Mailinglist archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: Ing. Břetislav Kubesa <webmaster_at_zippbrno.cz>
Date: Tue, 06 Oct 2009 10:13:01 +0200

Hi,

thank you for your answer.
Actually the problem is that host 00:40:af:81:9a:99 is a printer (TOSHIBA
e-STUDIO230) with only one IP address defined, a static IP address.
As you can see, from time to time I'm receiving alerts for already known
MAC addresses, each time a different one; sometimes those are static IPs,
sometimes leased by DHCP, sometimes even if I configured ip_change.
With the new notification script maybe we will know more; I will send
other samples in the next days.
However, I was unfortunately not able to find any pattern yet.

Bretislav

Thierry FOURNIER wrote:
> Hi,
>
> Your machine 00:40:af:81:9a:99 has two IP addresses. For each ARP packet,
> Arpalert considers an IP address change for this MAC. The flag ip_change
> disables this alert.
>
> Intruder Ip Address : is the IP address currently known
> Intruder Extra info : is the IP address viewed
>
> You can set the flag ip_change for each computer with more than one IP
> address.
>
> The goal of this new script is to identify the cause (type of alert) of
> the alerts contained in your previous e-mail.
>
>
> Thierry
>
>> Hi,
>>
>> I had to replace the .PL script with the .SH one you provided me, but now
>> the alerts are even stranger for me:
>>
>> Entry in maclist.allow :
>> 00:40:af:81:9a:99 192.168.0.197 rl0
>>
>> Alert :
>> /!\ Intruder Detected /!
>> Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009
>>
>> Intruder Ip Address : 0.0.1.104
>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>> Intruder Extra info : 192.168.0.197
>> Intruder Interface : rl0
>> Type of alert : 0
>>
>> /!\ Intruder Detected /!
>> Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009
>>
>> Intruder Ip Address : 192.168.0.197
>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>> Intruder Extra info : 0.0.1.104
>> Intruder Interface : rl0
>> Type of alert : 0
>>
>>
>> I know there is no "ip_change" option, but anyway, isn't it a "strange"
>> alert? I'm not sure if I understand correctly "Intruder Ip Address" and
>> "Intruder Extra info"...
>>
>> Thank you.
>>
>> Bretislav
>>
>> ARPALERT INFOS wrote:
>>
>>> Hello,
>>>
>>> With the flag "ip_change", the IP address is not checked, and the
>>> ip_change alert is not sent.
>>>
>>> If this MAC address is in the maclist.allow, the detection alerts are
>>> disabled for this IP.
>>>
>>> In your logs (at the end of your mail), I do not see the MAC address
>>> '00:1b:fc:34:09:35'.
>>>
>>> If you want to disable alerts for the MAC '00:1b:fc:34:09:35', you must
>>> add it to the maclist.allow.
>>>
>>>
>>> Thierry
>>>
>>>> Hello,
>>>>
>>>> I have in my maclist.allow the following entries, like this one:
>>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>>
>>>> ...but I'm receiving notifications about "Intrusion detection"
>>>>
>>>> Am I missing something? Strange is that for other entries it is working,
>>>> but today I just received warnings for 3 IPs, maybe due to the DHCP
>>>> lease timeout....
>>>>
>>>> Thank you.
>>>>
>>>> BK
>>>>
>>>> /!\ Intruder Detected /!
>>>>
>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>>
>>>> Intruder FQDN :
>>>> Intruder IP Address : 169.254.135.192
>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>> Type of alert : rl0
>>>>
>>>>
>>>> ...after a while (DHCP assigns an IP):
>>>>
>>>> /!\ Intruder Detected /!
>>>>
>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>>
>>>> Intruder FQDN : 3comswitch.priv.domain.com
>>>> Intruder IP Address : 192.168.0.199
>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>> Type of alert : rl0
>>>>
>>>>
>>>> --
>>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
Received on Tue Oct 06 2009 - 10:13:45 CEST
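The check Thierry describes in the thread (a MAC listed in maclist.allow but seen with an IP other than its listed one raises an ip-change alert unless the entry carries ip_change; a MAC absent from maclist.allow raises a detection alert), modelled as an added Python example that is not arpalert's own code. It takes the "known" address from the maclist.allow entry rather than from arpalert's internal state, ignores the interface column, and the '#' comment handling, the alert kind names and the sample packets are assumptions.

```python
from dataclasses import dataclass


@dataclass
class AllowEntry:
    mac: str
    ip: str
    iface: str       # interface column; this model does not check it
    ip_change: bool  # entry carries the "ip_change" flag


def parse_maclist_allow(text: str) -> dict:
    """Parse 'MAC IP interface [ip_change]' lines, keyed by lower-cased MAC."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' comments are an assumption
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed maclist.allow entry: {raw!r}")
        mac, ip, iface = fields[0].lower(), fields[1], fields[2]
        flags = {f.lower() for f in fields[3:]}
        entries[mac] = AllowEntry(mac, ip, iface, "ip_change" in flags)
    return entries


def classify(entries: dict, mac: str, seen_ip: str):
    """None if the ARP packet is accepted, else (kind, known_ip, viewed_ip),
    where known_ip is 'Intruder Ip Address' and viewed_ip 'Intruder Extra info'."""
    entry = entries.get(mac.lower())
    if entry is None:
        return ("unknown_mac", None, seen_ip)   # not in maclist.allow: detection alert
    if entry.ip == seen_ip or entry.ip_change:
        return None                             # IP matches, or is never checked
    return ("ip_change", entry.ip, seen_ip)     # known MAC seen with another IP


# Constructed allow list built from the two entries quoted in the thread.
SAMPLE_ALLOW = """\
00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
00:40:af:81:9a:99 192.168.0.197 rl0
"""


def demo() -> list:
    entries = parse_maclist_allow(SAMPLE_ALLOW)
    packets = [
        ("00:40:af:81:9a:99", "192.168.0.197"),   # printer at its listed address
        ("00:40:af:81:9a:99", "0.0.1.104"),       # printer seen with the odd address
        ("00:1b:fc:34:09:35", "169.254.135.192"), # flagged ip_change: never checked
        ("00:1e:c1:57:87:c0", "192.168.0.199"),   # switch, not in maclist.allow
    ]
    return [classify(entries, mac, ip) for mac, ip in packets]
```

Running demo() reproduces the three situations in the thread: the printer is silent at its listed address but raises ip_change for the other one, the flagged entry never alerts, and the switch alerts because it is not listed at all.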