AnsweredAssumed Answered

ARP cache poisoning in a mapping scan?

Question asked by williamdou on Jan 30, 2013

Hi all,

 

We started mapping of our organization recently, and one of our IT team noticed that around the same time as the port scans Symantec is also registering ARP cache poisoning/spoofing attacks. I understand there are situations when this may have legitimate usage, but I don't understand why a Qualys mapping scan would be doing this (I would expect this to be done in a vulnerability scan), or why it would need to do some routing trick with it (we have a single appliance). Could it just be the way the appliance works as it directs packets across our private (and global) network? It's not documented (in the help file) as a discovery technique.

 

Thanks!

Outcomes