IPS/MARS message help

Unanswered Question
Nov 25th, 2007
User Badges:

We are seeing a simalr message as stated below. It seems to be coming from our Cisco AP. What could be causing this and is it a false positive?


192.168.x.x/0 --> 192.168.x.x/0 N/A ARP Reply-to-Broadcast,NR-7102/0,Time:1192307707,Risk Rating:30,VLAN:x


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mhellman Mon, 11/26/2007 - 06:32
User Badges:
  • Blue, 1500 points or more

There are products that use ARP broadcasts as a component of heartbeat/failover...so yes, you may see false positives for this signature. Cisco ASA is one example of many. Enable the trigger packet and you should be able to track down the "offending" device.

Actions

This Discussion