-<!-- @(#) $Id$
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
- Official Generic Syslog rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
<description>Process exiting (killed).</description>
<group>service_availability,</group>
</rule>
+
+ <rule id="1009" level="0">
+ <if_sid>1002</if_sid>
+ <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+ <match>PPM exceeds tolerance</match>
+ <description>Ignoring known false positives on rule 1002..</description>
+ </rule>
</group> <!-- SYSLOG,ERRORS -->
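Review bot: The trailing `|` at the end of the first `<match>` on the `can't verify hostname: getaddrinfo|` line reads like a stray character unless the reader knows that the rule loader appends consecutive `<match>` elements into one alternation, so the pattern is presumably meant to be `terminated without error|can't verify hostname: getaddrinfo|PPM exceeds tolerance`. A one-line comment above the rule would make that intent explicit, e.g. `<!-- consecutive <match> elements are concatenated by the loader; the trailing '|' joins the alternatives -->`. Since this is a level-0 suppression of rule 1002, a wrong split here would silently widen what gets ignored, which is worth confirming against the loader. The description also ends with a doubled period (`rule 1002..`).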
<match>^Authentication passed</match>
<description>Pop3 Authentication passed.</description>
</rule>
+
+ <rule id="2507" level="0">
+ <decoded_as>openldap</decoded_as>
+ <description>OpenLDAP group.</description>
+ </rule>
+
+ <rule id="2508" level="3">
+ <if_sid>2507</if_sid>
+ <match>ACCEPT from</match>
+ <description>OpenLDAP connection open.</description>
+ </rule>
+
+ <rule id="2509" level="5" timeframe="10" frequency="0">
+ <if_sid>2507</if_sid>
+ <if_matched_sid>2508</if_matched_sid>
+ <same_id />
+ <match>RESULT tag=97 err=49</match>
+ <description>OpenLDAP authentication failed.</description>
+ </rule>
+
</group> <!-- SYSLOG,ACESSCONTROL -->
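Review bot: Rule 2509 carries no `<group>` tag, so an OpenLDAP bind failure (`RESULT tag=97 err=49`, invalid credentials) is not classified as an authentication failure the way other rules in this file classify their events (compare the `<group>service_availability,</group>` and `<group>config_changed,</group>` tags in the surrounding context); adding `<group>authentication_failed,</group>` lets any generic composite rules keyed on that group see these events. The `timeframe="10" frequency="0"` pair with `<if_matched_sid>2508</if_matched_sid>` appears to fire on every single failed bind that follows a connection open from the same id, so as written this is a per-event level-5 alert rather than a repeated-failure threshold; if the intent is brute-force detection, a separate rule with a non-zero `frequency` over a longer timeframe would be the usual shape, and a comment stating which of the two is intended would help. The group label in the closing comment is spelled `ACESSCONTROL`.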
<rule id="5111" level="0">
<if_sid>5100</if_sid>
- <match>ipw2200: Firmware error detected.</match>
+ <match>ipw2200: Firmware error detected.| ACPI Error</match>
<description>Kernel device error.</description>
</rule>
<options>alert_by_email</options>
<description>First time (su) is executed by user.</description>
</rule>
+
+ <rule id="5306" level="0">
+ <if_sid>5300</if_sid>
+ <match>unknown class</match>
+ <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+ <description>A user has attempted to su to an unknown class.</description>
+ </rule>
+
</group> <!-- SYSLOG,SU -->
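Review bot: Rule 5306 is `level="0"`, which suppresses the event entirely, yet its `<info>` and `<description>` describe a failed su attempt caused by an inappropriate login class, so the audit trail for that failure disappears. If the intent is to treat this as noise, a comment saying so would be useful, e.g. `<!-- level 0: login-class misconfiguration noise, not treated as a failed su -->`; otherwise a low non-zero level keeps it visible without paging anyone.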
<group>config_changed,</group>
<description>Yum package deleted.</description>
</rule>
+
+ <!-- SCSI CONTROLLER -->
+ <rule id="2935" level="0" noalert="1">
+ <if_sid>5100</if_sid>
+ <id>mptscsih</id>
+ <description>Grouping for the mptscrih rules.</description>
+ </rule>
+
+ <rule id="2936" level="0" noalert="1">
+ <if_sid>5100</if_sid>
+ <id>mptbase</id>
+ <description>Grouping for the mptbase rules.</description>
+ </rule>
+
+ <rule id="2937" level="12">
+ <if_sid>2935</if_sid>
+ <status>FAILED</status>
+ <description>Posible Disk failure. SCSI controller error.</description>
+ </rule>
+
+ <rule id="2938" level="12">
+ <if_sid>2936</if_sid>
+ <action>failed</action>
+ <description>SCSI RAID ARRAY ERROR, drive failed.</description>
+ </rule>
+
+ <rule id="2939" level="12">
+ <if_sid>2936</if_sid>
+ <action>degraded</action>
+ <description>SCSI RAID is now in a degraded status.</description>
+ </rule>
+
</group>
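Review bot: The description of rule 2935 says `Grouping for the mptscrih rules.` while the `<id>` it matches on the line above is `mptscsih`, so the two disagree; the description should read `Grouping for the mptscsih rules.`. Rule 2937's description has `Posible Disk failure` for `Possible`. The `<id>`, `<status>` and `<action>` fields these five rules match on are decoder-extracted fields rather than raw text, so presumably the kernel decoder for rule 5100 populates them for the mpt driver messages; a short comment under `<!-- SCSI CONTROLLER -->` naming which decoder is expected to supply them would let a reviewer verify the level-12 alerts actually trigger. The rules also sit in the group that ends with the yum package events rather than a kernel or device group, which may be intentional but is worth a note.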