07-10-2010 05:35 PM - edited 03-10-2019 05:03 AM
Hello,
Im seeing a Huge amount of events related with the signature ARP Reply-to-Broadcast 7102.
The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. This is not normal traffic and can indicate an ARP poisioning attack. Note: This signature is only available in Cisco IDS versions 4.0 and greater.
Benign Triggers |
No known triggers. |
It says that there are not Benign triggers. Im Dropping the packets related with this signature.... Should I Drop the packets to avoid ARP Poisioning??
I do not want to drops benign packets but it seems that this signature will not fire with benign packets. Any advise will be really appreciated.
07-11-2010 04:45 AM
Is the traffic coming from your network or the outside? If inside, I'd track it down and investigate the device sending the packets. If outside, contact the admin of that network and discuss with them.
07-13-2010 08:06 AM
This can be caused by devices that perform an unsolicited, or Gratuitous ARP replies.
Load balancers, High Availbility pairs (dual NICs in a host, dual firewalls, etc) will send a broad cast ARP reply to update everyones ARP table so that know what MAC to send frames for the shared IP address.
Here's some reading on the subject:
http://linux-ip.net/html/ether-arp.html
http://fixunix.com/tcp-ip/66247-arp-behaviour.html
You should trace down the device by i's MAC address to determine if this is the case or not.
- Bob
07-13-2010 08:18 AM
Bob's answer regarding gratuitous ARP from clustering/HA is spot on. I'll look into getting the SIO entry updated to reflect the fact that these are known benign triggers.
-juteixei
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide