Arpalert

When you configure your Arpalert to send log data to USM Appliance, you can use the Arpalert plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information

  Device Details

    Vendor:            Linux
    Device Type:       Network Access Control
    Connection Type:   Syslog
    Data Source Name:  Arpalert-syslog
    Data Source ID:    1792

Note: The Arpalert plugin does not capture ARP-spoofing events, so you will need to use other tools, such as arpwatch or arping, to monitor for those types of events.

Integrating Arpalert

Before you configure the Arpalert integration, you must have the IP Address of the USM Appliance Sensor.

To configure Arpalert to send Syslog messages to USM Appliance

  1. Download the Arpalert archive from the official website, https://www.arpalert.org/arpalert.html, and then compile the source code.

    Note: You must compile the source code because packages are not provided.

    A simple make install with root privileges will install the application on your computer.

    ./configure --prefix=/usr/local/arpalert && make && make install

    You can specify the install base directory with the --prefix parameter, included after the ./configure command. By default, the base directory is /usr/local/arpalert.

    A default configuration file is located at /usr/local/arpalert/etc/arpalert/arpalert.conf. The default parameter settings in this file can be used in most install environments.

  2. Continuing with root privileges, launch the arpalert program using the following command:

    /usr/local/arpalert/sbin/arpalert -d

    The -d option launches the program in daemon mode. If you always want to run Arpalert in daemon mode, you can edit the Arpalert configuration file and replace daemon = false with daemon = true.

  3. Monitor the /var/log/messages file to see all the machines detected on your network. These machines are recorded in the /usr/local/arpalert/var/lib/arpalert/arpalert.leases file.
  4. After all local network machines have been discovered, copy the /usr/local/arpalert/var/lib/arpalert/arpalert.leases file into the maclist.allow file:

    cat /usr/local/arpalert/var/lib/arpalert/arpalert.leases > /usr/local/arpalert/etc/arpalert/maclist.allow

    Note: Don't hesitate to add new MAC addresses to this file.

  5. Restart the Arpalert daemon. From this point on, every newly detected computer is treated as a probable intruder and is logged. You can run Arpalert with a script that alerts you, by email for example, when a suspect computer is detected. Sample scripts are provided in the scripts directory.
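
Step 4 copies the leases file over maclist.allow, which discards any addresses you added to the allow list by hand. The script below is an added example, not code from the Arpalert project or from this documentation: it merges the leases file into the existing allow list instead, drops lines that are not a valid "mac ip interface" entry, lowercases MACs so the same host is not listed twice, and writes through a temporary file so a failure leaves the old list untouched. It assumes that both arpalert.leases and maclist.allow use one "mac ip interface" entry per line (the sample data inside it is constructed, not captured from a real network).

```sh
#!/bin/sh
# Added example: merge an arpalert.leases file into maclist.allow without
# clobbering entries already in the allow list. Not part of Arpalert or the
# USM Appliance documentation. Assumption: both files use one entry per line
# in the form "mac ip interface" (e.g. 00:11:22:33:44:55 192.168.1.10 eth0).

# Print the well-formed entries found in the given files: MAC lowercased,
# fields separated by single spaces, duplicates removed. Lines that are not
# exactly "mac ip interface" with a valid MAC and IPv4 address are dropped
# (such lines would never match a host and only hide mistakes). Lines
# starting with # are ignored; that is this example's own convention.
normalize_entries() {
    awk '
        function valid_ipv4(ip,    o, n, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        {
            sub(/#.*$/, "")                 # strip comments, re-split fields
            if (NF != 3) next               # expect exactly: mac ip interface
            mac = tolower($1)
            if (length(mac) != 17) next
            if (mac !~ /^[0-9a-f][0-9a-f](:[0-9a-f][0-9a-f])*$/) next
            if (!valid_ipv4($2)) next
            print mac, $2, $3
        }' "$@" | sort -u
}

# merge_allowlist LEASES ALLOW
# Rewrites ALLOW as the union of its current entries and those in LEASES.
# Writes to a temp file first so a failure leaves the old allow list intact.
merge_allowlist() {
    ma_leases="$1"
    ma_allow="$2"
    ma_tmp="$ma_allow.tmp.$$"
    set -- "$ma_leases"
    [ -f "$ma_allow" ] && set -- "$ma_allow" "$ma_leases"
    if normalize_entries "$@" > "$ma_tmp"; then
        mv "$ma_tmp" "$ma_allow"
    else
        rm -f "$ma_tmp"
        return 1
    fi
}

# Number of entries in an allow list (0 for an empty or missing file).
count_entries() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c '' "$1"
}

# Constructed sample input for a dry run (not real capture data): a leases
# file with a duplicate, an upper-case MAC, an out-of-range IP, a bogus MAC
# and a short line, plus an allow list that already holds one entry.
write_sample_files() {
    cat > "$1/arpalert.leases" <<'EOF'
00:11:22:33:44:55 192.168.1.10 eth0
00:11:22:33:44:55 192.168.1.10 eth0
AA:BB:CC:DD:EE:01 192.168.1.20 eth0
aa:bb:cc:dd:ee:02 192.168.1.300 eth0
zz:zz:zz:zz:zz:zz 192.168.1.30 eth0
aa:bb:cc:dd:ee:03 192.168.1.40
EOF
    cat > "$1/maclist.allow" <<'EOF'
de:ad:be:ef:00:01 192.168.1.1 eth0
EOF
}

# Usage on a real install, after the learning period in step 3:
#   merge_allowlist /usr/local/arpalert/var/lib/arpalert/arpalert.leases \
#                   /usr/local/arpalert/etc/arpalert/maclist.allow
```

On the sample data the merged allow list holds three entries: the two valid leases (the duplicate collapsed, the upper-case MAC lowercased) plus the pre-existing entry; the out-of-range IP, the bogus MAC and the short line are dropped. Running the merge again changes nothing, so it can be repeated whenever the learning period is extended. Read the merged file before restarting the daemon in step 5: every host that answered on the network during step 3 ends up trusted, so an unexpected entry is worth a second look at this stage rather than after it has been silenced.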

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.arpalert.org/arpalert.html

For troubleshooting, see the vendor documentation.