====== Description ======

This backend watches for misconfigured machines being brought up on the wrong networks, or potentially strange homings of nets. The package looks for ARP requests asking that the response be sent to an IP address not expected to be seen on the 'internal' network(s) (i.e. who-has foo, tell not-the-ip-you-expected-to-see).

The theory is that when a system first comes live it will attempt to gratuitously ARP for itself (although Solaris is one of the few systems that does not do this). If it was configured for the wrong network, you will see this. If another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see ARPs for a different net's router with an external network IP in the ARP packet.

IDS is one thing, but many times it's finding the problems after the fact that still saves your butt.

Note: the list of networks that are considered internal is kept in a global variable called my_networks inside of $NFRHOME/library/values.nfr. Simply create

  my_networks = [ 192.168.1.0:255.255.255.0 ];

or whatever your internal networks are.

mudge@l0pht.com
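
The check described above, sketched in Python as an added example (not the NFR backend's own N-code): it parses an Ethernet ARP request and reports any whose "tell" address lies outside the internal networks. The names check_arp_frame and build_arp_request are hypothetical, the sample frames are constructed, and skipping 0.0.0.0 probes is an assumption added here so that RFC 5227 address probes do not raise alerts.

```python
import ipaddress
import struct

# Same role as my_networks in values.nfr (value taken from the note above).
MY_NETWORKS = [ipaddress.ip_network("192.168.1.0/255.255.255.0")]

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def check_arp_frame(frame, networks=MY_NETWORKS):
    """Return an alert dict for an ARP request whose 'tell' address is
    outside the internal networks, or None if the frame is not of interest."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    if oper != ARP_REQUEST:
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    sender = ipaddress.IPv4Address(spa)       # the "tell" address
    target = ipaddress.IPv4Address(tpa)       # the "who-has" address
    if sender.is_unspecified:                 # assumption: ignore 0.0.0.0 probes
        return None
    if any(sender in net for net in networks):
        return None
    return {
        "mac": sha.hex(":"),
        "tell": str(sender),
        "who_has": str(target),
        "gratuitous": sender == target,       # host announcing its own address
    }


def build_arp_request(mac, spa, tpa):
    """Construct a sample Ethernet ARP request (test data, not a capture)."""
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac + ipaddress.IPv4Address(spa).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed
    return eth + arp
```

The "gratuitous" flag separates the two cases in the description: a host announcing its own wrong-network address, versus a host on a mis-attached stub asking for another net's router.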