IPS/MARS message help

Unanswered Question
Nov 25th, 2007

We are seeing a simalr message as stated below. It seems to be coming from our Cisco AP. What could be causing this and is it a false positive?


192.168.x.x/0 --> 192.168.x.x/0 N/A ARP Reply-to-Broadcast,NR-7102/0,Time:1192307707,Risk Rating:30,VLAN:x


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mhellman Mon, 11/26/2007 - 06:32

There are products that use ARP broadcasts as a component of heartbeat/failover...so yes, you may see false positives for this signature. Cisco ASA is one example of many. Enable the trigger packet and you should be able to track down the "offending" device.

Actions

This Discussion