Imported Upstream version 2.7

[ossec-hids.git] / etc / rules / arpwatch_rules.xml

diff --git a/etc/rules/arpwatch_rules.xml b/etc/rules/arpwatch_rules.xml
index ac4e57a..f059f8b 100755 (executable)
--- a/etc/rules/arpwatch_rules.xml
+++ b/etc/rules/arpwatch_rules.xml
@@ -1,4 +1,5 @@
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
+
   -  Official Arpwatch rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
@@ -60,6 +61,28 @@
     <match>sent bad addr len</match>
     <description>Arpwatch detected bad address len (ignored).</description>
   </rule> 
+
+  <rule id="7207" level="1">
+    <if_sid>7200</if_sid>
+    <match>/dev/bpf0: Permission denied</match>
+    <description>arpwatch probably run with wrong permissions</description>
+  </rule>
+
+  <rule id="7208" level="1">
+    <if_sid>7200</if_sid>
+    <match>reused old ethernet address</match>
+    <description>An IP has reverted to an old ethernet address.</description>
+  </rule>
+
+  <rule id="7209" level="7">
+    <if_sid>7200</if_sid>
+    <match>ethernet mismatch</match>
+    <description>Possible arpspoofing attempt.</description>
+    <group>ip_spoof,</group>
+  </rule>
+
+
+
 </group> <!-- SYSLOG,arpwatch, -->