File: arpalert.conf.in

package info (click to toggle)
arpalert 2.0.3-1
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 2,332 kB
  • ctags: 415
  • sloc: ansic: 4,185; sh: 447; makefile: 153; perl: 28
file content (168 lines) | stat: -rw-r--r-- 4,588 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
 
#
# Copyright (c) 2005-2010 Thierry FOURNIER
# $Id: arpalert.conf.in 384 2006-10-27 09:32:12Z thierry $
# 
# Default config file
# 

# white list
maclist file = "@config_dir@/maclist.allow"

# black list
maclist alert file = "@config_dir@/maclist.deny"

# dump file
maclist leases file = "@leases_dir@/arpalert.leases"

# list of authorized request
#auth request file = @config_dir@/authrq.conf

# log file
#log file = "@log_dir@/arpalert.log"

# pid file
lock file = "@lock_dir@/arpalert.pid"

# log level
use syslog = true

# log level
log level = 6

# user for privilege separation
user = arpalert

# rights for file creation
umask = 177

# only for debugging: this dump paquet received on standard outpu
dump paquet = false

# run the program as daemon ?
daemon = false

# minimun time to wait between two leases dump
dump inter = 5

#Configure the network for catch only arp request.
#The detection type "new_mac" is desactived.
#This mode is used for CPU saving if Arpalert is running on a router
catch only arp = true

# comma separated interfaces to lesson
# if not precised, the soft select the first interface.
# by default select the first interface encontered
#interface = eth0

# script launched on each detection
# parameters are: "mac adress of requestor" "ip of requestor" "supp. parm." "type of alert"
# type of alert:
# 0: ip change
# 1: mac address only detected but not in whithe list
# 2: mac address in black list
# 3: new mac address
# 4: unauthorized arp request
# 5: abusive number of arp request detected 
# 6: ethernet mac address different from arp mac address
# 7: global flood detection
# 8: new mac adress without ip
# 9: mac change
action on detect = ""

# module launched on each detection
mod on detect = ""
# this chain is transfered to the init function of module loaded
mod config = ""

# script execution timeout (seconds)
execution timeout = 10

# maximun simultaneous lanched script
max alert = 20

# what data are dumped in leases file
dump black list = false
dump white list = false
dump new address = true

# after this time a mac adress is removed from memory (seconds) (default 1 month)
mac timeout = 259200

# after this limit the memory hash is cleaned (protect to arp flood)
max entry = 1000000

# this permit to send only one mismatch alert in this time (in seconds)
anti flood interval = 5  

# if the number of arp request in seconds exceed this value, all alerts are ignored for 
# "anti flood interval" time
anti flood global = 50

# vendor name
mac vendor file = "@config_dir@/oui.txt"
log mac vendor = true
alert mac vendor = true
mod mac vendor = true

# log if the adress is referenced in hash but is not in white list
log referenced address = false
alert on referenced address = false
mod on referenced address = false

# log if the mac adress is in black list
log deny address = true
alert on deny address = true
mod on deny address = true

# log if the adress isn't referenced
log new address = true
alert on new address = true
mod on new address = true

# log if the adress isn't referenced (for mac adress only)
log new mac address = true
alert on new mac address = true
mod on new mac address = true

# log if the ip adress id different from the last arp request with the same mac adress
log ip change = true
alert on ip change = true
mod on ip change = true

# log if the ip adress id different from the last arp request with the same mac adress
log mac change = true
alert on mac change = true
mod on mac change = true

# unauthorized arp request:
# log all the request not authorized in auth file
log unauth request = false
alert on unauth request = false
mod on unauth request = false
# dont analyse arp request for unknow hosts (not in white list)
ignore unknown sender = false
# ignore arp request with mac adresse of the lessoned interfaces for the authorizations checks
ignore me = true
# ignore windows self test
ignore self test = false
# suspend time method:
# 1: ignore all unauth alerts during "anti flood interval" time
# 2: ignore only tuple (mac address, ip address) during "anti flood interval" time
unauth ignore time method = 2

# log if the number of request per seconds are > "max request"
log request abus = true
alert on request abus = true
mod on request abus = true
# maximun request authorized by second
Max request = 1000000

# log if the ethernet mac address are different than the arp amc address (only for requestor)
log mac error = true
alert on mac error = true
mod on mac error = true

# log if have too many arp request per seconds
log flood = true
alert on flood	= true
mod on flood = true