2 <!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
4 - Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
5 - Author: phishphreek@gmail.com
6 - License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
10 <!--Server 2003 and 2008 IPv4 Event ID Meaning
11 00 The log was started.
12 01 The log was stopped.
13 02 The log was temporarily paused due to low disk space.
14 10 A new IP address was leased to a client.
15 11 A lease was renewed by a client.
16 12 A lease was released by a client.
17 13 An IP address was found to be in use on the network.
18 14 A lease request could not be satisfied because the scope's address pool was exhausted.
19 15 A lease was denied.
20 16 A lease was deleted.
21 17 A lease was expired and the DNS records for the expired lease were not deleted (matches rule 6311 and the ID 17 "DNS record not deleted" row in the sample below).
22 18 A lease was expired and DNS records were deleted. (Server 2008 Only -- note that the "Server 2003" sample below nevertheless contains an ID 18 row, so either that note or the sample's label should be verified)
23 20 A BOOTP address was leased to a client.
24 21 A dynamic BOOTP address was leased to a client.
25 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
26 23 A BOOTP IP address was deleted after checking to see it was not in use.
27 24 IP address cleanup operation has begun.
28 25 IP address cleanup statistics.
29 30 DNS update request to the named DNS server
31 32 DNS update successful
32 33 Packet dropped due to NAP policy. (Server 2008 Only)
33 50+ Codes above 50 are used for Rogue Server Detection information.
37 <!--Server 2003 IPv4 Log Sample
Note: in the ID 30 (DNS Update Request) row the IP Address field appears octet-reversed (201.10.168.192 for the host logged as 192.168.10.201 on the ID 31 row); do not treat that field as the client address when correlating DNS-update events with leases.
38 ID,Date,Time,Description,IP Address,Host Name,MAC Address
39 24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
40 31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
41 30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
42 25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
43 11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
44 32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
45 15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
46 10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
47 12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
48 18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
49 17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
53 <group name="windows,dhcp,">
54 <rule id="6300" level="0">
55 <decoded_as>ms-dhcp-ipv4</decoded_as>
56 <description>Grouping for the MS-DHCP rules.</description>
59 <rule id="6301" level="2">
62 <description>The log was started.</description>
63 <group>service_start,</group>
66 <rule id="6302" level="3">
<!-- NOTE(review): the IPv6 counterpart "Stopped." (rule 6362) alerts at level 7;
     an IPv4 audit-log stop is rated lower here. An unexpected stop means lease
     activity goes unrecorded, so consider aligning the two levels. -->
69 <description>The log was stopped.</description>
70 <group>service_availability,</group>
73 <rule id="6303" level="10">
<!-- While the log is paused, expect lease events (IDs 10-18) to be missing. Treat
     a gap in 6304-6311 alerts after this one as a logging outage, not as evidence
     of no DHCP activity. -->
76 <description>The log was temporarily paused due to low disk space.</description>
77 <group>system_error,</group>
80 <rule id="6304" level="0">
83 <description>A new IP address was leased to a client.</description>
84 <group>dhcp_lease_action,</group>
87 <rule id="6305" level="0">
90 <description>A lease was renewed by a client.</description>
91 <group>dhcp_lease_action,</group>
94 <rule id="6306" level="0">
97 <description>A lease was released by a client.</description>
98 <group>dhcp_lease_action,</group>
101 <rule id="6307" level="0">
102 <if_sid>6300</if_sid>
<!-- NOTE(review): an address conflict is dropped silently here (level 0), while the
     IPv6 equivalent "Address is already in use." (rule 6366) alerts at level 4.
     If IPv4 conflicts are worth reviewing, align the levels. -->
104 <description>An IP address was found to be in use on the network.</description>
105 <group>dhcp_lease_action,</group>
108 <rule id="6308" level="12">
109 <if_sid>6300</if_sid>
<!-- Scope exhaustion is primarily an availability event, but it can also be the
     result of a single host requesting leases under many MAC addresses. Before
     treating this as a capacity problem, review the preceding 6304 (Assign) events
     for a burst of new leases to different MACs from one source. -->
111 <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
112 <group>service_availability,dhcp_lease_action,</group>
115 <rule id="6309" level="7">
116 <if_sid>6300</if_sid>
<!-- A NACK can be immediately followed by an Assign for the same MAC (see the
     ID 15 / ID 10 pair at 8:49:10 in the sample above), so one denial is usually
     benign; repeated denials for a single MAC are the more useful signal and
     would be better handled by a frequency-based child rule. -->
118 <description>A lease was denied.</description>
119 <group>dhcp_lease_action,</group>
122 <rule id="6310" level="0">
123 <if_sid>6300</if_sid>
125 <description>A lease was deleted.</description>
126 <group>dhcp_lease_action,</group>
129 <rule id="6311" level="0">
130 <if_sid>6300</if_sid>
132 <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
133 <group>dhcp_lease_action,</group>
136 <rule id="6322" level="0">
137 <if_sid>6300</if_sid>
139 <description>A lease was expired and DNS records were deleted.</description>
140 <group>dhcp_lease_action,dhcp_dns_maintenance</group>
143 <rule id="6312" level="0">
144 <if_sid>6300</if_sid>
146 <description>A BOOTP address was leased to a client.</description>
147 <group>dhcp_lease_action,</group>
150 <rule id="6313" level="0">
151 <if_sid>6300</if_sid>
153 <description>A dynamic BOOTP address was leased to a client.</description>
154 <group>dhcp_lease_action,</group>
158 <rule id="6314" level="10">
159 <if_sid>6300</if_sid>
161 <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
162 <group>dhcp_lease_action,</group>
165 <rule id="6315" level="0">
166 <if_sid>6300</if_sid>
168 <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
169 <group>dhcp_lease_action,</group>
172 <rule id="6316" level="3">
173 <if_sid>6300</if_sid>
175 <description>IP address cleanup operation has began.</description>
176 <group>dhcp_maintenance,</group>
179 <rule id="6317" level="2">
180 <if_sid>6300</if_sid>
182 <description>IP address cleanup statistics.</description>
183 <group>dhcp_maintenance,</group>
186 <rule id="6318" level="0">
187 <if_sid>6300</if_sid>
189 <description>DNS update request to the named DNS server.</description>
190 <group>dhcp_dns_maintenance,</group>
193 <rule id="6319" level="7">
194 <if_sid>6300</if_sid>
196 <description>DNS update failed.</description>
197 <group>dhcp_dns_maintenance,</group>
200 <rule id="6320" level="0">
201 <if_sid>6300</if_sid>
203 <description>DNS update successful.</description>
204 <group>dhcp_dns_maintenance,</group>
207 <rule id="6323" level="12">
208 <if_sid>6300</if_sid>
210 <description>Packet dropped due to NAP policy.</description>
211 <group>dhcp_lease_action,</group>
215 <rule id="6321" level="12">
216 <if_sid>6300</if_sid>
<!-- NOTE(review): IDs above 50 carry rogue-server detection information in general,
     not only a detected rogue. Confirm the match on this rule is limited to the
     codes that indicate an unauthorized server; otherwise routine detection output
     alerts at level 12. -->
218 <description>Codes above 50 are used for Rogue Server Detection information.</description>
219 <group>dhcp_rogue_server,</group>
225 Server 2008 IPv6 Event ID Meaning
234 11008 Information Request.
238 11012 Audit log paused.
241 11015 Address is already in use.
242 11016 Client deleted.
243 11017 DNS record not deleted.
245 11019 Expired and Deleted count.
246 11020 Database cleanup begin.
247 11021 Database cleanup end.
248 11023 Service not authorized in AD.
249 11024 Service authorized in AD.
250 11025 Service has not determined if it is authorized in AD.
252 <!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
253 11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
254 11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
255 11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
256 11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
257 11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
260 <rule id="6350" level="0">
261 <decoded_as>ms-dhcp-ipv6</decoded_as>
262 <description>Grouping for the MS-DHCP rules.</description>
265 <rule id="6351" level="0">
266 <if_sid>6350</if_sid>
268 <description>Solicit.</description>
269 <group>dhcp_ipv6,</group>
272 <rule id="6352" level="0">
273 <if_sid>6350</if_sid>
274 <id>^11001|^11002</id>
<!-- Matches two event IDs but the description names only the first, so 11002
     events are reported as "Advertise". 11002 is presumably Request (the ID after
     Advertise in the DHCPv6 sequence) -- confirm against the server's log. -->
275 <description>Advertise.</description>
276 <group>dhcp_ipv6,</group>
279 <rule id="6354" level="0">
280 <if_sid>6350</if_sid>
282 <description>Confirm.</description>
283 <group>dhcp_ipv6,</group>
286 <rule id="6355" level="0">
287 <if_sid>6350</if_sid>
289 <description>Renew.</description>
290 <group>dhcp_ipv6,</group>
293 <rule id="6356" level="0">
294 <if_sid>6350</if_sid>
296 <description>Rebind.</description>
297 <group>dhcp_ipv6,</group>
301 <rule id="6357" level="7">
302 <if_sid>6350</if_sid>
304 <description>DHCP Decline.</description>
305 <group>dhcp_ipv6,</group>
308 <rule id="6358" level="0">
309 <if_sid>6350</if_sid>
311 <description>Release.</description>
312 <group>dhcp_ipv6,</group>
315 <rule id="6359" level="0">
316 <if_sid>6350</if_sid>
318 <description>Information Request.</description>
319 <group>dhcp_ipv6,</group>
322 <rule id="6360" level="12">
323 <if_sid>6350</if_sid>
325 <description>Scope Full.</description>
326 <group>dhcp_ipv6,</group>
329 <rule id="6361" level="3">
330 <if_sid>6350</if_sid>
332 <description>Started.</description>
333 <group>service_start,</group>
336 <rule id="6362" level="7">
337 <if_sid>6350</if_sid>
339 <description>Stopped.</description>
340 <group>service_availability,</group>
343 <rule id="6363" level="10">
344 <if_sid>6350</if_sid>
<!-- Same caveat as the IPv4 rule 6303: while the audit log is paused, DHCPv6
     events are not recorded, so a quiet period after this alert is a logging gap. -->
346 <description>Audit log paused.</description>
347 <group>service_availability,</group>
351 <rule id="6364" level="7">
352 <if_sid>6350</if_sid>
354 <description>DHCP Log File.</description>
355 <group>system_error,</group>
358 <rule id="6365" level="7">
359 <if_sid>6350</if_sid>
361 <description>Bad Address.</description>
362 <group>dhcp_ipv6,</group>
365 <rule id="6366" level="4">
366 <if_sid>6350</if_sid>
368 <description>Address is already in use.</description>
369 <group>dhcp_ipv6,</group>
372 <rule id="6367" level="0">
373 <if_sid>6350</if_sid>
375 <description>Client deleted.</description>
376 <group>dhcp_ipv6,</group>
379 <rule id="6368" level="0">
380 <if_sid>6350</if_sid>
382 <description>DNS record not deleted.</description>
383 <group>dhcp_ipv6,</group>
386 <rule id="6369" level="0">
387 <if_sid>6350</if_sid>
389 <description>Expired.</description>
390 <group>dhcp_ipv6,</group>
393 <rule id="6370" level="0">
394 <if_sid>6350</if_sid>
396 <description>Expired and Deleted count.</description>
397 <group>dhcp_ipv6,</group>
400 <rule id="6371" level="2">
401 <if_sid>6350</if_sid>
403 <description>Database cleanup begin.</description>
404 <group>dhcp_ipv6,</group>
408 <rule id="6372" level="2">
409 <if_sid>6350</if_sid>
411 <description>Database cleanup end.</description>
412 <group>dhcp_ipv6,</group>
415 <rule id="6373" level="12">
416 <if_sid>6350</if_sid>
<!-- A DHCP server that is not authorized in AD is the rogue-server condition that
     the IPv4 rules cover via event IDs 50+ (rule 6321). Consider adding the
     dhcp_rogue_server group here so IPv4 and IPv6 rogue alerts share one group. -->
418 <description>Service not authorized in AD.</description>
419 <group>dhcp_ipv6,</group>
422 <rule id="6374" level="3">
423 <if_sid>6350</if_sid>
425 <description>Service authorized in AD.</description>
426 <group>dhcp_ipv6,</group>
429 <rule id="6376" level="12">
430 <if_sid>6350</if_sid>
432 <description>Service has not determined if it is authorized in AD.</description>
433 <group>dhcp_ipv6,</group>