-<!-- @(#) $Id: arpwatch_rules.xml,v 1.9 2009/06/24 17:06:19 dcid Exp $
+<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
+
- Official Arpwatch rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<match>sent bad addr len</match>
<description>Arpwatch detected bad address len (ignored).</description>
</rule>
+
+ <rule id="7207" level="1">
+ <if_sid>7200</if_sid>
+ <match>/dev/bpf0: Permission denied</match>
+ <description>arpwatch probably run with wrong permissions</description>
+ </rule>
+
+ <rule id="7208" level="1">
+ <if_sid>7200</if_sid>
+ <match>reused old ethernet address</match>
+ <description>An IP has reverted to an old ethernet address.</description>
+ </rule>
+
+ <rule id="7209" level="7">
+ <if_sid>7200</if_sid>
+ <match>ethernet mismatch</match>
+ <description>Possible arpspoofing attempt.</description>
+ <group>ip_spoof,</group>
+ </rule>
+
+
+
</group> <!-- SYSLOG,arpwatch, -->