Mailinglist archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: Ing. Bc. Břetislav Kubesa <webmaster_at_zippbrno.cz>
Date: Thu, 22 Oct 2009 07:07:12 +0200

Hi,

A new problem occurred after I upgraded drivers on a Windows host, which has two
NICs for load balancing...

maclist.allow contains the following:
00:1a:92:1d:57:1d 192.168.2.4 bge1 mac_change

However, I'm spammed by the following messages...

/!\ Intruder Detected /!
Intrusion time stamp : Wed Oct 21 07:20:01 CEST 2009

Intruder Ip Address : 192.168.2.4
Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
Intruder Extra info : 00:1a:92:1d:57:1d
Intruder Interface : bge1
Type of alert : 6

/!\ Intruder Detected /!
Intrusion time stamp : Wed Oct 21 07:18:01 CEST 2009

Intruder Ip Address : 192.168.2.4
Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
Intruder Extra info : 00:1a:92:1d:57:1d
Intruder Interface : bge1
Type of alert : 6

/!\ Intruder Detected /!
Intrusion time stamp : Wed Oct 21 07:10:01 CEST 2009

Intruder Ip Address : 192.168.2.4
Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
Intruder Extra info : 00:1a:92:1d:57:1d
Intruder Interface : bge1
Type of alert : 6

Any tip please? Maybe switching the MAC in maclist?

Thank you.

Bretislav

----- Original Message -----
From: "INFOS ARPALERT" <info_at_arpalert.org>
To: ""Ing. Břetislav Kubesa"" <webmaster_at_zippbrno.cz>
Cc: <list_at_arpalert.org>
Sent: Thursday, October 08, 2009 2:06 AM
Subject: Re: [list-arpalert] Receiving alerts even if ip_change specified

> Hi,
>
> I do not understand.
>
> The new notification cannot resolve your problem; it just provides more
> information for the alert.
> The value of the field "type of alert" is very important for resolving the
> problem.
>
> Arpalert can detect many events; the "type of alert" describes the event
> detected.
> A MAC address already known can generate alerts in a few cases.
>
> Send me new "valid" alert generated with the new script.
>
> Thierry
>
>
>
>
> Ing. Břetislav Kubesa wrote:
>> Hi,
>>
>> thank you for your answer.
>> Actually the problem is that host 00:40:af:81:9a:99 is a printer (TOSHIBA
>> e-STUDIO230) with only one IP address defined, a static IP address.
>> As you can see, from time to time I'm receiving alerts for already known
>> MAC addresses, each time different; sometimes those are static IPs,
>> sometimes leased by DHCP. Sometimes even if I configured ip_change.
>> With the new notification script maybe we will know more; I will send other
>> samples in the next days.
>> However, I was unfortunately not able to find any pattern yet.
>>
>> Bretislav
>>
>> Thierry FOURNIER wrote:
>>> Hi,
>>>
>>> Your machine 00:40:af:81:9a:99 has two IP addresses. Arpalert considers
>>> each ARP packet an IP address change for this MAC. The flag ip_change
>>> disables this alert.
>>>
>>> Intruder Ip Address : is the IP address currently known
>>> Intruder Extra info : is the IP address viewed
>>>
>>> You can set the flag ip_change for each computer with more than one IP
>>> address.
>>>
>>> The goal of this new script is to identify the cause (type of alert) of the
>>> alerts contained in your previous e-mail.
>>>
>>>
>>> Thierry
>>>
>>>
>>>
>>>
>>>> Hi,
>>>>
>>>> I had to replace the .PL script with the .SH you provided me, but now the
>>>> alerts are even more strange to me:
>>>>
>>>> Entry in maclist.allow :
>>>> 00:40:af:81:9a:99 192.168.0.197 rl0
>>>>
>>>> Alert :
>>>> /!\ Intruder Detected /!
>>>> Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009
>>>>
>>>> Intruder Ip Address : 0.0.1.104
>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>> Intruder Extra info : 192.168.0.197
>>>> Intruder Interface : rl0
>>>> Type of alert : 0
>>>>
>>>> /!\ Intruder Detected /!
>>>> Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009
>>>>
>>>> Intruder Ip Address : 192.168.0.197
>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>> Intruder Extra info : 0.0.1.104
>>>> Intruder Interface : rl0
>>>> Type of alert : 0
>>>>
>>>>
>>>> I know there is no "ip_change" option, but anyway, isn't it a "strange"
>>>> alert? I'm not sure if I understand "Intruder Ip Address" and
>>>> "Intruder Extra info" correctly...
>>>>
>>>> Thank you.
>>>>
>>>> Bretislav
>>>>
>>>> ARPALERT INFOS wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> With the flag "ip_change", the IP address is not checked, and the alert
>>>>> ip_change is not sent.
>>>>>
>>>>> If this MAC address is in the maclist.allow, the detection alerts are
>>>>> disabled for this IP.
>>>>>
>>>>> In your logs (at the end of your mail), I do not see the MAC address
>>>>> '00:1b:fc:34:09:35'.
>>>>>
>>>>> If you want to disable alerts for the MAC '00:1b:fc:34:09:35', you must
>>>>> add it into the maclist.allow.
>>>>>
>>>>>
>>>>> Thierry
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I have in my maclist.allow entries like this one:
>>>>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>>>>
>>>>>> ...but I'm receiving notifications about "Intrusion detection"
>>>>>>
>>>>>> Am I missing something? Strange is that for other entries it is
>>>>>> working, but today I just received warnings for 3 IPs, maybe due to the
>>>>>> DHCP lease timeout....
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> BK
>>>>>>
>>>>>> /!\ Intruder Detected /!
>>>>>>
>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>>>>
>>>>>> Intruder FQDN :
>>>>>> Intruder IP Address : 169.254.135.192
>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>> Type of alert : rl0
>>>>>>
>>>>>>
>>>>>> ...after while (DHCP assign IP) :
>>>>>>
>>>>>> /!\ Intruder Detected /!
>>>>>>
>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>>>>
>>>>>> Intruder FQDN : 3comswitch.priv.domain.com
>>>>>> Intruder IP Address : 192.168.0.199
>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>> Type of alert : rl0
>>>>>>
>>>>>> --
>>>>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
Received on Thu Oct 22 2009 - 07:08:18 CEST
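As an added illustration of the rules Thierry states in this thread, and not arpalert's own code: the model below parses `maclist.allow` lines of the form `mac ip iface [flag ...]` and applies two rules taken from the replies (a MAC absent from the list is alerted on whichever IP it uses, and a listed MAC seen with a different IP raises an IP-change alert unless its entry carries `ip_change`). The sample list, the string alert labels, the `evaluate` and `suggest_allow_line` helpers and the treatment of the `mac_change` flag (carried through but not interpreted, since the thread does not define it) are all assumptions of this example, and the numeric "Type of alert" codes arpalert prints are not reproduced.

```python
"""Simplified model of how a maclist.allow entry gates arpalert-style alerts.

Added example for this thread; it is not arpalert's implementation. The rules
are a reading of what the replies say, and the labels are this example's own.
"""
from dataclasses import dataclass, field

# Constructed sample list built from the entries quoted in the thread.
SAMPLE_MACLIST = """\
# mac               ip             iface  flags...
00:1a:92:1d:57:1d   192.168.2.4    bge1   mac_change
00:40:af:81:9a:99   192.168.0.197  rl0
00:1b:fc:34:09:35   192.168.0.215  rl0    ip_change
"""


@dataclass
class AllowEntry:
    mac: str
    ip: str
    iface: str
    flags: set = field(default_factory=set)   # e.g. {"ip_change"}; unknown flags kept as-is


def parse_maclist(text):
    """Parse 'mac ip iface [flag ...]' lines into a dict keyed by lower-case MAC.

    Blank lines and '#' comments are skipped; a line with fewer than three
    fields is rejected so a typo in the list does not silently drop a host.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed maclist.allow line: {raw!r}")
        mac, ip, iface, *flags = parts
        entries[mac.lower()] = AllowEntry(mac.lower(), ip, iface, set(flags))
    return entries


def evaluate(entries, mac, ip, iface):
    """Decide whether an observed (mac, ip, iface) would be alerted on.

    Returns None when the observation is allowed, otherwise a (label, detail)
    tuple. Labels are this example's, not arpalert's numeric alert types.
    """
    entry = entries.get(mac.lower())
    if entry is None:
        # Thread: alerts for a MAC are only disabled by listing *that* MAC.
        # A mac_change flag on some other MAC's entry does not cover it.
        return ("unknown_mac", f"{mac} is not in maclist.allow (seen with {ip} on {iface})")
    if entry.ip != ip and "ip_change" not in entry.flags:
        # Thread: "Intruder Ip Address" is the address currently known for the
        # MAC, "Intruder Extra info" is the address just viewed.
        return ("ip_change", f"known ip {entry.ip}, viewed ip {ip}")
    return None


def suggest_allow_line(mac, ip, iface, flags=()):
    """Line to append to maclist.allow so that `mac` stops being reported."""
    return " ".join([mac.lower(), ip, iface, *flags]).rstrip()


ENTRIES = parse_maclist(SAMPLE_MACLIST)

if __name__ == "__main__":
    # Observations constructed from the alerts quoted in the thread.
    observations = [
        ("00:1a:92:1d:57:e5", "192.168.2.4", "bge1"),   # second NIC of the load-balanced host
        ("00:40:af:81:9a:99", "0.0.1.104", "rl0"),      # printer seen with an odd address
        ("00:1b:fc:34:09:35", "192.168.0.220", "rl0"),  # ip_change entry, different IP
        ("00:1A:92:1D:57:1D", "192.168.2.4", "bge1"),   # listed MAC, listed IP
    ]
    for mac, ip, iface in observations:
        verdict = evaluate(ENTRIES, mac, ip, iface)
        print(f"{mac} {ip:<15} {iface}: {verdict or 'allowed'}")
        if verdict and verdict[0] == "unknown_mac":
            print("  add to maclist.allow:", suggest_allow_line(mac, ip, iface, ("ip_change",)))
```

Run against the sample list, the second NIC's MAC (`00:1a:92:1d:57:e5`) is reported as unknown even though the first NIC's entry carries `mac_change`, which is the situation in the last message: the fix the thread points to is a separate `maclist.allow` line for that MAC, not a flag on the other NIC's entry.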