Hi,

thanks for the bug repport.

arpalert log deny adresses into leases file
when arpalert start, it load the leases file.
this replace deny adresses into unknown adresses.

is a stupid bug.
I corecct this into the next release.

you can replace this lines:
dump black list = true
dump white list = true

by this lines:
dump black list = false
dump white list = false

and arpalert run correctly.

Thierry FOURNIER

> When a denied arp request is receive, arpalert doesn't send an alert.
> The output shows "type=unknow_address". And it should be
> "type=black_listed", I think. How can I fix it?
>
> arpalert version: 2.0.9
>
> $ cat /etc/arpalert/maclist.deny
> 00:0A:EB:94:45:91 192.168.6.1 eth0
> 00:1B:FC:27:00:57 192.168.6.1 eth0
> 00:04:80:FA:3C:00 192.168.6.1 eth0
> 00:13:20:DA:C5:7F 192.168.6.1 eth0
> 00:0B:2F:1B:77:60 192.168.6.1 eth0
>
> $ cat /etc/arpalert/arpalert.conf
> #
> # Copyright (c) 2005-2010 Thierry FOURNIER
> # : arpalert.conf.in 667 2007-11-17 14:26:13Z $
> #
> # Default config file
> #
>
> # white list
> maclist file = "/etc/arpalert/maclist.allow"
>
> # black list
> maclist alert file = "/etc/arpalert/maclist.deny"
>
> # dump file
> maclist leases file = "/var/lib/arpalert/arpalert.leases"
>
> # list of authorized request
> #auth request file = /etc/arpalert/authrq.conf
>
> # log file
> #log file = "/var/log/arpalert.log"
>
> # pid file
> lock file = "/var/run/arpalert.pid"
>
> # log level
> use syslog = true
>
> # log level
> log level = 6
>
> # user for privilege separation
> user = arpalert
>
> # rights for file creation
> umask = 177
>
> # only for debugging: this dump paquet received on standard output
> dump packet = false
>
> # run the program as daemon ?
> daemon = false
>
> # minimun time to wait between two leases dump
> dump inter = 5
>
> #Configure the network for catch only arp request.
> #The detection type "new_mac" is desactived.
> #This mode is used for CPU saving if Arpalert is running on a router
> catch only arp = true
>
> # comma separated interfaces to lesson
> # if not precised, the soft select the first interface.
> # by default select the first interface encontered
> interface = eth0
>
> # script launched on each detection
> # parameters are:
> # - "mac adress of requestor"
> # - "ip of requestor"
> # - "supp. parm."
> # - "ethernet device listening on"
> # - "type of alert"
> # - optional : "ethernet vendor"
> # type of alert:
> # 0: ip change
> # 1: mac address only detected but not in whithe list
> # 2: mac address in black list
> # 3: new mac address
> # 4: unauthorized arp request
> # 5: abusive number of arp request detected
> # 6: ethernet mac address different from arp mac address
> # 7: global flood detection
> # 8: new mac adress without ip
> # 9: mac change
> action on detect = "/usr/local/sbin/arpdef.pl"
>
> # module launched on each detection
> mod on detect = ""
> # this chain is transfered to the init function of module loaded
> mod config = ""
>
> # script execution timeout (seconds)
> execution timeout = 10
>
> # maximun simultaneous lanched script
> max alert = 100
>
> # what data are dumped in leases file
> dump black list = true
> dump white list = true
> dump new address = true
>
> # after this time a mac adress is removed from memory (seconds) (default
> 1 month)
> mac timeout = 259200
>
> # after this limit the memory hash is cleaned (protect to arp flood)
> max entry = 1000000
>
> # this permit to send only one mismatch alert in this time (in seconds)
> anti flood interval = 0
>
> # if the number of arp request in seconds exceed this value, all alerts
> are ignored for
> # "anti flood interval" time
> anti flood global = 50
>
> # vendor name
> # add the mac vendor field in logs, alerts script and/or module execution
> mac vendor file = "/etc/arpalert/oui.txt"
> log mac vendor = true
> alert mac vendor = false
> mod mac vendor = false
>
> # log if the adress is referenced in hash but is not in white list
> log referenced address = true
> alert on referenced address = false
> mod on referenced address = false
>
> # log if the mac adress is in black list
> log deny address = true
> alert on deny address = true
> mod on deny address = false
>
> # log if the adress isn't referenced
> log new address = true
> alert on new address = false
> mod on new address = false
>
> # log if the adress isn't referenced (for mac adress only)
> log new mac address = true
> alert on new mac address = false
> mod on new mac address = false
>
> # log if the ip adress id different from the last arp request with the
> same mac adress
> log ip change = true
> alert on ip change = true
> mod on ip change = false
>
> # log if the ip adress id different from the last arp request with the
> same mac adress
> log mac change = true
> alert on mac change = true
> mod on mac change = false
>
> # unauthorized arp request:
> # log all the request not authorized in auth file
> log unauth request = true
> alert on unauth request = false
> mod on unauth request = false
> # dont analyse arp request for unknow hosts (not in white list)
> ignore unknown sender = false
> # ignore arp request with mac adresse of the lessoned interfaces for the
> authorizations checks
> ignore me = true
> # ignore windows self test
> ignore self test = false
> # suspend time method:
> # 1: ignore all unauth alerts during "anti flood interval" time
> # 2: ignore only tuple (mac address, ip address) during "anti flood
> interval" time
> unauth ignore time method = 2
>
> # log if the number of request per seconds are > "max request"
> log request abus = true
> alert on request abus = false
> mod on request abus = false
> # maximun request authorized by second
> max request = 1000000
>
> # log if the ethernet mac address are different than the arp amc address
> (only for requestor)
> log mac error = true
> alert on mac error = false
> mod on mac error = false
>
> # log if have too many arp request per seconds
> log flood = true
> alert on flood = false
> mod on flood = false
>
>
> --
> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
>
>

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org