ArpAlert on Ubuntu

This post is related to ARPWatch. ArpAlert does almost the same …

It listens on a network interface (without using ‘promiscuous’ mode) and captures every MAC-address-to-IP request it sees. It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If a MAC is not in the list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters. The software can run in daemon mode and is very fast (low CPU and memory consumption). It responds to SIGHUP (configuration reload) and to SIGTERM, SIGINT, SIGQUIT and SIGABRT (arpalert stops itself).

If you need to use a list of authorized MAC addresses, this package should suit your needs; otherwise arpwatch may also be fine.

1. The configuration

Edit /etc/arpalert/arpalert.conf

/etc/arpalert/maclist.allow

Sample
00:11:88:08:37:0c       11.123.254.2   eth0    ip_change
00:11:88:08:37:0c       12.23.0.1      eth0    ip_change
00:00:5e:00:01:96       11.123.254.229 eth0    ip_change
00:00:5e:00:01:96       12.23.140.27   eth0    ip_change

/etc/arpalert/maclist.deny

2. Where are the scripts

/usr/share/arpalert/send_alert.pl
/usr/share/doc/arpalert/examples/scripts/contribs/add_allowed_arpalert_address.sh
/usr/share/doc/arpalert/examples/scripts/contribs/dns_leases.sh
/usr/share/doc/arpalert/examples/scripts/contribs/send_alert.sh
/usr/share/doc/arpalert/examples/scripts/test/broadping.sh
/usr/share/doc/arpalert/examples/scripts/test/just_one_arp_request.sh
/usr/share/doc/arpalert/examples/scripts/test/send_flood_local
/usr/share/doc/arpalert/examples/scripts/test/testcharge.sh
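
The user script that arpalert launches, described at the top of this post, can be small but should validate its arguments before passing them to logs or other tools. The following handler is an added example, not code from this post or from the arpalert project; it assumes the MAC address arrives as the first argument and the IP address as the second, and the log path and syslog tag are hypothetical.

```shell
#!/bin/sh
# Added example: handler for arpalert to launch on a detection.
# Assumption: $1 is the MAC address and $2 the IP address, as the post
# describes; any further arguments are ignored.

# Hypothetical log path, overridable through the environment.
ARP_ALERT_LOG="${ARP_ALERT_LOG:-/var/log/arpalert-handler.log}"

# True only for six colon-separated hex octets.
is_mac() {
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
}

# True only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one normalised alert line, or return 2 if either argument is malformed.
format_alert() {
    is_mac "$1"  || { echo "rejected: malformed MAC argument" >&2; return 2; }
    is_ipv4 "$2" || { echo "rejected: malformed IP argument" >&2; return 2; }
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf 'arpalert: alert for MAC %s with IP %s\n' "$mac" "$2"
}

# Append the alert to the log file and, when logger exists, to syslog.
handle_alert() {
    line=$(format_alert "$1" "$2") || return $?
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line" >> "$ARP_ALERT_LOG"
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t arpalert-handler "$line" || true
    fi
}

# Run only when invoked with both arguments, as arpalert would.
if [ "$#" -ge 2 ]; then
    handle_alert "$1" "$2"
fi
```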

3. Keep oui.txt up to date:

cd /etc/arpalert/
mv oui.txt oui.txt.old
wget http://standards.ieee.org/regauth/oui/oui.txt
ls -lsah
/etc/init.d/arpalert restart

4. Don’t forget to update your logrotate configuration

Create a file /etc/logrotate.d/arpalert:
/var/log/arpalert.log {
 rotate 60
 daily
 missingok
 notifempty
 compress
 postrotate
 /etc/init.d/arpalert restart >/dev/null
 endscript
}

5. References:

http://www.arpalert.org/
