Mailinglist archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: Thierry FOURNIER <thierry.fournier_at_arpalert.org>
Date: Tue, 6 Oct 2009 09:56:11 +0200

Hi,

Your machine 00:40:af:81:9a:99 has two IP addresses. Arpalert considers
each ARP packet an IP address change for this MAC. The flag ip_change
disables this alert.

Intruder Ip Address : is the IP address currently known
Intruder Extra info : is the IP address viewed

You can set the flag ip_change for each computer with more than one IP
address.

The goal of this new script is to identify the cause (type of alert) of the
alerts contained in your previous e-mail.

Thierry

> Hi,
>
> I had to replace the .PL script by the .SH you provided me, but now the alerts
> are even stranger to me :
>
> Entry in maclist.allow :
> 00:40:af:81:9a:99 192.168.0.197 rl0
>
> Alert :
> /!\ Intruder Detected /!
> Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009
>
> Intruder Ip Address : 0.0.1.104
> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
> Intruder Extra info : 192.168.0.197
> Intruder Interface : rl0
> Type of alert : 0
>
> /!\ Intruder Detected /!
> Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009
>
> Intruder Ip Address : 192.168.0.197
> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
> Intruder Extra info : 0.0.1.104
> Intruder Interface : rl0
> Type of alert : 0
>
>
> I know there is no "ip_change" option, but anyway, isn't it a "strange"
> alert ? I'm not sure if I understand correctly "Intruder Ip Address" and
> "Intruder Extra info"...
>
> Thank you.
>
> Bretislav
>
> ARPALERT INFOS wrote:
>> Hello,
>>
>> With the flag "ip_change", the IP address is not checked, and the
>> ip_change alert is not sent.
>>
>> If this MAC address is in the maclist.allow, the detection alerts are
>> disabled for this IP.
>>
>> In your logs (at the end of your mail), I do not see the MAC address
>> '00:1b:fc:34:09:35'.
>>
>> If you want to disable alerts for the MAC '00:1b:fc:34:09:35', you must
>> add it to the maclist.allow.
>>
>>
>> Thierry
>>
>>> Hello,
>>>
>>> I have in my maclist.allow entries like this one :
>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>
>>> ...but I'm receiving notifications about "Intrusion detection"
>>>
>>> Am I missing something ? Strange is that for other entries it is working,
>>> but today I just received warnings for 3 IPs, maybe due to the DHCP lease
>>> timeout....
>>>
>>> Thank you.
>>>
>>> BK
>>>
>>> /!\ Intruder Detected /!
>>>
>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>
>>> Intruder FQDN :
>>> Intruder IP Address : 169.254.135.192
>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>> Type of alert : rl0
>>>
>>>
>>> ...after while (DHCP assign IP) :
>>>
>>> /!\ Intruder Detected /!
>>>
>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>
>>> Intruder FQDN : 3comswitch.priv.domain.com
>>> Intruder IP Address : 192.168.0.199
>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>> Type of alert : rl0
>>>
>>> --
>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
Received on Tue Oct 06 2009 - 09:56:12 CEST
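The thread above describes two things: the maclist.allow entry format (MAC, IP, interface, optional flags such as ip_change) and what the two fields of an "ip change" alert mean (Intruder Ip Address is the address currently known for the MAC, Intruder Extra info is the address just seen). The following is an added example, not arpalert's own code: a small Python model that parses such an allow list, replays ARP sightings against it, and shows why a host with two IP addresses produces an alert on every packet until its entry carries ip_change. The alert code 0 is taken from the alerts quoted in the thread; the code 1 for an unlisted MAC, the seeding of the "known" address from the list entry, and the '#' comment syntax are assumptions of this model, and the sample list and sightings are constructed from the addresses in the thread.

```python
# Added example (not arpalert's own code): a toy model of how an entry in
# maclist.allow and its ip_change flag decide whether an "ip change" alert fires.
# The entry format (mac ip interface [flags]) and the meaning of the two alert
# fields come from the thread; the initial "known" IP being the one listed in
# maclist.allow, and the code 1 for an unlisted MAC, are assumptions.
from dataclasses import dataclass

IP_CHANGE = 0     # matches "Type of alert : 0" in the alerts quoted in the thread
UNKNOWN_MAC = 1   # assumption: code used here for a MAC absent from maclist.allow

# Constructed sample maclist.allow modelled on the entries quoted in the thread.
MACLIST_ALLOW = """\
# mac               ip             iface  flags
00:1b:fc:34:09:35   192.168.0.215  rl0    ip_change
00:40:af:81:9a:99   192.168.0.197  rl0
"""


@dataclass(frozen=True)
class AllowEntry:
    mac: str
    ip: str
    iface: str
    flags: frozenset


def parse_maclist_allow(text):
    """Parse 'mac ip iface [flag ...]' lines into a dict keyed by lowercase MAC."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (assumption)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"maclist.allow line {lineno}: expected 'mac ip iface [flags]'")
        mac, ip, iface, *flags = fields
        entries[mac.lower()] = AllowEntry(mac.lower(), ip, iface, frozenset(flags))
    return entries


class Monitor:
    """Keeps the last IP seen per MAC and reproduces the alert fields from the thread."""

    def __init__(self, allow):
        self.allow = allow
        self.known_ip = {}    # mac -> IP address "currently known"

    def observe(self, mac, ip, iface):
        """Feed one ARP sighting; return an alert dict, or None when nothing fires."""
        mac = mac.lower()
        entry = self.allow.get(mac)
        if entry is None:
            return {"type": UNKNOWN_MAC, "ip": ip, "mac": mac, "extra": "", "iface": iface}
        previous = self.known_ip.get(mac, entry.ip)   # assumption: seeded from the list
        self.known_ip[mac] = ip
        if ip != previous and "ip_change" not in entry.flags:
            # "Intruder Ip Address" is the address currently known,
            # "Intruder Extra info" is the address just seen on the wire.
            return {"type": IP_CHANGE, "ip": previous, "mac": mac, "extra": ip, "iface": iface}
        return None


def run(allow_text, sightings):
    """Replay (mac, ip, iface) sightings against an allow list; return the alerts raised."""
    monitor = Monitor(parse_maclist_allow(allow_text))
    alerts = []
    for mac, ip, iface in sightings:
        alert = monitor.observe(mac, ip, iface)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sightings: the dual-homed host from the thread flip-flopping between
# its two addresses, plus one MAC that is not listed at all.
SIGHTINGS = [
    ("00:40:af:81:9a:99", "192.168.0.197", "rl0"),
    ("00:40:AF:81:9A:99", "0.0.1.104", "rl0"),
    ("00:40:af:81:9a:99", "192.168.0.197", "rl0"),
    ("00:1b:fc:34:09:35", "169.254.135.192", "rl0"),
    ("00:1e:c1:57:87:c0", "169.254.135.192", "rl0"),
]

# Same list, but with ip_change added to the dual-homed host's entry.
MACLIST_ALLOW_FIXED = MACLIST_ALLOW.replace("192.168.0.197  rl0", "192.168.0.197  rl0  ip_change")

if __name__ == "__main__":
    for label, allow in (("without ip_change", MACLIST_ALLOW), ("with ip_change", MACLIST_ALLOW_FIXED)):
        print(f"== {label} ==")
        for a in run(allow, SIGHTINGS):
            print(f"type={a['type']} ip={a['ip']} mac={a['mac']} extra={a['extra']} iface={a['iface']}")
```

Replaying the sightings against the first list raises two type-0 alerts for 00:40:af:81:9a:99 with the ip/extra fields swapped between them, exactly the pattern in the quoted alerts; with ip_change on that entry only the unlisted MAC 00:1e:c1:57:87:c0 is reported, which is the second point made in the thread: a MAC that is not in maclist.allow at all cannot be silenced by a flag, it has to be added to the list.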