
ARP Spoofing Detected


Good Afternoon,

This is the situation: I have Windows servers configured with Broadcom network teaming for network load balancing, and in Network Security Manager Threat Analyzer I'm receiving numerous alerts for ARP: ARP Spoofing Detected reported from Solaris servers.

Is there a way to mark this as a false positive on the Network Security Manager, or is there a way to fix this in the Broadcom teaming configuration?

Regards.


Accepted Solutions

Re: ARP Spoofing Detected


Hello Maximo,


Yes, you can exclude these alerts if they are generated from your Solaris servers. For this you will have to create an attack filter. Take a look at page number 84 of the attached document, which might help you.

Regards,

Bruno

Re: ARP Spoofing Detected


I got an error while trying to upload this document since it's about 7 MB. Please take a look at https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=2&pl=0 and look for IPS Configuration Guide (NSP_IPS_Configuration_6.0_EN.pdf).


Re: ARP Spoofing Detected


Hi Bruno,

I am seeing lots of these incidents triggered internally. Would you mind sharing in what situations it will trigger as a false alarm?

Regards

Haikal


Re: ARP Spoofing Detected


Usually this is a false positive on an internal network; please consider that Cisco STP (Spanning Tree Protocol) can trigger this alert a lot.

Verify that the IP src and dest. reported are trusted; also do a packet capture with a sniffer to validate the traffic.

Regards.
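
Added example, not part of the original thread and not McAfee code: one way to validate a packet capture as suggested above, by separating IPs announced by more than one MAC into those covered by a known team's adapter MACs and those that are not. It assumes the capture has already been split into raw untagged Ethernet frames; the function names, the `TEAM` inventory and all sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an untagged Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac(frame[22:28]), ".".join(map(str, frame[28:32]))

def triage(frames, team_macs):
    """Split IPs claimed by more than one MAC into (explained_by_teaming, unexplained)."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip = parsed
        if sender_ip == "0.0.0.0":        # ARP probe (RFC 5227): claims no address
            continue
        claims[sender_ip].add(sender_mac)
    explained, unexplained = {}, {}
    for ip, macs in claims.items():
        if len(macs) > 1:
            target = explained if macs <= team_macs.get(ip, set()) else unexplained
            target[ip] = sorted(macs)
    return explained, unexplained

def build(sender_mac: str, sender_ip: str, op: int = 2) -> bytes:
    """Construct a sample ARP frame (test data only, not captured traffic)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(p) for p in sender_ip.split("."))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + b"\x00" * 6 + spa

# Constructed sample: 192.0.2.10 is a teamed server, 192.0.2.20 is not in the inventory.
SAMPLE = [build("02:00:00:00:00:01", "192.0.2.10"), build("02:00:00:00:00:02", "192.0.2.10"),
          build("02:00:00:00:00:aa", "192.0.2.20"), build("02:00:00:00:00:bb", "192.0.2.20"),
          build("02:00:00:00:00:cc", "0.0.0.0", op=1)]
TEAM = {"192.0.2.10": {"02:00:00:00:00:01", "02:00:00:00:00:02"}}  # hypothetical inventory

if __name__ == "__main__":
    print(triage(SAMPLE, TEAM))
```

Addresses in the first result are candidates for an attack filter; addresses in the second still need an owner identified before any alert is excluded.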


Re: ARP Spoofing Detected


Hi!

Do you have any advice for me on what to do with hundreds of thousands of ARP-spoofing alerts without a 0.0.0.0 srcIP and dstIP? I don't know how to tune that?!

Also I'm not really sure how to find out what crappy device is the source of that.

Thanks guys!


Re: ARP Spoofing Detected


@radiomoskau -> Perhaps those are just the suppressed events and are directly related to ARP spoofing events that occurred at the same time? Check your event suppression settings; roll-up events are just summaries that don't include all of the details and associated pcaps in order to save performance and storage space.

See here about suppression/throttling - https://kc.mcafee.com/corporate/index?page=content&id=KB55472
