8.22. DHCP keywords

8.22.1. dhcp.leasetime

DHCP lease time (integer).

dhcp.leasetime uses an unsigned 64-bit integer.

Syntax:

dhcp.leasetime:[op]<number>

The time can be matched exactly, or compared using the _op_ setting:

dhcp.leasetime:3    # exactly 3
dhcp.leasetime:<3   # smaller than 3
dhcp.leasetime:>=2  # greater or equal than 2

Signature example:

alert dhcp any any -> any any (msg:"small DHCP lease time (<3)"; dhcp.leasetime:<3; sid:1; rev:1;)

8.22.2. dhcp.rebinding_time

DHCP rebinding time (integer).

dhcp.rebinding_time uses an unsigned 64-bit integer.

Syntax:

dhcp.rebinding_time:[op]<number>

The time can be matched exactly, or compared using the _op_ setting:

dhcp.rebinding_time:3    # exactly 3
dhcp.rebinding_time:<3   # smaller than 3
dhcp.rebinding_time:>=2  # greater or equal than 2

Signature example:

alert dhcp any any -> any any (msg:"small DHCP rebinding time (<3)"; dhcp.rebinding_time:<3; sid:1; rev:1;)

8.22.3. dhcp.renewal_time

DHCP renewal time (integer).

dhcp.renewal_time uses an unsigned 64-bit integer.

Syntax:

dhcp.renewal_time:[op]<number>

The time can be matched exactly, or compared using the _op_ setting:

dhcp.renewal_time:3    # exactly 3
dhcp.renewal_time:<3   # smaller than 3
dhcp.renewal_time:>=2  # greater or equal than 2

Signature example:

alert dhcp any any -> any any (msg:"small DHCP renewal time (<3)"; dhcp.renewal_time:<3; sid:1; rev:1;)