 1<!-- @(#) $Id: arpwatch_rules.xml,v 1.10 2010/03/04 20:12:33 dcid Exp $
 2  -  Official Arpwatch rules for OSSEC.
 3  -
 4  -  Copyright (C) 2009 Trend Micro Inc.
 5  -  All rights reserved.
 6  -
 7  -  This program is a free software; you can redistribute it
 8  -  and/or modify it under the terms of the GNU General Public
 9  -  License (version 2) as published by the FSF - Free Software
10  -  Foundation.
11  -
12  -  License details: http://www.ossec.net/en/licensing.html
13  -->
14                            
15
<!-- Arpwatch rule set.
  -  Every rule below chains off 7200 through if_sid, so a log line only
  -  reaches these rules after the "arpwatch" decoder has claimed it.
  -  7200 itself is level 0 with noalert, so any arpwatch message that no
  -  child rule matches is dropped silently.
  -  Tune levels by overriding the rule id in local_rules.xml rather than
  -  editing this file; the shipped copy is normally replaced on upgrade.
  -->
<group name="syslog,arpwatch,">
  <!-- Parent/grouping rule: matches everything decoded as arpwatch.
    -  Never alerts on its own (level 0, noalert); only exists as an anchor
    -  for the if_sid children. -->
  <rule id="7200" level="0" noalert="1">
    <decoded_as>arpwatch</decoded_as>
    <description>Grouping of the arpwatch rules.</description>
  </rule>

  <!-- First-time-seen host (if_fts): fires once for each host the first time
    -  it shows up in arpwatch output. alert_by_email forces an e-mail even
    -  though level 4 is below the configured e-mail alert level.
    -  Expect a burst of these right after arpwatch or OSSEC is first deployed
    -  on a busy segment, before the FTS store has learned the existing hosts. -->
  <rule id="7201" level="4">
    <if_sid>7200</if_sid>
    <options>alert_by_email</options>
    <if_fts />
    <description>Arpwatch new host detected.</description>
    <group>new_host,</group>
  </rule>

  <!-- "flip flop": arpwatch saw the IP-to-MAC mapping oscillating between two
    -  addresses. Level 9 / ip_spoof because this is the classic ARP-poisoning
    -  (man-in-the-middle) symptom; it can also be produced by HA/VRRP pairs,
    -  duplicate-IP mistakes or a misbehaving DHCP server, so tune the level
    -  per environment in local_rules.xml.
    -  NOTE(review): two description elements are present and are meant to be
    -  read as one message. Whether the rule parser concatenates them or keeps
    -  only the last one depends on the OSSEC version, so the alert text may be
    -  just "IP address/MAC relation changing too often." Confirm on your build. -->
  <rule id="7202" level="9">
    <if_sid>7200</if_sid>
    <match>flip flop </match>
    <description>Arpwatch "flip flop" message. </description>
    <description>IP address/MAC relation changing too often.</description>
    <group>ip_spoof,</group>
  </rule>

  <!-- Matches the literal "reaper: pid " prefix.
    -  NOTE(review): in arpwatch that message looks like the daemon reaping a
    -  child process (e.g. the report mailer), not the daemon itself shutting
    -  down; the literal "exiting" message is matched by 7205 below at level 0.
    -  Confirm against arpwatch's syslog output before relying on this rule
    -  for service-availability monitoring. -->
  <rule id="7203" level="3">
    <if_sid>7200</if_sid>
    <match>reaper: pid </match>
    <description>Arpwatch exiting.</description>
    <group>service_availability,</group>
  </rule>

  <!-- "changed ethernet address": a known IP now appears with a different MAC.
    -  Level 9 / ip_spoof since a one-off MAC change for a stable IP is how an
    -  ARP spoof first shows up. Legitimate causes (NIC replacement, DHCP lease
    -  reassignment, VM migration, some failover setups) produce the same
    -  message, so expect to tune this in local_rules.xml. -->
  <rule id="7204" level="9">
    <if_sid>7200</if_sid>
    <match>changed ethernet address </match>
    <description>Changed network interface for ip address.</description>
    <group>ip_spoof,</group>
  </rule>

  <!-- Startup/shutdown noise, silenced at level 0.
    -  "bad interface eth0" is matched on the literal interface name: a failure
    -  on any other interface is not matched here and falls through to 7200
    -  (also silent). Either way, "bad interface" presumably means arpwatch
    -  could not open its capture interface, i.e. it is NOT monitoring the
    -  segment. If that should be visible, raise this rule's level in
    -  local_rules.xml instead of editing it here. -->
  <rule id="7205" level="0">
    <if_sid>7200</if_sid>
    <match>bad interface eth0|exiting|Running as </match>
    <description>Arpwatch startup/exiting messages.</description>
  </rule>

  <!-- "sent bad addr len": arpwatch reported an ARP frame with a bad address
    -  length and ignored it. Dropped (level 0) as normally benign noise.
    -  NOTE(review): malformed ARP frames can also come from scanners or
    -  crafted-packet tools; consider a low nonzero level if you want them
    -  visible for correlation. -->
  <rule id="7206" level="0">
    <if_sid>7200</if_sid>
    <match>sent bad addr len</match>
    <description>Arpwatch detected bad address len (ignored).</description>
  </rule>
</group> <!-- SYSLOG,arpwatch, -->
64
65
66<!-- EOF -->