Author Topic: ARP Monitoring with DecaffeinatID 0.09


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
ARP Monitoring with DecaffeinatID 0.09
« on: June 02, 2013, 11:48:18 AM »
Installed this IDS and ARP Monitor proggie. On ARP Monitoring read: http://www.mynitor.com/2010/02/13/14-useful-arp-monitoring-tools/
Does anyone have experience with this tool from irongeek for monitoring the workings of the FW?
Who uses ARP Monitoring?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Re: ARP Monitoring with DecaffeinatID 0.09
« Reply #1 on: June 02, 2013, 07:44:41 PM »
Here we can find info on the Windows event ID -> http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4904

I get this alert when doing a SAS scan: Event ID: 5038
\Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys
Seems this is because the driver is not digitally signed... and might be an older version that has not been removed...
What we have here is a poor man's IDS solution, but it is rather instructive when we want to learn what is going on on the OS...
Consider this posting also: http://forum.avast.com/index.php?topic=96160.0

polonus
« Last Edit: June 02, 2013, 11:47:08 PM by polonus »
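An added example (not code from the thread, from DecaffeinatID or from any other tool mentioned here) of the kind of triage one can do on the two event IDs in the reply above: it parses a constructed text export of the Security log, keeps only the 5038 (code integrity: image hash not valid) records, and groups them by image path with a count and first/last seen, so a leftover driver that fails the check on every scan stands out from a one-off. The line layout, the timestamps, the 4624 line and the source name are constructed for the example; only event IDs 5038 and 4904 and the mbamchameleon.sys path come from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of a text export of the Windows Security log.
# Timestamps, the 4624/4904 lines and the source name are made up for the example;
# the event IDs 5038 and 4904 and the driver path are the ones mentioned in the post.
SAMPLE_LOG = r"""
2013-06-02 11:40:12 Audit Failure EventID:5038 Code integrity determined that the image hash of a file is not valid. File Name: \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys
2013-06-02 11:40:13 Audit Success EventID:4904 An attempt was made to register a security event source. Source Name: ScanEngine
2013-06-02 11:52:40 Audit Failure EventID:5038 Code integrity determined that the image hash of a file is not valid. File Name: \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys
2013-06-02 12:01:05 Audit Success EventID:4624 An account was successfully logged on.
"""

# One record per line: "<date> <time> Audit <Success|Failure> EventID:<n> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Audit (?P<result>Success|Failure) EventID:(?P<id>\d+) (?P<msg>.*)$"
)
FILE_RE = re.compile(r"File Name: (?P<path>\S+)")


def parse_events(text):
    """Turn the text export into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "id": int(m["id"]),
            "msg": m["msg"],
        })
    return events


def events_by_id(events):
    """How often each event ID occurs; a quick way to see what dominates the log."""
    return Counter(ev["id"] for ev in events)


def unsigned_driver_summary(events):
    """Group 5038 events by image path with count and first/last seen.

    A path that recurs across scans is the pattern the post describes: an old
    driver that is still on disk and fails the check every time something
    touches it.
    """
    summary = {}
    for ev in events:
        if ev["id"] != 5038:
            continue
        fm = FILE_RE.search(ev["msg"])
        path = fm["path"] if fm else "<no file name in message>"
        entry = summary.setdefault(path, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(events_by_id(evs))
    for path, info in unsigned_driver_summary(evs).items():
        print(f"{path}: {info['count']}x, first {info['first']}, last {info['last']}")
```

The real export format of Event Viewer differs per version and language, so only `LINE_RE` and `FILE_RE` would need adjusting for a real log; the grouping logic stays the same.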

Re: ARP Monitoring with DecaffeinatID 0.09
« Reply #2 on: June 02, 2013, 09:08:38 PM »
Adjusted specific settings like this in an additional au3 file
Code:
alias bond0 bonding
options bond0 mode=1 miimon=100 arp_ip_target=192.168.53.1 arp_interval=5000

File "ifcfg-bond0" was created in
/etc/sysconfig/network-scripts with the following lines:

DEVICE=bond0
BOOTPROTO=none
BROADCAST=192.168.53.255
IPADDR=192.168.53.22
NETMASK=255.255.255.0
NETWORK=192.168.53.0
ONBOOT=yes

polonus

Re: ARP Monitoring with DecaffeinatID 0.09
« Reply #3 on: June 04, 2013, 12:38:45 PM »
I have combined the installations of these two tools: ARPCacheWatch together with ARPhound config, so I have a view on all that goes over the wires.
See attached image...

polonus
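What the ARP-watching tools in this thread (the DecaffeinatID monitor from the first post, ARPCacheWatch and ARPhound in Reply #3) boil down to is one recurring check: has the MAC address behind an IP in the ARP cache changed since the last look, and is a single MAC now answering for several IPs? The Python below is an added example, not code from any of those tools; it parses two constructed snapshots in the layout of Windows `arp -a` output and reports the differences, treating a change of the default gateway's MAC as the most serious one. The interface line, the addresses and the gateway IP are all constructed.

```python
import re

# Two constructed snapshots in the layout of Windows `arp -a` output; every address
# here is made up for the example. At t1 the gateway's IP suddenly resolves to the
# MAC that 192.168.1.20 had at t0, and that MAC now answers for two IPs.
SNAPSHOT_T0 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          66-77-88-99-aa-bb     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

SNAPSHOT_T1 = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           66-77-88-99-aa-bb     dynamic
  192.168.1.20          66-77-88-99-aa-bb     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

GATEWAY = "192.168.1.1"  # constructed; on a real host take it from `route print` or ipconfig

# One cache entry: IPv4 address, MAC in Windows dash notation, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\b",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Map IP -> (mac, type) from `arp -a` style text; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def diff_arp_tables(baseline, current, gateway=None):
    """Return (kind, subject, detail) alerts describing how `current` differs from `baseline`."""
    alerts = []
    for ip, (mac, _kind) in current.items():
        old = baseline.get(ip)
        if old is None:
            alerts.append(("new-entry", ip, mac))
        elif old[0] != mac:
            kind = "gateway-mac-changed" if ip == gateway else "mac-changed"
            alerts.append((kind, ip, f"{old[0]} -> {mac}"))
    for ip, (mac, _kind) in baseline.items():
        if ip not in current:
            alerts.append(("entry-gone", ip, mac))

    # Independent of the baseline: one MAC claiming several dynamic IPs.
    # Static entries (multicast 01-00-5e-..., broadcast) legitimately repeat, so skip them.
    ips_by_mac = {}
    for ip, (mac, kind) in current.items():
        if kind == "dynamic":
            ips_by_mac.setdefault(mac, []).append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(("shared-mac", mac, ",".join(sorted(ips))))
    return alerts


if __name__ == "__main__":
    t0 = parse_arp_table(SNAPSHOT_T0)
    t1 = parse_arp_table(SNAPSHOT_T1)
    for alert in diff_arp_tables(t0, t1, gateway=GATEWAY):
        print(alert)
```

To turn this into a monitor, feed it the output of `arp -a` on a timer, keep the previous parse as the baseline, and treat `gateway-mac-changed` and `shared-mac` as the alerts worth logging; `new-entry` and `entry-gone` are normal churn on a LAN with DHCP and are only informational.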

Re: ARP Monitoring with DecaffeinatID 0.09
« Reply #4 on: June 04, 2013, 12:59:20 PM »
Handy dandy tool to go with it: http://www.aqwnet.com/index.php/tools/ip-mac-calculator  (courtesy AQW lenowo tool)
for instance this 224.0.0.22.
Multicast IP 224.0.0.22 converts to:
MAC address 01:00:5e:00:00:16

Matched multicast IP group addresses

224.0.0.22
224.128.0.22
225.0.0.22
225.128.0.22
226.0.0.22
226.128.0.22
227.0.0.22
227.128.0.22
228.0.0.22
228.128.0.22
229.0.0.22
229.128.0.22
230.0.0.22
230.128.0.22
231.0.0.22
231.128.0.22
232.0.0.22
232.128.0.22
233.0.0.22
233.128.0.22
234.0.0.22
234.128.0.22
235.0.0.22
235.128.0.22
236.0.0.22
236.128.0.22
237.0.0.22
237.128.0.22
238.0.0.22
238.128.0.22
239.0.0.22
239.128.0.22

pol
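The mapping the calculator performs, and the reason it lists 32 group addresses for one MAC, is fixed by RFC 1112: the multicast MAC is 01:00:5e followed by the low 23 bits of the IPv4 group address, so the 4 low bits of the first octet (224 through 239) and the top bit of the second octet (0 or 128) are dropped. The Python below is an added example, not the AQW tool's code; it derives the MAC for any multicast address and enumerates the 32 groups that collide on it, which is why an ARP monitor that sees 01:00:5e:00:00:16 on the wire cannot tell which of those groups was meant.

```python
import ipaddress

MCAST_OUI = 0x01005E  # IANA OUI for IPv4 multicast (RFC 1112): MAC = 01:00:5e:0x:xx:xx


def multicast_mac(ip):
    """Return the Ethernet MAC for an IPv4 multicast group address as aa:bb:cc:dd:ee:ff."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF        # only 23 bits of the group address survive
    mac = (MCAST_OUI << 24) | low23     # 01:00:5e, then bit 23 forced to 0, then the 23 bits
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ips_sharing_mac(ip):
    """All 32 multicast group addresses that map to the same MAC as `ip`.

    The 5 dropped bits are the 4 low bits of the first octet (224..239) and the
    top bit of the second octet (0 or 128), giving 16 * 2 = 32 collisions.
    """
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    groups = []
    for first_octet in range(224, 240):
        for bit23 in (0, 1):
            value = (first_octet << 24) | (bit23 << 23) | low23
            groups.append(str(ipaddress.IPv4Address(value)))
    return groups


if __name__ == "__main__":
    print("224.0.0.22 ->", multicast_mac("224.0.0.22"))
    print("\n".join(ips_sharing_mac("224.0.0.22")))
```

Running it for 224.0.0.22 reproduces the calculator's output above: the MAC 01:00:5e:00:00:16 and the same 32 group addresses in the same order.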