I have a strange issue with a product called AlienVault/Ossim.
For those of you who are unfamiliar with this tool - This machine basically runs a vulnerability tests on whichever network you configure it to be.
Now I have allowed this machine to scan my entire network.. The tool works fine.
However - When I try to run an asset scan(A scan which tells me how many hosts the machine found and resolved its IP to its FQDN) it gives me false positives hits on my DMZ network.
Meaning - In a non DMZ network if I have 5 hosts in a range of 100... It will show in the result only the relevant 5
In the DMZ however - It will show the entire 100 hosts...
In the article of the manufactur it states that this is due to Proxy ARP:
But I do not have any special NAT on my DMZ... Moreover I have a No_Nat rule for all my entire local networks.
From what I can see in the logs, on a non-DMZ network there are only 7 hits(ICMP,80,443)
On the DMZ there are hundreds of logs(For a specific non-existing host) but all of them with the "Connection terminated before detection: Insufficient data passed.
To learn more see sk113479."
I would really appreciate if someone could explain to me what is this weird behavior and how to bypass it... And if I should cancel it all together.