When a denied arp request is receive, arpalert doesn't send an alert.
The output shows "type=unknow_address". And it should be
"type=black_listed", I think. How can I fix it?

arpalert version: 2.0.9

$ cat /etc/arpalert/maclist.deny
00:0A:EB:94:45:91 192.168.6.1 eth0
00:1B:FC:27:00:57 192.168.6.1 eth0
00:04:80:FA:3C:00 192.168.6.1 eth0
00:13:20:DA:C5:7F 192.168.6.1 eth0
00:0B:2F:1B:77:60 192.168.6.1 eth0

$ cat /etc/arpalert/arpalert.conf
#
# Copyright (c) 2005-2010 Thierry FOURNIER
# : arpalert.conf.in 667 2007-11-17 14:26:13Z $
#
# Default config file
#

# white list
maclist file = "/etc/arpalert/maclist.allow"

# black list
maclist alert file = "/etc/arpalert/maclist.deny"

# dump file
maclist leases file = "/var/lib/arpalert/arpalert.leases"

# list of authorized request
#auth request file = /etc/arpalert/authrq.conf

# log file
#log file = "/var/log/arpalert.log"

# pid file
lock file = "/var/run/arpalert.pid"

# log level
use syslog = true

# log level
log level = 6

# user for privilege separation
user = arpalert

# rights for file creation
umask = 177

# only for debugging: this dump paquet received on standard output
dump packet = false

# run the program as daemon ?
daemon = false

# minimun time to wait between two leases dump
dump inter = 5

#Configure the network for catch only arp request.
#The detection type "new_mac" is desactived.
#This mode is used for CPU saving if Arpalert is running on a router
catch only arp = true

# comma separated interfaces to lesson
# if not precised, the soft select the first interface.
# by default select the first interface encontered
interface = eth0

# script launched on each detection
# parameters are:
# - "mac adress of requestor"
# - "ip of requestor"
# - "supp. parm."
# - "ethernet device listening on"
# - "type of alert"
# - optional : "ethernet vendor"
# type of alert:
# 0: ip change
# 1: mac address only detected but not in whithe list
# 2: mac address in black list
# 3: new mac address
# 4: unauthorized arp request
# 5: abusive number of arp request detected
# 6: ethernet mac address different from arp mac address
# 7: global flood detection
# 8: new mac adress without ip
# 9: mac change
action on detect = "/usr/local/sbin/arpdef.pl"

# module launched on each detection
mod on detect = ""
# this chain is transfered to the init function of module loaded
mod config = ""

# script execution timeout (seconds)
execution timeout = 10

# maximun simultaneous lanched script
max alert = 100

# what data are dumped in leases file
dump black list = true
dump white list = true
dump new address = true

# after this time a mac adress is removed from memory (seconds) (default
1 month)
mac timeout = 259200

# after this limit the memory hash is cleaned (protect to arp flood)
max entry = 1000000

# this permit to send only one mismatch alert in this time (in seconds)
anti flood interval = 0

# if the number of arp request in seconds exceed this value, all alerts
are ignored for
# "anti flood interval" time
anti flood global = 50

# vendor name
# add the mac vendor field in logs, alerts script and/or module execution
mac vendor file = "/etc/arpalert/oui.txt"
log mac vendor = true
alert mac vendor = false
mod mac vendor = false

# log if the adress is referenced in hash but is not in white list
log referenced address = true
alert on referenced address = false
mod on referenced address = false

# log if the mac adress is in black list
log deny address = true
alert on deny address = true
mod on deny address = false

# log if the adress isn't referenced
log new address = true
alert on new address = false
mod on new address = false

# log if the adress isn't referenced (for mac adress only)
log new mac address = true
alert on new mac address = false
mod on new mac address = false

# log if the ip adress id different from the last arp request with the
same mac adress
log ip change = true
alert on ip change = true
mod on ip change = false

# log if the ip adress id different from the last arp request with the
same mac adress
log mac change = true
alert on mac change = true
mod on mac change = false

# unauthorized arp request:
# log all the request not authorized in auth file
log unauth request = true
alert on unauth request = false
mod on unauth request = false
# dont analyse arp request for unknow hosts (not in white list)
ignore unknown sender = false
# ignore arp request with mac adresse of the lessoned interfaces for the
authorizations checks
ignore me = true
# ignore windows self test
ignore self test = false
# suspend time method:
# 1: ignore all unauth alerts during "anti flood interval" time
# 2: ignore only tuple (mac address, ip address) during "anti flood
interval" time
unauth ignore time method = 2

# log if the number of request per seconds are > "max request"
log request abus = true
alert on request abus = false
mod on request abus = false
# maximun request authorized by second
max request = 1000000

# log if the ethernet mac address are different than the arp amc address
(only for requestor)
log mac error = true
alert on mac error = false
mod on mac error = false

# log if have too many arp request per seconds
log flood = true
alert on flood = false
mod on flood = false

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org