Suricata possible ARP spoofing detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the suricata integration.


Goal

Detect ARP spoofing attempts, which could indicate a Man-in-the-Middle (MitM) attack or other malicious activities aimed at intercepting or altering network traffic.

Strategy

Monitor network traffic for signs of ARP spoofing, such as several devices (distinct MAC addresses) claiming the same IP address. This detection rule aims to identify ARP spoofing attempts early, allowing for timely investigation and mitigation to protect network integrity and prevent data interception.
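The check described above, written out as an added example (not Datadog's or Suricata's own code): a small Python pass over constructed Suricata EVE JSON `arp` events that flags any IP address asserted by more than one MAC in ARP replies. The `arp.src_ip`/`arp.dest_ip` keys come from the rule; the other EVE field names (`event_type`, `arp.opcode`, `arp.src_mac`) and the sample records are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON "arp" lines (not real captures).
# Third line: a second MAC asserts 10.0.0.1, the conflict the rule looks for.
# Field names beyond arp.src_ip/arp.dest_ip are assumed for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"arp","arp":{"opcode":"reply","src_mac":"aa:bb:cc:00:00:01","src_ip":"10.0.0.1","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"10.0.0.10"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"arp","arp":{"opcode":"reply","src_mac":"aa:bb:cc:00:00:02","src_ip":"10.0.0.2","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"10.0.0.10"}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"arp","arp":{"opcode":"reply","src_mac":"DE:AD:BE:EF:00:99","src_ip":"10.0.0.1","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"10.0.0.10"}}',
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"flow","flow":{}}',
    'not json at all',
]


def parse_arp_events(lines):
    """Yield (timestamp, arp dict) for every well-formed EVE line of event_type 'arp'."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt lines instead of aborting the scan
        if rec.get("event_type") != "arp":
            continue
        arp = rec.get("arp") or {}
        if "src_ip" in arp and "src_mac" in arp:
            yield rec.get("timestamp"), arp


def find_ip_mac_conflicts(lines):
    """Return {ip: sorted MAC list} for IPs claimed by more than one MAC.

    Only ARP replies are counted: a reply's src_ip/src_mac pair is the
    binding the sender asserts, so two different MACs asserting one IP is
    the "multiple devices claiming the same IP" signal in the Strategy.
    MACs are lower-cased so case differences do not hide a match.
    """
    claims = defaultdict(set)
    for _ts, arp in parse_arp_events(lines):
        if arp.get("opcode") != "reply":
            continue
        claims[arp["src_ip"]].add(arp["src_mac"].lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in find_ip_mac_conflicts(SAMPLE_EVE_LINES).items():
        print(f"possible ARP spoofing: {ip} claimed by {', '.join(macs)}")
```

A gratuitous (unsolicited) reply or a legitimate failover that moves an IP between NICs produces the same pattern, which is why step 1 of the triage below verifies the hit against a capture before acting.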

Triage and response

  1. Analyse the Suricata ARP logs to confirm the presence of ARP spoofing. Verify the suspicious activity with additional network monitoring tools like Wireshark.
  2. Analyse the {{@arp.src_ip}} and {{@arp.dest_ip}} addresses that might be involved in the spoofing attack.
  3. Isolate the compromised devices from the network to prevent further unauthorized access and damage.
  4. Clear the ARP cache on affected devices to remove any spoofed entries.
  5. Configure static ARP entries on critical devices to prevent ARP spoofing.
  6. Ensure all network devices, including routers, switches, and firewalls, are updated with the latest firmware and security patches.