/rules/50_arpwatch_rules.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 66 lines · 42 code · 10 blank · 14 comment · 0 complexity · 0e0476addd472964be26ec7cb3a6513d MD5 · raw file
- <!-- @(#) $Id: arpwatch_rules.xml,v 1.10 2010/03/04 20:12:33 dcid Exp $
- - Official Arpwatch rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
- <group name="syslog,arpwatch,">
- <rule id="7200" level="0" noalert="1">
- <decoded_as>arpwatch</decoded_as>
- <description>Grouping of the arpwatch rules.</description>
- </rule>
- <rule id="7201" level="4">
- <if_sid>7200</if_sid>
- <options>alert_by_email</options>
- <if_fts />
- <description>Arpwatch new host detected.</description>
- <group>new_host,</group>
- </rule>
-
- <rule id="7202" level="9">
- <if_sid>7200</if_sid>
- <match>flip flop </match>
- <description>Arpwatch "flip flop" message. </description>
- <description>IP address/MAC relation changing too often.</description>
- <group>ip_spoof,</group>
- </rule>
- <rule id="7203" level="3">
- <if_sid>7200</if_sid>
- <match>reaper: pid </match>
- <description>Arpwatch exiting.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="7204" level="9">
- <if_sid>7200</if_sid>
- <match>changed ethernet address </match>
- <description>Changed network interface for ip address.</description>
- <group>ip_spoof,</group>
- </rule>
-
- <rule id="7205" level="0">
- <if_sid>7200</if_sid>
- <match>bad interface eth0|exiting|Running as </match>
- <description>Arpwatch startup/exiting messages.</description>
- </rule>
- <rule id="7206" level="0">
- <if_sid>7200</if_sid>
- <match>sent bad addr len</match>
- <description>Arpwatch detected bad address len (ignored).</description>
- </rule>
- </group> <!-- SYSLOG,arpwatch, -->
- <!-- EOF -->