Thread: arpwatch event. Where does it go?

arpwatch event. Where does it go? | United States | 2007-08-17 18:58:56
So, I put arpwatch on my sensor. I have a couple questions.

1. Arpwatch by default logs its data to syslog, but it looks like by default the sensor is looking in /var/log/ossim/arpwatch.log. I changed the config for the sensor in

/etc/ossim/agent/plugins/arpwatch.cfg
location=/var/log/syslog

and now the sensor seems to have picked up arpwatch data.

2. Here is what the arpwatch sensor reports in /var/log/ossim/agent-plain.log

host-mac-event host="192.168.1.12" mac="0:c:29:b5:9d:6c" vendor="unknown" sensor="192.168.1.122" interface="eth0" date="2007-08-17 13:18:57" plugin_id="1512" plugin_sid="1" log="Aug 17 13:18:56 cienfuegos arpwatch: new station 192.168.1.12 0:c:29:b5:9d:6c eth0"

What does the agent now do with this information? Does it submit the data to a table in the OSSIM database? Is there a way that I can see this data from the web interface? Is there a correlation rule that uses the arpwatch data? At the moment, it is a mystery as to what OSSIM does with the ARPWATCH data.

brian
--
Brian Lavender
http://www.brie.com/brian/
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Os-sim-support mailing list
Os-sim-support lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/os-sim-support

Re: arpwatch event. Where does it go? | 2007-08-18 04:20:27
Hi Brian,

I still have to catch up with some of your mails, but let me answer this one first which has a quick && easy answer.

1. Usually arpwatch gets started by the agent instead of the system, that way it logs where it has to with the expected format. Try setting it back, killing it from init and letting ossim-agent start arpwatch.

2. Once the server gets MAC data, it compares it against previous entries for that IP address in the database. If there is one which is the same, the event is discarded. If the MAC addresses differ, an "anomaly" gets inserted and a "mac-change" event gets raised. This can be checked on "Control Panel -> anomalies" (there's a link to the full MAC inventory there too).

Additionally, there is a correlation directive that raises an alarm if a host with asset 4 or 5 changes its address.

As a side note, something similar happens to p0f and pads data with one big difference: only hosts that match an already defined asset (that is, host or network) get stored. The intention is to limit the amount of data that gets inserted into the database since p0f and pads by default alert about any host (internal or external).

Greetings,
Dominique
On 18.08.2007 at 01:58, Brian Lavender wrote:
> [...]
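The discard / anomaly / mac-change / alarm logic Dominique describes above, modelled in Python as an added example that is not OSSIM's own code: it parses host-mac-event lines of the shape quoted earlier in the thread, keeps an in-memory per-IP MAC table standing in for the database, and applies the "asset 4 or 5" rule of the correlation directive. The MacTracker class, the asset_of mapping and the sample lines are all constructed for the example and are not part of the project.

```python
"""
Added example (not OSSIM code): a stand-alone model of the server-side
MAC-change logic described in the reply above, run over agent-plain.log
lines of the shape shown earlier in the thread.

The dict ``host_mac`` stands in for OSSIM's per-IP MAC table and
``asset_of`` for the asset value configured per host in Policy->Hosts;
both are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# key="value" pairs as they appear in a host-mac-event line (format taken from the thread)
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_host_mac_event(line: str) -> dict:
    """Return the fields of one host-mac-event line, or {} if the line is something else."""
    if not line.startswith("host-mac-event"):
        return {}
    return dict(_KV.findall(line))


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, zero-padded form so '0:c:29:b5:9d:6c' == '00:0C:29:B5:9D:6C'."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.split(":"))


@dataclass
class MacTracker:
    host_mac: dict = field(default_factory=dict)   # ip -> last known MAC (stand-in for the DB table)
    asset_of: dict = field(default_factory=dict)   # ip -> asset value (stand-in for Policy->Hosts)
    anomalies: list = field(default_factory=list)  # what "Control Panel -> anomalies" would list
    alarms: list = field(default_factory=list)     # what the correlation directive would raise

    def process(self, line: str) -> str:
        """Apply the rules from the reply to one log line and report what happened."""
        ev = parse_host_mac_event(line)
        if not ev:
            return "ignored"
        ip, mac = ev["host"], normalize_mac(ev["mac"])
        previous = self.host_mac.get(ip)
        if previous is None:
            self.host_mac[ip] = mac          # first sighting of this IP: store it, no anomaly
            return "stored"
        if previous == mac:
            return "discarded"               # same MAC as the stored entry: event dropped
        # MAC differs from the stored one: insert an anomaly and raise a mac-change event
        self.host_mac[ip] = mac
        self.anomalies.append({"host": ip, "old": previous, "new": mac, "date": ev.get("date")})
        # correlation directive: an alarm only for hosts whose asset is 4 or 5
        if self.asset_of.get(ip) in (4, 5):
            self.alarms.append({"host": ip, "old": previous, "new": mac})
            return "mac-change+alarm"
        return "mac-change"


# Constructed sample: the "new station" line from the thread, a repeat of it with a
# later timestamp, and a "changed ethernet address" line adapted to the same host.
SAMPLE_LINES = [
    'host-mac-event host="192.168.1.12" mac="0:c:29:b5:9d:6c" vendor="unknown" '
    'sensor="192.168.1.122" interface="eth0" date="2007-08-17 13:18:57" '
    'plugin_id="1512" plugin_sid="1" log="Aug 17 13:18:56 cienfuegos arpwatch: '
    'new station 192.168.1.12 0:c:29:b5:9d:6c eth0"',
    'host-mac-event host="192.168.1.12" mac="0:c:29:b5:9d:6c" vendor="unknown" '
    'sensor="192.168.1.122" interface="eth0" date="2007-08-17 13:20:00" '
    'plugin_id="1512" plugin_sid="1" log="Aug 17 13:19:59 cienfuegos arpwatch: '
    'new station 192.168.1.12 0:c:29:b5:9d:6c eth0"',
    'host-mac-event host="192.168.1.12" mac="0:c:29:b5:9d:6e" vendor="unknown" '
    'sensor="192.168.1.122" interface="eth0" date="2007-08-20 14:17:26" '
    'plugin_id="1512" plugin_sid="2" log="arpwatch: changed ethernet address '
    '192.168.1.12 0:c:29:b5:9d:6e (0:c:29:b5:9d:6c) eth0"',
]


def run_sample(asset: int = 4) -> tuple:
    """Feed the constructed lines through a tracker where 192.168.1.12 has the given asset."""
    tracker = MacTracker(asset_of={"192.168.1.12": asset})
    results = [tracker.process(line) for line in SAMPLE_LINES]
    return results, tracker


if __name__ == "__main__":
    for asset in (4, 1):
        results, tracker = run_sample(asset)
        print(f"asset={asset}: {results}, anomalies={len(tracker.anomalies)}, alarms={len(tracker.alarms)}")
```

Running it with asset 4 gives stored, discarded, mac-change+alarm for the three lines; with asset 1 the third line still produces the anomaly and mac-change event but no alarm, which is the difference between the anomaly view and the correlation directive that the reply draws.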

Re: arpwatch event. Where does it go? | United States | 2007-08-20 17:00:18
Details below regarding arpwatch and problems with seeing anomalies.

On Sat, Aug 18, 2007 at 11:20:27AM +0200, Dominique Karg wrote:
> Hi Brian,
>
> I still have to catch up with some of your mails, but let me answer this one first which has a quick && easy answer.
>
> 1. Usually arpwatch gets started by the agent instead of the system, that way it logs where it has to with the expected format. Try setting it back, killing it from init and letting ossim-agent start arpwatch.

Got arpwatch started via the agent. Changing the interface to eth0 did the trick as was previously mentioned.

> 2. Once the server gets MAC data, it compares it against previous entries for that IP address in the database. If there is one which is the same, the event is discarded. If the MAC addresses differ, an "anomaly" gets inserted and a "mac-change" event gets raised. This can be checked on "Control Panel -> anomalies" (there's a link to the full MAC inventory there too).
>
> Additionally, there is a correlation directive that raises an alarm if a host with asset 4 or 5 changes its address.

I put an asset in Policy->Hosts for 192.168.1.12 and I gave it an asset ID number of 4. It originally had a MAC address of 00:0C:29:B5:9D:6D. Then I changed the MAC address of the host to 00:0C:29:B5:9D:6E. It's a VMware virtual machine. It looks like my sensor picked it up in /var/log/ossim/agent-plain.log with the following message.

host-mac-event host="192.168.1.12" mac="0:c:29:b5:9d:6e" vendor="unknown" sensor="192.168.1.122" interface="eth0" date="2007-08-20 14:17:26" plugin_id="1512" plugin_sid="2" log="arpwatch: changed ethernet address 192.168.1.12 0:c:29:b5:9d:6e (0:c:29:b5:9d:6d) eth0"

But it doesn't seem to show up in Control Panel -> anomalies.

It shows up in the server log which runs on 192.168.1.120 in /var/log/ossim/server.log

2007-08-20 14:16:35 OSSIM-Message: Event received: event id="0" alarm="0" type="detector" date="2007-08-20 14:17:26" plugin_id="1512" plugin_sid="2" src_ip="192.168.1.12" dst_ip="0.0.0.0" sensor="192.168.1.122" interface="eth0" protocol="Host_ARP_Event" asset_src="1" asset_dst="1" data="0:c:29:b5:9d:6d|VMWare --> 00:0C:29:B5:9D:6E|unknown" userdata1="00:0C:29:B5:9D:6E" userdata2="unknown"

Now I am just trying to figure out why it doesn't show up in Control Panel -> anomalies.

Any ideas?

brian
> [...]
--
Brian Lavender
http://www.brie.com/brian/

Re: arpwatch event. Where does it go? | 2007-08-21 08:25:47
The messages shown in /var/log/ossim/server.log are correct; at first sight, everything is ok.

Maybe you don't have the plugin identification inserted in the DB. I mean: do you see the plugin 1512 (arpwatch) in Configuration->plugins?

If it's not there (we changed in this release the way all the plugins are loaded), try to load it:

# cd /usr/share/doc/ossim-mysql/contrib/plugins
# cat arpwatch.sql p0f.sql pads.sql pam_unix.sql rrd.sql ssh.sql sudo.sql nmap-monitor.sql ossim-monitor.sql | mysql -u root ossim -p

If it's there, then you could check the DB to see if the data is inserted, or whether there is some problem in the communication between server & DB. The table which stores MAC information is ossim.host_mac.

If it doesn't work, please, could you start the ossim-server with the -D6 flag (debug), and post here or send me the server.log? I can check if something seems wrong somewhere.

Alberto.
2007/8/21, Brian Lavender <brian brie.com>:
> [...]

Re: arpwatch event. Where does it go? | United States | 2007-08-21 17:36:17
On Tue, Aug 21, 2007 at 03:25:47PM +0200, Alberto Roman wrote:
> The messages shown in /var/log/ossim/server.log are correct; at first sight, everything is ok.
>
> Maybe you don't have the plugin identification inserted in the DB. I mean: do you see the plugin 1512 (arpwatch) in Configuration->plugins?
>
> If it's not there (we changed in this release the way all the plugins are loaded), try to load it:
>
> # cd /usr/share/doc/ossim-mysql/contrib/plugins
> # cat arpwatch.sql p0f.sql pads.sql pam_unix.sql rrd.sql ssh.sql sudo.sql nmap-monitor.sql ossim-monitor.sql | mysql -u root ossim -p

Ok, the plugins are starting to show. I am running
There are a number of key violations for the snort plugin sql. uniq snort.sql will likely eliminate the key violations.

/usr/share/doc/ossim-mysql/contrib/plugins/snort.sql

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 1, 201, NULL, 'Spade: Closed dest port used');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 102, 201, NULL, 'Spade: Rare dest port used');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 3, 201, NULL, 'Spade: Non-live dest used');
1104, 4
1104, 5
1104, 6
1104, 101
1105, 1
1117, 1

brian
> [...]
--
Brian Lavender
http://www.brie.com/brian/
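An added example (Python, not one of the OSSIM contrib scripts) for the plugin-loading step in Alberto's reply and the duplicate-key violations Brian reports above: it scans a plugin .sql file for INSERT INTO plugin_sid statements whose (plugin_id, sid) pair repeats, which is the kind of duplicate that makes mysql complain when the file is piped in, and produces a copy keeping only the first statement per key. The function names, the regex and the sample SQL (the thread's three snort.sql lines plus one deliberately repeated key) are constructed for this example; the check keys on (plugin_id, sid) rather than on identical lines, so repeated keys whose names differ are caught too.

```python
"""
Added example (not part of the OSSIM contrib plugin scripts): find and remove
repeated (plugin_id, sid) keys in the INSERT INTO plugin_sid statements of a
plugin .sql file before it is piped into mysql.
"""
import re

# Column order as used in the thread's snort.sql lines: (plugin_id, sid, ...).
# The regex is an assumption of this example, matching one statement per line.
_INSERT = re.compile(
    r"INSERT\s+INTO\s+plugin_sid\s*\(\s*plugin_id\s*,\s*sid\s*,[^)]*\)"
    r"\s*VALUES\s*\(\s*(\d+)\s*,\s*(\d+)\s*,",
    re.IGNORECASE,
)


def plugin_sid_key(statement: str):
    """Return (plugin_id, sid) for a plugin_sid INSERT, or None for any other line."""
    m = _INSERT.search(statement)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def find_duplicate_keys(sql_text: str) -> dict:
    """Map each (plugin_id, sid) that appears more than once to its 1-based line numbers."""
    seen = {}
    for lineno, line in enumerate(sql_text.splitlines(), start=1):
        key = plugin_sid_key(line)
        if key is not None:
            seen.setdefault(key, []).append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def dedupe_plugin_sid(sql_text: str) -> str:
    """Drop later INSERTs whose (plugin_id, sid) was already emitted; keep all other lines."""
    emitted = set()
    out = []
    for line in sql_text.splitlines():
        key = plugin_sid_key(line)
        if key is not None:
            if key in emitted:
                continue          # duplicate primary key: skip, first occurrence wins
            emitted.add(key)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the three statements quoted in the thread plus one repeated key
# that is not adjacent to its twin.
SAMPLE_SQL = """\
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 1, 201, NULL, 'Spade: Closed dest port used');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 102, 201, NULL, 'Spade: Rare dest port used');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 3, 201, NULL, 'Spade: Non-live dest used');
-- constructed: the first key again, separated from its twin by other rows
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name) VALUES (1104, 1, 201, NULL, 'Spade: Closed dest port used');
"""


if __name__ == "__main__":
    for key, lines in sorted(find_duplicate_keys(SAMPLE_SQL).items()):
        print(f"duplicate plugin_sid key {key} on lines {lines}")
    print(dedupe_plugin_sid(SAMPLE_SQL), end="")
```

To use it on a real file, read the .sql into a string, run find_duplicate_keys on it to see what would collide, and pipe the output of dedupe_plugin_sid into mysql instead of the original file.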

Re: arpwatch event. Where does it go? | United States | 2007-08-21 19:26:22
On Sat, Aug 18, 2007 at 11:20:27AM +0200, Dominique Karg wrote:
> Hi Brian,
>
> I still have to catch up with some of your mails, but let me answer this one first which has a quick && easy answer.
>
> 1. Usually arpwatch gets started by the agent instead of the system, that way it logs where it has to with the expected format. Try setting it back, killing it from init and letting ossim-agent start arpwatch.
>
> 2. Once the server gets MAC data, it compares it against previous entries for that IP address in the database. If there is one which is the same, the event is discarded. If the MAC addresses differ, an "anomaly" gets inserted and a "mac-change" event gets raised. This can be checked on "Control Panel -> anomalies" (there's a link to the full MAC inventory there too).

I have good news. I just succeeded at detecting a changed MAC address. The loading of the sql for the plugins did the trick.
--
Brian Lavender
http://www.brie.com/brian/