arpalert ...

with DHCP range exceptions, libnotify and mail alerting (based on ubuntu-linux)


	
1) install

	aptitude install arpalert
	aptitude install libnotify-bin
	aptitude install postfix (MTA)	# config not covered here


2) configure arpalert (/etc/arpalert/arpalert.conf)
	
	[...]
	user = root		# dismiss privilege separation on your own risk (for X notify)
	daemon = true		# run in background/daemon mode
	interface = eth0,eth1 	# in my case eth1.123,eth1.456 (VLAN interfaces)
	action on detect = "/var/lib/arpalert/arpalert"		# see 3)
	# [ change log, alert and mod config lines ]
	log file = "/var/log/arpalert.log"	# touch file and modify access rights
	[...]


3) configure arpalert script /var/lib/arpalert/arpalert

    #!/bin/bash
    
    # handle only IPs from our nets 
    if [[ "$2" =~ .*192.168.* ]]; then STATUS=OK; else exit 0; fi	# var $STATUS is a dummy
    
    # DHCP exclude
    for ip in {20..200}; do 
    	if [ $2 == "192.168.1.$ip" ]; then exit 0; fi			# DHCP range 192.168.1.20-200
    	if [ $2 == "192.168.2.$ip" ]; then exit 0; fi			# DHCP range 192.168.2.20-200
    done
    
    # router mac address / more than one IP per MAC / false positives
    if [ $1 == "00:08:00:11:22:33" ] && [ $5 -eq 0 ]; then exit 0; fi

    # computers with virt. ip-addresses
    for f in `cat /etc/arpalert/maclist.dup`; do
        if [[ $f =~ .*:.* ]]; then MAC="$f"; continue; else IP="$f"; fi;
        if [ $1 == $MAC ] && [ $2 == $IP ]; then exit 0; fi
    done 
    
    case $5 in
      0 )
        AlertType="IP change";;
      1 )
        AlertType="MAC address already detected but not in white list";;
      2 )
        AlertType="MAC address in black list";;
      3 )
        AlertType="New MAC address";;
      4 )
        AlertType="Unauthorized ARP request";;
      5 )
        AlertType="Abusive number of ARP request detected";;
      6 )
        AlertType="Ethernet MAC address different from ARP MAC address";;
      7 )
        AlertType="Flood detected";;
      8 )
        AlertType="New MAC address whithout IP address";;
      9 )
        AlertType="MAC change";;
      * )
        AlertType="unknown";;
    esac
    
    # mail 
    MAILBODY="$(date), Intruder IP: $2, Intruder MAC: $1, IF: $4, Type of alert: $AlertType"
    echo $MAILBODY | mail -s "ARP-Alert" ToMe@mydomain.tld
    
    # libnotify
    beep			# make noise
    export DISPLAY=:0
    notify-send "ARPALERT" "Time: $(date) \n Intruder IP: $2 \n Intruder MAC: $1 \n  Network-Interface: $4 \n Type of alert : $AlertType" -i /path/to/my/icons/alert.jpg
    


4)  edit /etc/arpalert/maclist.allow based on your network
   	
	# hint: take data from /var/log/arpalert.log

	# MAC			IP		INTERFACE
	11:11:11:11:11:11	192.168.1.1	eth0
	22:22:22:22:22:22	192.168.2.2	eth1


5)  edit /etc/arpalert/maclist.dup

	06:ba:ce:11:22:33    192.168.1.10    192.168.11.10
	58:b0:35:11:22:33    192.168.1.14    192.168.11.14 

	
5) start / autostart

	service arpalert start
	update-rc.d arpalert defaults

	
*) pre tests

	tail -f /var/log/arpalert.log					
	echo "testmail" | mail -s "testsubject" ToMe@mydomain.tld		# mail
	notify-send "testsubject" "testbody"					# libnotify
	/var/lib/arpalert/arpalert 00:11:22:33:44:55 192.168.1.5 arg3 eth0 9	# arpalert script (mail and libnotify)


*) final tests / arp spoofing

	arpspoof -i eth0 -t 192.168.1.1 192.168.1.5		# arpspoof [-i interface] [-t target] host
	ettercat -T -M arp /192.168.1.1/ /192.168.1.5/		# Man-In-The-Middle Attack with ettercap
		



by Markus Sesser