X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fattack_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fattack_rules.xml;h=5cdfeda3ee16e1c37db2622a2d31fbc8d3fe5817;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git
diff --git a/debian/ossec-hids/var/ossec/rules/attack_rules.xml b/debian/ossec-hids/var/ossec/rules/attack_rules.xml
new file mode 100644
index 0000000..5cdfeda
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/attack_rules.xml
@@ -0,0 +1,122 @@
+
+
+
+
+^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$
+
+
+
+
+
+ authentication_success
+ $SYS_USERS
+ System user successfully logged to the system.
+ invalid_login,
+
+
+
+ ^rpc.statd[\d+]: gethostbyname error for \W+
+ Buffer overflow attack on rpc.statd
+ exploit_attempt,
+
+
+
+ ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh
+ Buffer overflow on WU-FTPD versions prior to 2.6
+ exploit_attempt,
+
+
+
+ ?????????????????????
+ Possible buffer overflow attempt.
+ exploit_attempt,
+
+
+
+ changed by \(\(null\)
+ "Null" user changed some information.
+ exploit_attempt,
+
+
+
+ @@@@@@@@@@@@@@@@@@@@@@@@@
+ Buffer overflow attempt (probably on yppasswd).
+ exploit_attempt,
+
+
+
+ cachefsd: Segmentation Fault - core dumped
+ Heap overflow in the Solaris cachefsd service.
+ 2002-0033
+ exploit_attempt,
+
+
+
+ attempt to execute code on stack by
+ Stack overflow attempt or program exiting
+ with SEGV (Solaris).
+ http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html
+ exploit_attempt,
+
+
+
+ authentication_failed
+ Multiple authentication failures.
+ authentication_failures,
+
+
+
+ authentication_success
+ authentication_failures
+
+ Multiple authentication failures followed
+ by a success.
+
+
+
+ virus
+ Multiple viruses detected - Possible outbreak.
+ virus,
+
+
+
+
+
+
+
+
+
+ adduser
+ attacks
+ Attacks followed by the addition
+ of an user.
+
+
+
+
+
+
+
+
+ connection_attempt
+ Network scan from same source ip.
+
+ http://project.honeynet.org/papers/enemy2/
+
+
+
+
+