1 <!-- @(#) $Id: arpwatch_rules.xml,v 1.9 2009/06/24 17:06:19 dcid Exp $
2 - Official Arpwatch rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
<!-- OSSEC rule group for arpwatch log messages. Every rule below carries the
     group tags "syslog" and "arpwatch".
     NOTE(review): the embedded line numbering has gaps, so this listing does
     not show every line of the original file. Closing </rule> tags and any
     parent-rule links (if_sid) are not visible here; confirm against the
     full file before editing or deploying. -->
16 <group name="syslog,arpwatch,">
<!-- 7200: base rule. Fires on any event decoded as "arpwatch"; level 0 with
     noalert="1", so it produces no alert of its own. Presumably the rules
     below chain from it; the linking lines are not shown in this listing. -->
17 <rule id="7200" level="0" noalert="1">
18 <decoded_as>arpwatch</decoded_as>
19 <description>Grouping of the arpwatch rules.</description>
<!-- 7201: new host seen on the monitored segment (level 4, tagged new_host).
     alert_by_email requests an e-mail for this rule. The pattern that selects
     the message is not visible in this listing.
     Triage: compare the new address against the asset inventory; an unknown
     device on a server or management VLAN deserves a follow-up. -->
22 <rule id="7201" level="4">
24 <options>alert_by_email</options>
26 <description>Arpwatch new host detected.</description>
27 <group>new_host,</group>
<!-- 7202: arpwatch "flip flop" message (level 9, tagged ip_spoof). The
     descriptions state that the IP/MAC relation is changing too often, which
     is a common symptom of ARP spoofing but also of failover pairs or
     address reuse; keep a list of known benign pairs when tuning.
     The trailing space inside <match> is part of the pattern.
     NOTE(review): two <description> elements; presumably OSSEC joins them,
     confirm. -->
30 <rule id="7202" level="9">
32 <match>flip flop </match>
33 <description>Arpwatch "flip flop" message. </description>
34 <description>IP address/MAC relation changing too often.</description>
35 <group>ip_spoof,</group>
<!-- 7203: arpwatch process exiting (level 3, tagged service_availability).
     While arpwatch is down the ARP alerts in this file cannot fire, so an
     unexpected stop is a monitoring gap worth checking. -->
38 <rule id="7203" level="3">
40 <match>reaper: pid </match>
41 <description>Arpwatch exiting.</description>
42 <group>service_availability,</group>
<!-- 7204: an IP address is now seen with a different ethernet address
     (level 9, tagged ip_spoof). Legitimate causes include NIC replacement
     and address reassignment; verify the new MAC before dismissing. -->
45 <rule id="7204" level="9">
47 <match>changed ethernet address </match>
48 <description>Changed network interface for ip address.</description>
49 <group>ip_spoof,</group>
<!-- 7205: level 0, so matching startup/exit chatter raises no alert.
     The pattern is three alternatives separated by "|". The first names eth0
     literally, so the same message for another interface is not covered.
     NOTE(review): "exiting" is a broad substring; confirm it does not
     silence messages that should alert. -->
52 <rule id="7205" level="0">
54 <match>bad interface eth0|exiting|Running as </match>
55 <description>Arpwatch startup/exiting messages.</description>
<!-- 7206: level 0, so "sent bad addr len" messages are deliberately
     ignored, as the description states. -->
58 <rule id="7206" level="0">
60 <match>sent bad addr len</match>
61 <description>Arpwatch detected bad address len (ignored).</description>
63 </group> <!-- SYSLOG,arpwatch, -->