Tracy Garner
Posted June 20, 2022

I am getting Firewall Detections only on a couple of the 250 PCs in my environment - ARP Cache Poisoning Attack. The problem is that the ESET server is doing it. It is a Linux virtual server (deployed from the OVA provided by ESET). How can I create a policy or rule to stop this?

Infringing socket 10.xxx.##242:0 (THIS IS THE IP ADDRESS OF THE ESET PROTECT SERVER)
Old MAC address ##-##-##-80-2E-04 (THIS IS THE MAC THAT IS ON THE VIRTUAL INTERFACE)
New MAC address ##-##-##-38-32-30 (THIS IS THE MAC OF THE ESX SERVER IN OUR CLUSTER THAT THE ESET SERVER IS CURRENTLY ON)

Marcos (Administrators)
Posted June 20, 2022

You could create a policy with an IDS rule for ARP cache poisoning attack detection: Set the actions to No and add the IP address of the server to confine the exception to the server only.

Tracy Garner
Posted June 20, 2022

Thanks, I will try that.