# Ossec official rules should be under some of these
# Local rules should go from 100000 to 120000.
# Every rule will also have a revision attribute (if modified).
# *default revision is 0 (when first added).
00000 - 00999 Internally reserved for ossec
01000 - 01999 General syslog
02500 - 02699 Access control
02700 - 02729 Mail/procmail
02860 - 02899 Mount/Automount
03100 - 03299 Sendmail
03700 - 03799 MailScanner
04100 - 04299 Generic Firewall
04300 - 04499 Cisco PIX Firewall
04500 - 04699 Netscreen Firewall
05100 - 05299 Kernels (Linux, Unix, etc)
05500 - 05599 Pam unix
05900 - 05999 Adduser or user deletion.
07100 - 07199 Tripwire
07200 - 07299 Arpwatch
07300 - 07399 Symantec Anti Virus
09200 - 09299 Squid syslog
09300 - 09399 Horde IMP
11300 - 11399 Pure-FTPD
12100 - 12299 Named (bind DNS)
13100 - 13299 Samba (smbd)
14100 - 14199 Racoon SSL
14200 - 14299 Cisco VPN Concentrator
18100 - 18499 Windows system
20300 - 20499 IDS (Snort specific)
30100 - 30999 Apache error log.
31100 - 31199 Web access log
40100 - 40499 Attack patterns.
40500 - 40599 Privilege escalation.
40600 - 40999 Scan patterns.
100000 - 109999 User defined rules