Detect ARP spoofing with Malcolm #653
Replies: 2 comments 2 replies
-
At the moment Malcolm doesn't do any logging of ARP traffic at all. There's actually a parser for an OT protocol called EtherCAT that has sort of a side effect of logging all ARP traffic, although we disable that as it usually ends up being just a huge volume of logs. If you wanted to try turning that back on to see if that would help you, you could edit your local As far as detecting the mismatch of MAC and IP, I'm not exactly sure how you could do that: for example, when a router or NAT device forwards a packet, it typically replaces the source MAC address with its own MAC address for the outgoing segment. How would you tell the difference? But I'm a coder, not an analyst, so maybe somebody else would have a better idea than me.
-
So you are right about the router issue. But this situation only occurs when the traffic is sent to another subnet.
-
Hi there,
is it possible to detect ARP spoofing with Malcolm? We would like to demonstrate ARP spoofing and detection for educational purposes. Therefore we are spoofing the MAC addresses of two known devices in a training environment. Is there an option to define Suricata or Zeek rules to detect the mismatch of MAC and IP? Currently it seems that ARP messages cannot be detected or seen in the dashboards or Arkime.
P.S.: I originally posted this question in r/Malcolm.
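As an added example (not code from this thread or from the Malcolm project), here is the Zeek side of what the question asks for: a script that learns the IP-to-MAC binding each host announces in its ARP requests and replies and raises a notice when a known IP is suddenly claimed by a different MAC. ARP never crosses a router, so the forwarding case raised above does not affect these bindings; the two pre-seeded addresses and MACs are constructed placeholders for the training lab's devices, and the script assumes Zeek sees the same layer-2 segment as the spoofed hosts.

```zeek
##! Added example, not Malcolm's own code: flag IP-to-MAC changes seen in ARP.
##! Notices land in notice.log under the type ARPWatch::IP_MAC_Mismatch.

module ARPWatch;

export {
    redef enum Notice::Type += {
        ## An IP address was announced with a MAC different from the one seen before.
        IP_MAC_Mismatch,
    };

    ## Known IP -> MAC bindings. The two entries are constructed placeholders for
    ## the lab's two known devices; anything else is learned on first sighting.
    global ip_to_mac: table[addr] of string = {
        [192.168.10.10] = "aa:bb:cc:00:00:10",
        [192.168.10.20] = "aa:bb:cc:00:00:20",
    } &redef;
}

function check_binding(ip: addr, mac: string, mac_src: string)
    {
    # ARP probes announce 0.0.0.0 as the sender IP; they carry no binding to check.
    if ( ip == 0.0.0.0 )
        return;

    local m = to_lower(mac);

    if ( ip !in ip_to_mac )
        {
        ip_to_mac[ip] = m;   # first sighting of this IP: learn the binding
        return;
        }

    if ( ip_to_mac[ip] != m )
        NOTICE([$note=IP_MAC_Mismatch,
                $msg=fmt("%s was %s, now announced by %s (frame src %s)",
                         ip, ip_to_mac[ip], m, mac_src),
                $sub=ip_to_mac[ip]]);
    }

# Unsolicited replies are the usual poisoning vector, so check the sender binding on every reply.
event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    check_binding(SPA, SHA, mac_src);
    }

# Requests also announce the sender's own binding (SPA/SHA), so check those too.
event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
    {
    check_binding(SPA, SHA, mac_src);
    }
```

The learned table is per Zeek process and is not persisted, so pre-seeding the devices you care about is what makes the first spoofed announcement detectable rather than silently learned.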