Mailinglist archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: INFOS ARPALERT <info_at_arpalert.org>
Date: Fri, 23 Oct 2009 20:34:23 +0200

Hi,

It is curious. Alert 6 is "Ethernet mac address different from arp mac
address":

The ARP packet contains 4 MAC addresses:

 * 2 in ethernet headers (mac source and mac destination)

 * 2 in arp data (Sender hardware address and Target hardware address)

This alert is launched when the source addresses of ethernet headers
and arp data are different.

You can remove this alert with:
log mac error = false
alert on mac error = false
mod on mac error = false

These ARP packets are very strange.

Ing. Bc. Břetislav Kubesa wrote:
> Hi,
>
> A new problem occurred after I upgraded drivers on a Windows host, which
> has two NICs for load balancing...
>
> maclist.allow contains following:
> 00:1a:92:1d:57:1d 192.168.2.4 bge1 mac_change
>
> However, I'm spammed by the following messages...
>
> /!\ Intruder Detected /!
> Intrusion time stamp : Wed Oct 21 07:20:01 CEST 2009
>
> Intruder Ip Address : 192.168.2.4
> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
> Intruder Extra info : 00:1a:92:1d:57:1d
> Intruder Interface : bge1
> Type of alert : 6
>
> /!\ Intruder Detected /!
> Intrusion time stamp : Wed Oct 21 07:18:01 CEST 2009
>
> Intruder Ip Address : 192.168.2.4
> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
> Intruder Extra info : 00:1a:92:1d:57:1d
> Intruder Interface : bge1
> Type of alert : 6
>
> /!\ Intruder Detected /!
> Intrusion time stamp : Wed Oct 21 07:10:01 CEST 2009
>
> Intruder Ip Address : 192.168.2.4
> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
> Intruder Extra info : 00:1a:92:1d:57:1d
> Intruder Interface : bge1
> Type of alert : 6
>
> Any tip please, maybe switching the MAC in maclist?
>
> Thank you.
>
> Bretislav
>
> ----- Original Message ----- From: "INFOS ARPALERT" <info_at_arpalert.org>
> To: "Ing. Břetislav Kubesa" <webmaster_at_zippbrno.cz>
> Cc: <list_at_arpalert.org>
> Sent: Thursday, October 08, 2009 2:06 AM
> Subject: Re: [list-arpalert] Receiving alerts even if ip_change specified
>
>
>> Hi,
>>
>> I do not understand.
>>
>> The new notification cannot resolve your problem; it just provides more
>> information for the alert.
>> The value of the field "type of alert" is very important for resolving
>> the problem.
>>
>> Arpalert can detect many events; the "type of alert" describes the
>> event detected.
>> A MAC address already known can generate alerts in a few cases.
>>
>> Send me new "valid" alert generated with the new script.
>>
>> Thierry
>>
>> Ing. Břetislav Kubesa wrote:
>>> Hi,
>>>
>>> thank you for your answer.
>>> Actually the problem is that host 00:40:af:81:9a:99 is a printer
>>> (TOSHIBA e-STUDIO230) with only one IP address defined, a static IP
>>> address.
>>> As you can see, from time to time I'm receiving alerts for already
>>> known MAC addresses, each time different; sometimes those are static
>>> IP, sometimes leased by DHCP. Sometimes even if I configured ip_change.
>>> With the new notification script maybe we will know more; I will send
>>> other samples in the next days.
>>> However, I was unfortunately not able to find any pattern yet.
>>>
>>> Bretislav
>>>
>>> Thierry FOURNIER wrote:
>>>> Hi,
>>>>
>>>> Your machine 00:40:af:81:9a:99 has two IP addresses. Arpalert
>>>> considers, for each ARP packet, an IP address change for this MAC.
>>>> The flag ip_change disables this alert.
>>>>
>>>> Intruder Ip Address : is the IP address currently known
>>>> Intruder Extra info : is the IP address viewed
>>>>
>>>> You can set the flag ip_change for each computer with more than one IP
>>>> address.
>>>>
>>>> The goal of this new script is to identify the cause (type of alert)
>>>> of the alerts contained in your previous e-mail.
>>>>
>>>>
>>>> Thierry
>>>>
>>>>> Hi,
>>>>>
>>>>> I had to replace the .PL script with the .SH you provided me, but now
>>>>> the alerts are even more strange to me:
>>>>>
>>>>> Entry in maclist.allow :
>>>>> 00:40:af:81:9a:99 192.168.0.197 rl0
>>>>>
>>>>> Alert :
>>>>> /!\ Intruder Detected /!
>>>>> Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009
>>>>>
>>>>> Intruder Ip Address : 0.0.1.104
>>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>>> Intruder Extra info : 192.168.0.197
>>>>> Intruder Interface : rl0
>>>>> Type of alert : 0
>>>>>
>>>>> /!\ Intruder Detected /!
>>>>> Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009
>>>>>
>>>>> Intruder Ip Address : 192.168.0.197
>>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>>> Intruder Extra info : 0.0.1.104
>>>>> Intruder Interface : rl0
>>>>> Type of alert : 0
>>>>>
>>>>>
>>>>> I know there is no "ip_change" option, but anyway, isn't it a "strange"
>>>>> alert? I'm not sure if I understand "Intruder Ip Address" and
>>>>> "Intruder Extra info" correctly...
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Bretislav
>>>>>
>>>>> ARPALERT INFOS wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> With the flag "ip_change", the IP address is not checked, and the alert
>>>>>> ip_change is not sent.
>>>>>>
>>>>>> If this MAC address is in the maclist.allow, the detection alerts
>>>>>> are disabled for this IP.
>>>>>>
>>>>>> In your logs (at the end of your mail), I do not see the MAC address
>>>>>> '00:1b:fc:34:09:35'.
>>>>>>
>>>>>> If you want to disable alerts for the MAC '00:1b:fc:34:09:35',
>>>>>> you must add it into the maclist.allow.
>>>>>>
>>>>>>
>>>>>> Thierry
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have in my maclist.allow entries like this one:
>>>>>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>>>>>
>>>>>>> ...but I'm receiving notifications about "Intrusion detection".
>>>>>>>
>>>>>>> Am I missing something? Strange is that for other entries it is
>>>>>>> working, but today I just received warnings for 3 IPs, maybe due to
>>>>>>> the DHCP lease timeout...
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> BK
>>>>>>>
>>>>>>> /!\ Intruder Detected /!
>>>>>>>
>>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>>>>>
>>>>>>> Intruder FQDN :
>>>>>>> Intruder IP Address : 169.254.135.192
>>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>>> Type of alert : rl0
>>>>>>>
>>>>>>>
>>>>>>> ...after while (DHCP assign IP) :
>>>>>>>
>>>>>>> /!\ Intruder Detected /!
>>>>>>>
>>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>>>>>
>>>>>>> Intruder FQDN : 3comswitch.priv.domain.com
>>>>>>> Intruder IP Address : 192.168.0.199
>>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>>> Type of alert : rl0
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
Received on Fri Oct 23 2009 - 20:34:24 CEST
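As an added illustration of the four addresses in an ARP frame discussed in the reply above (example code written for this page, not arpalert's own), the following C extracts the Ethernet source MAC and the ARP Sender Hardware Address from a raw frame and reports a mismatch as alert type 6, building a constructed frame from the two MACs and the sender IP quoted in the alert; the target IP 192.168.2.1 and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HDR_LEN 14
#define ARP_BODY_LEN 28          /* Ethernet/IPv4 ARP: hlen 6, plen 4 */
#define ETHERTYPE_ARP 0x0806
/* Compare the two source MACs in one frame: Ethernet source (bytes 6..11) and
 * ARP Sender Hardware Address (ARP body bytes 8..13). Returns 0 if they agree,
 * 6 on mismatch (the "type of alert" in the thread), -1 if not Ethernet/IPv4 ARP. */
int check_arp_mac(const uint8_t *frame, size_t len,
                  uint8_t eth_src[6], uint8_t arp_sha[6]) {
    if (len < ETH_HDR_LEN + ARP_BODY_LEN) return -1;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_ARP) return -1;
    const uint8_t *arp = frame + ETH_HDR_LEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4) return -1;
    memcpy(eth_src, frame + 6, 6);           /* copied out for logging */
    memcpy(arp_sha, arp + 8, 6);
    return memcmp(eth_src, arp_sha, 6) == 0 ? 0 : 6;
}

/* Build a constructed ARP request (42 bytes) into buf. Ethernet source and ARP
 * sender MAC are passed separately so the mismatch can be produced on purpose. */
size_t build_arp_request(uint8_t *buf, const uint8_t eth_src[6],
                         const uint8_t sha[6], const uint8_t spa[4],
                         const uint8_t tpa[4]) {
    memset(buf, 0, ETH_HDR_LEN + ARP_BODY_LEN);
    memset(buf, 0xff, 6);                    /* broadcast destination MAC */
    memcpy(buf + 6, eth_src, 6);             /* Ethernet source MAC */
    buf[12] = 0x08; buf[13] = 0x06;          /* EtherType ARP */
    uint8_t *arp = buf + ETH_HDR_LEN;
    arp[1] = 1; arp[2] = 0x08; arp[4] = 6; arp[5] = 4; arp[7] = 1; /* request */
    memcpy(arp + 8, sha, 6);                 /* sender hardware address */
    memcpy(arp + 14, spa, 4);                /* sender protocol address */
    memcpy(arp + 24, tpa, 4);                /* target protocol address; THA stays 0 */
    return ETH_HDR_LEN + ARP_BODY_LEN;
}
int main(void) {
    /* MACs and sender IP from the alert in the thread; the target IP is constructed */
    const uint8_t mac_e5[6] = {0x00, 0x1a, 0x92, 0x1d, 0x57, 0xe5};
    const uint8_t mac_1d[6] = {0x00, 0x1a, 0x92, 0x1d, 0x57, 0x1d};
    const uint8_t spa[4] = {192, 168, 2, 4}, tpa[4] = {192, 168, 2, 1};
    uint8_t frame[ETH_HDR_LEN + ARP_BODY_LEN], src[6], sha[6];
    size_t n = build_arp_request(frame, mac_e5, mac_1d, spa, tpa);
    int alert = check_arp_mac(frame, n, src, sha);
    printf("type of alert: %d (eth src ...:%02x, arp sha ...:%02x)\n", alert, src[5], sha[5]);
    return 0;
}
```

The same check run over a frame whose two source MACs agree returns 0, which is the condition under which arpalert's "mac error" settings quoted above never fire.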