Spoof Detection

ARP spoof detection can alert you when a device on the network attempts to silently redirect traffic away from a legitimate host (usually a router) to an illegitimate host, usually for the purpose of capturing confidential information or disrupting normal operations. See ARP spoofing for more information.


Some legitimate network traffic can appear to be an ARP spoofing attempt, so it is important to customize this feature to avoid false positives.


White-Listed MAC Addresses

MAC addresses of legitimate network devices such as routers and gateways should be white-listed, as they usually associate their MAC addresses with non-local IP addresses. After proper investigation, also white-list the MAC address of any other network device that regularly causes false alerts.


Authorized IP Ranges

Hosts with dynamic IP addresses (DHCP) can often cause false positives. As such, all IP ranges used by DHCP servers should be added to the "Authorized IP Ranges" list to avoid false positives. This is generally not a security concern, since gateways and servers usually do not have IP addresses assigned via DHCP.
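The following is an added illustration, not EventSentry's own code, of how the two suppression rules above (white-listed MACs and authorized IP ranges) fit into a basic IP-to-MAC change detector; the MAC addresses, IP addresses and DHCP range are constructed sample values.

```python
from ipaddress import ip_address, ip_network

class ArpSpoofDetector:
    """Tracks the MAC last seen for each IP and alerts when it changes,
    unless the new MAC is white-listed or the IP is in an authorized range."""

    def __init__(self, whitelisted_macs, authorized_ranges):
        self.whitelist = {m.lower() for m in whitelisted_macs}
        self.ranges = [ip_network(r) for r in authorized_ranges]
        self.table = {}  # ip -> MAC last seen answering for that IP

    def observe(self, ip, mac):
        """Process one ARP reply ("ip is-at mac"); return an alert string or None."""
        mac = mac.lower()
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None or previous == mac:
            return None                       # first sighting or unchanged mapping
        if mac in self.whitelist:
            return None                       # router/gateway answering for other IPs
        if any(ip_address(ip) in net for net in self.ranges):
            return None                       # DHCP pool: address reuse is expected
        return f"ARP spoof suspected: {ip} moved from {previous} to {mac}"

# Constructed sample configuration and ARP replies (hypothetical values).
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    ("192.168.1.1",   GATEWAY_MAC),            # gateway first seen
    ("192.168.1.50",  "00:11:22:33:44:50"),    # static server
    ("192.168.1.50",  "de:ad:be:ef:00:01"),    # server IP now claimed by another MAC -> alert
    ("192.168.1.101", "00:11:22:33:44:aa"),    # DHCP lease
    ("192.168.1.101", "00:11:22:33:44:bb"),    # lease reassigned: suppressed by authorized range
    ("10.0.0.7",      "00:11:22:33:44:77"),    # non-local host
    ("10.0.0.7",      GATEWAY_MAC),            # gateway answering for it: suppressed by white-list
    ("192.168.1.1",   "de:ad:be:ef:00:01"),    # gateway IP claimed by another MAC -> alert
]

def run_sample():
    """Feed the sample replies through a detector configured with the
    gateway MAC white-listed and the DHCP pool 192.168.1.100/30 authorized."""
    det = ArpSpoofDetector([GATEWAY_MAC], ["192.168.1.100/30"])
    return [a for a in (det.observe(ip, mac) for ip, mac in SAMPLE_REPLIES) if a]

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the two mappings that change outside the white-list and the DHCP range produce alerts; the lease reassignment and the gateway answering for a non-local IP are suppressed.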