Yes, arpwatch is supported. I actually use it to monitor the MAC/IP relation on my network, so it is currently working and tested. By default it logs to /var/log/messages and it should just work by default. Let us know if you have any problems.

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/6/06, gentuxx <[EMAIL PROTECTED]> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] wrote:
>
> Hi !
>
> I'm somewhat concerned about ARP spoofing on a switched network, especially
> because of ettercap:
> - http://www.securitypronews.com/securitypronews-24-20030623EtterCapARPSpoofingandBeyond.html
> - http://www.secuobs.com/news/04102006-ettercap.shtml (It's in French, I
> didn't find something equivalent...)
>
> Ettercap is capable of man-in-the-middle attacks (SSL, SSHv1) and
> capable of sniffing switched networks.
>
> So, my question: "Is OSSEC capable of looking at logs given by tools
> like arpwatch and detecting suspicious changes?"
>
> Thanks.
>
> Sioban.
>
I don't know if arpwatch is specifically supported.  If not, I'm
guessing that you might be able to set something up like the nmap
monitoring[1].  If you could submit log samples of arpwatch[2], or
sample output if it doesn't log, then a decoder could be written for it.

[1]  http://www.ossec.net/wiki/index.php/Tutorials:Nmap_Correlation
[2]  http://www.ossec.net/wiki/index.php/Log_Samples

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJntXTPA54hjTSp4RAkg5AJ4uQlh6rdimYin1ToH0zuUgWWC6GACeLVxH
1rN5hVGPwKG4/OA/Ye74JYA=
=2oKg
-----END PGP SIGNATURE-----
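An added example, not part of this thread and not one of OSSEC's own decoders or rules: a small Python script that parses arpwatch lines of the kind Daniel mentions landing in /var/log/messages and flags the binding changes an ARP-spoofing scenario like the one Sioban describes would produce. The sample log is constructed and follows the message shapes arpwatch normally logs ("new station", "changed ethernet address", "flip flop"); exact wording varies between arpwatch versions, so check the regex against your own log before reusing it. The function names, the flip-flop threshold and the "one MAC claiming several IPs" heuristic are my assumptions, not anything from OSSEC or arpwatch.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages, not a real capture. The arpwatch lines follow
# the message shapes arpwatch normally logs ("new station", "changed ethernet address",
# "flip flop"); exact wording can differ between versions, so verify against your own log.
SAMPLE_LOG = """\
Oct  6 10:01:02 gw arpwatch: new station 192.168.1.1 0:11:22:33:44:1
Oct  6 10:01:05 gw arpwatch: new station 192.168.1.20 0:11:22:33:44:20
Oct  6 10:01:07 gw arpwatch: new station 192.168.1.30 0:11:22:33:44:30
Oct  6 10:15:40 gw arpwatch: changed ethernet address 192.168.1.1 0:11:22:33:44:30 (0:11:22:33:44:1)
Oct  6 10:15:41 gw arpwatch: flip flop 192.168.1.1 0:11:22:33:44:1 (0:11:22:33:44:30)
Oct  6 10:15:43 gw arpwatch: flip flop 192.168.1.1 0:11:22:33:44:30 (0:11:22:33:44:1)
Oct  6 10:20:00 gw sshd[123]: Accepted publickey for ops from 192.168.1.20 port 51000
"""

MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
ARPWATCH_RE = re.compile(
    r"arpwatch(?:\[\d+\])?:\s+"
    r"(?P<event>new station|new activity|changed ethernet address|flip flop|bogon)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>" + MAC + r")"
    r"(?:\s+\((?P<old_mac>" + MAC + r")\))?"
)

# Events that mean an IP's MAC binding moved, which is what ARP spoofing looks like to arpwatch.
BINDING_CHANGE_EVENTS = {"changed ethernet address", "flip flop"}


def normalize_mac(mac):
    """arpwatch omits leading zeros (0:11:22:33:44:1); pad to the usual 00:11:... form."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_line(line):
    """Return a dict for an arpwatch event line, or None for any other syslog line."""
    m = ARPWATCH_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["mac"] = normalize_mac(ev["mac"])
    ev["old_mac"] = normalize_mac(ev["old_mac"]) if ev["old_mac"] else None
    return ev


def analyze(log_text, flip_flop_threshold=2, allowlist=()):
    """Walk the log once and return a list of alert dicts in log order.

    flip_flop_threshold: how many flip flops on one IP before escalating to 'high'
    (assumed value; tune it for your network). allowlist: MACs that legitimately hold
    several IPs (routers, VRRP, virtualization hosts) and must not trigger the
    multi-IP heuristic.
    """
    mac_to_ips = defaultdict(set)   # every IP each MAC has been seen answering for
    flip_flops = defaultdict(int)   # flip-flop count per IP
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, mac, event = ev["ip"], ev["mac"], ev["event"]
        mac_to_ips[mac].add(ip)
        if event not in BINDING_CHANGE_EVENTS:
            continue  # "new station" is the baseline, not a change
        alerts.append({"level": "medium", "event": event, "ip": ip,
                       "mac": mac, "old_mac": ev["old_mac"]})
        if event == "flip flop":
            flip_flops[ip] += 1
            if flip_flops[ip] == flip_flop_threshold:
                alerts.append({"level": "high", "event": "repeated flip flop",
                               "ip": ip, "count": flip_flops[ip]})
        # A MAC already known for another IP that now takes over this one is the
        # classic spoofing signature: one host answering for the gateway and itself.
        if len(mac_to_ips[mac]) > 1 and mac not in allowlist:
            alerts.append({"level": "high", "event": "mac claims multiple ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def count_by_level(alerts):
    """Summarise alerts as {level: count}."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["level"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises three medium alerts for the three binding changes on 192.168.1.1 and three high ones: twice because 00:11:22:33:44:30 is now answering for both 192.168.1.30 and 192.168.1.1, and once because the IP flip-flopped twice. Passing that MAC in allowlist drops the multi-IP alerts, which is what you would do for a real gateway or VRRP pair. In OSSEC terms the regex corresponds to the decoder and the level logic to the rules; the point of the multi-IP check is that a single "changed ethernet address" can be a legitimate NIC swap, while one MAC absorbing a second IP it was never assigned rarely is.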
