ARP cache poisoning attack
Pfipps
November 6th, 2007, 04:09 AM
I am on a college network and keep on logging "ARP cache poisoning attack." Could this be a false positive? It keeps on logging it at least once every 20 seconds. I might have to notify the IT department.
Pfipps
November 6th, 2007, 04:13 AM
Is some snoop trying to see what other people are doing on my network? Hell, they might be looking at this message right now.
MasterTB
November 6th, 2007, 09:48 AM
Maybe another PC on the network has some bot/trojan on it. Maybe it is your NIC that is malfunctioning.
It happened to me that I kept getting "DNS cache poisoning attack"; it was not an attack, nor was it ESS, it was my router that was sending the wrong information.
Sorry I can't be more specific, but I'm no expert in the matter.
Pfipps
November 6th, 2007, 03:56 PM
I also notice that there is no IP or port information for the ARP attack, so I really don't know where it is coming from. Are there any IT experts at Eset who know how the firewall and local networks work? How would my NIC be malfunctioning? The NIC driver maybe?
I read that many network sniffers use this poisoning.
mvdu
November 6th, 2007, 05:47 PM
I still got that during my short evaluation of ESS. I'm waiting until the problem with images is fixed to consider trying it again. I would get the ARP cache poisoning alert, and there was no info. except for 0 for the port (I think it was that at least.) I also have a router.
Pfipps
November 7th, 2007, 12:26 AM
Are you on a local network, or do you use an ISP, broadband or not?
NOD32 user
November 7th, 2007, 12:35 AM
ARP is sent on a broadcast address in the format described at http://www.erg.abdn.ac.uk/users/gorry/eg3561/inet-pages/arp.html:{QUOTE-> The arp request message ("who is X.X.X.X tell Y.Y.Y.Y", where X.X.X.X and Y.Y.Y.Y are IP addresses) is sent using the Ethernet broadcast address, and an Ethernet protocol type of value 0x806. Since it is broadcast, it is received by all systems in the same collision domain (LAN). This ensures that if the target of the query is connected to the network, it will receive a copy of the query. Only this system responds. The other systems discard the packet silently.
The target system forms an arp response ("X.X.X.X is hh:hh:hh:hh:hh:hh", where hh:hh:hh:hh:hh:hh is the Ethernet source address of the computer with the IP address of X.X.X.X). This packet is unicast to the address of the computer sending the query (in this case Y.Y.Y.Y). Since the original request also included the hardware address (Ethernet source address) of the requesting computer, this is already known, and doesn't require another arp message to find this out.
<-QUOTE}If any of the information in the request is seen to be incorrect for the segment, then this could be seen as an attack attempt.
Maybe your router is forwarding ARP requests from the internet?
HTH
Cheers :)
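As an added example (not part of the thread and not ESET's detection logic), the request/reply exchange quoted above, built and parsed as raw Ethernet/ARP frames, followed by the two checks a host-based "ARP cache poisoning" rule typically keys on: a reply that nobody requested, and a reply that moves an already-learned IP to a different MAC. The MAC and IP addresses are made up, and the frames are constructed in the script with struct rather than captured. Note that an unsolicited (gratuitous) reply is also sent legitimately, for example by a router announcing a failover, which is one reason such alerts can be false positives; ARP also carries no IP ports at all, which is why the log shows none.

```python
"""Added example: construct, parse and watch ARP frames for poisoning symptoms.

Not code from the thread or from ESET. All addresses below are made up and the
frames are built locally with struct; nothing is captured from a real network.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806                      # EtherType for ARP (0x806 in the quote)
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Arp:
    eth_src: str   # Ethernet source address of the frame
    eth_dst: str   # Ethernet destination (broadcast for requests)
    op: int        # 1 = request ("who has"), 2 = reply ("is-at")
    sha: str       # sender hardware (MAC) address
    spa: str       # sender protocol (IP) address
    tha: str       # target hardware address
    tpa: str       # target protocol address


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: Optional[str] = None) -> bytes:
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    if eth_dst is None:
        # Requests go to the broadcast address; replies are unicast to the asker.
        eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Return the decoded ARP fields, or None if this is not an IPv4/Ethernet ARP frame."""
    if len(frame) < 14 + 28:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return Arp(mac_str(eth_src), mac_str(eth_dst), op,
               mac_str(body[0:6]), ip_str(body[6:10]),
               mac_str(body[10:16]), ip_str(body[16:20]))


class ArpWatcher:
    """Passive detector in the style of arpwatch: learn IP->MAC from replies and alert on changes."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}              # ip -> mac learned from replies
        self.pending: set[tuple[str, str]] = set()   # (asker_ip, asked_ip) of outstanding requests

    def observe(self, frame: bytes) -> list[str]:
        alerts: list[str] = []
        pkt = parse_arp(frame)
        if pkt is None:
            return alerts
        if pkt.op == ARP_REQUEST:
            self.pending.add((pkt.spa, pkt.tpa))
            return alerts
        if pkt.op != ARP_REPLY:
            return alerts
        # A reply whose ARP sender MAC disagrees with the frame's Ethernet source is forged.
        if pkt.sha != pkt.eth_src:
            alerts.append(f"ARP sender MAC {pkt.sha} differs from Ethernet source {pkt.eth_src} for {pkt.spa}")
        # A reply should answer a request we saw: (asker, asked) == (target, sender) of the reply.
        if (pkt.tpa, pkt.spa) in self.pending:
            self.pending.discard((pkt.tpa, pkt.spa))
        else:
            alerts.append(f"unsolicited ARP reply: {pkt.spa} is-at {pkt.sha} (no matching request)")
        known = self.table.get(pkt.spa)
        if known is not None and known != pkt.sha:
            # Keep the first-learned mapping so a single forged reply cannot overwrite it.
            alerts.append(f"ARP cache poisoning: {pkt.spa} changed from {known} to {pkt.sha}")
        else:
            self.table[pkt.spa] = pkt.sha
        return alerts


def demo() -> list[str]:
    """Made-up LAN: a victim, its gateway, and an attacker claiming the gateway's IP."""
    w = ArpWatcher()
    victim_mac, victim_ip = "aa:bb:cc:00:00:01", "10.0.0.5"
    gw_mac, gw_ip = "aa:bb:cc:00:00:fe", "10.0.0.1"
    attacker_mac = "de:ad:be:ef:00:99"
    alerts: list[str] = []
    # Legitimate exchange exactly as in the quote: "who is 10.0.0.1 tell 10.0.0.5" / "10.0.0.1 is-at ...".
    alerts += w.observe(build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip))
    alerts += w.observe(build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip))
    # Attacker sends a reply nobody asked for, binding the gateway IP to its own MAC.
    alerts += w.observe(build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip))
    return alerts


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Run as a script, the demo prints one "unsolicited ARP reply" line and one "ARP cache poisoning" line for the attacker's frame and nothing for the legitimate pair. Real tooling would read frames from a raw socket or pcap rather than build them, and would age out the learned table so that a genuine hardware replacement does not alert forever.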
Pfipps
November 7th, 2007, 02:22 AM
I don't have a router though. Apparently, there are two possibilities with me being on a college network: the ESS firewall is giving a false positive or there is someone on my local network snooping around. I even got an inbound connection request (svchost.exe) for the port used by llmnr (Link-Local Multicast Name Resolution) from a local user on my network, not a designated DNS server or anything like that. Since I am in interactive mode, I just blocked that particular address. Still, does that show there is anything wrong?
NOD32 user
November 7th, 2007, 02:50 AM
So far as I can see from the information you have provided here, it seems your ESS is working well and doing its job :)
Cheers :)
Pfipps
November 7th, 2007, 03:11 AM
11/6/2007 11:59:50 PM Communication denied by rule *.*.*.*:54746 239.255.255.250:1900 UDP Deny traffic for svchost.exe(2) c:\windows\system32\svchost.exe NT AUTHORITY\LOCAL SERVICE
I don't quite understand this. When I got the dialogue it said it was attempting to connect to my pc, but the address says "239.255.255.250," which is not my pc. Am I blocking something routine?
The "*.*.*.*" is another user on my network.
MasterTB
November 7th, 2007, 04:32 AM
{QUOTE-> Am I blocking something routine?
The "*.*.*.*" is another user on my network. <-QUOTE}
Probably, yes.
NOD32 user
November 7th, 2007, 04:36 AM
239.255.255.250 is a broadcast (multicast) address and it is common for a PC to listen on this address but that doesn't mean necessarily that you want all of the traffic sent on it.
Cheers :)
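As an added example (not from the thread and not ESET's own parser), a small script that reads firewall log lines of the shape quoted above and decides whether the blocked destination is a multicast group the PC itself listens on, which is routine LAN discovery chatter, or a unicast address aimed at this host. The first line is the one quoted in the thread with its source left redacted as on the page; the remaining lines are constructed for the example. The service table maps the well-known multicast groups and ports for SSDP/UPnP (239.255.255.250 UDP 1900), LLMNR (224.0.0.252 UDP 5355) and mDNS (224.0.0.251 UDP 5353).

```python
"""Added example: classify ESS-style "Communication denied by rule" log lines.

Not code from the thread or from ESET. LOG[0] is the line quoted in the thread
(source address redacted as on the page); the other lines are constructed here.
"""
import ipaddress
import re

# (destination, protocol, port) -> service name for common link-local multicast traffic.
KNOWN_MULTICAST = {
    ("239.255.255.250", "UDP", 1900): "SSDP (UPnP device discovery)",
    ("224.0.0.252", "UDP", 5355): "LLMNR (link-local name resolution)",
    ("224.0.0.251", "UDP", 5353): "mDNS",
}

# "<date> <time> <AM|PM> <event text> <src>:<sport> <dst>:<dport> <PROTO> <rule/process/user detail>"
# The source may be redacted as *.*.*.*, so it is matched loosely and never parsed as an address.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<event>.+?) "
    r"(?P<src>[\d.*]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>[A-Z]+) (?P<detail>.+)$"
)

LOG = [
    # quoted from the thread, source redacted as on the page
    "11/6/2007 11:59:50 PM Communication denied by rule *.*.*.*:54746 239.255.255.250:1900 UDP "
    "Deny traffic for svchost.exe(2) c:\\windows\\system32\\svchost.exe NT AUTHORITY\\LOCAL SERVICE",
    # constructed: LLMNR query from another LAN host to the LLMNR multicast group
    "11/7/2007 12:01:13 AM Communication denied by rule 10.20.30.41:49152 224.0.0.252:5355 UDP "
    "Deny traffic for svchost.exe(2) c:\\windows\\system32\\svchost.exe NT AUTHORITY\\NETWORK SERVICE",
    # constructed: unicast SMB connection attempt aimed directly at this PC's LAN address
    "11/7/2007 12:02:05 AM Communication denied by rule 10.20.30.42:3389 10.20.30.7:445 TCP "
    "Deny traffic for System System NT AUTHORITY\\SYSTEM",
]


def classify(line: str) -> dict:
    """Parse one log line and explain what kind of destination was blocked."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    f = m.groupdict()
    dst = ipaddress.ip_address(f["dst"])
    port = int(f["dport"])
    service = KNOWN_MULTICAST.get((str(dst), f["proto"], port))
    if dst.is_multicast:
        verdict = ("multicast group traffic: the PC saw it because it listens on the group, "
                   "not because it was singled out")
    elif dst.is_private:
        verdict = "unicast to a LAN address: something tried to reach this host directly"
    else:
        verdict = "unicast to a non-private address"
    return {
        "timestamp": f"{f['date']} {f['time']}",
        "src": f["src"],
        "dst": str(dst),
        "proto": f["proto"],
        "dport": port,
        "multicast": dst.is_multicast,
        "service": service or "unknown",
        "verdict": verdict,
    }


def summarize(lines: list[str]) -> dict:
    """Count how many denied lines were multicast noise versus unicast attempts."""
    results = [classify(l) for l in lines]
    return {
        "multicast": sum(1 for r in results if r["multicast"]),
        "unicast": sum(1 for r in results if not r["multicast"]),
        "services": sorted({r["service"] for r in results if r["multicast"]}),
    }


if __name__ == "__main__":
    for r in map(classify, LOG):
        print(f"{r['timestamp']}  {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']}  "
              f"[{r['service']}]  {r['verdict']}")
    print(summarize(LOG))
```

The point of the split is triage: a denied packet to 239.255.255.250:1900 from a neighbour is that neighbour's UPnP discovery reaching every subscriber of the group and says nothing about this PC specifically, whereas a denied unicast packet to the host's own address is a direct attempt worth looking at.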
mvdu
November 7th, 2007, 02:14 PM
I'm on broadband and on a home network. Since there's hardly any info., I don't know what ESS is picking up.
MasterTB
November 7th, 2007, 02:27 PM
{QUOTE-> I'm on broadband and on a home network. Since there's hardly any info., I don't know what ESS is picking up. <-QUOTE}
You should send a ticket to Eset Support. If you have Wireshark you could capture some packets and send them too. That is what they asked me to do when I had a similar problem with RC1 of ESS.
mvdu
November 7th, 2007, 03:31 PM
So what was the problem in your case? I'm afraid I only know how to send Eset a description of the issue.
MasterTB
November 7th, 2007, 06:40 PM
My problem was that ESS detected a repeated DNS cache poisoning attack coming from my router's IP. I assumed it was ESS since I had been using Kerio (which has its own IDS system and never saw that kind of message).
The result was that after sending Eset a support ticket and capturing some packets with Wireshark, they found out that the problem was my router, which was handling bad DNS responses.
That is why I would advise you to contact support; maybe it is your own NIC that is the problem and ESS is telling you.
That is also why I like the firewall, no other software firewall I ever used was able to tell me this and now I have managed to solve the problem with my router and everything works just fine.
Copyright ©2002 - 2009, Wilders Security Forums