Link-layer IDS for home and SOHO


Today I got acquainted with recent years wi-fi penetration techniques (e.g. brutefrocing WPS pin). I realized that the strongest security measures at my home are set for WAN side at the Internet gateway. For years I considered my LAN absolutely safe. But WPA PSK with long random key-phrase turned out to be not enough.

Taking measures, after disabling WPS at my access point I decided to add lightweight intrusion detection for LAN (as setting up such heavy intrusion detection systems like Snort is overkill for my home environment. I think the same is true for most of the home and SOHO (small office home office) environments). Link layer seemed the most appropriate level to monitor as almost every intruder action will touch it.

I desired to monitor arp and IPv6 neighbourhood tables at my Internet gateway as primary goal for me is preventing the intruder from doing illegal actions using my connection.
To monitor the tables I wrote a script which notifies me upon unknown PC connects to my home LAN. It polls the tables comparing the records with known PCs MAC addresses.
The script is at github:

Now I fill more safe =)
Deploy the script in your homes. Let’s control our networks =)