
ARP Cache Poisoning Attack



I am getting Firewall Detections only on a couple of the 250 PCs in my environment - ARP Cache Poisoning Attack. The problem is that the ESET server is doing it. It is a Linux virtual server (deployed from the OVA provided by ESET). How can I create a policy or rule to stop this?

  • Infringing socket
    10.xxx.##242:0  (THIS IS THE IP ADDRESS OF THE ESET PROTECT SERVER)
  • Old MAC address
    ##-##-##-80-2E-04  (THIS IS THE MAC THAT IS ON THE VIRTUAL INTERFACE)
  • New MAC address
    ##-##-##-38-32-30 (THIS IS THE MAC OF THE ESX SERVER IN OUR CLUSTER THAT THE ESET SERVER IS CURRENTLY ON)

  • Administrators

You could create a policy with an IDS rule for ARP cache poisoning attack detection:

image.png

Set the actions to No and add the IP address of the server to confine the exception to the server only.

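An added example, not part of the original posts and not ESET code: before scoping an IDS exception to the server's IP as suggested above, the reported detections can be triaged to confirm that only MACs already verified for that IP are involved. The inventory, the IP and MAC values, and the `triage` helper are all constructed for illustration.

```python
import re

# Constructed inventory (assumption): MACs an admin has verified for each
# server IP, e.g. the VM's virtual NIC and the hypervisor host it runs on.
KNOWN_MACS = {
    "10.0.0.242": {"02-00-00-80-2E-04", "02-00-00-38-32-30"},
}

# Constructed detections, laid out like the fields quoted in the first post.
SAMPLE_DETECTIONS = """\
Infringing socket
10.0.0.242:0
Old MAC address
02-00-00-80-2E-04
New MAC address
02-00-00-38-32-30
Infringing socket
10.0.0.242:0
Old MAC address
02-00-00-80-2E-04
New MAC address
02-00-00-DE-AD-01
"""

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
FIELD_RE = re.compile(
    r"Infringing socket\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    rf"Old MAC address\s+(?P<old>{MAC})\s+"
    rf"New MAC address\s+(?P<new>{MAC})"
)

def triage(text, known=KNOWN_MACS):
    """Return (ip, old_mac, new_mac, verdict) for each detection in text."""
    results = []
    for m in FIELD_RE.finditer(text):
        ip, old, new = m["ip"], m["old"].upper(), m["new"].upper()
        allowed = known.get(ip, set())
        if old in allowed and new in allowed:
            verdict = "expected"      # both MACs are verified for this IP
        else:
            verdict = "investigate"   # an unverified MAC claimed the IP
        results.append((ip, old, new, verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS):
        print(*row)
```

A detection that comes back as "investigate" involves a MAC outside the verified set, so it is worth resolving before the exception for that IP goes into policy.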
