logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Checks for ARP anomalies from the host's viewpoint

Status: Approved Submitted by on ‎06-26-2019 12:31 AM

Description: Looks for ARP anomalies from the host's side.

What The Data Shows: Shows all ARP entries as well as the total entries on a host.

SQL: 

SELECT address, mac, COUNT(mac) AS mac_count 
FROM arp_cache 
WHERE mac NOT LIKE '01:00:5E%' 
AND mac NOT LIKE 'ff:ff:ff%'
GROUP BY mac HAVING count(mac) > 1;
Tags (1)
Comment
7 Comments
jnelson
Carbon Black Employee
‎06-26-2019 02:04 PM
‎06-26-2019 02:04 PM
Status changed to: Under Review

@mjomha what about filtering our multicast IPs and/or broadcast MACs?

mjomha
Contributor
‎06-26-2019 02:06 PM
‎06-26-2019 02:06 PM

Good idea. Let me give that a go and update the query. I was filtering within the Live Ops Gui, let me try adding that to the query.

mjomha
Contributor
‎06-26-2019 03:06 PM
‎06-26-2019 03:06 PM

Updated the query now it filters out broadcast and multicast addresses.

jnelson
Carbon Black Employee
‎06-27-2019 12:58 PM
‎06-27-2019 12:58 PM
Status changed to: Under Review

@mjomha you left off the HAVING count(mac) > 1 from your original query. Was this on purpose?

jnelson
Carbon Black Employee
‎06-27-2019 01:02 PM
‎06-27-2019 01:02 PM
Status changed to: Under Review

@mjomha you left off the HAVING count(mac) > 1 from your original query. Was this on purpose?

mjomha
Contributor
‎06-27-2019 01:03 PM
‎06-27-2019 01:03 PM

Thanks Jneslon for noticing. Accidentally deleted the last line.

 

Re-added it.


Thanks!

jnelson
Carbon Black Employee
‎06-27-2019 01:13 PM
‎06-27-2019 01:13 PM
Status changed to: Approved
 
logo