This is the situation: I have Windows servers configured with Broadcom network teaming for network load balancing. In Network Security Manager Threat Analyzer I'm receiving numerous alerts for "ARP: ARP Spoofing Detected" reported from Solaris servers.
Is there a way to mark this as a false positive in the Network Security Manager, or is there a way to fix this in the Broadcom teaming configuration?
Yes, you can exclude this alert if it is generated from your Solaris servers. For this you will have to create an attack filter. Take a look at page 84 of the attached document, which might help you.
I got an error while trying to upload this document since it's about 7MB. Please take a look at https://mysupport.mcafee.com/Eservice/productdocuments.aspx?strPage=2&pl=0 and look for the IPS Configuration Guide (NSP_IPS_Configuration_6.0_EN.pdf).
Usually this is a false positive on an internal network; please consider that Cisco STP (Spanning Tree Protocol) can trigger this alert a lot.
Verify that the IP src and dest. reported are trusted; also do a packet capture with a sniffer to validate the traffic.
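An added example of the sniffer check suggested above (this is not code from the thread or from McAfee). Teaming shows up on the wire as more than one MAC answering ARP for the same IP, which is exactly what a sensor reports as spoofing. The script below parses tcpdump-style ARP reply lines, tallies which MACs claimed each IP, and labels a host "teaming" only when every MAC it used is on a known team list, mirroring what an attack filter for trusted hosts would exclude; anything else stays "suspect". The capture lines, addresses and the TRUSTED_TEAMS table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `tcpdump -n -e arp` output. The addresses
# are hypothetical; only the "Reply <ip> is-at <mac>" part is parsed.
SAMPLE_CAPTURE = """\
00:10:18:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.50 is-at 00:10:18:aa:bb:01, length 28
00:10:18:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.50 is-at 00:10:18:aa:bb:02, length 28
00:10:18:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.50 is-at 00:10:18:aa:bb:01, length 28
00:21:28:cc:dd:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.20 is-at 00:21:28:cc:dd:10, length 28
00:1b:21:ee:ff:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.1 is-at 00:1b:21:ee:ff:99, length 28
de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.1 is-at de:ad:be:ef:00:01, length 28
00:1b:21:ee:ff:99 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.1.20 tell 10.1.1.1, length 28
"""

# Hypothetical inventory of teamed hosts: each IP and every MAC its team is
# allowed to answer with. This is the same knowledge an attack filter for
# trusted hosts would encode on the sensor side.
TRUSTED_TEAMS = {
    "10.1.1.50": {"00:10:18:aa:bb:01", "00:10:18:aa:bb:02"},
}

ARP_REPLY_RE = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_replies(capture_text):
    """Return (ip, mac) pairs for every ARP reply line; requests are ignored."""
    pairs = []
    for line in capture_text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def tally_macs(pairs):
    """Map each IP to the ordered list of distinct MACs that claimed it."""
    seen = defaultdict(list)
    for ip, mac in pairs:
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)


def classify(tally, trusted_teams):
    """Label each IP: 'ok' (one MAC), 'teaming' (several MACs, all on the
    host's known team), or 'suspect' (a MAC the inventory does not know)."""
    verdicts = {}
    for ip, macs in tally.items():
        if len(macs) == 1:
            verdicts[ip] = "ok"
        elif set(macs) <= trusted_teams.get(ip, set()):
            verdicts[ip] = "teaming"
        else:
            verdicts[ip] = "suspect"
    return verdicts


def triage(capture_text, trusted_teams=TRUSTED_TEAMS):
    """Parse, tally and classify a capture in one call."""
    return classify(tally_macs(parse_arp_replies(capture_text)), trusted_teams)


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_CAPTURE).items()):
        print(f"{ip:<12} {verdict}")
```

Run it against a real capture by piping `tcpdump -n -e arp` output into `triage`; the host with two Broadcom-style MACs is reported as "teaming" because both MACs are on its team entry, while 10.1.1.1, which was answered for by a MAC that is not in the inventory, stays "suspect" and is the one worth chasing down.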
Do you have any advice for me on what to do with hundreds of thousands of ARP-spoofing alerts without a 0.0.0.0 srcIP and dstIP? I don't know how to tune that?!
Also, I'm not really sure how to find out which crappy device is the source of that.
@radiomoskau -> Perhaps those are just the suppressed events and are directly related to ARP spoofing events that occurred at the same time? Check your event suppression settings; roll-up events are just summaries that don't include all of the details and associated pcaps, in order to save performance and storage space.
See here about suppression/throttling - https://kc.mcafee.com/corporate/index?page=content&id=KB55472