Probe: arp_bogon
Monitors ARP requests for IP addresses in non-whitelisted networks. This can be used to trigger events when the source or destination IP address in an ARP request does not belong to the connected network(s).
Inspected Packets
This probe looks for packets with the following characteristics:
- EtherType: ARP
- ARP operation (OPER): ARP request
Configuration
probes:
  arp_bogon:
    # enable this probe
    enable: true
    # list of prefixes that are connected
    prefixes:
      - 192.0.2.0/24
See also: schema description
Events
Name | Description |
---|---|
ARP_BOGON_SOURCE | the source IP address is not covered by prefixes |
ARP_BOGON_TARGET | the target IP address is not covered by prefixes |