<!-- @(#) $Id: arpwatch_rules.xml,v 1.10 2010/03/04 20:12:33 dcid Exp $
  -  Official Arpwatch rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
                            

<group name="syslog,arpwatch,">
  <rule id="7200" level="0" noalert="1">
    <decoded_as>arpwatch</decoded_as>
    <description>Grouping of the arpwatch rules.</description>
  </rule>

  <rule id="7201" level="4">
    <if_sid>7200</if_sid>
    <options>alert_by_email</options>
    <if_fts />
    <description>Arpwatch new host detected.</description>
    <group>new_host,</group>
  </rule>
                  
  <rule id="7202" level="9">
    <if_sid>7200</if_sid>
    <match>flip flop </match>
    <description>Arpwatch "flip flop" message. </description>
    <description>IP address/MAC relation changing too often.</description>
    <group>ip_spoof,</group>
  </rule>

  <rule id="7203" level="3">
    <if_sid>7200</if_sid>
    <match>reaper: pid </match>
    <description>Arpwatch exiting.</description>
    <group>service_availability,</group>
  </rule>
 
  <rule id="7204" level="9">
    <if_sid>7200</if_sid>
    <match>changed ethernet address </match>
    <description>Changed network interface for ip address.</description>
    <group>ip_spoof,</group>
  </rule> 
 
  <rule id="7205" level="0">
    <if_sid>7200</if_sid>
    <match>bad interface eth0|exiting|Running as </match>
    <description>Arpwatch startup/exiting messages.</description>
  </rule> 

  <rule id="7206" level="0">
    <if_sid>7200</if_sid>
    <match>sent bad addr len</match>
    <description>Arpwatch detected bad address len (ignored).</description>
  </rule> 
</group> <!-- SYSLOG,arpwatch, -->


<!-- EOF -->