Im seeing a Huge amount of events related with the signature ARP Reply-to-Broadcast 7102.
The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. This is not normal traffic and can indicate an ARP poisioning attack. Note: This signature is only available in Cisco IDS versions 4.0 and greater.
No known triggers.
It says that there are not Benign triggers. Im Dropping the packets related with this signature.... Should I Drop the packets to avoid ARP Poisioning??
I do not want to drops benign packets but it seems that this signature will not fire with benign packets. Any advise will be really appreciated.
Is the traffic coming from your network or the outside? If inside, I'd track it down and investigate the device sending the packets. If outside, contact the admin of that network and discuss with them.
This can be caused by devices that perform an unsolicited, or Gratuitous ARP replies.
Load balancers, High Availbility pairs (dual NICs in a host, dual firewalls, etc) will send a broad cast ARP reply to update everyones ARP table so that know what MAC to send frames for the shared IP address.