/rules/50_arpwatch_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 66 lines · 42 code · 10 blank · 14 comment · 0 complexity · 0e0476addd472964be26ec7cb3a6513d MD5 · raw file

  1. <!-- @(#) $Id: arpwatch_rules.xml,v 1.10 2010/03/04 20:12:33 dcid Exp $
  2. - Official Arpwatch rules for OSSEC.
  3. -
  4. - Copyright (C) 2009 Trend Micro Inc.
  5. - All rights reserved.
  6. -
  7. - This program is a free software; you can redistribute it
  8. - and/or modify it under the terms of the GNU General Public
  9. - License (version 2) as published by the FSF - Free Software
  10. - Foundation.
  11. -
  12. - License details: http://www.ossec.net/en/licensing.html
  13. -->
  14. <group name="syslog,arpwatch,">
  15. <rule id="7200" level="0" noalert="1">
  16. <decoded_as>arpwatch</decoded_as>
  17. <description>Grouping of the arpwatch rules.</description>
  18. </rule>
  19. <rule id="7201" level="4">
  20. <if_sid>7200</if_sid>
  21. <options>alert_by_email</options>
  22. <if_fts />
  23. <description>Arpwatch new host detected.</description>
  24. <group>new_host,</group>
  25. </rule>
  26. <rule id="7202" level="9">
  27. <if_sid>7200</if_sid>
  28. <match>flip flop </match>
  29. <description>Arpwatch "flip flop" message. </description>
  30. <description>IP address/MAC relation changing too often.</description>
  31. <group>ip_spoof,</group>
  32. </rule>
  33. <rule id="7203" level="3">
  34. <if_sid>7200</if_sid>
  35. <match>reaper: pid </match>
  36. <description>Arpwatch exiting.</description>
  37. <group>service_availability,</group>
  38. </rule>
  39. <rule id="7204" level="9">
  40. <if_sid>7200</if_sid>
  41. <match>changed ethernet address </match>
  42. <description>Changed network interface for ip address.</description>
  43. <group>ip_spoof,</group>
  44. </rule>
  45. <rule id="7205" level="0">
  46. <if_sid>7200</if_sid>
  47. <match>bad interface eth0|exiting|Running as </match>
  48. <description>Arpwatch startup/exiting messages.</description>
  49. </rule>
  50. <rule id="7206" level="0">
  51. <if_sid>7200</if_sid>
  52. <match>sent bad addr len</match>
  53. <description>Arpwatch detected bad address len (ignored).</description>
  54. </rule>
  55. </group> <!-- SYSLOG,arpwatch, -->
  56. <!-- EOF -->