Log Analysis PBQs: CompTIA Network+ (N10-009)
Easy: Question 1 of 3
You are a network administrator who just received an alert from the managed switch on VLAN 10. Multiple workstations are reporting intermittent connectivity issues. The switch management console is showing ARP table warnings about duplicate IP-to-MAC mappings. Review the network logs, flag all entries related to the ARP anomaly, and classify the incident.
Objectives
- Review switch and IDS logs for ARP anomalies on VLAN 10
- Flag all log entries related to the ARP spoofing activity
- Classify the type of network security incident
- Identify the attacker's MAC address
- Recommend the most appropriate immediate response action
Security Event Log
| Flag | Time | Severity | Source | Message |
|---|---|---|---|---|
| | 13:00:00 | INFO | system | Switch SW-CORE-01 VLAN 10: port Gi0/1 link up -- workstation 192.168.10.20 (MAC: aa:bb:cc:11:22:33) |
| | 13:02:00 | INFO | system | DHCP lease renewed: 192.168.10.20 to MAC aa:bb:cc:11:22:33 -- lease time 8 hours |
| | 13:05:30 | WARN | system | ARP table conflict on SW-CORE-01: IP 192.168.10.1 (gateway) mapped to MAC dd:ee:ff:44:55:66 -- expected MAC: 00:11:22:33:44:55 |
| | 13:05:35 | ALERT | ids | ARP spoofing detected: gratuitous ARP from MAC dd:ee:ff:44:55:66 claiming IP 192.168.10.1 on VLAN 10 |
| | 13:06:00 | WARN | system | ARP table conflict on SW-CORE-01: IP 192.168.10.1 flapping between MAC 00:11:22:33:44:55 and dd:ee:ff:44:55:66 |
| | 13:06:30 | INFO | system | Uplink check: SW-CORE-01 trunk port to router R1 operating normally |
| | 13:07:15 | WARN | firewall | Traffic redirection detected: packets from 192.168.10.20 to 10.0.0.5 being routed through 192.168.10.50 (MAC dd:ee:ff:44:55:66) |
| | 13:08:00 | INFO | system | Spanning tree: SW-CORE-01 VLAN 10 root bridge stable, no topology changes |
| | 13:09:00 | ALERT | ids | Man-in-the-middle risk: ARP spoof from MAC dd:ee:ff:44:55:66 (port Gi0/5) impersonating gateway 192.168.10.1 |
| | 13:10:30 | INFO | system | NTP sync completed: SW-CORE-01 synchronized to 10.0.0.2 |
| | 13:11:00 | WARN | system | Client 192.168.10.35 reporting DNS resolution failures -- default gateway MAC mismatch |
| | 13:13:00 | INFO | system | Port Gi0/8 link up: printer 192.168.10.100 (MAC: 11:22:33:aa:bb:cc) online |
| | 13:15:00 | INFO | system | SNMP polling: SW-CORE-01 CPU 12%, memory 45% -- within normal parameters |
13 total entries.
Incident Analysis

