Last active
February 16, 2024 12:44
-
-
Save 1nn3/0dfd6c261a67f867b37cd8c23c160e94 to your computer and use it in GitHub Desktop.
ARP alert action on detect script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env sh | |
| # ARP alert action | |
| # grep "action on detect" /etc/arpalert/arpalert.conf | |
| # action on detect = "/usr/local/sbin/arpalert-action-on-detect" | |
| mac="$1" | |
| ip="$2" | |
| extras="$3" | |
| device="$4" | |
| type_of_alert="$5" | |
| vendor="$6" | |
| case "$type_of_alert" in | |
| 0) | |
| text="IP change $ip ($vendor)" | |
| ;; | |
| 1) | |
| text="MAC already detected but not in white list" | |
| ;; | |
| 2) | |
| text="MAC in black list" | |
| ;; | |
| 3) | |
| text="New MAC $mac ($vendor)" | |
| ;; | |
| 4) | |
| text="Unauthorized arp request" | |
| ;; | |
| 5) | |
| text="Abusive number of arp request detected" | |
| ;; | |
| 6) | |
| text="Ethernet MAC different from ARP MAC" | |
| ;; | |
| 7) | |
| text="Flood detected" | |
| ;; | |
| 8) | |
| text="New MAC whithout IP $mac ($vendor)" | |
| ;; | |
| 9) | |
| text="MAC change $mac ($vendor)" | |
| ;; | |
| 10) | |
| text="MAC expiere $mac ($vendor)" | |
| ;; | |
| *) | |
| text="" | |
| ;; | |
| esac | |
| mail -s "$text" root <<! | |
| $device $ip $mac $vendor | |
| $text ($type_of_alert) | |
| $extras | |
| $([ $ip ] && nmap -Pn -A $ip) | |
| ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment