X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Frules.txt;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Frules.txt;h=1fa2f9e21b823c81b24f983d96dbbdceb9d03afc;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt b/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt new file mode 100644 index 0000000..1fa2f9e --- /dev/null +++ b/debian/ossec-hids/usr/share/doc/ossec-hids/rules.txt 
@@ -0,0 +1,90 @@ +OSSEC HIDS v0.9 +Copyright (C) 2009 Trend Micro Inc. + + + +--- Rules Classification --- + + +-- Classification -- + +The rules are classified in multiple levels. From the lowest (00) to the maximum +level 16. Some levels are not used right now. Other levels can be added between +them or after them. + +**The rules will be read from the highest to the lowest level. ** + +00 - Ignored - No action taken. Used to avoid false positives. These rules + are scanned before all the others. They include events with no + security relevance. +01 - None - +02 - System low priority notification - System notification or + status messages. They have no security relevance. +03 - Successful/Authorized events - They include successful login attempts, + firewall allow events, etc. +04 - System low priority error - Errors related to bad configurations or + unused devices/applications. They have no security relevance and + are usually caused by default installations or software testing. +05 - User generated error - They include missed passwords, denied + actions, etc. By itself they have no security relevance. +06 - Low relevance attack - They indicate a worm or a virus that have + no affect to the system (like code red for apache servers, etc). + They also include frequently IDS events and frequently errors. +07 - "Bad word" matching. They include words like "bad", "error", etc. + These events are most of the time unclassified and may have + some security relevance. +08 - First time seen - Include first time seen events. First time + an IDS event is fired or the first time an user logged in. + If you just started using OSSEC HIDS these messages will + probably be frequently. After a while they should go away. + It also includes security relevant actions (like the starting + of a sniffer or something like that). +09 - Error from invalid source - Include attempts to login as + an unknown user or from an invalid source. 
May have security + relevance (specially if repeated). They also include errors + regarding the "admin" (root) account. +10 - Multiple user generated errors - They include multiple bad + passwords, multiple failed logins, etc. They may indicate an + attack or may just be that a user just forgot his credentials. +11 - Integrity checking warning - They include messages regarding + the modification of binaries or the presence of rootkits (by + rootcheck). If you just modified your system configuration + you should be fine regarding the "syscheck" messages. They + may indicate a successful attack. Also included IDS events + that will be ignored (high number of repetitions). +12 - High importancy event - They include error or warning messages + from the system, kernel, etc. They may indicate an attack against + a specific application. +13 - Unusual error (high importance) - Most of the times it matches a + common attack pattern. +14 - High importance security event. Most of the times done with + correlation and it indicates an attack. +15 - Severe attack - No chances of false positives. Immediate + attention is necessary. + + +== Rules Group == + +-We can specify groups for specific rules. It's used for active +response reasons and for correlation. +- We currently use the following groups: + +- invalid_login +- authentication_success +- authentication_failed +- connection_attempt +- attacks +- adduser +- sshd +- ids +- firewall +- squid +- apache +- syslog + + + +== Rules Config == + +http://www.ossec.net/en/manual.html#rules +
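Review bot: the classification text contradicts itself on evaluation order. The bold line states "The rules will be read from the highest to the lowest level", yet the level 00 entry says those rules "are scanned before all the others", and the intro claims levels run "From the lowest (00) to the maximum level 16" while the list ends at 15 with no level 16 described. Suggest settling on one statement of order (the level-00 description matches the stated purpose of suppressing false positives early) and either documenting level 16 or changing "maximum level 16" to match the list. Two smaller points on the same hunk: the file lands under `debian/ossec-hids/usr/share/doc/ossec-hids/`, which is the package build staging tree rather than a source path, so check this is meant to be committed rather than generated at build time; and the text has several wording errors worth fixing before it ships as user-facing documentation ("High importancy event", "have no affect to the system", "frequently errors", "will probably be frequently", "specially if repeated", and the inconsistent "-We"/"- We" bullet spacing in the Rules Group section).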