ArpAlert on Ubuntu

This post is related to ARPWatch. ArpAlert does almost the same …

It listens on a network interface (without using ‘promiscuous’ mode) and captures every MAC-address-to-IP-address request it sees. It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in the list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters. This software can run in daemon mode; it’s very fast (low CPU and memory consumption). It responds to the SIGHUP signal (configuration reload) and to the SIGTERM, SIGINT, SIGQUIT and SIGABRT signals (arpalert stops itself).

If you need to use a list of authorized MAC addresses, this package should suit your needs; otherwise arpwatch may also be fine.
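
As an added illustration (not from the original post or the arpalert project), here is a minimal handler of the kind arpalert launches, taking the MAC address as `$1` and the IP address as `$2` as described above. It validates both arguments before logging them and flags locally administered MAC addresses; the function names, the `ALERT_LOG` variable and the default log path are assumptions.

```shell
#!/bin/sh
# Added example: alert handler for arpalert. $1 = MAC address, $2 = IP address.
# ALERT_LOG and the default log path are assumptions, not arpalert settings.

valid_mac() {
    # Reject any character outside hex digits and ':' first (this also
    # catches embedded newlines), then require exactly six octets.
    case $1 in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}'
}

valid_ip() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

is_local_admin() {
    # Bit 0x02 of the first octet marks a locally administered address,
    # i.e. one not assigned by a vendor (randomized or hand-set MACs).
    case $1 in ?[2367AaBbEeFf]:*) return 0 ;; *) return 1 ;; esac
}

handle_alert() {
    mac=$1; ip=$2
    log=${ALERT_LOG:-/var/log/arpalert-handler.log}
    now=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if ! valid_mac "$mac" || ! valid_ip "$ip"; then
        # Never copy unvalidated arguments into the log.
        printf '%s REJECTED malformed arguments\n' "$now" >>"$log"
        return 2
    fi
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    note=''
    if is_local_admin "$mac"; then note=' note=locally-administered'; fi
    printf '%s ALERT mac=%s ip=%s%s\n' "$now" "$mac" "$ip" "$note" >>"$log"
}

# Run only when called with arguments, as arpalert would do.
if [ "$#" -ge 2 ]; then handle_alert "$1" "$2"; fi
```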

1. The configuration

Edit /etc/arpalert/arpalert.conf


00:11:88:08:37:0c   eth0    ip_change
00:00:5e:00:01:96   eth0    ip_change

2. Where are the scripts


3. Keep it up to date:

cd /etc/arpalert/
mv oui.txt oui.txt.old
ls -lsah
/etc/init.d/arpalert restart

4. Don’t forget to update your logrotate

Create a file /etc/logrotate.d/arpalert:

/var/log/arpalert.log {
 rotate 60
 postrotate
  /etc/init.d/arpalert restart >/dev/null
 endscript
}


