+++ /dev/null
-OSSEC HIDS v0.9
-Copyright (C) 2009 Trend Micro Inc.
-
-
-
---- Rules Classification ---
-
-
--- Classification --
-
-The rules are classified in multiple levels. From the lowest (00) to the maximum
-level 16. Some levels are not used right now. Other levels can be added between
-them or after them.
-
-**The rules will be read from the highest to the lowest level. **
-
-00 - Ignored - No action taken. Used to avoid false positives. These rules
- are scanned before all the others. They include events with no
- security relevance.
-01 - None -
-02 - System low priority notification - System notification or
- status messages. They have no security relevance.
-03 - Successful/Authorized events - They include successful login attempts,
- firewall allow events, etc.
-04 - System low priority error - Errors related to bad configurations or
- unused devices/applications. They have no security relevance and
- are usually caused by default installations or software testing.
-05 - User generated error - They include missed passwords, denied
- actions, etc. By itself they have no security relevance.
-06 - Low relevance attack - They indicate a worm or a virus that have
- no affect to the system (like code red for apache servers, etc).
- They also include frequently IDS events and frequently errors.
-07 - "Bad word" matching. They include words like "bad", "error", etc.
- These events are most of the time unclassified and may have
- some security relevance.
-08 - First time seen - Include first time seen events. First time
- an IDS event is fired or the first time an user logged in.
- If you just started using OSSEC HIDS these messages will
- probably be frequently. After a while they should go away.
- It also includes security relevant actions (like the starting
- of a sniffer or something like that).
-09 - Error from invalid source - Include attempts to login as
- an unknown user or from an invalid source. May have security
- relevance (specially if repeated). They also include errors
- regarding the "admin" (root) account.
-10 - Multiple user generated errors - They include multiple bad
- passwords, multiple failed logins, etc. They may indicate an
- attack or may just be that a user just forgot his credentials.
-11 - Integrity checking warning - They include messages regarding
- the modification of binaries or the presence of rootkits (by
- rootcheck). If you just modified your system configuration
- you should be fine regarding the "syscheck" messages. They
- may indicate a successful attack. Also included IDS events
- that will be ignored (high number of repetitions).
-12 - High importancy event - They include error or warning messages
- from the system, kernel, etc. They may indicate an attack against
- a specific application.
-13 - Unusual error (high importance) - Most of the times it matches a
- common attack pattern.
-14 - High importance security event. Most of the times done with
- correlation and it indicates an attack.
-15 - Severe attack - No chances of false positives. Immediate
- attention is necessary.
-
-
-== Rules Group ==
-
--We can specify groups for specific rules. It's used for active
-response reasons and for correlation.
-- We currently use the following groups:
-
-- invalid_login
-- authentication_success
-- authentication_failed
-- connection_attempt
-- attacks
-- adduser
-- sshd
-- ids
-- firewall
-- squid
-- apache
-- syslog
-
-
-
-== Rules Config ==
-
-http://www.ossec.net/en/manual.html#rules
-