ERA Firewall Events

[BDeep 7]

In ERA, the following events get reported to the console:

Detected ARP cache poisoning attack

Duplicate IP addresses detected in network

 

What settings control these events? Can I add more? Can I exclude these? I'm not sure why just these two get reported to ERA and how they are controlled.

[MartinK 376]

ERA receives only events from pre-defined firewall rules (not from custom rules) mostly from IDS. Configuration on endpoint is located here: Personal Firewall -> Basic -> IDS and advanced options -> Intrusion detection

[21jags 0]

https://forum.eset.com/topic/1494-arp-poisoning-attack/check the forum

For duplicate IP address contact your IT admin.

[BDeep 7]

ERA receives only events from pre-defined firewall rules (not from custom rules) mostly from IDS. Configuration on endpoint is located here: Personal Firewall -> Basic -> IDS and advanced options -> Intrusion detection

 

Gotcha. So the information received from ERA is from pre-defined rules. Anything that I want to specifically monitor for (custom rules) won't be reported to ERA.

[avatar42 0]

Is there any way to get the mac address of the device causing the problem? I see these randomly. Generally with one of the router IPs which might indicate someone trying to divert routing. Or could be a sign a router is having issues. Logs only seem to give you the IP with the issue. Mac would let me be able to track back to a device to fix or disable it.