-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
+
- Official Arpwatch rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<match>sent bad addr len</match>
<description>Arpwatch detected bad address len (ignored).</description>
</rule>
+
+ <rule id="7207" level="1">
+ <if_sid>7200</if_sid>
+ <match>/dev/bpf0: Permission denied</match>
+ <description>arpwatch probably run with wrong permissions</description>
+ </rule>
+
+ <rule id="7208" level="1">
+ <if_sid>7200</if_sid>
+ <match>reused old ethernet address</match>
+ <description>An IP has reverted to an old ethernet address.</description>
+ </rule>
+
+ <rule id="7209" level="7">
+ <if_sid>7200</if_sid>
+ <match>ethernet mismatch</match>
+ <description>Possible arpspoofing attempt.</description>
+ <group>ip_spoof,</group>
+ </rule>
+
+
+
</group> <!-- SYSLOG,arpwatch, -->