[Snort-users] Alert on new IP in use?

Matt Kettler mkettler at ...4108...
Mon Aug 1 18:35:32 EDT 2005


Rich Adamson wrote:
>>Rich Adamson wrote:
>>
>>>Looking for a way to monitor a small banking network and generate
>>>an alert when an unused IP address is observed. The current IPs are
>>>not consecutive.
>>>
>>>Example: we have 26 static IP addresses assigned to workstations and
>>>servers. If a 27th (or greater) address appears on the wire, generate
>>>an alert. (Note: not very interested in watching MAC addresses as some
>>>of the IPs are behind another layer-3 device.)
>>>
>>>Thoughts?
>>
>>Arpwatch.
> 
> 
> Isn't arpwatch oriented around MAC addresses? I've assumed it probably
> wouldn't cut it since some of the IPs are located behind another layer-3
> device thus creating multiple IPs associated with a single MAC.
> 
> Am I off base here?

Whoops, missed the "behind another layer-3 device" part..
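
The requirement discussed in this thread, as an added example that is not part of the original messages and is not Snort or arpwatch code: flag any source IP inside the monitored networks that is not on the static allowlist, keyed on IP rather than MAC. All addresses, MACs and packets below are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
MONITORED_NETS = [ipaddress.ip_network("192.0.2.0/24"),      # local segment
                  ipaddress.ip_network("198.51.100.0/24")]   # behind the layer-3 device
KNOWN_IPS = {ipaddress.ip_address(a) for a in (
    "192.0.2.10", "192.0.2.14", "192.0.2.31",                # non-consecutive statics
    "198.51.100.5", "198.51.100.9")}
ROUTER_MAC = "00:00:5e:00:53:01"
KNOWN_MACS = {ROUTER_MAC, "00:00:5e:00:53:10"}

# (source MAC as seen on the monitored segment, source IP)
SAMPLE_PACKETS = [
    ("00:00:5e:00:53:10", "192.0.2.10"),
    (ROUTER_MAC, "198.51.100.5"),
    (ROUTER_MAC, "198.51.100.9"),
    (ROUTER_MAC, "198.51.100.77"),          # unassigned address behind the router
    ("00:00:5e:00:53:99", "192.0.2.200"),   # unassigned address on the local segment
    (ROUTER_MAC, "198.51.100.77"),          # repeat of an address already reported
    (ROUTER_MAC, "203.0.113.8"),            # outside the monitored networks
]

def find_new_ips(packets, known_ips, monitored_nets):
    """Return (ip, mac) once for each in-scope source IP that is not allowlisted."""
    alerts, reported = [], set()
    for mac, src in packets:
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue                         # skip malformed address fields
        if not any(ip in net for net in monitored_nets):
            continue                         # only our own address space is in scope
        if ip in known_ips or ip in reported:
            continue
        reported.add(ip)
        alerts.append((str(ip), mac))
    return alerts

def find_new_macs(packets, known_macs):
    """MAC-keyed view for comparison: source MACs never seen before."""
    return sorted({mac for mac, _ in packets} - known_macs)

if __name__ == "__main__":
    for ip, mac in find_new_ips(SAMPLE_PACKETS, KNOWN_IPS, MONITORED_NETS):
        print(f"ALERT new IP in use: {ip} (source MAC {mac})")
    print("New MACs only:", find_new_macs(SAMPLE_PACKETS, KNOWN_MACS))
```

The MAC-keyed view reports only the new host on the local segment; the unassigned address behind the router arrives with the router's already-known MAC, which is the limitation raised in the quoted reply.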



