[Snort-users] Alert on new IP in use?

James Riden j.riden at ...11179...
Mon Aug 1 18:49:13 EDT 2005


Rich Adamson <radamson at ...2127...> writes:

> Looking for a way to monitor a small banking network and generate
> an alert when an unused IP address is observed. The current IP's are
> not consecutive.
> 
> Example: we have 26 static IP addresses assigned to workstations and
> servers. If a 27th (or greater) address appears on the wire, generate
> an alert. (Note: not very interested in watching MAC addresses as some
> of the IP's are behind another layer-3 device.)
> 
> Thoughts?

I use p0f hooked into a perl script which generates a list of the
active hosts for the day. It also does a DNS lookup, and anything
without valid rDNS gets mailed to me.

The code is actually pretty trivial, but I'm happy to share it if
anyone cares.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
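
The approach discussed in this thread, as an added Python example that is not part of the original message and is not the poster's Perl script: compare passively observed source addresses against an allowlist of the assigned (non-consecutive) IPs and emit one alert per unknown address per day, recording whether it has reverse DNS. The log format, addresses, and function names are constructed assumptions; this is not p0f's output format.

```python
import ipaddress
import socket

# Constructed allowlist: the statically assigned, non-consecutive addresses.
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.14", "192.0.2.77", "198.51.100.5"}

# Constructed sample of passive observations, "date time source-ip" per line.
# Not p0f's log format; adapt parse_line() to whatever the sensor writes.
SAMPLE_LOG = """\
2005-08-01 09:00:01 192.0.2.10
2005-08-01 09:00:07 192.0.2.200
2005-08-01 09:02:15 192.0.2.14
2005-08-01 09:05:40 192.0.2.200
2005-08-01 09:06:02 not-an-address
2005-08-02 08:59:30 192.0.2.200
2005-08-02 09:10:11 198.51.100.99
"""

def parse_line(line):
    """Return (day, ip) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        # Normalise the textual form so set comparisons are reliable.
        return parts[0], str(ipaddress.ip_address(parts[2]))
    except ValueError:
        return None

def has_rdns(ip):
    """True if the address has a PTR record (performs a live DNS lookup)."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return False

def find_unknown_hosts(log_text, known, rdns_check=has_rdns):
    """Return one alert per (day, ip) for addresses outside the allowlist."""
    known = {str(ipaddress.ip_address(k)) for k in known}
    seen, alerts = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] in known or parsed in seen:
            continue
        seen.add(parsed)
        alerts.append({"day": parsed[0], "ip": parsed[1], "rdns": rdns_check(parsed[1])})
    return alerts

if __name__ == "__main__":
    # Stub resolver so the demo runs offline; drop the argument for real lookups.
    for a in find_unknown_hosts(SAMPLE_LOG, KNOWN_HOSTS, rdns_check=lambda ip: False):
        print(f"{a['day']} unknown host {a['ip']} (rDNS present: {a['rdns']})")
```
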





