<!-- @(#) $Id: ./etc/rules/arpwatch_rules.xml, 2011/09/08 dcid Exp $
  -
  -  Official Arpwatch rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
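<group name="syslog,arpwatch,">
  <!--
    Rules for events decoded as arpwatch. Rule 7200 is a silent parent
    (level 0, noalert) that claims every arpwatch event; each rule below is
    chained to it with if_sid 7200, so its match string is only tried against
    arpwatch output and never against unrelated syslog lines.

    NOTE(review): the listing this block was taken from had line numbers
    fused into the text and had dropped the if_sid and closing rule lines
    (visible as gaps in that numbering). They are restored here; confirm
    against the upstream arpwatch_rules.xml before deploying.
  -->
  <rule id="7200" level="0" noalert="1">
    <decoded_as>arpwatch</decoded_as>
    <description>Grouping of the arpwatch rules.</description>
  </rule>

  <!-- First sighting of a host on the monitored segment. Low level, but
       mailed so that unexpected devices get reviewed. -->
  <rule id="7201" level="4">
    <if_sid>7200</if_sid>
    <options>alert_by_email</options>
    <!-- NOTE(review): the match line was missing from the listing. "new station"
         is the arpwatch report for a first-seen host; verify against upstream.
         Without a match this rule would claim every arpwatch event. -->
    <match>new station</match>
    <description>Arpwatch new host detected.</description>
    <group>new_host,</group>
  </rule>

  <!-- An IP address keeps alternating between two MAC addresses. Seen with ARP
       cache poisoning, but also with duplicate IP assignments and failover
       pairs; rule those out during triage. The alert text is split across two
       description elements, hence the trailing space in the first one. -->
  <rule id="7202" level="9">
    <if_sid>7200</if_sid>
    <match>flip flop </match>
    <description>Arpwatch "flip flop" message. </description>
    <description>IP address/MAC relation changing too often.</description>
    <group>ip_spoof,</group>
  </rule>

  <!-- arpwatch is shutting down. While it is stopped, none of the ip_spoof
       rules in this group can fire, so treat an unplanned exit as a
       monitoring gap. -->
  <rule id="7203" level="3">
    <if_sid>7200</if_sid>
    <match>reaper: pid </match>
    <description>Arpwatch exiting.</description>
    <group>service_availability,</group>
  </rule>

  <!-- A known IP address is now answered by a different MAC address. Benign
       causes include a replaced NIC or a reassigned DHCP lease. -->
  <rule id="7204" level="9">
    <if_sid>7200</if_sid>
    <match>changed ethernet address </match>
    <description>Changed network interface for ip address.</description>
    <group>ip_spoof,</group>
  </rule>

  <!-- Silences routine start and stop chatter. The interface name eth0 is
       hard-coded in the first alternative, so the same message for another
       interface is not covered by it. -->
  <rule id="7205" level="0">
    <if_sid>7200</if_sid>
    <match>bad interface eth0|exiting|Running as </match>
    <description>Arpwatch startup/exiting messages.</description>
  </rule>

  <!-- Malformed address length reported by arpwatch; deliberately ignored. -->
  <rule id="7206" level="0">
    <if_sid>7200</if_sid>
    <match>sent bad addr len</match>
    <description>Arpwatch detected bad address len (ignored).</description>
  </rule>

  <!-- arpwatch could not open its capture device. Level 1 only, yet it means
       ARP traffic is not being watched until the permissions are fixed. -->
  <rule id="7207" level="1">
    <if_sid>7200</if_sid>
    <match>/dev/bpf0: Permission denied</match>
    <description>arpwatch probably run with wrong permissions</description>
  </rule>

  <!-- An IP address went back to a MAC address it used earlier. -->
  <rule id="7208" level="1">
    <if_sid>7200</if_sid>
    <match>reused old ethernet address</match>
    <description>An IP has reverted to an old ethernet address.</description>
  </rule>

  <!-- The MAC address in the Ethernet header differs from the one carried
       inside the ARP packet, which a normally behaving host does not do. -->
  <rule id="7209" level="7">
    <if_sid>7200</if_sid>
    <match>ethernet mismatch</match>
    <description>Possible arpspoofing attempt.</description>
    <group>ip_spoof,</group>
  </rule>

</group> <!-- syslog,arpwatch, -->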