Tuesday, April 1, 2008

[FreeBSD] for [Arpalert]

============Begin============

Arpalert (http://www.arpalert.org/)
This software is used for monitoring Ethernet networks.
It listens on a network interface (without using promiscuous mode) and records every MAC-address-to-IP-address mapping it sees in ARP traffic.
It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If a MAC is not in the list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters.
This software can run in daemon mode; it is very fast (low CPU and memory consumption).
It responds to SIGHUP (configuration reload) and to SIGTERM, SIGINT, SIGQUIT and SIGABRT (arpalert shuts down).

I have just tested this software; it can alert on ARP changes.
For example, if someone with ill intent tampers with the gateway's ARP mapping inside the LAN segment, this is where Arpalert proves useful.


Installing from FreeBSD ports:
# cd /usr/ports/net-mgmt/arpalert/
# make install
# rehash

Installing from source:
# fetch http://www.arpalert.org/src/arpalert-2.0.11.tar.gz
# tar zxvf arpalert-2.0.11.tar.gz
# cd arpalert-2.0.11
# ./configure --with-syslog --enable-debug --prefix=/usr/local/arpalert && make && make install


Edit arpalert.conf: set daemon = true, user = root, interface = fxp0.
(With user = root, whatever exec_script does also runs as root, so keep that script small and not writable by other users.)
First run arpalert -d to collect the MAC addresses on the segment into arpalert.leases.
Then feed that data through awk to build the whitelist: awk '{print $1" "$2" "$3}' arpalert.leases > maclist.allow
Check the gateway's entry in maclist.allow by hand before relying on it: learning mode trusts whatever was on the wire while it ran.

Run in the foreground:
arpalert -D 6 -e exec_script -F
Run as a daemon:
arpalert -D 6 -e exec_script -d
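As an added example (not code from the post or from the Arpalert project), here is a hook script of the kind passed to -e. The description above guarantees only that the MAC and IP arrive as the first two parameters, so the script uses just those and ignores anything further. The gateway IP, its pinned MAC and the syslog tag are placeholders, not values from the post. The point is that a foreign MAC answering for the gateway's IP is exactly the case the post cares about, so it is escalated with a higher syslog severity and a non-zero exit status, while an unlisted host stays a lower-severity event.

```shell
#!/bin/sh
# Hook for arpalert's -e option (added example; not code from the post or
# from Arpalert). arpalert invokes the hook with the MAC as $1 and the IP as
# $2; any further parameters a given version may pass are ignored here.
# Assumed, not from the post: the gateway address and its pinned MAC.
GATEWAY_IP="192.168.64.254"        # placeholder LAN default gateway
GATEWAY_MAC="00:11:22:33:44:55"    # placeholder MAC the gateway must use

# norm_mac MAC: lowercase and zero-pad each octet, so "0:C:29:1E:2A:21" and
# "00:0c:29:1e:2a:21" compare equal.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++)
            printf "%s%s", (i > 1 ? ":" : ""), (length($i) == 1 ? ("0" $i) : $i)
        printf "\n"
    }'
}

# classify_event MAC IP
# Prints a one-line verdict. Exit status 1 means a foreign MAC is answering
# for the gateway IP (the ARP-spoofing case); 0 is anything else.
classify_event() {
    mac=$(norm_mac "$1")
    ip=$2
    if [ "$ip" = "$GATEWAY_IP" ]; then
        if [ "$mac" = "$(norm_mac "$GATEWAY_MAC")" ]; then
            printf 'gateway-ok %s %s\n' "$mac" "$ip"
            return 0
        fi
        printf 'GATEWAY-SPOOF %s claims %s (expected %s)\n' "$mac" "$ip" "$GATEWAY_MAC"
        return 1
    fi
    printf 'unlisted-host %s %s\n' "$mac" "$ip"
    return 0
}

# When run by arpalert (with arguments), classify and forward to syslog with
# a severity that matches the verdict; fall back to stderr without logger.
if [ "$#" -ge 2 ]; then
    verdict=$(classify_event "$1" "$2")
    rc=$?
    pri=daemon.warning
    [ "$rc" -ne 0 ] && pri=daemon.crit
    if command -v logger >/dev/null 2>&1; then
        logger -t arpalert-hook -p "$pri" "$verdict"
    else
        printf '%s: %s\n' "$pri" "$verdict" >&2
    fi
    exit "$rc"
fi
```

Make the file executable and point -e at it. Because the daemon runs as root per the configuration above, the hook runs as root too, which is one more reason to keep it this small.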



The resulting log looks like this:
Apr 1 11:24:34 arpalert: Selected device: le0
Apr 1 11:24:36 arpalert: seq=35, mac=00:00:5e:00:01:01, ip=139.175.255.1, reference=192.168.64.222, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:24:46 arpalert: seq=276, mac=00:16:36:b4:74:6c, ip=192.168.64.26, type=new, dev=le0, vendor="Quanta Computer Inc."
Apr 1 11:24:47 arpalert: seq=304, mac=00:00:5e:00:01:01, ip=192.168.64.222, reference=139.175.255.1, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:24:53 arpalert: seq=471, mac=08:00:20:e6:b9:48, ip=192.168.64.66, type=new, dev=le0, vendor="SUN MICROSYSTEMS INC."
Apr 1 11:24:53 arpalert: seq=477, mac=00:0c:29:1e:2a:21, ip=192.168.65.162, type=new, dev=le0, vendor="VMware, Inc."
Apr 1 11:24:54 arpalert: seq=495, mac=00:00:5e:00:01:01, ip=139.175.254.1, reference=192.168.64.222, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:25:00 arpalert: seq=626, mac=00:00:5e:00:01:01, ip=139.175.255.1, reference=139.175.254.1, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
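Every ip_change line above belongs to 00:00:5e:00:01:01. That address is in the VRRP virtual-router range 00:00:5e:00:01:xx (RFC 3768, VRID 1; the 00:00:5e OUI is IANA's, historically listed under USC/ISI, which is why the vendor field reads as it does), and a shared virtual MAC moving between router addresses is consistent with normal VRRP behaviour rather than with spoofing. So ip_change needs a triage step before it is treated as an attack. The script below is an added example, not part of the post or of Arpalert: it parses the log lines above (embedded as constructed sample input), counts events and distinct IPs per MAC, marks VRRP virtual MACs, and then reports only ordinary host MACs that have claimed more than one IP. A constructed extra line, in which the VMware MAC from the sample starts answering for a hypothetical gateway address 192.168.64.254, shows what a real positive looks like.

```shell
#!/bin/sh
# Triage of arpalert syslog lines (added example; not part of the post or of
# Arpalert). Groups ip_change/new events per MAC, counts distinct IPs per
# MAC, and marks MACs in the VRRP virtual-router range 00:00:5e:00:01:xx
# (RFC 3768), which move between addresses by design.

# Constructed sample input: the log lines from the post, embedded so the
# script runs offline.
SAMPLE_LOG='Apr 1 11:24:34 arpalert: Selected device: le0
Apr 1 11:24:36 arpalert: seq=35, mac=00:00:5e:00:01:01, ip=139.175.255.1, reference=192.168.64.222, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:24:46 arpalert: seq=276, mac=00:16:36:b4:74:6c, ip=192.168.64.26, type=new, dev=le0, vendor="Quanta Computer Inc."
Apr 1 11:24:47 arpalert: seq=304, mac=00:00:5e:00:01:01, ip=192.168.64.222, reference=139.175.255.1, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:24:53 arpalert: seq=471, mac=08:00:20:e6:b9:48, ip=192.168.64.66, type=new, dev=le0, vendor="SUN MICROSYSTEMS INC."
Apr 1 11:24:53 arpalert: seq=477, mac=00:0c:29:1e:2a:21, ip=192.168.65.162, type=new, dev=le0, vendor="VMware, Inc."
Apr 1 11:24:54 arpalert: seq=495, mac=00:00:5e:00:01:01, ip=139.175.254.1, reference=192.168.64.222, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"
Apr 1 11:25:00 arpalert: seq=626, mac=00:00:5e:00:01:01, ip=139.175.255.1, reference=139.175.254.1, type=ip_change, dev=le0, vendor="USC INFORMATION SCIENCES INST"'

# Constructed extra line: the VMware MAC from the sample suddenly answering
# for 192.168.64.254 (a hypothetical gateway address). This is the pattern
# the post is worried about.
SPOOF_LOG="$SAMPLE_LOG"'
Apr 1 11:26:10 arpalert: seq=700, mac=00:0c:29:1e:2a:21, ip=192.168.64.254, reference=192.168.65.162, type=ip_change, dev=le0, vendor="VMware, Inc."'

# summarize_events LOGTEXT
# Prints one sorted line per MAC seen in ip_change/new events:
#   <mac> <event count> <distinct IP count> <vrrp|host>
summarize_events() {
    printf '%s\n' "$1" | awk '
        /arpalert: seq=/ {
            mac = ""; ip = ""; type = ""
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)           # strip the trailing comma
                if (f ~ /^mac=/)  mac  = substr(f, 5)
                if (f ~ /^ip=/)   ip   = substr(f, 4)
                if (f ~ /^type=/) type = substr(f, 6)
            }
            if (type != "ip_change" && type != "new") next
            count[mac]++
            if (!((mac, ip) in seen)) { seen[mac, ip] = 1; ips[mac]++ }
        }
        END {
            for (m in count) {
                kind = (m ~ /^00:00:5e:00:01:/) ? "vrrp" : "host"
                printf "%s %d %d %s\n", m, count[m], ips[m], kind
            }
        }' | sort
}

# suspicious_macs LOGTEXT
# A plain host MAC that has claimed more than one IP is worth a look; a VRRP
# virtual MAC doing the same is normal and is filtered out here.
suspicious_macs() {
    summarize_events "$1" | awk '$3 > 1 && $4 == "host"'
}

# Stand-alone run: summarise the sample, then show what the spoof line adds.
summarize_events "$SAMPLE_LOG"
echo "--- suspicious in SPOOF_LOG:"
suspicious_macs "$SPOOF_LOG"
```

On the sample alone, suspicious_macs prints nothing: the only MAC with several IPs is the VRRP one. With the extra line, it reports 00:0c:29:1e:2a:21 with two distinct IPs, which is the kind of event the hook script should escalate. Feed real output with `grep arpalert /var/log/messages` in place of the embedded text.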


============End============
