1 Reply Latest reply on Aug 17, 2017 3:49 PM by jrouviere

    Broadcast Poisoning Monitoring


      Has anyone set up LEM rules to monitor for broadcast poisoning?

      I am unable to find canned rules in LEM, and would like to see how others are addressing this.  Perhaps I'm just missing something that should be there...



        • Re: Broadcast Poisoning Monitoring

          Rules (including the built-in Templates) live under Build -> Rules in the web console.


          Add a rule to LEM - SolarWinds Worldwide, LLC. Help and Support


          I don't see any existing rules relating to Broadcast Poisoning specifically, so a couple of things:


          1)  You will want to know/keep in mind that rules for the LEM are event driven.

          2)  For networking nodes the information is going to be sent to the LEM via a Syslog or SNMP trap.


          If you have a device in your environment that will log an event and send it to the LEM about Broadcast Poisoning, it should be an easy thing to help set up the rule.  Do you have this data already and can find it in nDepth?


          If it's not event driven, what information are you looking for to determine this situation exists in your environment?


          Depending on what you're trying to monitor for in the first place, you could find other related issues by using existing Template rules. For example, the Suspicious DNS Traffic rule could help you capture machines that are talking to an unapproved DNS server, which could be one of the components of an attack like this.

          1 of 1 people found this helpful
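
The event-driven check described in the reply above (machines talking to an unapproved DNS server), as an added example that is not part of the original thread and is not LEM's own rule logic. The approved resolver addresses, the key=value syslog layout and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: the resolvers this network is supposed to use.
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample syslog lines (key=value firewall style), not real logs.
SAMPLE_LOG = """\
Aug 17 15:40:01 fw01 kernel: ACCEPT SRC=10.0.5.21 DST=10.0.0.53 PROTO=UDP SPT=50111 DPT=53
Aug 17 15:40:02 fw01 kernel: ACCEPT SRC=10.0.5.22 DST=10.0.5.99 PROTO=UDP SPT=50112 DPT=53
Aug 17 15:40:03 fw01 kernel: ACCEPT SRC=10.0.5.22 DST=10.0.5.99 PROTO=UDP SPT=50113 DPT=53
Aug 17 15:40:04 fw01 kernel: ACCEPT SRC=10.0.5.23 DST=10.0.0.10 PROTO=TCP SPT=50114 DPT=443
Aug 17 15:40:05 fw01 kernel: ACCEPT SRC=10.0.5.24 DST=10.0.5.99 PROTO=TCP SPT=50115 DPT=53
Aug 17 15:40:06 fw01 sshd[811]: Accepted publickey for admin from 10.0.5.30
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_event(line):
    """Return the connection fields of one syslog line, or None if it is not a flow event."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields


def unapproved_dns(lines, approved=APPROVED_DNS):
    """Map each source host to the unapproved DNS servers it contacted and how often."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        # Only DNS traffic (port 53 over UDP or TCP) is relevant to this check.
        if ev is None or ev["DPT"] != "53" or ev["PROTO"] not in ("UDP", "TCP"):
            continue
        if ev["DST"] not in approved:
            hits[ev["SRC"]][ev["DST"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(unapproved_dns(SAMPLE_LOG.splitlines()).items()):
        for dst, count in sorted(dsts.items()):
            print(f"ALERT {src} sent {count} DNS queries to unapproved server {dst}")
```

Several clients converging on the same unapproved server is the pattern worth triaging first.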