Mailinglist archives

Re: [Re: [list-arpalert] Receiving alerts even if ip_change specified]

From: Ing. Břetislav Kubesa <webmaster_at_zippbrno.cz>
Date: Mon, 05 Oct 2009 15:09:06 +0200

Hello,

Sorry, this was a typo - I have defined the correct IP in maclist.allow but
I am still receiving alerts from time to time...

maclist.allow :
00:1e:c1:57:87:c0 192.168.0.199 rl0 ip_change

1st alert :
Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200

Intruder FQDN :
Intruder IP Address : 169.254.135.192
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0

2nd alert... after a while (DHCP assigned an IP):

/!\ Intruder Detected /!

Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200

Intruder FQDN : 3comswitch.priv.domain.com
Intruder IP Address : 192.168.0.199
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0

ARPALERT INFOS wrote:
> Hello,
>
> with the flag "ip_change", the ip address is not checked, and the alert
> ip_change is not sent.
>
> if this mac address is in the maclist.allow, the detection alerts are
> disabled for this ip.
>
> in your logs (at the end of your mail), I do not see the mac address
> '00:1b:fc:34:09:35'.
>
> if you want to disable alerts for the mac '00:1b:fc:34:09:35', you must
> add it into the maclist.allow.
>
>
> Thierry
>
>> Hello,
>>
>> I have entries like this one in my maclist.allow:
>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>
>> ...but I'm receiving notifications about "Intrusion detection"
>>
>> Am I missing something? The strange thing is that it works for other entries,
>> but today I received warnings for 3 IPs, maybe due to the DHCP lease
>> timeout....
>>
>> Thank you.
>>
>> BK
>>
>> /!\ Intruder Detected /!
>>
>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>
>> Intruder FQDN :
>> Intruder IP Address : 169.254.135.192
>> Intruder MAC Address : 00:1e:c1:57:87:c0
>> Type of alert : rl0
>>
>>
>> ...after a while (DHCP assigned an IP):
>>
>> /!\ Intruder Detected /!
>>
>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>
>> Intruder FQDN : 3comswitch.priv.domain.com
>> Intruder IP Address : 192.168.0.199
>> Intruder MAC Address : 00:1e:c1:57:87:c0
>> Type of alert : rl0
>>
>> --
>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

Received on Mon Oct 05 2009 - 15:09:48 CEST
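
A triage helper for the situation in this thread, added here as an example and not part of the original messages or of arpalert itself: it parses a maclist.allow entry and alert mails in the format quoted above and reports, per alert, whether the MAC is listed and how the alert IP relates to the listed one. The sample text is constructed from the thread, the function names and result labels are hypothetical, and the script does not reproduce arpalert's own matching logic.

```python
import ipaddress
import re

# Constructed sample input, shaped like the entry and alerts quoted in the thread.
MACLIST_ALLOW = "00:1e:c1:57:87:c0 192.168.0.199 rl0 ip_change\n"
ALERTS = """\
Intruder FQDN :
Intruder IP Address : 169.254.135.192
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0

Intruder FQDN : 3comswitch.priv.domain.com
Intruder IP Address : 192.168.0.199
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0
"""
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_maclist(text):
    """Map MAC -> (ip, interface, flags) from 'MAC IP IFACE [FLAG...]' lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and MAC_RE.match(fields[0]):
            entries[fields[0].lower()] = (fields[1], fields[2], set(fields[3:]))
    return entries

def parse_alerts(text):
    """Split alert mails on blank lines; collect each block's 'Key : value' fields."""
    blocks = re.split(r"\n[ \t]*\n", text.strip())
    alerts = [dict(re.findall(r"^(.+?)[ \t]+:[ \t]*(.*)$", b, re.M)) for b in blocks]
    return [a for a in alerts if "Intruder MAC Address" in a]

def triage(alert, allow):
    """Classify one alert against the allow list (labels are hypothetical)."""
    entry = allow.get(alert["Intruder MAC Address"].lower())
    if entry is None:
        return "mac-not-listed"
    ip = ipaddress.ip_address(alert["Intruder IP Address"])
    if ip.is_link_local:  # 169.254.0.0/16: address self-assigned without a lease
        return "listed-link-local-ip"
    if str(ip) == entry[0]:
        return "listed-ip-matches"
    return "listed-ip-differs" + ("-ip_change-set" if "ip_change" in entry[2] else "")

def triage_all(maclist_text, alerts_text):
    """Return (mac, ip, label) for every alert in alerts_text."""
    allow = parse_maclist(maclist_text)
    return [(a["Intruder MAC Address"], a["Intruder IP Address"], triage(a, allow))
            for a in parse_alerts(alerts_text)]

if __name__ == "__main__":
    for row in triage_all(MACLIST_ALLOW, ALERTS):
        print(*row)
```

An alert labelled `listed-ip-matches` is the case worth raising with the list, since both the MAC and the IP agree with the maclist.allow entry.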