        strBody = strBody & "IP: " & ceventip & vbCrLf
        strBody = strBody & "Host: " & ceventhost & vbCrLf
        strBody = strBody & "Mac: " & ceventmac & vbCrLf
        strBody = strBody & "FindTime: " & findtime & vbCrLf
        strBody = strBody & vbCrLf
        foundentry = 1
    End If
Loop
objtextfile.Close

If foundentry = 1 Then
    objCDOMail.To = strTo
    objCDOMail.Subject = strSubject
    objCDOMail.Body = strBody
    objCDOMail.Send
    Set objCDOMail = Nothing
End If
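As an added example (not from this thread or from the script's author), here is a Python parser for the comma-delimited DhcpSrvLog format the answer above refers to: it skips the free-text legend and the header line, accepts only well-formed records, and reports the ID 10 (new lease) events that fall inside a time window, which is the check the posted VBScript performs. The log text is constructed, and the assumed layout is the seven-column header shown in the script.

```python
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta

EVENT_ASSIGN = "10"  # DHCP audit-log ID: a new IP address was leased to a client
DhcpEvent = namedtuple("DhcpEvent", "event_id timestamp description ip host mac")

def parse_dhcp_log(text):
    """Return DhcpEvent records from a DhcpSrvLog body.  The file opens with a
    free-text legend and a header line; a line is a record only if its first
    field is a numeric ID, it has the seven classic fields and its date/time
    parse, so legend lines containing commas are never mistaken for records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        f = [x.strip() for x in row[:7]]
        try:
            ts = datetime.strptime(f[1] + " " + f[2], "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue
        events.append(DhcpEvent(f[0], ts, f[3], f[4], f[5], f[6]))
    return events

def recent_events(events, now, window_minutes, event_id=EVENT_ASSIGN):
    """Keep events with the wanted ID whose age at 'now' lies in [0, window)."""
    window = timedelta(minutes=window_minutes)
    return [e for e in events
            if e.event_id == event_id and timedelta(0) <= now - e.timestamp < window]

def find_new_leases(text, now, window_minutes=10):
    """Return (time, ip, host, mac) for each Assign event no older than
    window_minutes at 'now', given as an ISO 8601 date-time string."""
    hits = recent_events(parse_dhcp_log(text), datetime.fromisoformat(now), window_minutes)
    return [(e.timestamp.strftime("%H:%M:%S"), e.ip, e.host, e.mac) for e in hits]

# Constructed sample in the DhcpSrvLog layout; not a real capture.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
10\tA new IP address was leased to a client.
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/27/13,08:45:00,Started,,,,
10,05/27/13,08:52:10,Assign,192.168.1.50,desk01.corp.example,0011223344AA,
11,05/27/13,08:55:30,Renew,192.168.1.20,printer.corp.example,0011223344BB,
10,05/27/13,08:58:45,Assign,192.168.1.77,unknown-host,00AABBCCDDEE,
"""
```

Calling find_new_leases(SAMPLE_LOG, "2013-05-27 09:00:00") returns the two Assign records from the last ten minutes and ignores the Renew and the older Started entry.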
ASKER
Close this question please, and give back my points.
You can post a 0-point question in the support area (link at upper-right corner of this page) and ask them to close the question.
MAC address spoofing is possible, but that issue depends on the complexity of attack that you need to worry about.
Overall it sounds like you might want to look into an IDS.