Mailinglist archives

Re: [Re: [list-arpalert] Receiving alerts even if ip_change specified]

From: ARPALERT INFOS <info_at_arpalert.org>
Date: Mon, 5 Oct 2009 15:35:25 +0200

Hello,

The script send_alert.sh is not up-to-date. Can you test with this new
script (in attachment)?

With the script not up-to-date, the "Type Of Alert" field contains the
interface in place of the alert code.

After replacing the script, can you send me the new alerts?

Thierry

> Hello,
>
> sorry, this was a typo - I have defined correct IP in maclist.allow but
> anyway still receiving alerts from time to time...
>
> maclist.allow :
> 00:1e:c1:57:87:c0 192.168.0.199 rl0 ip_change
>
> 1st alert :
> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>
> Intruder FQDN :
> Intruder IP Address : 169.254.135.192
> Intruder MAC Address : 00:1e:c1:57:87:c0
> Type of alert : rl0
>
>
> 2nd alert...after a while (DHCP assign IP) :
>
> /!\ Intruder Detected /!
>
> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>
> Intruder FQDN : 3comswitch.priv.domain.com
> Intruder IP Address : 192.168.0.199
> Intruder MAC Address : 00:1e:c1:57:87:c0
> Type of alert : rl0
>
> ARPALERT INFOS wrote:
>> Hello,
>>
>> with the flag "ip_change", the ip address is not checked, and the alert
>> ip_change is not sent.
>>
>> if this mac address is in the maclist.allow, the detection alerts are
>> disabled for this ip.
>>
>> in your logs (at the end of your mail), I do not see the mac address
>> '00:1b:fc:34:09:35'.
>>
>> if you want to disable alerts for the mac '00:1b:fc:34:09:35', you must
>> add it into the maclist.allow.
>>
>>
>> Thierry
>>
>>> Hello,
>>>
>>> I have in my maclist.allow following entries like this one :
>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>
>>> ...but I'm receiving notifications about "Intrusion detection"
>>>
>>> Am I missing something ? Strange is that for other entries it is working,
>>> but today I just received warning for 3 IPs, maybe due to the DHCP
>>> lease timeout....
>>>
>>> Thank you.
>>>
>>> BK
>>>
>>> /!\ Intruder Detected /!
>>>
>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>
>>> Intruder FQDN :
>>> Intruder IP Address : 169.254.135.192
>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>> Type of alert : rl0
>>>
>>>
>>> ...after a while (DHCP assign IP) :
>>>
>>> /!\ Intruder Detected /!
>>>
>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>
>>> Intruder FQDN : 3comswitch.priv.domain.com
>>> Intruder IP Address : 192.168.0.199
>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>> Type of alert : rl0
>>>
>>> --
>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

Received on Mon Oct 05 2009 - 15:35:25 CEST
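
A triage helper for the situation discussed in this thread, as an added example that is not part of the original messages or of the arpalert project: it cross-checks alert mails against maclist.allow and flags alerts whose "Type of alert" field holds an interface name, the symptom of an outdated send_alert.sh described in the reply. The `MAC IP IFACE [FLAG ...]` layout is assumed from the lines quoted above, the sample input is built from the quoted alerts, and the function names and note labels are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the maclist.allow line and the two alerts quoted in the thread.
MACLIST_ALLOW = "00:1e:c1:57:87:c0 192.168.0.199 rl0 ip_change\n"
ALERTS = """\
Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
Intruder FQDN :
Intruder IP Address : 169.254.135.192
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0

Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
Intruder FQDN : 3comswitch.priv.domain.com
Intruder IP Address : 192.168.0.199
Intruder MAC Address : 00:1e:c1:57:87:c0
Type of alert : rl0
"""

def parse_allow(text):
    """MAC -> (ip, iface, flags), assuming 'MAC IP IFACE [FLAG ...]' per line."""
    rows = (ln.split() for ln in text.splitlines() if not ln.startswith("#"))
    return {f[0].lower(): (f[1], f[2], set(f[3:])) for f in rows if len(f) >= 3}

def parse_alerts(text):
    """One dict per alert block, keyed by the field label left of ' :'."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict((k.strip(), v.strip()) for k, sep, v in
                 (ln.partition(" :") for ln in b.splitlines()) if sep) for b in blocks]

def triage(allow_text, alert_text):
    """Return (timestamp, mac, notes) for every alert in the mail text."""
    allow = parse_allow(allow_text)
    ifaces = {iface for _, iface, _ in allow.values()}
    out = []
    for a in parse_alerts(alert_text):
        mac, ip = a.get("Intruder MAC Address", "").lower(), a.get("Intruder IP Address", "")
        notes = []
        if a.get("Type of alert") in ifaces:
            # Symptom named in the reply: the field holds the interface, not an alert code.
            notes.append("type-field-holds-interface")
        if mac not in allow:
            notes.append("mac-not-in-allow-list")
        elif "ip_change" in allow[mac][2]:
            notes.append("allow-listed-with-ip_change")
        if ip and ipaddress.ip_address(ip).is_link_local:
            notes.append("link-local-ip")  # 169.254.0.0/16 address, as in the first alert
        out.append((a.get("Intrusion time stamp"), mac, notes))
    return out
```

Calling `triage(MACLIST_ALLOW, ALERTS)` returns one tuple per alert; an alert marked `type-field-holds-interface` cannot be classified until the alert script reports the real alert code.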