One of our windows servers was compromised, causing us to start having ARP cache issues. The switch port that that machine was on is now off. We are still (slowly) getting this error:
Jun 4 18:17:54 CDT: %IP-4-ZERO_ADDR: Zero MAC address for 10.1.0.1 in ARP cache
But the interfaces to which they show up are only interfaces on the router itself. We have configured Snort to try to resolve some of these issues, but do not know where to look when the interfaces that are listed are only the ones on the router itself.