
ARP Cache Poisoning/Duplicate IP addresses on network



Getting this detection on all endpoints:

Rule/worm name;Application;SHA1;User
10/15/2020 4:36:11 PM;ARP Cache Poisoning attack;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
10/12/2020 11:58:26 AM;Duplicate IP addresses on network;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;
 

NOTE: 10.4.2.1 is the IP address of the router. Is this likely a false detection coming from the ESET IDS? Router has latest firmware. Is it possible the router's firmware has been compromised?

 

 


  • Administrators

There are 2 devices with the same IP address in the network. A pcap log should show them as well. Please enable advanced network protection logging in the adv. setup -> tools -> diagnostics, reboot the machine and wait for the detection to trigger.

Then disable logging, collect logs with ESET Log Collector and upload the generated zip file here.
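
An added example, not part of the original thread and not ESET tooling: a short Python script that reads firewall log rows in the semicolon-separated layout quoted in the first post and lists every IP address claimed by more than one MAC address in ARP events. The function name `ip_mac_conflicts` and the third sample row are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Column titles as they appear in the firewall log export quoted in this thread.
COLUMNS = ["Time", "Event", "Action", "Source", "Target", "Protocol",
           "Rule/worm name", "Application", "SHA1", "User"]
# Matches the "IP [MAC]" form used in the Source and Target columns of ARP rows.
ENDPOINT = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\[([0-9A-Fa-f:]{17})\]\s*$")

# Sample input: the two rows from the thread plus one constructed non-ARP row.
SAMPLE = """Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
10/15/2020 4:36:11 PM;ARP Cache Poisoning attack;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;
10/12/2020 11:58:26 AM;Duplicate IP addresses on network;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;
10/12/2020 12:01:02 PM;Constructed non-ARP event;Blocked;10.4.2.57:51000;10.4.2.9:445;TCP;;;0000000000000000000000000000000000000000;
"""


def ip_mac_conflicts(log_text):
    """Return {ip: {mac: [event names]}} for IPs claimed by more than one MAC."""
    claims = defaultdict(lambda: defaultdict(set))  # ip -> mac -> event names
    for row in csv.reader(io.StringIO(log_text), delimiter=";"):
        # Skip blank lines, header rows and truncated lines.
        if len(row) < 6 or row[0] == "Time":
            continue
        rec = dict(zip(COLUMNS, row))
        if rec["Protocol"] != "ARP":
            continue
        for field in ("Source", "Target"):
            m = ENDPOINT.match(rec[field])
            if m:
                claims[m.group(1)][m.group(2).lower()].add(rec["Event"])
    return {ip: {mac: sorted(events) for mac, events in macs.items()}
            for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in ip_mac_conflicts(SAMPLE).items():
        print(f"{ip} is claimed by {len(macs)} MAC addresses:")
        for mac, events in macs.items():
            print(f"  {mac}  seen in: {', '.join(events)}")
```

Comparing the MAC addresses it reports with the one on the router's label or admin page shows which of the two devices is the unexpected claimant of the address.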


  • Administrators

Because it's detected by the firewall and the information is logged in the firewall log. In logs the titles of columns are static.


This topic is now closed to further replies.