[Snort-users] Alert on new IP in use?

Rich Adamson radamson at ...2127...
Mon Aug 1 15:07:34 EDT 2005


> Rich Adamson wrote:
> > Looking for a way to monitor a small banking network and generate
> > an alert when an unused IP address is observed. The current IP's are
> > not consecutive.
> > 
> > Example: we have 26 static IP addresses assigned to workstations and
> > servers. If a 27th (or greater) address appears on the wire, generate
> > an alert. (Note: not very interested in watching MAC addresses as some
> > of the IP's are behind another layer-3 device.)
> > 
> > Thoughts?
> 
> Arpwatch.

Isn't arpwatch oriented around MAC addresses? I've assumed it probably
wouldn't cut it since some of the IP's are located behind another layer-3
device thus creating multiple IP's associated with a single MAC.

Am I off base here?
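An IP-level version of the check asked about in this thread, as an added example that is not part of the original messages: it flags any address inside the monitored range that is not in the static assignment list, regardless of MAC. The network range, host list and flow records are constructed sample values, and `find_unassigned` is a hypothetical helper name.

```python
import ipaddress

# Constructed values: the monitored range and the statically assigned hosts
# (non-consecutive, as in the question; a real list would hold all 26).
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
KNOWN_HOSTS = {ipaddress.ip_address(a) for a in
               ("192.0.2.10", "192.0.2.11", "192.0.2.40", "192.0.2.200")}

# Constructed sample observations: (timestamp, source IP, destination IP).
SAMPLE_FLOWS = [
    ("2005-08-01T15:00:01", "192.0.2.10", "198.51.100.7"),
    ("2005-08-01T15:00:02", "192.0.2.77", "192.0.2.11"),   # unassigned source
    ("2005-08-01T15:00:03", "198.51.100.7", "192.0.2.10"),
    ("2005-08-01T15:00:04", "192.0.2.77", "192.0.2.40"),   # repeat sighting
    ("2005-08-01T15:00:05", "192.0.2.40", "192.0.2.123"),  # unassigned destination
    ("2005-08-01T15:00:06", "not-an-ip", "192.0.2.10"),    # malformed record
]


def find_unassigned(flows, net=MONITORED_NET, known=KNOWN_HOSTS):
    """Return one alert per in-range address that is not statically assigned.

    A "src" alert means the address sent traffic, so something is using it.
    A "dst" alert only means something tried to reach the address.
    """
    alerts, seen = [], set()
    for ts, src, dst in flows:
        for role, text in (("src", src), ("dst", dst)):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # skip fields that are not valid addresses
            if addr not in net or addr in known or addr in seen:
                continue  # outside the range, assigned, or already reported
            if addr in (net.network_address, net.broadcast_address):
                continue  # network and broadcast addresses are not hosts
            seen.add(addr)
            alerts.append((ts, str(addr), role))
    return alerts


if __name__ == "__main__":
    for ts, addr, role in find_unassigned(SAMPLE_FLOWS):
        print(f"{ts} ALERT unassigned address {addr} seen as {role}")
```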





