1033 Views · 0 Helpful · 2 Replies

Monitor ARP table on ASA 5505 with MARS v6.0

panderson25
Level 1

The goal is to catch people accidentally plugging an unauthorized device into a 5505. Can MARS monitor the 5505 ARP table or something else and trigger based on a MAC not being in a pre-defined list?

2 Replies

mikecrowe4ICS_2
Level 1

If you are running in transparent mode, ARP inspection might do what you're looking for.

From the ASA "Configuration Guide using the CLI" for 8.2:

When you enable ARP inspection, the adaptive security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

    • If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.

    • If there is a mismatch between the MAC address, the IP address, or the interface, then the adaptive security appliance drops the packet.

    • If the ARP packet does not match any entries in the static ARP table, then you can set the adaptive security appliance to either forward the packet out all interfaces (flood), or to drop the packet.

In addition to the actions listed above, there are matching syslog messages. If MARS does not already trigger events based on those messages, you could add them using a custom parser.

This only works in transparent mode, though. Not sure what would work for routed mode.

Routed mode. Also, this "accident" wouldn't necessarily generate an alert since it could be a new static IP. I was hoping MARS could dig into the ARP table somehow and parse it periodically as opposed to wait for an alert.
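The two ideas in this thread (the three ARP-inspection outcomes quoted from the ASA guide, and the follow-up wish to parse the ARP table periodically against a pre-defined list) can be combined in a small poller. The script below is an added example, not code from the original thread, Cisco, or MARS: it takes a captured `show arp` snapshot (a constructed sample; the real output would come from an SSH or SNMP collector that is assumed, not shown), parses each line, and sorts every entry into the same three buckets the guide describes: match, mismatch, or not in the static table. The allow-list format (IP mapped to MAC and interface) is an assumption for the example. A "mismatch" here covers the "new static IP" case from the reply above, where a known MAC shows up bound to an address it was never assigned.

```python
"""Audit an ASA 'show arp' snapshot against an allow-list of static bindings.

Added example, not part of the original thread. It classifies each ARP entry
with the three outcomes the ARP-inspection text describes (match, mismatch,
not in the static table) so a periodic poller can raise its own alert instead
of waiting for the appliance to send one.
"""
import re
from dataclasses import dataclass

# Constructed sample of ASA 'show arp' output.  Each line is:
#   <interface> <ip> <mac in xxxx.xxxx.xxxx form> <age in seconds>
# (format assumed from typical ASA output; treat as an assumption).
SAMPLE_SHOW_ARP = """\
        inside 192.168.1.10 0011.2233.4455 1234
        inside 192.168.1.20 0011.2233.6677 57
        inside 192.168.1.30 0011.2233.4455 3
        outside 10.0.0.1 aabb.ccdd.eeff 9
        inside 192.168.1.99 deaf.beef.0001 1
"""

# Constructed allow-list of authorised static bindings: ip -> (mac, interface).
ALLOWED = {
    "192.168.1.10": ("0011.2233.4455", "inside"),
    "192.168.1.20": ("0011.2233.6677", "inside"),
    "192.168.1.30": ("0011.2233.8899", "inside"),
    "10.0.0.1": ("aabb.ccdd.eeff", "outside"),
}

# One ARP line: interface, dotted-quad IP, Cisco-style MAC, integer age.
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str
    age: int


def parse_show_arp(text):
    """Return the ArpEntry list found in a 'show arp' dump; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # headers, prompts and blank lines are ignored
        iface, ip, mac, age = m.groups()
        entries.append(ArpEntry(iface, ip, mac.lower(), int(age)))
    return entries


def classify(entry, allowed):
    """Map one entry to 'match', 'mismatch' or 'unknown'.

    match     - IP, MAC and interface all agree with the allow-list.
    mismatch  - the IP or the MAC is known, but the binding differs
                (covers a known device that moved to a new static IP).
    unknown   - neither the IP nor the MAC appears in the allow-list.
    """
    mac_to_ip = {mac: ip for ip, (mac, _iface) in allowed.items()}
    if entry.ip in allowed:
        mac, iface = allowed[entry.ip]
        if mac == entry.mac and iface == entry.interface:
            return "match"
        return "mismatch"
    if entry.mac in mac_to_ip:
        return "mismatch"
    return "unknown"


def audit(text, allowed):
    """Group every parsed entry by classification; callers alert on non-matches."""
    findings = {"match": [], "mismatch": [], "unknown": []}
    for entry in parse_show_arp(text):
        findings[classify(entry, allowed)].append(entry)
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_SHOW_ARP, ALLOWED)
    for bucket in ("mismatch", "unknown"):
        for e in result[bucket]:
            print(f"{bucket.upper():8} {e.interface} {e.ip} {e.mac} age={e.age}s")
```

Run on a schedule, each non-"match" entry is the event the original question wanted: feed it to the SIEM as a custom event rather than waiting for the appliance to log something. On the constructed sample it reports one mismatch (192.168.1.30 seen with a MAC the allow-list assigns elsewhere) and one unknown MAC (192.168.1.99).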
