Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Alert on new IP in use?

From: Jeff Coppock <jcoppock1 () comcast net>
Date: Tue, 02 Aug 2005 15:09:39 -0700
Rich Adamson wrote:

Looking for a way to monitor a small banking network and generate
an alert when an unused IP address is observed. The current IP's are
not consecutive.

Example: we have 26 static IP addresses assigned to workstations and
servers. If a 27th (or greater) address appears on the wire, generate
an alert. (Note: not very interested in watching MAC addresses as some
of the IP's are behind another layer-3 device.)

Thoughts?
Perhaps you could set these static IP's as the $HOME_NET and then alert for anything !$HOME_NET. I don't know if/how this would work, but it's a thought. 

jc


--
Jeff Coppock            Systems Engineer
Diggin' Debian             Admin and User


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: