Mailing list archives

Re: [list-arpalert] Receiving alerts even if ip_change specified

From: Ing. Bc. Břetislav Kubesa <webmaster_at_zippbrno.cz>
Date: Fri, 23 Oct 2009 20:57:20 +0200

Hi,

this problem occurred after Broadcast drivers update and during high load,
when other users are connected.
If you wish, I can do some tcpdumps for arp only.

Those settings proposed - they will stop all related alerts, not only for
given hosts, no? Unfortunately that's the reason why I'm using arpalert...

Thank you.

Bretislav

----- Original Message -----
From: "INFOS ARPALERT" <info_at_arpalert.org>
To: "Ing. Bc. Břetislav Kubesa" <webmaster_at_zippbrno.cz>;
<list_at_arpalert.org>
Sent: Friday, October 23, 2009 8:34 PM
Subject: Re: [list-arpalert] Receiving alerts even if ip_change specified

> Hi,
>
> It is curious. Alert 6 is "Ethernet mac address different from arp mac
> address":
>
> the arp packet contains 4 mac addresses:
>
> * 2 in ethernet headers (mac source and mac destination)
>
> * 2 in arp data (Sender hardware address and Target hardware
> address)
>
> This alert is launched when the source addresses of ethernet headers
> and arp data are different.
>
> you can remove this alert with
> log mac error = false
> alert on mac error = false
> mod on mac error = false
>
> these arp packets are very strange.
>
> Ing. Bc. Břetislav Kubesa wrote:
>> Hi,
>>
>> new problem occurred after I upgraded drivers on Windows host, which has
>> two NICs for load balancing...
>>
>> maclist.allow contains following:
>> 00:1a:92:1d:57:1d 192.168.2.4 bge1 mac_change
>>
>> However I'm spammed by following messages...
>>
>> /!\ Intruder Detected /!
>> Intrusion time stamp : Wed Oct 21 07:20:01 CEST 2009
>>
>> Intruder Ip Address : 192.168.2.4
>> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
>> Intruder Extra info : 00:1a:92:1d:57:1d
>> Intruder Interface : bge1
>> Type of alert : 6
>>
>> /!\ Intruder Detected /!
>> Intrusion time stamp : Wed Oct 21 07:18:01 CEST 2009
>>
>> Intruder Ip Address : 192.168.2.4
>> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
>> Intruder Extra info : 00:1a:92:1d:57:1d
>> Intruder Interface : bge1
>> Type of alert : 6
>>
>> /!\ Intruder Detected /!
>> Intrusion time stamp : Wed Oct 21 07:10:01 CEST 2009
>>
>> Intruder Ip Address : 192.168.2.4
>> Intruder MAC Address : 00:1a:92:1d:57:e5 (ASUSTek COMPUTER INC.)
>> Intruder Extra info : 00:1a:92:1d:57:1d
>> Intruder Interface : bge1
>> Type of alert : 6
>>
>> Any tip please, maybe switching MAC in maclist ?
>>
>> Thank you.
>>
>> Bretislav
>>
>> ----- Original Message ----- From: "INFOS ARPALERT" <info_at_arpalert.org>
>> To: "Ing. Břetislav Kubesa" <webmaster_at_zippbrno.cz>
>> Cc: <list_at_arpalert.org>
>> Sent: Thursday, October 08, 2009 2:06 AM
>> Subject: Re: [list-arpalert] Receiving alerts even if ip_change specified
>>
>>
>>> Hi,
>>>
>>> I do not understand.
>>>
>>> The new notification cannot resolve your problem, it just provides more
>>> information for the alert.
>>> The value of the field "type of alert" is very important for resolving the
>>> problem.
>>>
>>> Arpalert can detect many events; the "type of alert" describes the event
>>> detected.
>>> A mac address already known can generate alerts in a few cases.
>>>
>>> Send me new "valid" alert generated with the new script.
>>>
>>> Thierry
>>>
>>> Ing. Břetislav Kubesa wrote:
>>>> Hi,
>>>>
>>>> thank you for your answer.
>>>> Actually the problem is that host 00:40:af:81:9a:99 is a printer (TOSHIBA
>>>> e-STUDIO230) with only one IP address defined, a static IP address.
>>>> As you can see, from time to time I'm receiving alerts for already
>>>> known MAC addresses, each time different, sometimes those are Static
>>>> IP, sometimes leased by DHCP. Sometimes even if I configured ip_change.
>>>> With new notification script maybe we will know more, I will send in
>>>> next days others samples.
>>>> However I was unfortunately not able to find any pattern yet.
>>>>
>>>> Bretislav
>>>>
>>>> Thierry FOURNIER wrote:
>>>>> Hi,
>>>>>
>>>>> Your machine 00:40:af:81:9a:99 has two ip addresses. Arpalert
>>>>> considers each arp packet an ip address change for this mac. The flag
>>>>> ip_change disables this alert.
>>>>>
>>>>> Intruder Ip Address : is the ip address currently known
>>>>> Intruder Extra info : is the ip address viewed
>>>>>
>>>>> you can set the flag ip_change for each computer with more than one IP
>>>>> address.
>>>>>
>>>>> The goal of this new script is to identify the cause (type of alert)
>>>>> of the alerts contained in your preceding e-mail.
>>>>>
>>>>>
>>>>> Thierry
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I had to replace .PL script by the .SH you provided me, but now alerts
>>>>>> are even more strange for me:
>>>>>>
>>>>>> Entry in maclist.allow :
>>>>>> 00:40:af:81:9a:99 192.168.0.197 rl0
>>>>>>
>>>>>> Alert :
>>>>>> /!\ Intruder Detected /!
>>>>>> Intrusion time stamp : Tue Oct 6 08:21:02 CEST 2009
>>>>>>
>>>>>> Intruder Ip Address : 0.0.1.104
>>>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>>>> Intruder Extra info : 192.168.0.197
>>>>>> Intruder Interface : rl0
>>>>>> Type of alert : 0
>>>>>>
>>>>>> /!\ Intruder Detected /!
>>>>>> Intrusion time stamp : Tue Oct 6 08:29:13 CEST 2009
>>>>>>
>>>>>> Intruder Ip Address : 192.168.0.197
>>>>>> Intruder MAC Address : 00:40:af:81:9a:99 (DIGITAL PRODUCTS, INC.)
>>>>>> Intruder Extra info : 0.0.1.104
>>>>>> Intruder Interface : rl0
>>>>>> Type of alert : 0
>>>>>>
>>>>>>
>>>>>> I know there is no "ip_change" option, but anyway, isn't it a "strange"
>>>>>> alert? I'm not sure if I understand correctly "Intruder Ip Address"
>>>>>> and "Intruder Extra info"...
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> Bretislav
>>>>>>
>>>>>> ARPALERT INFOS wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> with the flag "ip_change", the ip address is not checked, and the
>>>>>>> alert ip_change is not sent.
>>>>>>>
>>>>>>> if this mac address is in the maclist.allow, the detection alerts
>>>>>>> are disabled for this ip.
>>>>>>>
>>>>>>> in your logs (at the end of your mail), I do not see the mac address
>>>>>>> '00:1b:fc:34:09:35'.
>>>>>>>
>>>>>>> if you want to disable alerts for the mac '00:1b:fc:34:09:35', you
>>>>>>> must add it into the maclist.allow.
>>>>>>>
>>>>>>>
>>>>>>> Thierry
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have in my maclist.allow following entries like this one :
>>>>>>>> 00:1b:fc:34:09:35 192.168.0.215 rl0 ip_change
>>>>>>>>
>>>>>>>> ...but I'm receiving notifications about "Intrusion detection"
>>>>>>>>
>>>>>>>> Am I missing something? Strange is that for other entries it is
>>>>>>>> working, but today I just received warnings for 3 IPs, maybe due to
>>>>>>>> the DHCP lease timeout....
>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> BK
>>>>>>>>
>>>>>>>> /!\ Intruder Detected /!
>>>>>>>>
>>>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:05:54 +0200
>>>>>>>>
>>>>>>>> Intruder FQDN :
>>>>>>>> Intruder IP Address : 169.254.135.192
>>>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>>>> Type of alert : rl0
>>>>>>>>
>>>>>>>>
>>>>>>>> ...after while (DHCP assign IP) :
>>>>>>>>
>>>>>>>> /!\ Intruder Detected /!
>>>>>>>>
>>>>>>>> Intrusion time stamp : Fri, 2 Oct 2009 07:10:18 +0200
>>>>>>>>
>>>>>>>> Intruder FQDN : 3comswitch.priv.domain.com
>>>>>>>> Intruder IP Address : 192.168.0.199
>>>>>>>> Intruder MAC Address : 00:1e:c1:57:87:c0
>>>>>>>> Type of alert : rl0
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe send a mail to list+unsubscribe_at_arpalert.org

-- 
To unsubscribe send a mail to list+unsubscribe_at_arpalert.org
Received on Fri Oct 23 2009 - 20:58:32 CEST
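The "mac error" check Thierry describes in the thread (Ethernet header source MAC compared with the ARP sender hardware address, the condition behind alert type 6), as an added Python example that is not arpalert's own code: it builds a constructed Ethernet II + ARP frame, pulls the four MAC addresses out of it, and flags the mismatch. The frames are constructed for the example; the two MACs from the reported alert are only reused as sample values, with no claim about which header each one came from.

```python
import struct
from typing import NamedTuple, Optional

ETHERTYPE_ARP = b"\x08\x06"          # EtherType for ARP (0x0806)

class ArpFrame(NamedTuple):
    eth_dst: str      # Ethernet header destination MAC
    eth_src: str      # Ethernet header source MAC
    sender_hw: str    # ARP sender hardware address
    sender_ip: str
    target_hw: str    # ARP target hardware address
    target_ip: str

def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(eth_src, eth_dst, sender_hw, sender_ip, target_hw, target_ip, op=1):
    """Construct a raw Ethernet II + IPv4 ARP frame (42 bytes); sample input only."""
    eth = _mac_bytes(eth_dst) + _mac_bytes(eth_src) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
           + _mac_bytes(sender_hw) + _ip_bytes(sender_ip)
           + _mac_bytes(target_hw) + _ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the four MACs and two IPs, or None if not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(_mac_str(frame[0:6]), _mac_str(frame[6:12]),
                    _mac_str(frame[22:28]), _ip_str(frame[28:32]),
                    _mac_str(frame[32:38]), _ip_str(frame[38:42]))

def mac_error(frame: bytes) -> bool:
    """True when Ethernet source MAC != ARP sender hardware address (alert type 6)."""
    a = parse_arp(frame)
    return a is not None and a.eth_src != a.sender_hw
```

A frame whose two source MACs agree returns False; the mismatched frame is the case that keeps firing in the thread even though the MAC is in maclist.allow, which is why Thierry points at the "mac error" options rather than at the allow-list entry.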