mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
e82962e4a7
* create schema/tables, add yaml schema tables
* Update osquery-table-details.ejs
* Generate schema from schema/tables/ folder
* Create generate-yaml-tables-from-json.js
* update created table files
* update fleet override validation
* update error messages, add fleetRepoUrl
* Delete generate-yaml-tables-from-json.js
* Update osquery-table-details.ejs
* Update whitespace in table examples
* Revert "Update osquery-table-details.ejs"
  This reverts commit 2e9d63208f59997d492375ebaf1d0ec7e4afe468.
* add YAML tables generated from updated Fleet schema
* lint fixes
* update arp_cache and docker_containers tables
24 lines
973 B
YAML
name: arp_cache
examples: >-
  List the content of the ARP cache.

  ```

  SELECT address, interface, mac FROM arp_cache;

  ```

  On systems located in an office or datacenter, you can use this to watch for network attacks by checking for gateway IPs that do not have the expected MAC address. This could indicate an [ARP spoofing](https://en.wikipedia.org/wiki/ARP_spoofing) attack, in which an attacker that controls a system on the LAN attempts to funnel all remote traffic through it so they can inspect it.

  ```

  SELECT * FROM arp_cache WHERE address IN (INSERT_GATEWAY_IPS) AND mac NOT IN (INSERT_EXPECTED_MAC_ADDRESSES);

  ```
notes: >-
  * The first six hex digits of a MAC address are the [Organizationally Unique
  Identifier
  (OUI)](https://en.wikipedia.org/wiki/Organizationally_unique_identifier).

  * You can look up the manufacturer and model via the MAC address using a tool like [wireshark OUI lookup](https://www.wireshark.org/tools/oui-lookup.html).
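The gateway check from the examples above, worked through as an added example rather than code from the Fleet schema file: osquery serves its tables through SQLite, so the same SQL runs over an in-memory copy of `arp_cache` built from constructed rows, with the `INSERT_GATEWAY_IPS` / `INSERT_EXPECTED_MAC_ADDRESSES` placeholders filled from an assumed site inventory. MACs are normalized before comparing so a notation difference (case, `-` separators) does not raise a false alert, and the OUI from the notes is extracted from any hit.

```python
import sqlite3

# Constructed rows shaped like osquery's arp_cache (address, interface, mac);
# not captured from a real host.
SAMPLE_ARP_CACHE = [
    ("192.168.1.1", "eth0", "aa:bb:cc:11:22:33"),    # gateway, expected MAC
    ("192.168.1.23", "eth0", "de:ad:be:ef:00:01"),   # ordinary host, ignored
    ("192.168.1.254", "eth0", "00:11:22:33:44:55"),  # gateway, MAC not on allow-list
    ("10.0.0.1", "wlan0", "AA-BB-CC-44-55-66"),      # gateway, expected MAC, other notation
]
# Assumed site inventory standing in for INSERT_GATEWAY_IPS and
# INSERT_EXPECTED_MAC_ADDRESSES in the page's query (placeholder values).
EXPECTED_GATEWAYS = {
    "192.168.1.1": "aa:bb:cc:11:22:33",
    "192.168.1.254": "aa:bb:cc:11:22:34",
    "10.0.0.1": "aa:bb:cc:44:55:66",
}

def normalize_mac(mac):
    """Canonical lower-case 'xx:xx:xx:xx:xx:xx' so notation differences don't cause false alerts."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui(mac):
    """First three octets of the MAC: the Organizationally Unique Identifier."""
    return normalize_mac(mac)[:8]

def find_unexpected_gateway_macs(rows, expected):
    """Run the page's detection query on an in-memory SQLite arp_cache (osquery is SQLite-backed);
    return the (address, interface, mac) rows of gateway IPs whose MAC is not on the allow-list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE arp_cache (address TEXT, interface TEXT, mac TEXT)")
    conn.executemany("INSERT INTO arp_cache VALUES (?, ?, ?)",
                     [(a, i, normalize_mac(m)) for a, i, m in rows])
    gateways = list(expected)
    macs = sorted({normalize_mac(m) for m in expected.values()})
    # Same shape as the page's query, with bound parameters in place of the placeholders.
    sql = ("SELECT address, interface, mac FROM arp_cache "
           f"WHERE address IN ({','.join('?' * len(gateways))}) "
           f"AND mac NOT IN ({','.join('?' * len(macs))})")
    return conn.execute(sql, gateways + macs).fetchall()

if __name__ == "__main__":
    for address, interface, mac in find_unexpected_gateway_macs(SAMPLE_ARP_CACHE, EXPECTED_GATEWAYS):
        print(f"gateway {address} on {interface} has unexpected MAC {mac} (OUI {oui(mac)})")
```

Like the page's query, the allow-list is flat across all gateways; a per-gateway mapping would be stricter but needs a join against an inventory table rather than a single `NOT IN`.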