tmuster2k Posted October 16, 2020

Getting this detection on all endpoints:

Rule/worm name;Application;SHA1;User
10/15/2020 4:36:11 PM;ARP Cache Poisoning attack;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
10/12/2020 11:58:26 AM;Duplicate IP addresses on network;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;

NOTE: 10.4.2.1 is the IP address of the router. Is this likely a false detection coming from the ESET IDS? The router has the latest firmware. Is it possible the router's firmware has been compromised?
Marcos (Administrator) Posted October 16, 2020

There are 2 devices with the same IP address in the network. A pcap log should show them as well. Please enable advanced network protection logging in the adv. setup -> tools -> diagnostics, reboot the machine and wait for the detection to trigger. Then disable logging, collect logs with ESET Log Collector and upload the generated zip file here.
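What the two log rows in the opening post and the reply above are saying can be checked independently: every row records two endpoints claiming 10.4.2.1, each with a different MAC, and a capture of the ARP traffic would show the same two MACs answering for that IP. The script below is an added example written for this thread; it is not ESET code and not something either poster ran. It parses the semicolon-separated firewall log export format quoted in the thread (the sample rows are constructed copies of the two posted lines), parses raw ARP frames the way a pcap reader would (the frames are built inline from made-up MACs for the non-router host, so no capture file is read), and reports any IP that more than one MAC claims. The function and variable names are the example's own.

```python
"""Added example (not ESET's code): find IPs claimed by more than one MAC.

Two input sources are handled:
 1. ESET firewall log export rows (Time;Event;Action;Source;Target;Protocol;...),
    where Source/Target look like "10.4.2.1 [00:09:0f:97:54:78]".
 2. Raw Ethernet+ARP frames as a packet capture would contain them
    (constructed here as bytes; no real capture is read).
An IP seen with two or more MACs is exactly the condition behind the
"Duplicate IP addresses on network" / "ARP Cache Poisoning attack" events.
"""
import re
import struct
from collections import defaultdict

# "IP [MAC]" as written in the Source/Target columns of the export.
ENDPOINT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}) \[([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]", re.I)

# Constructed sample: a full header plus the two rows posted in the thread.
SAMPLE_LOG = """Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
10/15/2020 4:36:11 PM;ARP Cache Poisoning attack;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;
10/12/2020 11:58:26 AM;Duplicate IP addresses on network;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;
"""


def parse_eset_rows(text):
    """Yield one dict per data row, keyed by the header column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    for line in lines[1:]:
        yield dict(zip(header, line.split(";")))


def pairs_from_log(text):
    """(ip, mac) for every Source and Target endpoint in the export."""
    pairs = []
    for row in parse_eset_rows(text):
        for col in ("Source", "Target"):
            m = ENDPOINT_RE.search(row.get(col, ""))
            if m:
                pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply (opcode 2). Used only to construct test frames."""
    eth = _mac(target_mac) + _mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # htype, ptype, hlen, plen, op
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def pairs_from_frames(frames):
    """(sender_ip, sender_mac) from each ARP frame; non-ARP frames are skipped."""
    pairs = []
    for f in frames:
        if len(f) < 42 or f[12:14] != b"\x08\x06":
            continue
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", f[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue
        mac = ":".join(f"{b:02x}" for b in f[22:28])
        ip = ".".join(str(b) for b in f[28:32])
        pairs.append((ip, mac))
    return pairs


def find_conflicts(pairs):
    """Map IP -> sorted MACs, keeping only IPs claimed by more than one MAC."""
    seen = defaultdict(set)
    for ip, mac in pairs:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    print("from log export:", find_conflicts(pairs_from_log(SAMPLE_LOG)))
    # Constructed frames: two different MACs answer for 10.4.2.1, one host is clean.
    frames = [
        build_arp_reply("00:09:0f:97:54:78", "10.4.2.1", "aa:bb:cc:dd:ee:01", "10.4.2.50"),
        build_arp_reply("00:16:6c:9a:0d:25", "10.4.2.1", "aa:bb:cc:dd:ee:01", "10.4.2.50"),
        build_arp_reply("aa:bb:cc:dd:ee:02", "10.4.2.7", "aa:bb:cc:dd:ee:01", "10.4.2.50"),
    ]
    print("from ARP frames: ", find_conflicts(pairs_from_frames(frames)))
```

Running it against a real capture means feeding `pairs_from_frames` the link-layer bytes of each packet instead of the constructed list; either way, the two MACs the script reports for 10.4.2.1 are the two devices to go and find on the switch.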
tmuster2k (Author) Posted October 16, 2020

Why is a duplicate IP address detection being flagged as >> Rule/worm name;Application;SHA1;User?
Marcos (Administrator) Posted October 16, 2020

Because it's detected by the firewall and the information is logged in the firewall log. In logs the titles of columns are static.