Hi Shawn, On Thu, Jan 6, 2011 at 5:26 PM, Jefferson, Shawn <[email protected]> wrote: > I was thinking of setting up an ARP cache check with OSSEC that would check > for duplicate ARP entries. Thinking about it, I think on Windows a vbscript > is probably the best way. On Linux, bash script I guess? I was going to > use the file-diff checking that OSSEC can do. > > Has anyone done this already, or know of a better/different way to do this? > >
I don't know if it'll do exactly what you're wanting, but arpwatch logs are supported. You could also write the script and use the full_command option to execute it and alert on the output.
