The config file contains 3 types of data: integer, string and boolean. The boolean type can take the values
'oui', 'true', 'yes', '1' for true or 'non', 'no', 'false', '0' for false.
user = arpalert
Use privilege separation with this user
umask = 177
Use this umask for file creation.
chrootdir = /home/thierry/arp_test/
Use this directory as the program jail (chroot).
If this option is commented out, the program does not use chroot.
The program reads the config file and opens the syslog socket before the chroot, so:
kill -HUP does not work with chroot (the config file is outside the jail).
If the syslog daemon is restarted, its socket changes and arpalert cannot connect to the new socket:
the syslog logs are then disabled. Prefer the log file.
The file paths are relative to the chroot directory (except the config file).
logfile = /var/log/arpalert.log
The program logs into this file.
If this option is commented out, the internal log file is not used.
The internal log file can be used at the same time as syslog.
loglevel = 6
The level logged. The levels are between 0 (emergency) and 7 (debug). If 3 is selected, all levels
between 0 and 3 are logged.
usesyslog = true
If this option is false, syslog logging is disabled.
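The boolean spellings and the chroot/syslog interaction above are easy to get wrong in a config file. The following script is an added example (not part of arpalert) that normalises the accepted boolean values, reads "key = value" lines from a config file, and warns when chrootdir is set with syslog as the only log destination. The sample config and its paths are constructed for the example; the parsing rules (trailing '#' comments, optional double quotes) are assumptions about the format, not taken from the arpalert source.

```shell
#!/bin/sh
# Added example, not part of arpalert: read an arpalert-style config file,
# normalise its boolean spellings, and warn when the chroot/syslog
# combination described above would silently lose logs.

# Normalise the boolean spellings arpalert accepts to 1 or 0.
# Prints nothing and returns 2 for any other value.
parse_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        oui|true|yes|1) printf '1\n' ;;
        non|no|false|0) printf '0\n' ;;
        *) return 2 ;;
    esac
}

# Print the value of one "key = value" line: trailing '#' comments,
# surrounding whitespace and enclosing double quotes are stripped
# (assumed syntax). A commented-out key yields an empty string, like an
# unset option.
config_get() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
        sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/; s/[[:space:]]*$//' |
        tail -n 1
}

# Report the logging situation of a config file in one line.
check_logging() {
    file="$1"
    chroot=$(config_get chrootdir "$file")
    logfile=$(config_get logfile "$file")
    syslog=$(parse_bool "$(config_get usesyslog "$file")") || syslog=0
    if [ -n "$chroot" ] && [ "$syslog" = 1 ] && [ -z "$logfile" ]; then
        # The syslog socket is opened before chroot and cannot be reopened
        # from inside the jail, so a syslogd restart ends all logging.
        printf 'warn: chroot with syslog only: logs are lost when syslogd restarts\n'
    elif [ -z "$logfile" ] && [ "$syslog" = 0 ]; then
        printf 'warn: no logfile and syslog disabled: nothing is logged\n'
    else
        printf 'ok\n'
    fi
}

# Constructed sample config for this example (paths are invented).
SAMPLE_CONFIG="${TMPDIR:-/tmp}/arpalert-sample.$$"
cat > "$SAMPLE_CONFIG" <<'EOF'
user = arpalert
umask = 177
chrootdir = "/var/lib/arpalert/jail"   # constructed path
# logfile = /var/log/arpalert.log
usesyslog = OUI
daemon = non
EOF
trap 'rm -f "$SAMPLE_CONFIG"' EXIT

check_logging "$SAMPLE_CONFIG"
```

Run it against a real config by replacing SAMPLE_CONFIG with the path to your arpalert.conf; the "warn" line is the case the text above describes, where a syslog restart leaves arpalert without any log output.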
maclistfile = /etc/arpalert/maclist.allow
White list
maclistalertfile = /etc/arpalert/maclist.deny
Black list
maclistleasesfile = /var/lib/arpalert/arpalert.leases
Dump file
dumpinter = 5
Minimum time to wait between two leases dumps
authrequestfile = /etc/arpalert/authrq.conf
List of authorized requests
lockfile = /var/run/arpalert.pid
pid file
dumppacket = false
Only for debugging: dumps the received packets on standard output. The syntax "dumppaquet" is also
available, but is deprecated.
daemon = false
If set to true, run the program as a daemon.
interface = ""
Comma-separated list of network interfaces to listen on. If this value is not specified, the program
selects the first interface.
catchonlyarp = TRUE
Configure the network capture to catch only arp requests. The detection type "new_mac" is deactivated.
This mode saves CPU if arpalert is running on a router.
modondetect = ""
Module file loaded by arpalert. This module is launched on each valid alert. This system avoids a
costly fork/exec.
modconfig = ""
This string is passed to the init function of the loaded module.
actionondetect = ""
Script launched on each detection. Parameters are:
- mac address of requestor,
- ip of requestor,
- supp. parm.,
- ethernet device listening on,
- type of alert,
- optional: ethernet vendor
Type of alert:
0: IP change
1: Mac address already detected but not in white list
2: Mac address in black list
3: New mac address
4: Unauthorized arp request
5: Abusive number of arp request detected
6: Ethernet mac address different from arp mac address
7: Flood detected
8: New mac address without ip address
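As an added example (not arpalert's own code), here is a minimal actionondetect handler that receives the parameters in the order listed above, maps the numeric alert type to its label and appends one record to a log file. The log path is a constructed placeholder. Every parameter ultimately comes from ARP traffic or the vendor file, so the script treats them strictly as data: they are quoted everywhere, reduced to printable characters so a crafted value cannot inject extra log lines, and never handed to eval or another shell.

```shell
#!/bin/sh
# Added example, not part of arpalert: a minimal actionondetect handler.
# It assumes only the parameter order documented above:
#   $1 mac address of requestor   $2 ip of requestor   $3 supp. parm.
#   $4 listening device           $5 type of alert     $6 optional vendor
# ALERT_LOG is a constructed path for this example.
ALERT_LOG="${ALERT_LOG:-/tmp/arpalert-actions.log}"

# Every parameter originates from network traffic or the vendor file:
# treat it as data. Keep printable characters only so one alert can never
# inject extra lines into the log, and never pass it to eval or a shell.
sanitize() {
    printf '%s' "$1" | tr -cd '[:print:]'
}

# Map the numeric alert type to the label documented above.
alert_name() {
    case "$1" in
        0) printf 'IP change\n' ;;
        1) printf 'Mac address already detected but not in white list\n' ;;
        2) printf 'Mac address in black list\n' ;;
        3) printf 'New mac address\n' ;;
        4) printf 'Unauthorized arp request\n' ;;
        5) printf 'Abusive number of arp request detected\n' ;;
        6) printf 'Ethernet mac address different from arp mac address\n' ;;
        7) printf 'Flood detected\n' ;;
        8) printf 'New mac address without ip address\n' ;;
        *) printf 'Unknown alert type %s\n' "$(sanitize "$1")" ;;
    esac
}

# Build one log record from the script parameters; vendor ($6) is optional.
format_alert() {
    vendor="${6:-unknown vendor}"
    printf 'dev=%s type=%s (%s) mac=%s ip=%s parm=%s vendor=%s\n' \
        "$(sanitize "$4")" "$(sanitize "$5")" "$(alert_name "$5")" \
        "$(sanitize "$1")" "$(sanitize "$2")" "$(sanitize "$3")" \
        "$(sanitize "$vendor")"
}

# arpalert kills the script after "executiontimeout" seconds and runs at
# most "maxalert" of them at once, so do only quick work: append and exit.
main() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(format_alert "$@")" \
        >> "$ALERT_LOG"
}

# Run only when arpalert supplies the five mandatory parameters, so the
# functions above can also be sourced and tested on their own.
if [ "$#" -ge 5 ]; then
    main "$@"
fi
```

Point actionondetect at this file (inside the chroot directory if chrootdir is set, since script paths are relative to the jail) and make it executable; the record it writes is a good feed for whatever monitoring collects the arpalert log file.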
executiontimeout = 10
Script execution timeout (seconds)
maxalert = 20
Maximum number of simultaneously launched scripts
dumpblacklist = false
Dump the black listed mac address in leases file
dumpwhitelist = false
Dump the white listed mac address in leases file
dumpnewaddress = true
Dump the new mac address in leases file
mactimeout = 259200
After this time a mac address is removed from memory (seconds) (default 1 month)
maxentry = 1000000
After this limit the memory hash is cleaned (protection against arp flood)
antifloodinterval = 10
Send only one mismatch alert within this time (in seconds)
antifloodglobal = 50
If the number of arp requests per second exceeds this value, all alerts are ignored for
"antifloodinterval" time
macvendorfile = ""
This file contains the association from mac address to vendor name. This file can be downloaded
here: http://standards.ieee.org/regauth/oui/oui.txt
logmacvendor = false
Log vendor name
alertmacvendor = false
Give vendor name to script
modmacvendor = false
Give vendor name to module
logreferencedaddress, alertonreferencedaddress, modonreferencedaddress = false
Log/launch script/call module if the address is referenced in the hash but is not in the white list
logdenyaddress, alertondenyaddress, modondenyaddress = true
Log/launch script/call module if the mac address is in the black list
lognewaddress, alertonnewaddress, modonnewaddress = true
Log/launch script/call module if the address isn't referenced
logmacchange, alertonmacchange, modonmacchange = true
Log/launch script/call module if the mac address is different from the last arp request with the
same ip address
logipchange, alertonipchange, modonipchange = true
Log/launch script/call module if the ip address is different from the last arp request with the
same mac address
logunauthrequest, alertonunauthrequest, modonunauthrequest = true
Unauthorized arp request: log/launch script/call module if the request is not authorized in the auth file
ignoreunknownsender = true
Don't analyse arp requests from unknown hosts (not in the white list)
ignoreselftest = true
Ignore the ARP self test generated by Windows DHCP clients for unauthorized request detection
ignoreme = true
Ignore arp requests carrying the mac address of the listening interfaces for the authorization checks
unauthignoretimemethod = 2
Select suspend time method:
1: ignore all unauth alerts during "anti flood interval" time
2: ignore only tuple (mac address, ip address) during "anti flood interval" time
logrequestabus, alertonrequestabus, modonrequestabus = true
Log/launch script/call module if the number of requests per second is > "maxrequest"
maxrequest = 1000000
Maximum requests authorized per second
logmacerror, alertonmacerror, modonmacerror = true
Log/launch script/call module if the ethernet mac address is different from the arp mac address
(only for the requestor)
logflood = true, alertonflood = true, modonflood = true
Log/launch script/call module if there are too many arp requests per second
logexpiremacaddress = true, alertonexpiremacaddress = true, modonexpiremacaddress = true
Log/launch script/call module if a mac address expires
expireauthorizedmacaddresses = true
Allow authorized mac addresses to expire