Mailinglist archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: Ing. Břetislav Kubesa <webmaster_at_zippbrno.cz>
Date: Tue, 06 Oct 2009 08:35:03 +0200

Hi,

I had to replace the .PL script with the .SH one you provided me, but now
the alerts are even more strange to me :

Entry in maclist.allow :
00:40:af:81:9a:99 192.168.0.197 rl0

Alert :
/!\ Intruder Detected /!
Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009

Intruder Ip Address : 0.0.1.104
Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
Intruder Extra info : 192.168.0.197
Intruder Interface : rl0
Type of alert : 0

/!\ Intruder Detected /!
Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009

Intruder Ip Address : 192.168.0.197
Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
Intruder Extra info : 0.0.1.104
Intruder Interface : rl0
Type of alert : 0

I know there is no "ip_change" option, but anyway, isn't it a "strange"
alert ? I'm not sure if I understand "Intruder Ip Address" and
"Intruder Extra info" correctly...

Thank you.

Bretislav

ARPALERT INFOS wrote:
> Hello,
>
> With the flag "ip_change", the IP address is not checked, and the alert
> ip_change is not sent.
>
> If this MAC address is in the maclist.allow, the detection alerts are
> disabled for this IP.
>
> In your logs (at the end of your mail), I do not see the MAC address
> '00:1b:fc:34:09:35'.
>
> If you want to disable alerts for the MAC '00:1b:fc:34:09:35', you must
> add it to the maclist.allow.
>
>
> Thierry
>
>> Hello,
>>
>> In my maclist.allow I have entries like this one :
>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>
>> ...but I'm receiving notifications about "Intrusion detection"
>>
>> Am I missing something ? The strange thing is that it is working for
>> other entries, but today I just received warnings for 3 IPs, maybe due
>> to the DHCP lease timeout....
>>
>> Thank you.
>>
>> BK
>>
>> /!\ Intruder Detected /!
>>
>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>
>> Intruder FQDN :
>> Intruder IP Address : 169.254.135.192
>> Intruder MAC Address : 00:1e:c1:57:87:c0
>> Type of alert : rl0
>>
>>
>> ...after a while (DHCP assigns an IP) :
>>
>> /!\ Intruder Detected /!
>>
>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>
>> Intruder FQDN : 3comswitch.priv.domain.com
>> Intruder IP Address : 192.168.0.199
>> Intruder MAC Address : 00:1e:c1:57:87:c0
>> Type of alert : rl0
>>
>> --
>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

Received on Tue Oct 06 2009 - 08:35:43 CEST
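
Added example (not part of the thread and not arpalert's own code): a simplified model of the maclist.allow behaviour described in the reply above, run over the MAC/IP pairs from the quoted alerts. The function names and result labels are hypothetical, and the entry format is assumed to be the "MAC IP interface [flags]" layout shown in the messages.

```python
# Added example: simplified model of the maclist.allow behaviour described in
# this thread. It is not arpalert's code; all function names are hypothetical.

# Constructed sample: the two maclist.allow entries quoted in the thread.
SAMPLE_ALLOW = """\
00:40:af:81:9a:99 192.168.0.197 rl0
00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
"""

# Constructed from the (MAC, IP) pairs that appear in the quoted alerts.
SAMPLE_SEEN = [
    ("00:1e:c1:57:87:c0", "169.254.135.192"),
    ("00:1e:c1:57:87:c0", "192.168.0.199"),
    ("00:40:af:81:9a:99", "0.0.1.104"),
    ("00:40:af:81:9a:99", "192.168.0.197"),
    ("00:1B:FC:34:09:35", "192.168.0.50"),   # constructed: listed MAC, other IP
]

def parse_allow(text):
    """Parse 'MAC IP interface [flags...]' lines into {mac: (ip, iface, flags)}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected 'MAC IP interface [flags]'")
        mac, ip, iface, *flags = fields
        entries[mac.lower()] = (ip, iface, frozenset(flags))
    return entries

def triage(entries, mac, ip):
    """Classify one observed (MAC, IP) pair against the parsed allow list."""
    entry = entries.get(mac.lower())
    if entry is None:
        return "mac-not-listed"          # listing some other MAC does not help
    listed_ip, _iface, flags = entry
    if "ip_change" in flags:
        return "listed-ip-not-checked"   # flag set: the IP is not compared
    return "listed-ip-match" if ip == listed_ip else "listed-ip-mismatch"

def triage_all(allow_text, seen):
    entries = parse_allow(allow_text)
    return [(mac, ip, triage(entries, mac, ip)) for mac, ip in seen]

if __name__ == "__main__":
    for mac, ip, verdict in triage_all(SAMPLE_ALLOW, SAMPLE_SEEN):
        print(f"{mac:17}  {ip:15}  {verdict}")
```

Running the same triage over real alert mails shows quickly whether a notification concerns a MAC that was never listed or a listed MAC seen with a different IP.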