1 <!-- @(#) $Id: syslog_rules.xml,v 1.87 2009/12/01 15:40:07 dcid Exp $
2 - Official Generic Syslog rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
16 <!-- Default variables for the SYSLOG rules. -->
18 <!-- Bad words matching. Any log containing these messages
21 <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
24 <!-- Syslog errors. -->
25 <group name="syslog,errors,">
26 <rule id="1001" level="2">
27 <match>^Couldn't open /etc/securetty</match>
28 <description>File missing. Root access unrestricted.</description>
31 <rule id="1002" level="2">
32 <match>$BAD_WORDS</match>
33 <options>alert_by_email</options>
34 <description>Unknown problem somewhere in the system.</description>
37 <rule id="1003" level="13" maxsize="1025">
38 <description>Non-standard syslog message (size too large).</description>
41 <rule id="1004" level="5">
42 <match>^exiting on signal</match>
43 <description>Syslogd exiting (logging stopped).</description>
46 <rule id="1005" level="5">
47 <program_name>syslogd</program_name>
48 <match>^restart</match>
49 <description>Syslogd restarted.</description>
52 <rule id="1006" level="5">
53 <regex>^syslogd \S+ restart</regex>
54 <description>Syslogd restarted.</description>
57 <rule id="1007" level="7">
58 <match>file system full|No space left on device</match>
59 <description>File system full.</description>
60 <group>low_diskspace,</group>
62 </group> <!-- SYSLOG,ERRORS -->
67 <group name="syslog,nfs,">
68 <!-- XXX All These NFS rules need to be fixed. -->
69 <rule id="2100" level="0" noalert="1">
70 <program_name>^automount|^mount</program_name>
71 <description>NFS rules grouped.</description>
74 <rule id="2101" level="4">
76 <match>nfs: mount failure</match>
77 <description>Unable to mount the NFS share.</description>
80 <rule id="2102" level="4">
82 <match>reason given by server: Permission denied</match>
83 <description>Unable to mount the NFS directory.</description>
86 <rule id="2103" level="4">
87 <match>^rpc.mountd: refused mount request from</match>
88 <description>Unable to mount the NFS directory.</description>
91 <rule id="2104" level="2">
93 <regex>lookup for \S+ failed</regex>
94 <description>Automount informative message</description>
96 </group> <!-- SYSLOG,NFS -->
100 <!-- xinetd messages -->
101 <group name="syslog,xinetd,">
102 <rule id="2301" level="10">
103 <match>^Deactivating service </match>
104 <description>Excessive number of connections to a service.</description>
106 </group> <!-- SYSLOG,XINETD -->
110 <!-- Access control messages -->
111 <group name="syslog,access_control,">
112 <rule id="2501" level="5">
113 <match>FAILED LOGIN |authentication failure|</match>
114 <match>Authentication failed for|invalid password for|</match>
115 <match>LOGIN FAILURE|auth failure: |authentication error|</match>
116 <match>authinternal failed|Failed to authorize|</match>
117 <match>Wrong password given for|login failed|Auth: Login incorrect</match>
118 <group>authentication_failed,</group>
119 <description>User authentication failure.</description>
122 <rule id="2502" level="10">
123 <match>more authentication failures;|REPEATED login failures</match>
124 <description>User missed the password more than one time</description>
125 <group>authentication_failed,</group>
128 <rule id="2503" level="5">
129 <regex>^refused connect from|</regex>
130 <regex>^libwrap refused connection|</regex>
131 <regex>Connection from \S+ denied</regex>
132 <description>Connection blocked by Tcp Wrappers.</description>
133 <group>access_denied,</group>
136 <rule id="2504" level="9">
137 <match>ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED</match>
138 <description>Illegal root login. </description>
139 <group>invalid_login,</group>
142 <rule id="2505" level="3">
143 <match>^ROOT LOGIN on</match>
144 <description>Physical root login.</description>
147 <rule id="2506" level="3">
148 <match>^Authentication passed</match>
149 <description>Pop3 Authentication passed.</description>
151 </group> <!-- SYSLOG,ACCESS_CONTROL -->
155 <!-- Mail/Procmail messages -->
156 <group name="syslog,mail,">
157 <rule id="2701" level="0">
158 <program_name>^procmail</program_name>
159 <description>Ignoring procmail messages.</description>
161 </group> <!-- SYSLOG,MAIL -->
165 <!-- Smartd messages -->
166 <group name="syslog,smartd,">
167 <rule id="2800" level="0" noalert="1">
168 <program_name>^smart</program_name>
169 <description>Pre-match rule for smartd.</description>
172 <rule id="2801" level="0">
173 <if_sid>2800</if_sid>
174 <match>No configuration file /etc/smartd.conf found</match>
175 <description>Smartd Started but not configured</description>
178 <rule id="2802" level="0">
179 <if_sid>2800</if_sid>
180 <match>Unable to register ATA device</match>
181 <description>Smartd configuration problem</description>
184 <rule id="2803" level="0">
185 <if_sid>2800</if_sid>
186 <match>No such device or address</match>
187 <description>Device configured but not available to Smartd</description>
189 </group> <!-- SYSLOG,SMARTD -->
193 <!-- Linux Kernel messages -->
194 <group name="syslog,linuxkernel,">
195 <rule id="5100" level="0" noalert="1">
196 <program_name>^kernel</program_name>
197 <description>Pre-match rule for kernel messages</description>
200 <rule id="5101" level="0">
201 <if_sid>5100</if_sid>
202 <match>PCI: if you experience problems, try using option</match>
203 <description>Informative message from the kernel.</description>
206 <rule id="5102" level="0">
207 <if_sid>5100</if_sid>
208 <match>modprobe: Can't locate module sound</match>
209 <description>Informative message from the kernel</description>
212 <rule id="5103" level="9">
213 <if_sid>5100</if_sid>
214 <match>Oversized packet received from</match>
215 <description>Error message from the kernel. </description>
216 <description>Ping of death attack.</description>
219 <rule id="5104" level="8">
220 <if_sid>5100</if_sid>
221 <regex>Promiscuous mode enabled|</regex>
222 <regex>device \S+ entered promiscuous mode</regex>
223 <description>Interface entered promiscuous (sniffing) mode.</description>
224 <group>promisc,</group>
227 <rule id="5105" level="0">
228 <if_sid>5100</if_sid>
229 <match>end_request: I/O error, dev fd0, sector 0|</match>
230 <match>Buffer I/O error on device fd0, logical block 0</match>
231 <description>Invalid request to /dev/fd0 (bug on the kernel).</description>
234 <rule id="5106" level="0">
235 <if_sid>5100</if_sid>
236 <match>svc: unknown program 100227 (me 100003)</match>
237 <description>NFS incompatibility between Linux and Solaris.</description>
240 <rule id="5107" level="0">
241 <if_sid>5100</if_sid>
242 <match>svc: bad direction </match>
243 <description>NFS incompatibility between Linux and Solaris.</description>
246 <rule id="5108" level="12">
247 <if_sid>5100</if_sid>
248 <match>Out of Memory: </match>
249 <description>System running out of memory. </description>
250 <description>Availability of the system is in risk.</description>
251 <group>service_availability,</group>
254 <rule id="5109" level="4">
255 <if_sid>5100</if_sid>
256 <match>I/O error: dev |end_request: I/O error, dev</match>
257 <description>Kernel Input/Output error</description>
260 <rule id="5110" level="4">
261 <if_sid>5100</if_sid>
262 <match>Forged DCC command from</match>
263 <description>IRC misconfiguration</description>
266 <rule id="5111" level="0">
267 <if_sid>5100</if_sid>
268 <match>ipw2200: Firmware error detected.</match>
269 <description>Kernel device error.</description>
272 <rule id="5112" level="0">
273 <if_sid>5100</if_sid>
274 <match>usbhid: probe of</match>
275 <description>Kernel usbhid probe error (ignored).</description>
278 <rule id="5113" level="7">
279 <if_sid>5100</if_sid>
280 <match>Kernel log daemon terminating</match>
281 <group>system_shutdown,</group>
282 <description>System is shutting down.</description>
285 <rule id="5130" level="7">
286 <if_sid>5100</if_sid>
287 <match>ADSL line is down</match>
288 <description>Monitor ADSL line is down.</description>
291 <rule id="5131" level="3">
292 <if_sid>5100</if_sid>
293 <match>ADSL line is up</match>
294 <description>Monitor ADSL line is up.</description>
297 <rule id="5200" level="0">
298 <match>^hpiod: unable to ParDevice</match>
299 <description>Ignoring hpiod for producing useless logs.</description>
301 </group> <!-- SYSLOG,LINUXKERNEL -->
305 <!-- Cron messages -->
306 <group name="syslog,cron,">
307 <rule id="2830" level="0">
308 <program_name>crond|crontab</program_name>
309 <description>Crontab rule group.</description>
312 <rule id="2831" level="0">
313 <if_sid>2830</if_sid>
314 <match>^unable to exec</match>
315 <description>Wrong crond configuration</description>
318 <rule id="2834" level="5">
319 <if_sid>2830</if_sid>
320 <match>BEGIN EDIT</match>
321 <description>Crontab opened for editing.</description>
324 <rule id="2832" level="5">
325 <if_sid>2830</if_sid>
326 <match>REPLACE</match>
327 <description>Crontab entry changed.</description>
330 <rule id="2833" level="8">
331 <if_sid>2832</if_sid>
332 <match>^(root)</match>
333 <description>Root's crontab entry changed.</description>
336 </group> <!-- SYSLOG,CRON -->
341 <group name="syslog, su,">
342 <rule id="5300" level="0" noalert="1">
343 <decoded_as>su</decoded_as>
344 <description>Initial grouping for su messages.</description>
347 <rule id="5301" level="5">
348 <if_sid>5300</if_sid>
349 <match>authentication failure; |failed|BAD su|^-| - </match>
350 <description>User missed the password to change UID (user id).</description>
351 <group>authentication_failed,</group>
354 <rule id="5302" level="9">
355 <if_sid>5301</if_sid>
357 <description>User missed the password to change UID to root.</description>
358 <group>authentication_failed,</group>
361 <rule id="5303" level="3">
362 <if_sid>5300</if_sid>
363 <regex>session opened for user root|^'su root'|</regex>
364 <regex>^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$</regex>
365 <description>User successfully changed UID to root.</description>
366 <group>authentication_success,</group>
369 <rule id="5304" level="3">
370 <if_sid>5300</if_sid>
371 <regex>session opened for user|succeeded for|</regex>
372 <regex>^+|^\S+ to |^SU \S+ \S+ + </regex>
373 <description>User successfully changed UID.</description>
374 <group>authentication_success,</group>
377 <rule id="5305" level="4">
378 <if_sid>5303, 5304</if_sid>
380 <options>alert_by_email</options>
381 <description>First time (su) is executed by user.</description>
383 </group> <!-- SYSLOG,SU -->
387 <!-- Tripwire messages -->
388 <group name="syslog,tripwire,">
389 <rule id="7101" level="8">
390 <match>Integrity Check failed: File could not</match>
391 <description>Problems with the tripwire checking</description>
393 </group> <!-- SYSLOG,TRIPWIRE -->
397 <!-- Adduser messages -->
398 <group name="syslog,adduser">
399 <rule id="5901" level="8">
400 <match>^new group</match>
401 <description>New group added to the system</description>
404 <rule id="5902" level="8">
405 <match>^new user|^new account added</match>
406 <description>New user added to the system</description>
409 <rule id="5903" level="2">
410 <match>^delete user|^account deleted|^remove group</match>
411 <description>Group (or user) deleted from the system</description>
414 <rule id="5904" level="8">
415 <match>^changed user</match>
416 <description>Information from the user was changed</description>
418 </group> <!-- SYSLOG,ADDUSER -->
422 <!-- Sudo messages -->
423 <group name="syslog,sudo">
424 <rule id="5400" level="0" noalert="1">
425 <decoded_as>sudo</decoded_as>
426 <description>Initial group for sudo messages</description>
429 <rule id="5401" level="10">
430 <if_sid>5400</if_sid>
431 <match>3 incorrect password attempts</match>
432 <description>Three failed attempts to run sudo</description>
435 <rule id="5402" level="3">
436 <if_sid>5400</if_sid>
437 <match> ; USER=root ; COMMAND=</match>
438 <description>Successful sudo to ROOT executed</description>
441 <rule id="5403" level="4">
442 <if_sid>5400</if_sid>
443 <options>alert_by_email</options>
445 <description>First time user executed sudo.</description>
447 </group> <!-- SYSLOG,SUDO -->
450 <!-- PPTP messages -->
451 <group name="syslog,pptp">
452 <rule id="9100" level="0" noalert="1">
453 <program_name>^pptpd</program_name>
454 <description>PPTPD messages grouped</description>
457 <rule id="9101" level="0">
458 <if_sid>9100</if_sid>
459 <regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
460 <description>PPTPD failed message (communication error)</description>
461 <info>poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
464 <rule id="9102" level="0">
465 <if_sid>9100</if_sid>
466 <match>^tcflush failed: Bad file descriptor</match>
467 <description>PPTPD communication error</description>
474 <group name="syslog,fts,">
475 <rule id="10100" level="4">
476 <if_group>authentication_success</if_group>
477 <options>alert_by_email</options>
479 <group>authentication_success</group>
480 <description>First time user logged in.</description>
485 <group name="syslog,squid,">
486 <rule id="9200" level="0" noalert="1">
487 <program_name>^squid</program_name>
488 <description>Squid syslog messages grouped</description>
491 <rule id="9201" level="0">
492 <if_sid>9200</if_sid>
493 <match>^ctx: enter level|^sslRead|^urlParse: Illegal |</match>
494 <match>^httpReadReply: Request not yet |^httpReadReply: Excess data</match>
495 <description>Squid debug message</description>
500 <group name="syslog,dpkg,">
501 <rule id="2900" level="0">
502 <decoded_as>windows-date-format</decoded_as>
503 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ </regex>
504 <description>Dpkg (Debian Package) log.</description>
507 <rule id="2901" level="3">
508 <if_sid>2900</if_sid>
509 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install</regex>
510 <description>New dpkg (Debian Package) requested to install.</description>
513 <rule id="2902" level="7">
514 <if_sid>2900</if_sid>
515 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed</regex>
516 <description>New dpkg (Debian Package) installed.</description>
517 <group>config_changed,</group>
520 <rule id="2903" level="7">
521 <if_sid>2900</if_sid>
522 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove|</regex>
523 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge</regex>
524 <description>Dpkg (Debian Package) removed.</description>
525 <group>config_changed,</group>
530 <group name="syslog,yum,">
531 <rule id="2930" level="0">
532 <program_name>^yum</program_name>
533 <description>Yum logs.</description>
536 <rule id="2931" level="0">
537 <hostname>yum.log$</hostname>
538 <match>^Installed|^Updated|^Erased</match>
539 <description>Yum logs.</description>
542 <rule id="2932" level="7">
543 <if_sid>2930,2931</if_sid>
544 <match>^Installed</match>
545 <group>config_changed,</group>
546 <description>New Yum package installed.</description>
549 <rule id="2933" level="7">
550 <if_sid>2930,2931</if_sid>
551 <match>^Updated</match>
552 <group>config_changed,</group>
553 <description>Yum package updated.</description>
556 <rule id="2934" level="7">
557 <if_sid>2930,2931</if_sid>
558 <match>^Erased</match>
559 <group>config_changed,</group>
560 <description>Yum package deleted.</description>