This will check for duplicate MAC entries in the ARP table on your Nagios/Linux box. If it finds any, it MAY mean you're being attacked via ARP spoofing / poisoning.
Current Version
Last Release Date: June 3, 2009
Owner: Nagios Exchange
#! /bin/bash
# THIS SCRIPT IS --VERY-- PARANOID. IT IS ONLY HAPPY WHEN YOU HAVE ONE (1) MAC PER IP ADDRESS.
# IF YOU HAVE ONE (1) MACHINE WITH MULTIPLE VIRTUAL INTERFACES, THAT MACHINE MAY TRIGGER A FALSE ALARM.
# IF YOU DO HAVE MORE THAN ONE IP PER MAC, ADJUST THE OK, WARNING, & CRITICAL LEVELS BELOW.

# MAC address column of every resolved Ethernet entry in the ARP table
gta=`/sbin/arp -n | grep ether | awk '{ print $3 }'`
# Number of distinct MACs
gtl=`echo "$gta" | sort -u | wc -l`
# Total number of entries, summed per distinct MAC
tot="0"
for s in `echo "$gta" | sort -u`
do
    gts=`echo "$gta" | grep $s | wc -l`
    tot=`expr $tot + $gts`
done
# Entries beyond the first for each MAC
ttl=`expr $tot - $gtl`
out="$ttl DUPLICATE ARP ENTRIES"
if [ $ttl -lt 1 ]
then
    echo "OK - $out"
    exit 0
fi
if [ $ttl -lt 2 ]
then
    echo "WARNING - $out!"
    exit 1
fi
if [ $ttl -gt 1 ]
then
    echo "CRITICAL - $out!!"
    exit 2
fi
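An added example, not the plugin author's code: the same duplicate count as the script above, but the status line also names each offending MAC and the IPs it answers for, so the alert can be acted on. It reads `arp -n` output on stdin; the function name, the threshold arguments and the sample table are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the plugin's own code. Reads `arp -n` output on stdin,
# prints one Nagios status line and returns 0 (OK), 1 (WARNING) or 2 (CRITICAL).
# check_arp_dupes, warn_at and crit_at are names assumed for this sketch.
# Thresholds count IPs beyond the first per MAC, like $ttl in the script above.
check_arp_dupes() (
    warn_at="${1:-1}"
    crit_at="${2:-2}"
    # Resolved Ethernet rows have "ether" in column 2, which skips the header
    # and "(incomplete)" rows. MACs are lower-cased so case variants match,
    # and a repeated MAC/IP pair (same host on two interfaces) counts once.
    dupes=$(awk '$2 == "ether" {
                mac = tolower($3)
                if (!seen[mac, $1]++) { n[mac]++; ips[mac] = ips[mac] " " $1 }
            }
            END { for (m in n) if (n[m] > 1) print n[m] - 1, m ips[m] }' | sort -k2)
    # Column 1 of each row is that MAC's extra-IP count; sum them.
    extra=$(printf '%s\n' "$dupes" | awk '{ s += $1 } END { print s + 0 }')
    # Name every offending MAC and the IPs it answers for.
    detail=$(printf '%s\n' "$dupes" |
        awk 'NF { printf "; %s ->", $2; for (i = 3; i <= NF; i++) printf " %s", $i }')
    if   [ "$extra" -ge "$crit_at" ]; then state=CRITICAL; rc=2
    elif [ "$extra" -ge "$warn_at" ]; then state=WARNING;  rc=1
    else state=OK; rc=0
    fi
    printf '%s - %s DUPLICATE ARP ENTRIES%s\n' "$state" "$extra" "$detail"
    exit "$rc"   # body is a subshell, so this sets the function's status
)

# Constructed sample table: one MAC (in two letter cases) answers for two IPs.
SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.1                 ether   00:16:3e:aa:00:01   C                     eth0
10.0.0.5                 ether   00:16:3e:aa:00:05   C                     eth0
10.0.0.9                 ether   00:16:3E:AA:00:05   C                     eth0
10.0.0.7                         (incomplete)                              eth0'

# Demo on the sample; against the live table: /sbin/arp -n | check_arp_dupes
printf '%s\n' "$SAMPLE" | check_arp_dupes || :
```

The kernel keeps one MAC per IP per interface, so a table like this can show one MAC claiming several IPs but never two MACs for the same IP on one interface. A check built on `arp -n` therefore does not detect two hosts sharing an IP address.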
1) for me, at least, the arp command is /usr/sbin/arp
2) it might be better to just replace everything from the gta= line to the ttl= line with something like:

ttl=$( /usr/sbin/arp -n | grep ether | awk '{ print $3 }' | sort | uniq -d | wc -l )

This is 10 times faster (on my relatively small net), but only counts 1 for each mac that appears two or more times. If you want a MAC appearing three times to give a count of two, try:

gta=`/usr/sbin/arp -n | grep ether | awk '{ print $3 }'`
gtl=`echo "$gta" | sort -u | wc -l`
tot=`echo "$gta" | wc -l`
ttl=$(( $tot - $gtl ))
Please guide me on how to use this script with Nagios. Ideally I want this script to give me an alarm in Nagios for any duplicate IP address detected in the network. Secondly, I have tried testing the script on a Linux machine and simulated a duplicate IP address machine, but it doesn't work. Many thanks in advance.