ARP Guardian is a real-time ARP-spoofing detection and reversible mitigation platform. Distributed Rust sensors, a Go correlator, an editorial-grade operator console — and an honest coverage badge on every sensor so you know what you're really seeing.
# single-line sensor install on any Linux host
$ curl -fsSL https://your-controller/install-sensor.sh \
    | sudo bash -s -- \
    --controller https://your-controller \
    --token CEE6-4HH6-RK36-2VBD
[install] downloading sensor binary ... ✓
[install] running enroll ... ✓
[install] running 15s coverage check ...
============================================================
Frames seen : 14482
unicast to OTHERS : 10195 ← decisive signal
Unique source MACs : 10
============================================================
verdict : FULL coverage ✓
Sees unicast between other hosts.
Likely cause: vSwitch promisc / SPAN port / TAP.
Deterministic baseline checks (Tier 1), bind-flip + protected-IP rules (Tier 2), and entropy / storm anomaly windows (Tier 3). Each tier produces independent evidence so the correlator can rate confidence honestly.
L1 corrective ARP restores the truth binding on every observer; L2 NAC quarantine kicks the attacker off the switch port. Every action has a TTL and a one-click revert.
Every sensor reports what it actually sees — full / partial / broadcast-only / silent — so you know whether your unicast-dependent rules even run. No silent degradation when SPAN breaks.
One small host-agent per protected node. No SPAN port required, no managed switch required, works on cloud VPCs where promiscuous mode is forbidden. Centralized SPAN deployment also supported.
Pick the widgets that matter to your role — SOC overview, network health, compliance. Layouts persist per browser. Or write your own widget.
Every action by every user — login, role change, policy edit, mitigation — is universal-audited and CSV-exportable. Incident forensics bundles are HMAC-signed.
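The Tier 2 bind-flip and protected-IP rules named among the detection tiers above can be sketched as follows. This is an added example, not ARP Guardian's own code: it assumes a bind-flip means an ARP sender claiming an IP whose first-seen MAC differs, and the names `BindTable`, `BindFlip` and `sample_arp`, as well as all addresses, are constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};
use std::convert::TryInto;
type Mac = [u8; 6];
type Ip = [u8; 4];

#[derive(Debug, PartialEq)]
struct BindFlip { ip: Ip, old: Mac, new: Mac, protected: bool }

struct BindTable {
    baseline: HashMap<Ip, Mac>, // first-seen IP -> MAC, assumed trustworthy
    protected: HashSet<Ip>,     // e.g. default gateway, DNS
}

impl BindTable {
    fn new(protected: &[Ip]) -> Self {
        Self { baseline: HashMap::new(), protected: protected.iter().copied().collect() }
    }
    /// Feed one raw Ethernet frame (14-byte header + 28-byte ARP body). A flip never overwrites the baseline.
    fn observe(&mut self, frame: &[u8]) -> Option<BindFlip> {
        if frame.len() < 42 || frame[12..14] != [0x08u8, 0x06] { return None; } // EtherType ARP
        let arp = &frame[14..42];
        if arp[..6] != [0u8, 1, 8, 0, 6, 4] { return None; } // Ethernet/IPv4 ARP only
        let new: Mac = arp[8..14].try_into().ok()?; // sender hardware address
        let ip: Ip = arp[14..18].try_into().ok()?;  // sender protocol address
        if ip == [0, 0, 0, 0] { return None; }      // ARP probe claims no binding
        match self.baseline.get(&ip).copied() {
            None => { self.baseline.insert(ip, new); None }
            Some(old) if old == new => None,
            Some(old) => Some(BindFlip { ip, old, new, protected: self.protected.contains(&ip) }),
        }
    }
}

/// Constructed sample input: broadcast ARP reply announcing that `ip` is at `mac`.
fn sample_arp(mac: Mac, ip: Ip) -> Vec<u8> {
    let mut f = vec![0xffu8; 6];                                // Ethernet dst
    f.extend_from_slice(&mac);                                  // Ethernet src
    f.extend_from_slice(&[0x08, 0x06, 0, 1, 8, 0, 6, 4, 0, 2]); // EtherType, ARP header, op=2
    f.extend_from_slice(&mac);                                  // ARP sender MAC
    f.extend_from_slice(&ip);                                   // ARP sender IP
    f.extend_from_slice(&[0; 10]);                              // target MAC + IP
    f
}

fn main() {
    let mut t = BindTable::new(&[[10, 0, 0, 1]]);
    t.observe(&sample_arp([0x02, 0, 0, 0, 0, 0x01], [10, 0, 0, 1])); // learn gateway
    println!("{:?}", t.observe(&sample_arp([0x02, 0, 0, 0, 0, 0x66], [10, 0, 0, 1])));
}
```

Because the baseline is kept after a flip, the original binding stays available as the value a corrective action would restore.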
attacker (lab-only) ─► ens33 ─► Rust sensor (AF_PACKET, Tier 1/2/3)
│
▼ detection NDJSON
NATS JetStream
▼
Go correlator (entity graph + multi-evidence)
▼
Mitigation (L0 alert · L1 corrective ARP · L2 NAC)
▼
PostgreSQL ── Go API ── React/TS operator console
└─► Telegram · SIEM (CEF + ECS)
For any Ubuntu/Debian host. The installer downloads the binary, runs enrollment with a one-time token, and runs a 15-second coverage check so you know what your sensor actually sees.
curl -fsSL https://arpguardian.meirlan.ru/install-sensor.sh \
| sudo bash -s -- \
--controller https://YOUR-CONTROLLER \
--token YOUR-TOKEN
View installer script
The Go API + embedded React console + Postgres + NATS. Single Docker Compose for the lab; bare-metal / Kubernetes for production.
git clone https://github.com/<org>/arpocalypse-2.0
cd arpocalypse-2.0
make controller-up
Source on GitHub
Standalone Rust binary. Hand-rolled HMAC-SHA-256, AF_PACKET via libc only, no pcap dependency. ~700 KB.
MIT licensed. Rust sensor, Go API + correlator + mitigation, React/TypeScript SPA, Python control tools.
Stand up the controller and one sensor in about 10 minutes.
System diagram, data flow, components, schema, ports.
One-liner installer reference, what each command does, what to check.
Distributed / SPAN / hybrid models with Cisco, Aruba, Juniper, VMware, KVM, Hyper-V configs.
SOC workflows — triage, contain, recover, post-mortem.
RBAC, threat model, safety invariants, audit trail.
Every endpoint, every payload, every auth requirement.
How to extend — new detection rules, new mitigation actuators, new sensors.
Test strategy, commands, eval datasets, fuzz harness.
Open the docs and follow the quickstart. Lab requires four Linux hosts (or VMs) on one VLAN. Production is one host-agent per protected node.
Quickstart guide