ndpmon-users Mailing List for NDPMon
NDPMon - Neighbor Discovery Protocol Monitor
Brought to you by:
beckf,
thomas-buehring
From: James S. - N. F. <jam...@no...> - 2013-12-11 20:38:59

I have a machine with multiple interfaces, looking at 5 different VLANs to watch for machines being added. I've configured config_ndpmon.xml to watch the 5 interfaces, and alerts are working on each interface. BUT, I'm wondering if there is a way to include the interface in the alert e-mails. Arpwatch includes an interface in the emails, and was hoping there is a way to do it with ndpmon too.

Running Ubuntu

thanks,
James

From: Karthik S. <kar...@gm...> - 2012-07-18 05:34:54

Hi

On version 1.4.0 counter measures plugin is experimental. You can enable it by

./configure --enable-countermeasures

and not

./configure -enable-PLUGIN countermeasures

You can get this information from the configure.ac file.

Hope this helps,
Karthik.

On 18 July 2012 17:28, Amit <am...@ni...> wrote:
> Hi,
>
> I have just installed ndpmon (version 1.4), but on doing ./configure it
> shows following :
>
> checking for MAC Resolution... MAC Manufacturer Resolution NOT activated
> checking for Countermeasures... Countermeasures NOT activated
>
> How can I activate both the above plugins. I have also tried with below
> command
>
> ./configure -enable-PLUGIN countermeasures
>
> But same issue.
>
> --
> Thanks & Regards
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
> Ph. 24305091
>
> _______________________________________________
> Ndpmon-users mailing list
> Ndp...@li...
> https://lists.sourceforge.net/lists/listinfo/ndpmon-users

From: Amit <am...@ni...> - 2012-07-18 05:29:55

Hi,

I have just installed ndpmon (version 1.4), but on doing ./configure it shows following :

checking for MAC Resolution... MAC Manufacturer Resolution NOT activated
checking for Countermeasures... Countermeasures NOT activated

How can I activate both the above plugins. I have also tried with below command

./configure -enable-PLUGIN countermeasures

But same issue.

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Karthik S. <kar...@gm...> - 2012-05-16 05:52:06

I am reviewing the NDPMonitor (Neighbour Discovery Protocol Monitor) /usr/local/etc/ndpmon/config_ndpmon.xml

In the documentation I can't seem to find the semantic meaning of some of the fields.

I have an Oracle VM VirtualBox with 3 Virtual Machines (Ubuntu 11.04) installed in bridge mode. One of the machines is configured as a linux router using radvd. My requirement is that I want to monitor ICMP messages related to Neighbour Discovery traffic.

I have a sample xml file that I am supposed to populate, shown below. My question is specific to the fields in the XML file.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE config_ndpmon SYSTEM "/usr/local/etc/ndpmon/config_ndpmon.dtd">
<config_ndpmon>
  <ignor_autoconf>1</ignor_autoconf>
  <syslog_facility>LOG_LOCAL1</syslog_facility>
  <admin_mail>fre...@lo...</admin_mail>
  <actions_low_pri>
    <sendmail>1</sendmail>
    <syslog>1</syslog>
    <exec_pipe_program>/usr/local/ndpmon/demopipeprogram.pl</exec_pipe_program>
  </actions_low_pri>
  <actions_high_pri>
    <sendmail>1</sendmail>
    <syslog>1</syslog>
    <exec_pipe_program>/usr/local/ndpmon/demopipeprogram.pl</exec_pipe_program>
  </actions_high_pri>
  <use_reverse_hostlookups>1</use_reverse_hostlookups>
  <routers>
    <router>
      <mac>00:13:72:14:C4:58</mac>
      <lla>fe80::213:72ff:fe14:c458</lla>
      <prefixes>
        <prefix>
          <address>2001:660:4501:32:</address>
          <mask>64</mask>
        </prefix>
      </prefixes>
      <addresses>
        <address>2001:660:4501:32::1</address>
      </addresses>
    </router>
  </routers>
</config_ndpmon>

The <router> block has a <mac> and <address>. I am assuming that <mac> refers to mac address of the router box and <address> refers to IPv6 address of the router box. What does the <prefix> field inside the box indicate? I cannot find any documentation that explains what the semantic meaning of this field is. Also, should I run NDPMonitor on the linux router box?

Thanks & Regards,
Karthik.

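Added example, not part of the original post and not NDPMon code: a consistency check over the <router> entry quoted above, using only the Python standard library. The function names and the three checks (lla equals the modified EUI-64 address of mac, each prefix/mask parses as an IPv6 network, each address lies inside a listed prefix) are assumptions of this example about a sane entry, not NDPMon's own validation.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Router entry copied as it appears in the post above.
ROUTER_XML = """<router>
  <mac>00:13:72:14:C4:58</mac>
  <lla>fe80::213:72ff:fe14:c458</lla>
  <prefixes>
    <prefix><address>2001:660:4501:32:</address><mask>64</mask></prefix>
  </prefixes>
  <addresses><address>2001:660:4501:32::1</address></addresses>
</router>"""

def eui64_link_local(mac):
    """Link-local address built from a MAC via modified EUI-64 (RFC 4291)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def check_router(router_xml):
    """Return a list of findings (empty when all checks pass) for one <router>."""
    r = ET.fromstring(router_xml)
    findings = []
    lla = ipaddress.IPv6Address(r.findtext("lla").strip())
    if lla != eui64_link_local(r.findtext("mac").strip()):
        findings.append("lla is not the EUI-64 address of mac")
    nets = []
    for p in r.iter("prefix"):
        text = f"{p.findtext('address').strip()}/{p.findtext('mask').strip()}"
        try:
            nets.append(ipaddress.IPv6Network(text))
        except ValueError:                         # malformed address or mask
            findings.append(f"unparseable prefix: {text}")
    for a in r.findall("addresses/address"):
        addr = ipaddress.IPv6Address(a.text.strip())
        # Only meaningful when at least one prefix parsed.
        if nets and not any(addr in n for n in nets):
            findings.append(f"{addr} is outside every listed prefix")
    return findings
```

On the entry as posted, the lla matches the mac, and the only finding is the prefix address, which Python's ipaddress module cannot parse in the form shown.
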
From: Amit <am...@ni...> - 2012-03-02 12:26:55

Thanks for giving your time,

I have gone through all those documentations and having said configuration in config_ndpmon.xml but still countermeasure is not getting triggered on receiving rogue RA.

I am running ndpmon on eth1 interface (ndpmon I eth1), hopefully this might not be the case for not triggering countermeasure.

Does it require any other configuration?

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Frederic Beck [mailto:fre...@in...]
Sent: Friday, March 02, 2012 1:26 PM
To: Amit
Cc: ndp...@li...; Thomas Buehring
Subject: Re: [Ndpmon-users] Regarding countermeasure plugin in NDPMON

Hi Amit,

I unfortunately can not test it right now, I won't be able to deploy or test the tool until June, being very busy with other projects and having to access to a testbed I could use.

The countermeasures plugin is working for a limited subset of alerts:
* wrong prefix
* wrong router
* mac address flip flop
* wrong router parameter (e.g. TTL)

In the configuration file, you can tune the plugin, the default parameters being:

<!-- Example of countermeasures configuration
(If no configuration is present, all countermeasures will be suppressed.)
<countermeasures>
  <kill_illegitimate_router>RESPOND</kill_illegitimate_router>
  <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
  <propagate_router_params>CEASE AFTER 10</propagate_router_params>
  <indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence>
</countermeasures>
-->

There is an integrated documentation in the code that can be generated via the tool Doxygen. Go to the plugins/countermeasures/ directory and execute 'doxygen countermeasures.dox icmp_lib.dox'. You will obtain a new directory called html with all the generated doc. Open index.html in a browser and all the info is there.

We are planning to update the soft and release v2.0 this summer, stay tuned!

Best regards
Frederic

_____

From: "Amit" <am...@ni...>
To: ndp...@li...
Sent: Friday 2 March 2012 07:47:58
Subject: [Ndpmon-users] Regarding countermeasure plugin in NDPMON

Hi,

I am using NDPMON version 1.4.0 and it is really fantastic. I have compiled the ndpmon with both the plugin enabled (mac resolve and countermeasure). But I think countermeasure script is not running when any forged RA comes into my LAN. In the logs I can see the wrong RA prefix alert but no countermeasure can be seen.

Please help me in using countermeasure with ndpmon.

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Frederic B. <fre...@in...> - 2012-03-02 07:56:02

Hi Amit,

I unfortunately can not test it right now, I won't be able to deploy or test the tool until June, being very busy with other projects and having to access to a testbed I could use.

The countermeasures plugin is working for a limited subset of alerts:
* wrong prefix
* wrong router
* mac address flip flop
* wrong router parameter (e.g. TTL)

In the configuration file, you can tune the plugin, the default parameters being:

<!-- Example of countermeasures configuration
(If no configuration is present, all countermeasures will be suppressed.)
<countermeasures>
  <kill_illegitimate_router>RESPOND</kill_illegitimate_router>
  <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
  <propagate_router_params>CEASE AFTER 10</propagate_router_params>
  <indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence>
</countermeasures>
-->

There is an integrated documentation in the code that can be generated via the tool Doxygen. Go to the plugins/countermeasures/ directory and execute 'doxygen countermeasures.dox icmp_lib.dox'. You will obtain a new directory called html with all the generated doc. Open index.html in a browser and all the info is there.

We are planning to update the soft and release v2.0 this summer, stay tuned!

Best regards
Frederic

----- Original message -----
> From: "Amit" <am...@ni...>
> To: ndp...@li...
> Sent: Friday 2 March 2012 07:47:58
> Subject: [Ndpmon-users] Regarding countermeasure plugin in NDPMON
>
> Hi,
>
> I am using NDPMON version 1.4.0 and it is really fantastic. I have
> compiled the ndpmon with both the plugin enabled (mac resolve and
> countermeasure). But I think countermeasure script is not running when
> any forged RA comes into my LAN. In the logs I can see the wrong RA
> prefix alert but no countermeasure can be seen.
>
> Please help me in using countermeasure with ndpmon.
>
> --
> Thanks & Regards
> Amit Kumar
> Scientific Officer
> Operation and Routing Group
> M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
> Ph. 24305091

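Added example, not part of the thread and not NDPMon code: the sample in the message above sits inside an XML comment, and the same message says that with no configuration present all countermeasures are suppressed, so a first check is whether config_ndpmon.xml holds a live <countermeasures> element or only a commented-out one. The function name and both sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: block still wrapped in the XML comment, as quoted above.
COMMENTED = """<config_ndpmon>
<!-- Example of countermeasures configuration
<countermeasures>
  <kill_illegitimate_router>RESPOND</kill_illegitimate_router>
  <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
</countermeasures>
-->
</config_ndpmon>"""

# Constructed sample: the same kind of block with the comment markers removed.
ACTIVE = """<config_ndpmon>
<countermeasures>
  <kill_illegitimate_router>RESPOND</kill_illegitimate_router>
  <kill_wrong_prefix>LAUNCH AFTER 10</kill_wrong_prefix>
  <indicate_ndpmon_presence>SUPPRESS</indicate_ndpmon_presence>
</countermeasures>
</config_ndpmon>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

def countermeasures_status(config_text):
    """Return (state, settings) for a config_ndpmon.xml document.

    state is 'active', 'commented_out' or 'absent'; settings maps each
    child of a live <countermeasures> element to its text value.
    """
    root = ET.fromstring(config_text)        # the parser drops XML comments
    block = next(root.iter("countermeasures"), None)
    if block is not None:
        settings = {child.tag: (child.text or "").strip() for child in block}
        return "active", settings
    # No live element: look for one that only exists inside a comment.
    for body in COMMENT_RE.findall(config_text):
        if "<countermeasures>" in body:
            return "commented_out", {}
    return "absent", {}
```
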
From: Frederic B. <fre...@in...> - 2012-03-02 07:36:13

My mailer did not send it back to the users mailing list...

Frederic

----- Forwarded message -----
> From: "Frederic Beck" <fre...@in...>
> To: "Amit" <am...@ni...>
> Sent: Friday 2 March 2012 08:34:02
> Subject: Re: [Ndpmon-users] Error in sending mail alert
>
> Hi
>
> That is a Python error telling you that one of the dependencies is
> missing. Installing Python 4Suite-XML will solve the problem.
>
> However, this error is not related to mail alerts, it is an
> additional piped script that treats the alerts alongside the mail
> alerts. It can be deactivated in the configuration file if you won't
> use it.
>
> Best regards
> Frederic
>
> ----- Forwarded message -----
> > From: "Amit" <am...@ni...>
> > To: ndp...@li...
> > Sent: Friday 2 March 2012 07:53:53
> > Subject: [Ndpmon-users] Error in sending mail alert
> >
> > Hi,
> >
> > On using ndpmon v 1.4.0, it shows an error when sending any mail
> > alert. Please find below logs:
> >
> > Warning: wrong RA flags: M=1 and O=0
> > Sending mail alert ...
> > Traceback (most recent call last):
> >   File "/usr/local/ndpmon/create_html_table.py", line 8, in ?
> >     from Ft.Xml.Domlette import implementation, NonvalidatingReader, PrettyPrint, Print
> > ImportError: No module named Ft.Xml.Domlette
> >
> > --
> > Thanks & Regards
> > Amit Kumar
> > Scientific Officer
> > Operation and Routing Group
> > M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
> > Ph. 24305091
> >
> > From: Amit [mailto:am...@ni...]
> > Sent: Friday, March 02, 2012 12:18 PM
> > To: 'ndp...@li...'
> > Subject: Regarding countermeasure plugin in NDPMON
> >
> > Hi,
> >
> > I am using NDPMON version 1.4.0 and it is really fantastic. I have
> > compiled the ndpmon with both the plugin enabled (mac resolve and
> > countermeasure). But I think countermeasure script is not running
> > when any forged RA comes into my LAN. In the logs I can see the
> > wrong RA prefix alert but no countermeasure can be seen.
> >
> > Please help me in using countermeasure with ndpmon.
> >
> > --
> > Thanks & Regards
> > Amit Kumar
> > Scientific Officer
> > Operation and Routing Group
> > M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
> > Ph. 24305091

From: Amit <am...@ni...> - 2012-03-02 07:26:29

Hi,

On using ndpmon v 1.4.0, it shows an error when sending any mail alert. Please find below logs:

Warning: wrong RA flags: M=1 and O=0
Sending mail alert ...
Traceback (most recent call last):
  File "/usr/local/ndpmon/create_html_table.py", line 8, in ?
    from Ft.Xml.Domlette import implementation, NonvalidatingReader, PrettyPrint, Print
ImportError: No module named Ft.Xml.Domlette

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Amit [mailto:am...@ni...]
Sent: Friday, March 02, 2012 12:18 PM
To: 'ndp...@li...'
Subject: Regarding countermeasure plugin in NDPMON

Hi,

I am using NDPMON version 1.4.0 and it is really fantastic. I have compiled the ndpmon with both the plugin enabled (mac resolve and countermeasure). But I think countermeasure script is not running when any forged RA comes into my LAN. In the logs I can see the wrong RA prefix alert but no countermeasure can be seen.

Please help me in using countermeasure with ndpmon.

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Amit <am...@ni...> - 2012-03-02 07:02:35

Hi,

I am using NDPMON version 1.4.0 and it is really fantastic. I have compiled the ndpmon with both the plugin enabled (mac resolve and countermeasure). But I think countermeasure script is not running when any forged RA comes into my LAN. In the logs I can see the wrong RA prefix alert but no countermeasure can be seen.

Please help me in using countermeasure with ndpmon.

--
Thanks & Regards
Amit Kumar
Scientific Officer
Operation and Routing Group
M/O Communication and IT, NIC A- Block, CGO Complex, New Delhi
Ph. 24305091

From: Bernhard H. <ber...@de...> - 2009-07-09 08:41:40

Hi Folks,

we are getting a huge amount of "NA Router Flag" alerts, and I'm not sure about how to handle these.

On the one hand these machines inside our network have all disabled RAs, so that they won't act as a router. On the other hand most of them have the router flag set in their NAs.

Reading the RFCs I understand that the router flag is only important on neighbor unreachability detection. So I wonder if ndpmon is wrong in sending out security alerts only for set router flags or all these IPv6 stacks are doing wrong.

I tested this issue on our own gateways and currently found no option (Cisco) to unset the router flag (having RAs disabled).

Regards
Bernhard

--
Bernhard Hahn                      DE-CIX Management GmbH
e-mail: ber...@de...               Lindleystr. 12, 60314 Frankfurt
Phone: +49 69 1730 902-34          Managing Director Harald A. Summa
Mobile: +40 171 5523643            Register court AG Koeln, HRB 51135
Fax: +49 69 4056 2716              Head office: Lichtstr. 43i, 50825 Koeln
http://www.de-cix.net
