Zabbix
morfair, 2018-03-06 22:28:41

How to implement detection of unauthorized network connections in Zabbix?

I understand that I need to move towards SNMP and SNMP traps, so that a notification arrives when a new entry appears in the switch's FDB/ARP table, then confirm "my" MACs as authorized and receive notifications about unknown addresses. But I would like to know the good practice, so to speak, or get a link to a ready-made solution.


2 answer(s)
Dmitry, 2018-03-06
@Tabletko

Zabbix is a monitoring system, not an IDS/IPS. You need to look at specialized solutions and then display their logs/alerts in Zabbix.

Sergey, 2018-03-07
@feanor7

1000 years ago, when Zabbix was still developing, I did something like the following:
1. On the managed switch, only a specific table of addresses was allowed through.
2. A new phone/PC was entered manually into the table, from which everything was copied to dhcp.conf.

There is a nuance: the switch has to be able to do this in the first place; on HP it is port security.

The simplest thing is parsing the DHCP log for requests, more precisely for DHCPNACK responses (this does not protect against connections with a pre-known address).
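
As an added example, not part of the answer above or of any Zabbix code: the DHCP-log check it describes, in Python, reporting refused addresses and requests from MACs outside an allowlist. It assumes ISC dhcpd syslog message shapes (which spell the refusal `DHCPNAK`); the function names, sample log lines and allowlist are constructed for illustration.

```python
import re

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Message shapes assumed to follow ISC dhcpd syslog output.
PATTERNS = [
    ("DHCPNAK", re.compile(r"DHCPNAK on (?P<ip>\S+) to " + MAC, re.I)),
    ("DHCPREQUEST", re.compile(r"DHCPREQUEST for (?P<ip>\S+) (?:\(\S+\) )?from " + MAC, re.I)),
    ("DHCPDISCOVER", re.compile(r"DHCPDISCOVER from " + MAC, re.I)),
]

def normalize(mac):
    """Lower-case a MAC and use ':' separators so allowlist and log entries compare equal."""
    return mac.lower().replace("-", ":")

def find_suspect_clients(lines, allowed_macs):
    """Return (reason, message, mac, ip) for every NAK and for requests from MACs not in the allowlist."""
    allowed = {normalize(m) for m in allowed_macs}
    events = []
    for line in lines:
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            mac = normalize(m.group("mac"))
            ip = m.groupdict().get("ip")  # DISCOVER lines carry no address
            if kind == "DHCPNAK":
                events.append(("address_refused", kind, mac, ip))
            elif mac not in allowed:
                events.append(("unknown_mac", kind, mac, ip))
            break
    return events

# Constructed sample log lines and allowlist (not taken from the page).
SAMPLE_LOG = [
    "Mar  7 10:00:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "Mar  7 10:00:02 gw dhcpd: DHCPACK on 192.0.2.10 to 00:11:22:33:44:55 (pc-01) via eth1",
    "Mar  7 10:05:13 gw dhcpd: DHCPDISCOVER from DE:AD:BE:EF:00:01 via eth1: network 192.0.2.0/24: no free leases",
    "Mar  7 10:06:40 gw dhcpd: DHCPREQUEST for 198.51.100.7 (198.51.100.1) from de:ad:be:ef:00:02 via eth1",
    "Mar  7 10:06:40 gw dhcpd: DHCPNAK on 198.51.100.7 to de:ad:be:ef:00:02 via eth1",
]
ALLOWED = ["00-11-22-33-44-55"]

if __name__ == "__main__":
    for event in find_suspect_clients(SAMPLE_LOG, ALLOWED):
        print(*event)
```

The returned tuples can be forwarded to Zabbix, for example with `zabbix_sender` to a trapper item.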
