Arpwatch arpalert or alt. package?: detecting new stations on network

Dear forum,

I am looking for an arpwatch and/or arpalert package for Turris Omnia. Does someone know if it is available? If not, maybe one of you has an idea for my problem:

I want to get an immediate message (email, push) when a new station / MAC address connects (associates) to one of my Wi-Fi networks. In the past I solved a similar requirement with arpwatch. I know that MAC addresses can be manipulated and that it is far from perfect, but in my case it would help.

Does someone have a clue?

Thank you in advance

On the Turris routers, Pakon can do this. First in Foris under Maintenance, ensure “Send news” is selected and hit “Save”. The Pakon notifications of new devices are sent as News notifications.

Then in Foris, under “Updater” choose “Device detection”. New devices on the network will show up in the Foris Notifications tab, and in the email you configured for “Send News”.

I suggest if you use this feature, you use the storage plugin in Foris as well. (Storage tab in Foris) You’ll need to plug in some external USB storage to the Turris to use the storage plugin. Once that’s configured, any process on the Turris that by default writes to /srv (such as Pakon) will write to your external USB storage instead, saving wear on the internal flash of your Turris and preventing early failure.


Thanks. That sounds like a good suggestion. Can you tell me from your experience what is the performance footprint of Pakon? Can I disable all signatures so that I just detect new devices?

I also have Pakon enabled to monitor all the outbound requests of devices on my network. I haven’t personally seen noticeable performance impacts of using it. I’m not sure if it can be configured only for new device monitoring, one of the Turris developers on here may be able to comment on that.

I just figured it out myself :slight_smile:

Suricata / Snort / Bro are quite performance hungry if you check for too many things. In the meantime I configured small satellites based on RPi with arpalert. But now I’ll check out Pakon.

I’ll give feedback.

The default configuration that Turris installs for Suricata doesn’t seem to be putting noticeable load on. Let me know if there’s something specific you’re looking for.

Do you know which algorithms are used to identify new hosts?

  • which protocols
  • when is a host a new host

I hope it is not just for DHCP traffic. That wouldn’t address my requirement.

At the moment I do not get an email (send news activated and reporting works fine). Now I am wondering if it is because all stations are in a “known” state or if something is not working properly.

I activated Pakon+Suricata on all needed interfaces.

Performance-wise it has an impact, but at the moment it is ok.
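As an arpwatch-style answer to the question above (which protocol, and when a host counts as new), here is an added example that is not part of this thread, of Pakon or of arpwatch: it parses raw Ethernet/ARP frames, keeps a MAC-to-IP table and raises an alert for any MAC never seen on the segment, so a station with a static address that never speaks DHCP is still reported. The frames it feeds in are constructed for the example, not captured traffic; on a real router the same `observe()` would be fed from a raw socket or pcap on the LAN bridge.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806

def parse_arp(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender MAC, sender IP) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if frame[18] != 6 or frame[19] != 4:  # hardware/protocol address lengths
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, ".".join(str(b) for b in frame[28:32])

class StationWatch:  # arpwatch-style table MAC -> last sender IP
    def __init__(self) -> None:
        self.known: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[Tuple[str, str, str]]:
        if (parsed := parse_arp(frame)) is None:
            return None
        mac, ip = parsed
        if mac not in self.known:  # MAC never seen on this segment: the alert we want
            self.known[mac] = ip
            return ("new station", mac, ip)
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): sender has no address yet
            return None
        old, self.known[mac] = self.known[mac], ip
        if old in ("0.0.0.0", ip):  # first real address, or nothing changed
            return None
        return ("changed ip", mac, f"{old} -> {ip}")

def build_arp(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP request (opcode 1); sample input only, not captured."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETH_P_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa

def run_sample() -> List[Tuple[str, str, str]]:
    """Replay constructed frames; returns the alerts raised (static host included)."""
    watch = StationWatch()
    frames = [
        build_arp("aa:bb:cc:00:00:01", "0.0.0.0", "192.168.1.20"),      # probe before DHCP
        build_arp("aa:bb:cc:00:00:01", "192.168.1.20", "192.168.1.1"),  # same host, leased IP
        b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 40,         # IPv4 frame, ignored
        build_arp("de:ad:be:ef:00:02", "192.168.1.77", "192.168.1.1"),  # static host, no DHCP
        build_arp("aa:bb:cc:00:00:01", "192.168.1.99", "192.168.1.1"),  # first host re-addressed
    ]
    return [e for e in map(watch.observe, frames) if e is not None]
```

The "new station" table is only in memory here; a real deployment persists it (on the Turris, under /srv or the external storage mentioned earlier) so known hosts survive a reboot without re-alerting.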

I tested it yesterday and was receiving mail for new hosts. From the “News” configuration page, as I recall, there’s a way to send a test mail and make sure you are receiving it. In my case I have it configured so that the mails are sent by nic.cz; there are options to do it that way or by using your own mail server.

As far as how Pakon/Suricata are implemented, I have no idea. A developer for Pakon would have to answer. https://gitlab.labs.nic.cz/mpetracek worked on it most recently. At least in my tests, though, they were detecting hosts even when they were not requesting DHCP.

Thanks again @tonyquan. I already had the email news configured correctly. In the meantime the system reported some new hosts to me, but I am still figuring out on what basis it decides. Further, I generated some traffic which is not visible in Pakon, but I think this is due to the potentially heavy performance impact if you analyze every protocol.

For my specific use case arpalert seems to be more lightweight, but coming from Snort I already had plans to deal with Suricata - maybe it is a good starting point.

Maybe @mpetracek can tell us something about the algorithms and base configuration regarding the identification of new devices.