Snort mailing list archives
Re: Alert on new IP in use?
From: Jason Benway <benwaynet () gmail com>
Date: Wed, 3 Aug 2005 22:58:31 -0400
I would like to see your script.

On 02 Aug 2005 13:46:54 +1200, James Riden <j.riden () massey ac nz> wrote:
> Rich Adamson <radamson () routers com> writes:
>
> > Looking for a way to monitor a small banking network and generate an
> > alert when an unused IP address is observed. The current IPs are not
> > consecutive. Example: we have 26 static IP addresses assigned to
> > workstations and servers. If a 27th (or greater) address appears on
> > the wire, generate an alert. (Note: not very interested in watching
> > MAC addresses as some of the IPs are behind another layer-3 device.)
> >
> > Thoughts?
>
> I use p0f hooked into a perl script which generates a list of the
> active hosts for the day. It also does a DNS lookup, and anything
> without valid rDNS gets mailed to me.
>
> The code is actually pretty trivial, but I'm happy to share it if
> anyone cares.
>
> cheers,
> Jamie
> --
> James Riden / j.riden () massey ac nz / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
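An added example of the approach discussed in this thread, not James Riden's Perl script (which does not appear on this page): compare observed source addresses against the list of assigned IPs and report anything else along with its rDNS status. The log format, addresses and PTR table are constructed for illustration; a real deployment would feed in addresses from p0f or another sensor and use `reverse_name` for live lookups.

```python
import ipaddress
import socket

# Constructed allowlist: the statically assigned, non-consecutive addresses.
KNOWN_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.45", "192.0.2.200"}
# Constructed PTR table standing in for DNS so the demo runs offline.
PTR = {"192.0.2.201": "printer.example.test"}
# Constructed sensor output, one "timestamp source-ip" pair per line.
SAMPLE_LOG = """\
2005-08-01T09:00:01 192.0.2.10
2005-08-01T09:00:04 192.0.2.45
2005-08-01T09:02:17 192.0.2.77
garbage line
2005-08-01T09:05:00 192.0.2.77
2005-08-01T09:07:42 192.0.2.201
"""

def reverse_name(ip):
    """Live rDNS lookup: PTR name for ip, or None when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def find_unknown_hosts(lines, known, resolver=reverse_name):
    """Map each source IP outside `known` to first-seen time, count, rDNS."""
    allowed = {ipaddress.ip_address(k) for k in known}
    unknown = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line: skip it rather than abort the run
        stamp, raw = parts
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # second field is not an IP address
        if ip in allowed:
            continue
        key = str(ip)
        if key not in unknown:  # resolve once per address, on first sight
            unknown[key] = {"first_seen": stamp, "count": 0, "rdns": resolver(key)}
        unknown[key]["count"] += 1
    return unknown

def format_alerts(unknown):
    """One alert line per unknown address, flagging hosts without rDNS."""
    return [f"{ip} first seen {h['first_seen']} ({h['count']} hits) "
            f"rDNS={h['rdns'] or 'NONE'}" for ip, h in sorted(unknown.items())]

if __name__ == "__main__":
    hits = find_unknown_hosts(SAMPLE_LOG.splitlines(), KNOWN_HOSTS, PTR.get)
    print("\n".join(format_alerts(hits)))
```
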
Current thread:
- Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? James Riden (Aug 01)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? James Riden (Aug 03)
- Re: Alert on new IP in use? Jason Benway (Aug 09)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Jeff Coppock (Aug 02)
- <Possible follow-ups>
- RE: Alert on new IP in use? Williams Jon (Aug 01)
- Re: Alert on new IP in use? Daniel Cid (Aug 01)
- Re: Alert on new IP in use? Donofrio, Lewis (Aug 04)