arpalert - ARP traffic monitoring
Arpalert uses ARP protocol monitoring to prevent unauthorized
connections on the local network. If an illegal connection is
detected, a program or script could be launched, which could be used to
send an alert message, for example.
Specify the config file.
Comma separated network interfaces listen to.
Use this pid file. this file containis a pid number of the
arpalert session. If the file exist and his locked, the deamon
do not run.
Script launched when an alert is send.
The level logged. The levels are between 0 (emergency) and 7
(debug). If 3 is selected all levels bitween 0 and 3 are logged.
This file contain a dump of the mac address in memory (see
-m module file
Specify a module file to load
-d Run as daemon.
-F Run in foreground.
-v Watch on screen all the option selected (the options specified
in config file and the default options)
-h The help command line.
-w Debug option: print a dump of packets captured.
-P Set the interface in promiscuous mode (don’t set this if only
the arp analyse is used).
-V Print version and quit.
The config file contains 3 types of data: integer, string and boolean.
The boolean type can take values ’oui’, ’true’, ’yes’, ’1’ for the true
values or ’non’, ’no’, ’false’, ’0’ for the falses values.
user = arpalert
Use privileges separation with this user
umask = 177
Uses this umask for file creation.
chroot dir = /home/thierry/arp_test/
Use this directory for program jail
If this option is commented out, the program does not use
The program read the config file and open the syslog socket
before the chroot:
The kill -HUP does not work with chroot.
If the syslog program is restarted, the socket change and the
arpalert syslog system can’t be connect to the new socket: the
logs with syslog are disabled. Prefere to use the log file.
The file pathes are relative to the chroot dir (except the
log file = /var/log/arpalert.log
The program log into this file
If this option is commented out, the internal system log is not
The internal system logs can be used in same time that syslog.
log level = 6
The level logged. The levels are between 0 (emergency) and 7
(debug). If 3 is selected all levels between 0 and 3 are logged.
use syslog = true
If this option is false, the syslog system is disabled
maclist file = /etc/arpalert/maclist.allow
maclist alert file = /etc/arpalert/maclist.deny
maclist leases file = /var/lib/arpalert/arpalert.leases
dump inter = 5
Minimun time to wait between two leases dump
auth request file = /etc/arpalert/authrq.conf
List of authorized request
lock file = /var/run/arpalert.pid
dump packet = false
Only for debugging: this dump packet received on standard
output. The syntax "dump paquet" is also avalaible, but is
daemon = false
If is set to true, run the program as daemon
interface = ""
Comma separated network interfaces leisten to. If this value is
not specified, the soft select the first interface.
catch only arp = TRUE
Configure the network for catch only arp request. The detection
type "new_mac" is deactived. This mode is used for CPU saving
if Arpalert is running on a router
mod on detect = ""
Module file loaded by arpalert. This module is launched on each
valid alert. This system permit to avoid a costly fork/exec
mod config = ""
This chain is transfered to the init function of module loaded
action on detect = ""
Script launched on each detection. Parameters are:
- mac address of requestor,
- ip of requestor,
- supp. parm.,
- ethernet device listening on
- type of alert,
- optional: ethernet vendor
type of alert:
0: IP change
1: Mac address already detected but not in white list
2: Mac address in black list
3: New mac address
4: Unauthorized arp request
5: Abusive number of arp request detected
6: Ethernet mac address different from arp mac address
7: Flood detected
8: New mac address whithout ip address
execution timeout = 10
Script execution timeout (seconds)
max alert = 20
Maximun simultaneous lanched script
dump black list = false
Dump the black listed mac address in leases file
dump white list = false
Dump the white listed mac address in leases file
dump new address = true
Dump the new mac address in leases file
mac timeout = 259200
After this time a mac address is removed from memory (seconds)
(default 1 month)
max entry = 1000000
After this limit the memory hash is cleaned (protect to arp
anti flood interval = 10
This permit to send only one mismatch alert in this time (in
anti flood global = 50
If the number of arp request in seconds exceeds this value, all
alerts are ignored for "anti flood interval" time
mac vendor file = ""
This file contain the association from mac address to vendor
name. This file can be downloaded here:
log mac vendor = false
Log vendor name
alert mac vendor = false
Give vendor name to script
mod mac vendor = false
Give vendor name to module
log referenced address, alert on referenced address, mod on referenced
address = false
Log/launch script/call module if the address is referenced in
hash but is not in white list
log deny address, alert on deny address, mod on deny address = true
Log/launch script/call module if the mac address is in black
log new address, alert on new address, mod on new address = true
Log/launch script/call module if the address isn’t referenced
log mac change, alert on mac change, mod on mac change = true
Log/launch script/call module if the mac address is different
from the last arp request with the same ip address
log ip change, alert on ip change, mod on ip change = true
Log/launch script/call module if the ip address is different
from the last arp request with the same mac address
log unauth request, alert on unauth request, mod on unauth request =
Unauthorized arp request: launch if the request is not
authorized in auth file
ignore unknown sender = true
Dont analyse arp request for unknow hosts (not in white list)
ignore self test = true
Ignore ARP self test generated by windows dhcp for unauthorized
ignore me = true
Ignore arp request with mac addresse of the listing interfaces
for the authorizations checks
unauth ignore time method = 2
Select suspend time method:
1: ignore all unauth alerts during "anti flood interval" time
2: ignore only tuple (mac address, ip address) during "anti
flood interval" time
log request abus, alert on request abus, mod on request abus = true
Log/launch script/call module if the number of request per
seconds are > "max request"
max request = 1000000
Maximun request authorized by second
log mac error, alert on mac error, mod on mac error = true
Log/launch script/call module if the ethernet mac address is
different than the arp mac address (only for requestor)
log flood = true
alert on flood = true mod on flood = true Log/launch script/call
module if have too many arp request per seconds
DATA FILES FORMATS
/etc/arpalert/maclist.allow and /etc/arpalert/maclist.deny:
All the line with # as a first caracter are ignored
The data on this file take this form
<MAC_ADRESS> <IP_ADDRESS> <DEVICE> [<FLAG> <FLAG> <FLAG> ...]
The available flags are:
ip_change: Ignore ip change alert for this mac address
black_listed: Ignore black list alerts for this mac address
unauth_rq: Ignore unauthorized requests for this mac address
rq_abus: Ignore request abuse for this mac address
mac_error: Ignore mac error for this mac address
mac_change: Ignore mac change for this mac address
All the words after # character are ignored
All the blank characters are ignored
The authorisations list for one mac address begins by the mac
address into brackets
All the next values are ip hosts addresses or ip networks
addresses (with /xx notion)
[<MAC_ADRESS> <DEVICE>] <IP_ADRESS>
sbin/arpalert: binary file
etc/arpalert/arpalert.conf: default config file
var/run/arpalert.pid: pid file
var/state/arpalert.leases: leases file