[Snort-users] Alert on new IP in use?
jcoppock1 at ...5068...
Tue Aug 2 15:13:28 EDT 2005
Rich Adamson wrote:
> Looking for a way to monitor a small banking network and generate
> an alert when an unused IP address is observed. The current IPs are
> not consecutive.
> Example: we have 26 static IP addresses assigned to workstations and
> servers. If a 27th (or greater) address appears on the wire, generate
> an alert. (Note: not very interested in watching MAC addresses as some
> of the IPs are behind another layer-3 device.)
Perhaps you could set these static IPs as the $HOME_NET and then alert for
anything !$HOME_NET. I don't know if/how this would work, but it's a thought.
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
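
One way to express the idea above as Snort configuration, as an added example that is not part of the original thread. It assumes Snort 2.9.x `ipvar` syntax; the 192.0.2.0/24 subnet, the three host addresses (standing in for the 26 static ones) and the sid are placeholders. The address set is scoped to the local subnet, since a bare !$HOME_NET would also match every outside address.

```snort
# Added example, not from the original thread. Assumes Snort 2.9.x syntax.
# All addresses are placeholders from the 192.0.2.0/24 documentation range.

# Every address in the local subnet EXCEPT the assigned static ones.
# The negated inner list holds the assigned hosts (non-consecutive is fine);
# list all 26 of them there.
ipvar UNKNOWN_LAN [192.0.2.0/24,![192.0.2.10,192.0.2.11,192.0.2.25]]

# Fire on any IP packet whose source is a local address that was never
# assigned. sid 1000001 is a placeholder from the local-rule range.
alert ip $UNKNOWN_LAN any -> any any (msg:"LOCAL unassigned IP address in use"; sid:1000001; rev:1;)

# Rate-limit: at most one alert per offending source address per hour,
# so a chatty new host does not flood the alert log.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 3600
```

Because the rule matches on the IP source address rather than the MAC address, it still applies to hosts that sit behind another layer-3 device, provided their traffic crosses the sensor without address translation.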