Duplication detection of IPs detected by DHCP serv...

christianubeda · ‎05-08-2019

Hi team!

I want to detect Duplication detection of IPs detected by DHCP server.

I have no Idea what to check...

Have this
Windows EventID code = 13. Possible indication of IP Spoofing

Do You have done something similar?

koshyk · ‎05-08-2019

Firstly you do to
1. Collect data from DHCP server (sourcetype=DhcpSrvLog)
2. To do this, you can create an "app" MY_dhcp_inputs and put "copy" contents of Windows TA dhcp into this

###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = your_windows_index

Install the Windows Addon in your Search Head

This will automatically extract fields from DHCP servers.
Then do some search do logic like

index=<your_index> sourcetype=DhcpSrvLog | stats count by signature

you can learn which all signatures are important and just write use-case for it

christianubeda · ‎05-08-2019

Hi koshyk,

I installed the app Windows Addon in the DHCP server, then I copy this in te inputs.conf

###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog
index = main

But still it doesn't work.

I recibe event from CPU, network, windows events but no from dhcp.

koshyk · ‎05-08-2019

Please check with your Expert in DHCP, if they have logging enabled correctly.

Duplication detection of IPs detected by DHCP server | Splunk alert

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms