Suricata possible ARP spoofing detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the Suricata integration.

Goal

Detect ARP spoofing attempts, which could indicate a Man-in-the-Middle (MitM) attack or other malicious activities aimed at intercepting or altering network traffic.

Strategy

Monitor Suricata ARP events for indicators of ARP spoofing, such as multiple devices (distinct MAC addresses) claiming the same IP address. This detection rule aims to identify ARP spoofing attempts early, allowing for timely investigation and mitigation to protect network integrity and prevent data interception.

Triage and response

  1. Analyse the Suricata ARP logs to confirm the presence of ARP spoofing. Verify the suspicious activity with additional network monitoring tools like Wireshark.
  2. Analyse the {{@arp.src_ip}} and {{@arp.dest_ip}} IP addresses that might be involved in the spoofing attack.
  3. Isolate the compromised devices from the network to prevent further unauthorized access and damage.
  4. Clear the ARP cache on affected devices to remove any spoofed entries.
  5. Configure static ARP entries on critical devices to prevent ARP spoofing.
  6. Ensure all network devices, including routers, switches, and firewalls, are updated with the latest firmware and security patches.
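The following is an added example, not code from the rule page, Datadog or the Suricata project. It implements the detection strategy described above (one IP address claimed by more than one MAC address) over Suricata EVE JSON `arp` events and produces the per-IP/MAC breakdown that triage steps 1 and 2 call for. The field names `src_ip`, `dest_ip`, `src_mac` and `opcode` follow the page's `@arp.src_ip` / `@arp.dest_ip` attributes and Suricata's EVE `arp` event layout; the sample log lines are constructed for the example, and the conflict threshold (any second MAC) is an assumption that a production rule might tune.

```python
"""Detect ARP spoofing indicators in Suricata EVE JSON ARP events.

Added example, not part of the original rule page or Suricata's own code.
Field names follow the page's @arp.src_ip / @arp.dest_ip and Suricata's
EVE "arp" event layout; the sample log lines below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample of Suricata EVE JSON "arp" events (not real captures).
# Two different MAC addresses reply for 192.168.1.1 (the gateway), which is
# the "multiple devices claiming the same IP" condition the rule looks for.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"arp","arp":{"hw_type":"ethernet","proto_type":"ipv4","opcode":"request","src_mac":"aa:bb:cc:00:00:10","src_ip":"192.168.1.10","dest_mac":"00:00:00:00:00:00","dest_ip":"192.168.1.1"}}',
    '{"timestamp":"2024-05-01T10:00:00.001000+0000","event_type":"arp","arp":{"hw_type":"ethernet","proto_type":"ipv4","opcode":"reply","src_mac":"aa:bb:cc:00:00:01","src_ip":"192.168.1.1","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"192.168.1.10"}}',
    '{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"10.0.0.5"}',
    '{"timestamp":"2024-05-01T10:00:07.000000+0000","event_type":"arp","arp":{"hw_type":"ethernet","proto_type":"ipv4","opcode":"reply","src_mac":"de:ad:be:ef:00:99","src_ip":"192.168.1.1","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"192.168.1.10"}}',
    '{"timestamp":"2024-05-01T10:00:08.000000+0000","event_type":"arp","arp":{"hw_type":"ethernet","proto_type":"ipv4","opcode":"reply","src_mac":"aa:bb:cc:00:00:20","src_ip":"192.168.1.20","dest_mac":"aa:bb:cc:00:00:10","dest_ip":"192.168.1.10"}}',
    'this line is not JSON and should be skipped',
]


def parse_arp_events(lines):
    """Yield (timestamp, arp dict) for every well-formed EVE 'arp' event."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the analysis
        if event.get("event_type") != "arp":
            continue
        arp = event.get("arp", {})
        if "src_ip" in arp and "src_mac" in arp:
            yield event.get("timestamp", ""), arp


def find_ip_mac_conflicts(lines, replies_only=True):
    """Return {ip: {mac: [timestamps]}} for IPs claimed by more than one MAC.

    Only ARP replies are considered by default, because a reply is the
    message that actually changes a neighbour's cache; requests can be
    included by passing replies_only=False.
    """
    claims = defaultdict(lambda: defaultdict(list))
    for ts, arp in parse_arp_events(lines):
        if replies_only and arp.get("opcode") != "reply":
            continue
        claims[arp["src_ip"]][arp["src_mac"].lower()].append(ts)
    # Keep only IPs with two or more distinct MACs (assumed threshold).
    return {ip: dict(macs) for ip, macs in claims.items() if len(macs) > 1}


def triage_summary(lines):
    """List (timestamp, src_ip, src_mac, dest_ip) rows for the conflicting IPs.

    This is the material for triage step 2: which addresses sent the
    conflicting replies and which host (dest_ip) received them.
    """
    conflicts = find_ip_mac_conflicts(lines)
    rows = []
    for ts, arp in parse_arp_events(lines):
        if arp["src_ip"] in conflicts and arp.get("opcode") == "reply":
            rows.append((ts, arp["src_ip"], arp["src_mac"].lower(), arp.get("dest_ip")))
    return rows


if __name__ == "__main__":
    for ip, macs in find_ip_mac_conflicts(SAMPLE_EVE_LINES).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {sorted(macs)}")
    for row in triage_summary(SAMPLE_EVE_LINES):
        print("  ", *row)
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE_LINES` with the file's lines. Note that a legitimate NIC replacement or a VRRP/HSRP failover also produces a second MAC for one IP, so the conflict list is the starting point for step 1 (confirm with packet capture), not proof of an attack on its own.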