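# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
#
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# DHCP event library
#
# DESCRIPTION:
#
# These signatures look for a variety of events. They can
# be used by a Thunder server receiving SYSLOG messages from a
# DHCP Server running 'dhcpd' or from a Windows server with
# a DHCP server enabled. It also processes events from the ISC's
# dhclient for UNIX systems.
#
# For UNIX SYSLOG messages, the message must be sent via SYSLOG
# to Thunder or read by a Thunder client.
#
# For Windows, the Windows Client must specifically be configured
# to enable the DHCP server logs, which are normally contained in
# multiple daily log files located in: "C:\Windows\System32\dhcp".
# The Thunder Windows client should be configured to monitor the
# entire directory and not the current log file.
#
# LAST UPDATE: $Date: 2011/08/24 12:14:17 $
#
# Record layout used throughout this file (one directive per line,
# records separated by NEXT):
#   id=     numeric signature id, unique within the library
#   name=   human-readable description shown with the event
#   match=  literal substring prefilter; several entries are short
#           fragments of the same message, presumably to cheaply
#           reject non-matching lines before the regex runs. A value
#           starting with "!" (e.g. match=!udhcpd) looks like a
#           negated match -- confirm against the engine docs.
#   regex=  pattern whose capture groups are referenced as $1..$n
#           in the log= line
#   log=    event type, event name and the fields extracted from
#           the captures (srcip/dstip/srcport/dstport)
# NOTE: several match= and regex= values intentionally begin with
# a space (e.g. "match= DHCPREQUEST for"); the leading space is part
# of the value and anchors the fragment at a word boundary, so do not
# strip it when editing.
# NOTE: addresses and ports are copied verbatim from the log line;
# for syslog-sourced events they are only as trustworthy as the host
# that emitted the message.

# dhcpd DHCPREQUEST in the plain syslog format. Excludes udhcpd lines
# (covered by 2958) and the "event=dhcp_request" key/value format
# (covered by 3603).
id=2955
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=DHCPREQUEST
match=ST
match= DHCPREQUEST for
match=!udhcpd
match=!event=dhcp_request
regex=DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from
log=type:dhcp event:DHCP-Request dstip:$1
NEXT
# Windows DHCP server audit log (CSV); event id 10 is the "Assign"
# row and the assigned address is the field after ",Assign,".
id=2956
name=A Windows DHCP Server logged a DHCP request.
match=10,
match=ss
match=,Assign,
regex=,Assign,([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+),.*
log=type:dhcp event:DHCP-Request_Windows dstip:$1
NEXT
# dhcpd DHCPREQUEST carrying a parenthesized second address;
# $1 (requested address) is logged as srcip, $2 as dstip.
id=2957
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=dhcpd:
match=!udhcpd
match=DHCPREQUEST
match=ST
match=DHCPREQUEST for
regex=dhcpd: DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)
log=type:dhcp event:DHCP-Request srcip:$1 dstip:$2
NEXT
# udhcpd (busybox) DHCPREQUEST; the regex requires a colon-separated
# six-octet hardware address after "from" but does not capture it.
id=2958
name=A DHCP IP address lease request was received by the udhcpd process.
match=cp
match=dhcp
match=udhcpd
match=ST
match=DHCPREQUEST
match=DHCPREQUEST for
regex=udhcpd:.*DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from ..\:..\:..\:..\:..\:..
log=type:dhcp event:DHCP-Request dstip:$1
NEXT
# NOTE - 2960 starts the Microsoft firewall ID range, so we will jump to 3600
# dhclient reported no DHCPOFFER at all; logged as an error because
# the interface is likely unconfigured.
id=3600
name=The UNIX dhcpclient has not received any DHCP offers. At least one interface may not have an IP address.
match=ent
match=client
match=dhclient:
match=ce
match=ed
match= No DHCPOFFERS received.
match=ER
log=type:error event:DHCPCLIENT-No_Offers
NEXT
# dhclient found no usable lease in its lease database.
id=3601
name=The dhcpclient has no working DHCP leases. At least one interface may not have an IP address.
match=ent
match=client
match=dhclient:
match=ing
match=le
match= No working leases in persistent database
log=type:error event:DHCPCLIENT-No_Working_Leases
NEXT
# dhclient obtained a lease; the bound address is logged as srcip.
id=3602
name=The dhcpclient has made a successful DHCP lease and now has an IP address.
match=ent
match=client
match=dhclient:
match= bound to
match= renewal in
regex=.*bound to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) --
log=type:dhcp event:DHCPCLIENT-Address_Leased srcip:$1
NEXT
# DHCPREQUEST in the "msg=... event=dhcp_request" key/value format;
# the complement of 2955.
id=3603
name=A DHCP request was logged by the dhcpd process.
match=cp
match=dhcp
match=ST
match=DHCPREQUEST
match=msg=DHCPREQUEST for
match=ent
match=est
match=event=dhcp_request
match=event
match=request
regex=DHCPREQUEST for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) from
log=type:dhcp event:DHCP-Request dstip:$1
NEXT
# Undersized DHCP packet reported by dhcpd. All four tuple fields come
# from the log line itself. Worth correlating with other events from
# the same srcip before treating it as scanning, as the name suggests.
id=3604
name=DHCP has issued an error of a packet too small. This could indicate network scanning or network connectivity issues.
match=cp
match=dhcp
match= dhcpd[
match=ack
match= debugDHCP packet too small
match=debug
regex=.*srcIP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dstIP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) srcPort: ([0-9]+) dstPort: ([0-9]+)
log=type:error event:DHCP-Packet_Too_Small srcip:$1 dstip:$2 srcport:$3 dstport:$4
NEXT
# dhcpd DHCPDISCOVER; no regex, so no address fields are extracted.
id=3605
name=A DHCP Discover was issued.
match=cp
match=dhcp
match=rom
match= dhcpd: DHCPDISCOVER from
match=ER
log=type:dhcp event:DHCP-Discover
NEXT
# dhcpd DHCPOFFER; the offered address is logged as srcip.
id=3606
name=A DHCP Offer was issued.
match=cp
match=dhcp
match=dhcpd: DHCPOFFER on
match=ER
regex=DHCPOFFER on ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to
log=type:dhcp event:DHCP-Offer srcip:$1
NEXT
# dhcpd DHCPINFORM with two addresses on the line. Note that 3616
# matches the same prefix with a single address followed by "via";
# a line of the form "DHCPINFORM from A via B" satisfies both regexes,
# so which one fires presumably depends on evaluation order -- confirm.
id=3607
name=A DHCP inform was issued.
match=cp
match=dhcp
match=rom
match=dhcpd: DHCPINFORM from
match=IN
match=FO
regex=DHCPINFORM from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Inform srcip:$1 dstip:$2
NEXT
# dhcpd "DHCPACK to <ip>" form. The event name here is "DHCP-Ack"
# while 3613 ("DHCPACK on") emits "DHCP-ACK"; the casing differs and
# is left unchanged because stored events and saved queries depend on
# the exact name.
id=3608
name=A DHCP ACK was issued to an IP.
match=cp
match=dhcp
match=dhcpd: DHCPACK to
regex=DHCPACK to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Ack dstip:$1
NEXT
# dhcpd dynamic DNS: reverse (PTR) map added for a leased address.
id=3609
name=A DHCP has added a reverse map.
match=cp
match=dhcp
match=rom
match=ed
match=dhcpd: added reverse map from
regex= dhcpd: added reverse map from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Reverse_Map_Added srcip:$1
NEXT
# dhcpd detected a duplicate uid lease for the captured address.
id=3610
name=A DHCP lease is a duplicate.
match=cp
match=dhcp
match=le
match=dhcpd: uid lease
match=ent
match=for client
match=ate
match=is duplicate on
regex= dhcpd: uid lease ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*is duplicate on
log=type:dhcp event:DHCP-Lease_Duplicate srcip:$1
NEXT
# dhcpd dynamic DNS: reverse map update timed out (DNS server
# unreachable or refusing updates).
id=3611
name=A DHCP request is unable to add reverse map and timed out.
match=cp
match=dhcp
match=rom
match=le
match=dhcpd: unable to add reverse map from
match=ed
match=timed out
regex= dhcpd: unable to add reverse map from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\..*timed out
log=type:error event:DHCP-Timed_Out srcip:$1
NEXT
# BOOTP request from a client the server has no dynamic BOOTP lease
# for; no regex, so no address fields are extracted.
id=3612
name=A DHCP BOOTREQUEST from a dynamic client and no dynamic leases.
match=cp
match=dhcp
match=OT
match=OOT
match=TR
match=ST
match=rom
match=dhcpd: BOOTREQUEST from
match=ent
match=TP
match=le
match=BOOTP from dynamic client and no dynamic leases
match=an
log=type:dhcp event:DHCP-BOOTREQUEST
NEXT
# dhcpd "DHCPACK on <ip>" form; see the note on 3608 about the
# differing event-name casing.
id=3613
name=A DHCP ACK was issued on an IP.
match=cp
match=dhcp
match=dhcpd: DHCPACK on
regex=dhcpd: DHCPACK on ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to
log=type:dhcp event:DHCP-ACK srcip:$1
NEXT
# dhcpd dynamic DNS: forward (A) map refused because an existing
# A record has no matching DHCID (name owned by another host).
id=3614
name=A DHCP has forwarded a map and has failed, it has an A record but no DHCID.
match=cp
match=dhcp
match=rom
match=ar
match=dhcpd: Forward map from
match=FAILED: Has an A record but no DHCID, not mine
match=an
regex=dhcpd: .* to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) FAILED: Has an A record but no DHCID
log=type:error event:DHCP-No_DHCID srcip:$1
NEXT
# Windows DhcpServer event 1020: scope nearly exhausted. The captured
# address is the scope address, not a client.
id=3615
name=The Windows DHCP server is nearing a limit of available IP address leases.
match=percent full with only
match=IP addresses remaining.
match=DhcpServer
match=,1020,
match=arn
match=address
match=System
match=ar
match=tem
match=in
match=ystem
match=17
match=ce
match=IP
match=rem
match=,Warning,
match=System,
match=ent
match=Warning
match=ing
match=,Warning
match=ss
match=cp
regex=Scope, ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), is
log=type:error event:DHCP-Leases_Running_Out srcip:$1
NEXT
# dhcpd DHCPINFORM single-address form; see the overlap note on 3607.
id=3616
name=A DHCP inform was issued.
match=cp
match=dhcp
match=rom
match=dhcpd: DHCPINFORM from
match=IN
match=FO
regex=DHCPINFORM from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) via
log=type:dhcp event:DHCP-Inform srcip:$1
NEXT
# dhcpd found both a dynamic and a static lease for the same address,
# usually a host declaration colliding with a pool range.
id=3617
name=A DHCP has dynamic and static leases present.
match=cp
match=dhcp
match=dhcpd: Dynamic and static
match=stati
regex=Dynamic and static leases present for ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DHCP-Leases_Present srcip:$1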