OSEC

From: Jason Renard (jason.renardmail.com)
Date: Thu Jul 19 2001 - 12:49:28 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    Hi Paul,

    I'm not sure you can filter this - best bet is probably to track down
    what's causing the alerts and see if you can fix that; have a look at
    the two mac addresses which have been associated with the ip address
    and try to figure out what they are and why they're claiming to be the
    right mac for the ip address... If you've changed some kit or whatever
    (eg moved a virtual ip address between different servers, where the
    virtual ip address becomes assigned a different mac eg the card's
    burnt-in address (bia)) you may want to stop/start the sensor
    generating the alerts as it could still be using an internal table
    based on a previous mac/ip match...

    Jason

    On Wed, 18 Jul 2001 09:57:35 -0400, you wrote:

    >
    >Hi all.
    >
    >I am pretty new to this stuff so ...
    >
    >I am seeing a lot of IP duplicate events, but it seems to be false
    >positives. I wanted to set up a filter for this event, but not block the
    >entire event. When I go to the filter screen, it allows me to filter IP,
    >UDP, and ICMP...Am I missing something??
    >
    >Could someone help me with creating a rule to keep this event active UNLESS
    >the proper combination of Source, Dest with the ARP protocol arises...in
    >which case it doesn't record it.
    >
    >Thanks,
    >
    >Paul
    >
    >

    Jason.Renard at Mail.Com

    Warning - all views expressed are my own.
    I cannot guarantee the accuracy of everything
    I've said - use it at your own risk.
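
One way to do the triage suggested in the reply above, as an added example that is not part of the original thread: group ARP observations by IP address and separate a one-time MAC change (such as a virtual IP moving between servers) from two MACs that keep alternating. The log format, the addresses, the verdict names and the "more than one change means conflict" rule are all assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample input: "epoch_seconds ip mac", one line per ARP reply seen.
SAMPLE = """\
1000 10.0.0.5 00:a0:c9:11:22:33
1010 10.0.0.9 00:10:5a:aa:bb:01
1020 10.0.0.7 00:d0:b7:00:00:01
1030 10.0.0.9 00:10:5a:aa:bb:02
1040 10.0.0.7 00:d0:b7:00:00:02
1050 10.0.0.9 00:10:5A:AA:BB:01
1060 10.0.0.7 00:d0:b7:00:00:02
1070 10.0.0.9 00:10:5a:aa:bb:02
1080 10.0.0.5 00:a0:c9:11:22:33
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples; MACs are lower-cased for comparison."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'ts ip mac', got {line!r}")
        yield int(parts[0]), parts[1], parts[2].lower()

def classify(observations):
    """Return {ip: {verdict, macs, changes, last_change}} from ARP observations."""
    history = defaultdict(list)  # ip -> [(ts, mac)] recorded only when the MAC changes
    for ts, ip, mac in sorted(observations):
        seq = history[ip]
        if not seq or seq[-1][1] != mac:
            seq.append((ts, mac))
    report = {}
    for ip, seq in history.items():
        changes = len(seq) - 1
        if changes == 0:
            verdict = "stable"    # one MAC throughout
        elif changes == 1:
            verdict = "moved"     # single hand-over; a stale sensor table may still alert
        else:
            verdict = "conflict"  # heuristic: ownership keeps changing, go find both hosts
        report[ip] = {"verdict": verdict, "macs": sorted({m for _, m in seq}),
                      "changes": changes, "last_change": seq[-1][0]}
    return report

if __name__ == "__main__":
    for ip, info in sorted(classify(parse(SAMPLE)).items()):
        print(ip, info["verdict"], ", ".join(info["macs"]), "last change:", info["last_change"])
```
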