I've seen 92 spoofing attempts reported in the logs in March.
Here is a section of the logs that looks particularly suspect.
At the very same second, two different interfaces are seeing the same source MAC address attempting to spoof two interfaces in my environment.
Important note: the interfaces reporting the spoof are the Astaro interfaces on two of my protected networks.
Can anyone make sense of this?
See 2007:03:16-11:27:12
2007:03:16-11:27:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32870" dstport="137"
2007:03:16-11:27:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32870" dstport="137"
2007:03:16-11:27:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32870" dstport="137"
2007:03:16-11:27:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" dstmac="00:13:46:e6:13:5e" srcmac="40:00:40:11:25:9c" srcip="10.1.1.2" dstip="10.1.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32870" dstport="137"
2007:03:16-11:27:13 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" dstmac="00:13:46:e6:13:5e" srcmac="40:00:40:11:25:9c" srcip="10.1.1.2" dstip="10.1.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32870" dstport="137"
2007:03:20-11:47:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32973" dstport="137"
2007:03:20-11:47:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32973" dstport="137"
2007:03:20-11:47:12 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth3" dstmac="00:0c:76:5e:00:b0" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32973" dstport="137"
2007:03:20-11:47:13 (none) ulogd[2533]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" initf="eth0" dstmac="00:13:46:e6:13:5e" srcmac="40:00:40:11:25:9c" srcip="10.1.1.2" dstip="10.1.255.255" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="32973" dstport="137"
Thanks for any insight.
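
An added example, not part of the original post: Python code that parses log lines in this format, lists the distinct interface, srcmac and srcip combinations seen at each timestamp, and checks whether the third and fourth srcmac bytes equal the logged ttl and proto values. The sample lines are abridged from the post; reading such a match as a hint that the srcmac field may not hold a real hardware address is an assumption, not something the post states.

```python
import re
from collections import defaultdict

# Constructed sample: three entries from the post, abridged to the fields used here.
SAMPLE = """\
2007:03:16-11:27:12 (none) ulogd[2533]: name="IP spoofing drop" initf="eth3" srcmac="40:00:40:11:26:99" srcip="10.3.0.1" dstip="10.3.255.255" proto="17" ttl="64" dstport="137"
2007:03:16-11:27:12 (none) ulogd[2533]: name="IP spoofing drop" initf="eth0" srcmac="40:00:40:11:25:9c" srcip="10.1.1.2" dstip="10.1.255.255" proto="17" ttl="64" dstport="137"
2007:03:16-11:27:13 (none) ulogd[2533]: name="IP spoofing drop" initf="eth0" srcmac="40:00:40:11:25:9c" srcip="10.1.1.2" dstip="10.1.255.255" proto="17" ttl="64" dstport="137"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields plus the leading timestamp, or None."""
    parts = line.split(None, 1)
    if len(parts) < 2:
        return None
    fields = dict(FIELD.findall(parts[1]))
    if fields.get("name") != "IP spoofing drop":
        return None
    fields["ts"] = parts[0]
    return fields

def srcmac_mirrors_ip_header(ev):
    """True when srcmac bytes 3 and 4 equal the logged ttl and proto values."""
    try:
        octets = [int(b, 16) for b in ev["srcmac"].split(":")]
        return (len(octets) == 6 and octets[2] == int(ev["ttl"])
                and octets[3] == int(ev["proto"]))
    except (KeyError, ValueError):
        return False

def summarize(text):
    """Map each timestamp to the distinct (initf, srcmac, srcip, mirrors) tuples."""
    seen = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            seen[ev["ts"]].add((ev.get("initf", ""), ev.get("srcmac", ""),
                                ev.get("srcip", ""), srcmac_mirrors_ip_header(ev)))
    return {ts: sorted(rows) for ts, rows in seen.items()}

if __name__ == "__main__":
    for ts, rows in summarize(SAMPLE).items():
        print(ts, rows)
```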