[Snort-users] Alert on new IP in use?
mkettler at ...4108...
Mon Aug 1 18:35:32 EDT 2005
Rich Adamson wrote:
>>Rich Adamson wrote:
>>>Looking for a way to monitor a small banking network and generate
>>>an alert when an unused IP address is observed. The current IP's are
>>>Example: we have 26 static IP addresses assigned to workstations and
>>>servers. If a 27th (or greater) address appears on the wire, generate
>>>an alert. (Note: not very interested in watching MAC addresses as some
>>>of the IP's are behind another layer-3 device.)
> Isn't arpwatch oriented around MAC addresses? I've assumed it probably
> wouldn't cut it since some of the IP's are located behind another layer-3
> device thus creating multiple IP's associated with a single MAC.
> Am I off base here?
Whoops, missed the "behind another layer-3 device" part..
More information about the Snort-users