1 <!-- OSSEC Rules for Windows Firewall - https://www.csoonline.com/article/2619761/security/what-to-monitor-to-stop-hacker-and-malware-attacks.html?page=3, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor -->
4 <group name="windows, ipsec,">
<!-- Rule 18651 (level 8): reports that IKE DoS-prevention mode started.
     NOTE(review): neither an <if_sid> nor an <id> line is visible for this rule in this
     listing (the embedded line numbers skip from 6 to 9). Windows documents this message
     as event 4646; confirm the rule is chained to a Windows parent rule and matches on
     that ID, and that the closing tag is present in the deployed file. -->
6 <rule id="18651" level="8">
9 <description>IKE DoS-prevention mode started</description>
10 <group>windows,</group>
<!-- Rule 18652 (level 8): child of rule 18105; fires when the event ID is 4652 or 4653
     and reports a failed IPsec Main Mode negotiation.
     Triage hint: isolated failures are often configuration or credential mismatches;
     review repeated failures from one peer together with other authentication alerts. -->
14 <rule id="18652" level="8">
15 <if_sid>18105</if_sid>
16 <id>^4652$|^4653$</id>
17 <description>An IPsec Main Mode negotiation failed</description>
18 <group>windows,</group>
<!-- Rule 18653 (level 8): child of rule 18105; reports a failed IPsec Quick Mode negotiation.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 24). Windows documents this message as event 4654; confirm the rule
     matches on it, since a rule with only <if_sid> would presumably fire on every event
     that reaches 18105. -->
22 <rule id="18653" level="8">
23 <if_sid>18105</if_sid>
25 <description>An IPsec Quick Mode negotiation failed</description>
26 <group>windows,</group>
<!-- Rule 18654 (level 8): child of rule 18104; fires when the event ID is 4983 or 4984
     and reports a failed IPsec Extended Mode negotiation.
     NOTE(review): the Main Mode and Quick Mode failure rules in this file (18652, 18653)
     chain from 18105, while this one chains from 18104. In the stock OSSEC Windows rules
     18104 is the audit-success parent and 18105 the audit-failure parent; confirm which
     keyword events 4983/4984 carry, otherwise this rule may never match. -->
30 <rule id="18654" level="8">
31 <if_sid>18104</if_sid>
32 <id>^4983$|^4984$</id>
33 <description>An IPsec Extended Mode negotiation failed</description>
34 <group>windows,</group>
<!-- Rule 18655 (level 4): child of rule 18104; reports an inbound packet that IPsec
     dropped because it failed an integrity check.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 40). Windows documents this message as event 4960; confirm the match.
     Triage hint: the cause may be faulty network hardware or a packet altered in transit,
     so a sustained rate from one source deserves a closer look despite the low level. -->
38 <rule id="18655" level="4">
39 <if_sid>18104</if_sid>
41 <description>IPsec dropped an inbound packet that failed an integrity check</description>
42 <group>windows,</group>
<!-- Rule 18656 (level 8): child of rule 18104; fires when the event ID is 4961 or 4962
     and reports an inbound packet that IPsec dropped because it failed a replay check.
     Triage hint: replay-check drops can come from reordered or delayed traffic as well as
     from replayed packets; check whether they cluster on one peer or one time window. -->
46 <rule id="18656" level="8">
47 <if_sid>18104</if_sid>
48 <id>^4961$|^4962$</id>
49 <description>IPsec dropped an inbound packet that failed a replay check</description>
50 <group>windows,</group>
<!-- Rule 18657 (level 8): child of rule 18104; reports an inbound clear text packet that
     IPsec dropped because policy required it to be secured.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 56). Windows documents this message as event 4963; confirm the match.
     Triage hint: usually a peer whose IPsec policy does not match this host; verify the
     sender is a known system before treating it as a policy mismatch. -->
54 <rule id="18657" level="8">
55 <if_sid>18104</if_sid>
57 <description>IPsec dropped an inbound clear text packet that should have been secured</description>
58 <group>windows,</group>
<!-- Rule 18658 (level 4): child of rule 18104; reports a packet received from a remote
     computer with an incorrect Security Parameter Index (SPI).
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 64). Windows documents this message as event 4965; confirm the match. -->
62 <rule id="18658" level="4">
63 <if_sid>18104</if_sid>
65 <description>IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)</description>
66 <group>windows,</group>
<!-- Rule 18659 (level 7): child of rule 18104; reports an invalid negotiation packet
     received during IPsec Main Mode negotiation.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 72). Windows documents this message as event 4976; confirm the match. -->
70 <rule id="18659" level="7">
71 <if_sid>18104</if_sid>
73 <description>During Main Mode negotiation, IPsec received an invalid negotiation packet</description>
74 <group>windows,</group>
<!-- Rule 18660 (level 7): child of rule 18104; reports an invalid negotiation packet
     received during IPsec Quick Mode negotiation.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 80). Windows documents this message as event 4977; confirm the match. -->
78 <rule id="18660" level="7">
79 <if_sid>18104</if_sid>
81 <description>During Quick Mode negotiation, IPsec received an invalid negotiation packet</description>
82 <group>windows,</group>
<!-- Rule 18661 (level 7): child of rule 18104; reports an invalid negotiation packet
     received during IPsec Extended Mode negotiation.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 88). Windows documents this message as event 4978; confirm the match. -->
86 <rule id="18661" level="7">
87 <if_sid>18104</if_sid>
89 <description>During Extended Mode negotiation, IPsec received an invalid negotiation packet</description>
90 <group>windows,</group>
<!-- Rule 18662 (level 8): child of rule 18104; reports an IPsec negotiation that failed
     because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 96). Windows documents this message as event 5453; confirm the match.
     Triage hint: check whether the IKEEXT service was stopped deliberately and by whom. -->
94 <rule id="18662" level="8">
95 <if_sid>18104</if_sid>
97 <description>An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started</description>
98 <group>windows,</group>
<!-- Rule 18663 (level 8): child of rule 18105; reports that IPsec Services failed to get
     the complete list of network interfaces on the computer.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 104). Windows documents this message as event 5480; confirm the match.
     Triage hint: interfaces missing from the list may not receive the protection the
     applied IPsec filters are meant to provide. -->
102 <rule id="18663" level="8">
103 <if_sid>18105</if_sid>
105 <description>IPsec Services failed to get the complete list of network interfaces on the computer</description>
106 <group>windows,</group>
<!-- Rule 18664 (level 8): child of rule 18105; reports that IPsec Services failed to
     initialize its RPC server and could not be started.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 112). Windows documents this message as event 5483; confirm the match. -->
110 <rule id="18664" level="8">
111 <if_sid>18105</if_sid>
113 <description>IPsec Services failed to initialize RPC server. IPsec Services could not be started</description>
114 <group>windows,</group>
<!-- Rule 18665 (level 8): child of rule 18105; reports that IPsec Services experienced a
     critical failure and was shut down.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 120). Windows documents this message as event 5484; confirm the match.
     Triage hint: with the service down, IPsec policy is presumably no longer enforced on
     this host; treat the host as unprotected until the service is confirmed running. -->
118 <rule id="18665" level="8">
119 <if_sid>18105</if_sid>
121 <description>IPsec Services has experienced a critical failure and has been shut down</description>
122 <group>windows,</group>
<!-- Rule 18666 (level 8): child of rule 18105; reports that IPsec Services failed to
     process some IPsec filters on a plug-and-play event for network interfaces.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 128). Windows documents this message as event 5485; confirm the match. -->
126 <rule id="18666" level="8">
127 <if_sid>18105</if_sid>
129 <description>IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces</description>
130 <group>windows,</group>
<!-- Rule 18667 (level 8): child of rule 18104; reports that IPsec Services was disabled.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 136). Windows documents this message as event 4710; confirm the match.
     Triage hint: disabling a protective service is a change worth attributing; check it
     against change records and the account that made it. -->
134 <rule id="18667" level="8">
135 <if_sid>18104</if_sid>
137 <description>IPsec Services was disabled</description>
138 <group>windows,</group>
<!-- Rule 18668 (level 8): child of rule 18105; reports that IPsec Services encountered a
     potentially serious failure.
     NOTE(review): no <id> line is visible for this rule in this listing (the embedded line
     numbers skip 144). Windows documents this message as event 4712; confirm the match,
     and confirm that the closing rule and group tags are present in the deployed file. -->
142 <rule id="18668" level="8">
143 <if_sid>18105</if_sid>
145 <description>IPsec Services encountered a potentially serious failure</description>
146 <group>windows,</group>