ARP Spoof Inspector Overview
Type: Inspector (network)
Usage: Inspect
Instance Type: Singleton
Other Inspectors Required: None
Enabled:
Address Resolution Protocol (ARP) is a stateless communication protocol used within a single network for address resolution. When exchanging requests and responses, ARP does not provide authentication between hosts.
ARP spoofing is a type of man-in-the-middle attack that uses ARP within a Local Area Network (LAN). An attacker alters the communication to a host by intercepting messages intended for a specific host's media access control (MAC) address.
The arp_spoof inspector analyzes ARP packets and detects unicast ARP requests. To detect ARP cache overwrite attacks, the ARP Spoof inspector identifies inconsistent Ethernet-to-IP mapping.
If enabled, the arp_spoof inspector:
- Inspects the Ethernet addresses and the addresses in the ARP packets. When an inconsistency occurs, the inspector uses rule 112:2 or rule 112:3 to generate alerts and, in an inline deployment, drops offending packets.
- Checks for unicast ARP requests. If a unicast ARP request is detected, the inspector uses rule 112:1 to generate alerts and, in an inline deployment, drops offending packets.
- If the hosts[] parameter is specified, uses that information to detect ARP cache overwrite attacks. If such an attack is detected, the inspector uses rule 112:4 to generate alerts and, in an inline deployment, drops offending packets.
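The three checks above can be reproduced in a few dozen lines to see exactly what each rule fires on. The following is an added illustration, not Snort's arp_spoof code: it parses an Ethernet II + ARP frame, applies the unicast-request check, the Ethernet-vs-ARP address consistency checks, and a configured host-to-MAC table that stands in for the hosts[] parameter, and returns the matching rule IDs. The assignment of 112:2 to the source-address mismatch and 112:3 to the destination-address mismatch on replies is an assumption for this example; the page only states that one of the two is used. All frames and addresses are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6


@dataclass
class ArpFrame:
    eth_dst: bytes   # Ethernet destination MAC
    eth_src: bytes   # Ethernet source MAC
    op: int          # 1 = request, 2 = reply
    sha: bytes       # ARP sender hardware address
    spa: bytes       # ARP sender protocol (IPv4) address
    tha: bytes       # ARP target hardware address
    tpa: bytes       # ARP target protocol (IPv4) address


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying Ethernet/IPv4 ARP; None if it is not one."""
    if len(frame) < 14 + 28:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    return ArpFrame(eth_dst, eth_src, op,
                    body[0:6], body[6:10], body[10:16], body[16:20])


def inspect_arp(frame: bytes, hosts: Dict[bytes, bytes]) -> List[str]:
    """Return the gid:sid rule IDs the checks on this page would raise.

    hosts maps an IPv4 address (4 bytes) to the MAC it is expected to use,
    standing in for the inspector's hosts[] parameter.
    """
    arp = parse_arp_frame(frame)
    alerts: List[str] = []
    if arp is None:
        return alerts
    # 112:1 - an ARP request that is not sent to the broadcast address.
    if arp.op == ARP_REQUEST and arp.eth_dst != BROADCAST:
        alerts.append("112:1")
    # 112:2 - Ethernet source MAC disagrees with the ARP sender hardware address.
    if arp.eth_src != arp.sha:
        alerts.append("112:2")
    # 112:3 - on replies, Ethernet destination MAC disagrees with the ARP target
    # hardware address (assumed mapping of the two rule IDs, see lead-in).
    if arp.op == ARP_REPLY and arp.eth_dst != arp.tha:
        alerts.append("112:3")
    # 112:4 - a configured host's IP is claimed by a MAC other than the one configured,
    # which is what an ARP cache overwrite attempt looks like on the wire.
    expected = hosts.get(arp.spa)
    if expected is not None and arp.sha != expected:
        alerts.append("112:4")
    return alerts


def build_arp(eth_dst: bytes, eth_src: bytes, op: int,
              sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build a raw Ethernet/IPv4 ARP frame (constructed test input)."""
    return (eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + tha + tpa)


# Constructed sample addresses (locally administered MACs, private IPs).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_X = bytes.fromhex("0200000000ee")   # the inconsistent / unexpected MAC
IP_A = bytes([10, 0, 0, 1])
IP_B = bytes([10, 0, 0, 2])
HOSTS = {IP_A: MAC_A}                   # IP_A is known to belong to MAC_A


def demo() -> Dict[str, List[str]]:
    """Run the checks over constructed frames; keyed by scenario name."""
    return {
        "broadcast_request": inspect_arp(
            build_arp(BROADCAST, MAC_B, ARP_REQUEST, MAC_B, IP_B, b"\0" * 6, IP_A), HOSTS),
        "unicast_request": inspect_arp(
            build_arp(MAC_A, MAC_B, ARP_REQUEST, MAC_B, IP_B, b"\0" * 6, IP_A), HOSTS),
        "reply_src_mismatch": inspect_arp(
            build_arp(MAC_B, MAC_A, ARP_REPLY, MAC_X, IP_A, MAC_B, IP_B), HOSTS),
        "reply_claims_known_ip": inspect_arp(
            build_arp(MAC_B, MAC_X, ARP_REPLY, MAC_X, IP_A, MAC_B, IP_B), HOSTS),
    }


if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name:24s} -> {rules or 'no alert'}")
```

Note that the hosts table only covers IPs it has been told about: the reply in the "reply_claims_known_ip" scenario is internally consistent at the Ethernet/ARP level and would pass the 112:2/112:3 checks alone, which is why the page recommends configuring hosts[] for the addresses that matter.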