[Snort-users] Alert on new IP in use?

Jeff Coppock jcoppock1 at ...5068...
Tue Aug 2 15:13:28 EDT 2005


Rich Adamson wrote:
> Looking for a way to monitor a small banking network and generate
> an alert when an unused IP address is observed. The current IP's are
> not consecutive.
> 
> Example: we have 26 static IP addresses assigned to workstations and
> servers. If a 27th (or greater) address appears on the wire, generate
> an alert. (Note: not very interested in watching MAC addresses as some
> of the IP's are behind another layer-3 device.)
> 
> Thoughts?

Perhaps you could set these static IP's as the $HOME_NET and then alert for 
anything !$HOME_NET.  I don't know if/how this would work, but it's a thought.

jc


-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
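
The suggestion above, sketched as Snort configuration. This is an added example and not part of the original post. It assumes a Snort 2.x release with `ipvar` lists that AND negated elements against the rest of the list (per the Snort manual, releases after 2.7.x). The addresses (from the 192.0.2.0/24 documentation range), the variable name `UNASSIGNED`, the message text and the SID are constructed for illustration.

```snort
# snort.conf (constructed values)
# The monitored LAN is 192.0.2.0/24; the negated inner list holds the
# assigned static addresses (shortened here, the real list would have 26).
# Result: every address in the LAN range that is NOT an assigned host.
ipvar UNASSIGNED [192.0.2.0/24,![192.0.2.10,192.0.2.11,192.0.2.25,192.0.2.40]]

# local.rules
# Scoping to the LAN range matters: a bare "!<assigned list>" source would
# also match every Internet address talking to the network.
# The threshold limits output to one alert per new source address per hour.
alert ip $UNASSIGNED any -> any any (msg:"LOCAL unassigned LAN address in use"; threshold:type limit, track by_src, count 1, seconds 3600; classtype:policy-violation; sid:1000001; rev:1;)
```

Because the rule keys on source IP rather than MAC address, it also covers hosts behind another layer-3 device, provided the sensor sees their traffic.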