SLIDE 1
DHCP Rework in Bro 2.6
Seth Hall Corelight
DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why - - PowerPoint PPT Presentation
DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why - - PowerPoint PPT Presentation
DHCP Rework in Bro 2.6 Seth Hall Corelight Why Tackled? Why Tackled? Log wasnt great. Purely based on DHCP ACK messages. No tie together between assigned IP address and MAC address. Load balancing issues Mix of broadcast
SLIDE 2
SLIDE 3
Why Tackled?
- Log wasn’t great.
- Purely based on DHCP ACK messages.
- No tie together between assigned IP address and MAC
address.
- Load balancing issues
- Mix of broadcast and unicast packets is a nightmare for
load balancing.
SLIDE 4
Design Approach Novel BinPAC Structure
Refine and extend case (switch) Define a case with no values up front
SLIDE 5
Design Approach Simplify Event Structure
SLIDE 6
Design Approach Centralize DHCP messages
Worker Worker Worker Worker Worker Worker Manager DHCP::aggregate_msgs
SLIDE 7
Design Approach Log DHCP “Conversation”
Client Server discover
- ffer
request ack
One Log Entry!
SLIDE 8
What’s in the log?
SLIDE 9
Regrets & Mistakes
- Blindly changed the DHCP event structure!
- Thanks to Vlad Grigorescu for jumping in and writing a
compatibility script for scripts that haven’t been updated.
- @load protocols/dhcp/deprecated_events
- No DHCPv6!
SLIDE 10
Fun Stuff IP Forwarding option (19)
SLIDE 11
Fun Stuff Client FQDN option (81)
SLIDE 12
Fun Stuff Client FQDN option (81)
- BAHRxHxxxx.resource.ds.bah.com
- PLxxxxxx-NB.corp.tangoe.com
- sysxxxl.meachamapel.com
- ussfmblxxxx.na.watson.com
- L01OHxxxxxxxxxQ.cardinalhealth.net
SLIDE 13
Fun Stuff Auto Proxy Config option (252)
SLIDE 14