05-16-2016 11:16 AM
I have some DHCP alerts working that find DHCP abusers \ broken clients. However, I would like to leverage the DHCP top lease clients report to try and single out the top talkers during an alert.
Today we had a Cisco phone that, due to a misconfiguration, came up on a VLAN without the TFTP servers configured for it. The phone then got stuck in a DHCP REQUEST loop that sent about 2,000 requests per second to our DHCP server. This is obviously a very broken DHCP client, but this is not an uncommon state for a device to get into for us. We seem to track down a phone or printer in this state a few times a month.
Because this was a REQUEST \ ACK-only conversation, the MAC and IP never came up on the DHCP top clients reports because the "ACTION" field in "sourcetype=ib:dhcp:lease_history" doesn't ever seem to capture this traffic.
Is there another way to get to this stuck \ partial conversation and provide it as part of a report \ alert?
In the syslog, this sticks out easily, but I can't seem to find where to pull it in Splunk.
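The REQUEST \ ACK loop described in the post can be spotted from the DHCP server syslog alone, without the lease-history sourcetype. The following is an added example, not code from the original poster or from Infoblox or Splunk: it parses syslog lines, counts DHCPREQUEST messages per client MAC in one-second buckets, and reports any client whose peak rate reaches a threshold, together with how many ACKs it received (a client that is ACKed and immediately REQUESTs again is the stuck-phone pattern, as opposed to a client the server is refusing). The sample lines are constructed here in ISC dhcpd message style; it is an assumption that the Infoblox syslog feed uses the same DHCPREQUEST/DHCPACK wording, and the threshold of 3 requests per second is a placeholder chosen to fit the sample.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (ISC dhcpd message style, assumed to match
# the Infoblox feed). One normal client at 11:10:01, one client that is
# ACKed and re-REQUESTs four times within the same second at 11:10:02.
SAMPLE_SYSLOG = """\
May 16 11:10:01 dhcp1 dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:01 via 10.20.30.1
May 16 11:10:01 dhcp1 dhcpd: DHCPOFFER on 10.20.30.50 to 00:aa:bb:cc:dd:01 via 10.20.30.1
May 16 11:10:01 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.50 from 00:aa:bb:cc:dd:01 via 10.20.30.1
May 16 11:10:01 dhcp1 dhcpd: DHCPACK on 10.20.30.50 to 00:aa:bb:cc:dd:01 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.77 from 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.77 from 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.77 from 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPREQUEST for 10.20.30.77 from 00:1b:54:00:00:99 via 10.20.30.1
May 16 11:10:02 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to 00:1b:54:00:00:99 via 10.20.30.1
"""

# Only REQUEST and ACK lines are of interest; DISCOVER/OFFER/NAK are skipped.
# The timestamp is kept as its raw one-second string so it doubles as the bucket key.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<msg>DHCPREQUEST|DHCPACK) (?:for|on) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?:from|to) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_dhcp_lines(lines):
    """Yield (timestamp, message, ip, mac) for each REQUEST/ACK syslog line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg"), m.group("ip"), m.group("mac").lower()


def find_request_loops(lines, threshold_per_sec=3):
    """Return {mac: summary} for clients whose DHCPREQUEST count in any
    one-second bucket reaches threshold_per_sec (placeholder default)."""
    per_sec = defaultdict(lambda: defaultdict(int))   # mac -> second -> REQUEST count
    requests = defaultdict(int)                        # mac -> total REQUESTs
    acks = defaultdict(int)                            # mac -> total ACKs
    ips = defaultdict(set)                             # mac -> requested IPs

    for ts, msg, ip, mac in parse_dhcp_lines(lines):
        if msg == "DHCPREQUEST":
            per_sec[mac][ts] += 1
            requests[mac] += 1
            ips[mac].add(ip)
        else:
            acks[mac] += 1

    result = {}
    for mac, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak >= threshold_per_sec:
            result[mac] = {
                "peak_req_per_sec": peak,
                "requests": requests[mac],
                "acks": acks[mac],
                # ack_ratio close to 1.0 means the server is answering every
                # request and the client is still looping (the stuck-phone case)
                "ack_ratio": round(acks[mac] / requests[mac], 2),
                "ips": sorted(ips[mac]),
            }
    return result


if __name__ == "__main__":
    for mac, summary in find_request_loops(SAMPLE_SYSLOG.splitlines()).items():
        print(mac, summary)
```

The same three steps map onto a Splunk search over the raw DHCP syslog sourcetype rather than `ib:dhcp:lease_history`: a `rex` that extracts the message type and client MAC, a `bucket _time span=1s`, and a `stats count by mac` with a `where` on the count; the exact field and sourcetype names for that search are an assumption that depends on how the syslog is onboarded.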