Dave wrote:
> arpwatch does something like that, keeps an eye on what mac addresses
> are active using what IP on the local subnet, sends an alert when a
> new mac address appears or some change occurs in the pairs of active
> MAC/IP pairs.
>
> Currently there is no integration between arpwatch and nagios.
> arpwatch sends email alerts, maybe outputs to the log or console?
>
> I don't think it is a good fit, since nagios assumes that all the
> hosts it cares about are pre-defined in its config file.
>
>
> On Dec 9, 2007 2:56 AM, sachin kumar <[EMAIL PROTECTED]> wrote:
>
>> Hi list
>>
>> I want to configure nagios in such a way that if unknown mac-address enters
>> into network to access resources, that system will be displayed in nagios. I
>> want to create a list of mac-addresses which are in our network, and link
>> it with nagios and if any other mac-address (out of this list) connects to
>> network, it will be displayed in the nagios.
>>
>>
>>
>> - sachin kumar (sachin1361

Although not a complete fit, one thing I do is run a check of all dhcpd leases that were handed out by all of my ISC dhcpd servers using a plugin I wrote:

http://www.nagiosexchange.org/Check_Plugins.21.0.html?&tx_netnagext_pi1[p_view]=1164&tx_netnagext_pi1[page]=20%3A10

This can use whitelists, so you can whitelist your MAC addresses and it will raise a critical alert in Nagios if a lease is given out to any non-recognized MAC. Since spoofing the MAC is obvious, it can also take a list of hostnames since this is less obvious to spoof. If you use both, chances are that anyone jumping on your network and being issued a dhcp lease from dhcpd will trip it and alert you.

It's not a complete solution but is nice from the defense in depth point of view of multiple layers. It's also just nice to see at a glance in Nagios who has leases on your dhcpd server and the output is fairly flexible.

Of course, someone who gets on your network may not use dhcp at all but this is just a small piece of the puzzle. I also use arpwatch which can indeed alert on MAC changes or additions, or you can use its logging to alert from a central place...

Arpwatch will not integrate directly into Nagios, but since arpwatch can log to syslog, you could use a nagios log check to alert on any logged MAC additions.

-h

--
Hari Sekhon
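
A sketch of the lease whitelist check described in the reply above, as an added example; it is not Hari Sekhon's plugin or code from this thread. The function names, the constructed sample lease data, and the policy that an active lease must match both the MAC whitelist and (when one is given) the hostname whitelist are assumptions.

```python
import re

# Constructed sample in ISC dhcpd.leases format (not real lease data).
SAMPLE_LEASES = '''
lease 192.168.1.10 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop1";
}
lease 192.168.1.11 {
  binding state active;
  next binding state free;
  hardware ethernet 00:AA:BB:CC:DD:EE;
  client-hostname "laptop1";
}
lease 192.168.1.12 {
  binding state free;
  hardware ethernet 00:de:ad:be:ef:00;
}
'''
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\n\}', re.S)

def norm_mac(mac):
    # Lower-case and pad each octet so 0:1:2:... and 00:01:02:... compare equal.
    return ':'.join(p.zfill(2) for p in mac.lower().split(':'))

def parse_leases(text):
    """Return {ip: (mac, hostname)} for active leases; later entries win."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        # Anchored at line start so "next binding state" is not matched.
        state = re.search(r'^\s*binding state (\w+);', body, re.M)
        mac = re.search(r'hardware ethernet ([0-9A-Fa-f:]+);', body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        if state and state.group(1) != 'active':
            leases.pop(ip, None)  # lease was released or expired
        elif mac:
            leases[ip] = (norm_mac(mac.group(1)),
                          host.group(1).lower() if host else '')
    return leases

def check_leases(text, mac_whitelist, host_whitelist=()):
    """Return (nagios_exit_code, status_line): 0 = OK, 2 = CRITICAL."""
    macs = {norm_mac(m) for m in mac_whitelist}
    hosts = {h.lower() for h in host_whitelist}
    leases = parse_leases(text)
    bad = ['%s %s "%s"' % (ip, mac, host)
           for ip, (mac, host) in sorted(leases.items())
           if mac not in macs or (hosts and host not in hosts)]
    if bad:
        return 2, 'CRITICAL: %d unrecognized lease(s): %s' % (len(bad), '; '.join(bad))
    return 0, 'OK: %d active lease(s), all whitelisted' % len(leases)
```

In the sample, the second lease reuses a whitelisted hostname but has an unknown MAC, so the check still returns CRITICAL.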