X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fms_dhcp_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fms_dhcp_rules.xml;h=c0c8385f91a05b98fd33e48d3b30fbafe9d8a9e7;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml
new file mode 100644
index 0000000..c0c8385
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/ms_dhcp_rules.xml
@@ -0,0 +1,436 @@
+
+<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
+  -  Author: phishphreek@gmail.com
+  -  License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
+  -->
+
+  
+<!--Server 2003 and 2008 IPv4 Event ID  Meaning 
+00        The log was started.
+01        The log was stopped.
+02        The log was temporarily paused due to low disk space.
+10        A new IP address was leased to a client.
+11        A lease was renewed by a client.
+12        A lease was released by a client.
+13        An IP address was found to be in use on the network.
+14        A lease request could not be satisfied because the scope's address pool was exhausted.
+15        A lease was denied.
+16        A lease was deleted.
+17        A lease was expired.
+18	A lease was expired and DNS records were deleted. (Server 2008 Only)
+20        A BOOTP address was leased to a client.
+21        A dynamic BOOTP address was leased to a client.
+22        A BOOTP request could not be satisfied because the scope's  address pool for BOOTP was exhausted.
+23        A BOOTP IP address was deleted after checking to see it was not in use.
+24        IP address cleanup operation has began.
+25        IP address cleanup statistics.
+30        DNS update request to the named DNS server
+31        DNS update failed
+32        DNS update successful
+33	Packet dropped due to NAP policy. Server 2008 Only)
+50+       Codes above 50 are used for Rogue Server Detection information.
+-->
+
+
+<!--Server 2003 IPv4 Log Sample 
+ID,Date,Time,Description,IP Address,Host Name,MAC Address
+24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
+31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
+30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
+25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
+11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
+32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
+15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
+10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
+12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
+18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
+17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
+-->
+
+
+<group name="windows,dhcp,">
+  <rule id="6300" level="0">
+    <decoded_as>ms-dhcp-ipv4</decoded_as>
+    <description>Grouping for the MS-DHCP rules.</description>
+  </rule>
+  
+  <rule id="6301" level="2">
+	<if_sid>6300</if_sid>
+	<id>^00</id>
+    <description>The log was started.</description>
+    <group>service_start,</group>
+  </rule>
+  
+  <rule id="6302" level="3">
+	<if_sid>6300</if_sid>
+	<id>^01</id>
+    <description>The log was stopped.</description>
+    <group>service_availability,</group>
+  </rule>
+  
+  <rule id="6303" level="10">
+	<if_sid>6300</if_sid>
+	<id>^02</id>
+    <description>The log was temporarily paused due to low disk space.</description>
+    <group>system_error,</group>
+  </rule>
+
+  <rule id="6304" level="0">
+	<if_sid>6300</if_sid>
+	<id>^10</id>
+    <description>A new IP address was leased to a client.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+ 
+  <rule id="6305" level="0">
+	<if_sid>6300</if_sid>
+	<id>^11</id>
+    <description>A lease was renewed by a client.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6306" level="0">
+	<if_sid>6300</if_sid>
+	<id>^12</id>
+    <description>A lease was released by a client.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6307" level="0">
+	<if_sid>6300</if_sid>
+	<id>^13</id>
+    <description>An IP address was found to be in use on the network.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6308" level="12">
+	<if_sid>6300</if_sid>
+	<id>^14</id>
+    <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
+    <group>service_availability,dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6309" level="7">
+	<if_sid>6300</if_sid>
+	<id>^15</id>
+    <description>A lease was denied.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6310" level="0">
+	<if_sid>6300</if_sid>
+	<id>^16</id>
+    <description>A lease was deleted.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6311" level="0">
+	<if_sid>6300</if_sid>
+	<id>^17</id>
+    <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6322" level="0">
+	<if_sid>6300</if_sid>
+	<id>^18</id>
+    <description>A lease was expired and DNS records were deleted.</description>
+    <group>dhcp_lease_action,dhcp_dns_maintenance</group>
+  </rule>
+  
+  <rule id="6312" level="0">
+	<if_sid>6300</if_sid>
+	<id>^20</id>
+    <description>A BOOTP address was leased to a client.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6313" level="0">
+	<if_sid>6300</if_sid>
+	<id>^21</id>
+    <description>A dynamic BOOTP address was leased to a client.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  
+  <rule id="6314" level="10">
+	<if_sid>6300</if_sid>
+	<id>^22</id>
+    <description>A BOOTP request could not be satisfied because the scope's  address pool for BOOTP was exhausted.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+  
+  <rule id="6315" level="0">
+	<if_sid>6300</if_sid>
+	<id>^23</id>
+    <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
+    <group>dhcp_lease_action,</group>
+  </rule>
+
+  <rule id="6316" level="3">
+	<if_sid>6300</if_sid>
+	<id>^24</id>
+    <description>IP address cleanup operation has began.</description>
+    <group>dhcp_maintenance,</group>
+  </rule>
+
+  <rule id="6317" level="2">
+	<if_sid>6300</if_sid>
+	<id>^25</id>
+    <description>IP address cleanup statistics.</description>
+    <group>dhcp_maintenance,</group>
+  </rule>
+  
+  <rule id="6318" level="0">
+	<if_sid>6300</if_sid>
+	<id>^30</id>
+    <description>DNS update request to the named DNS server.</description>
+    <group>dhcp_dns_maintenance,</group>
+  </rule>
+  
+  <rule id="6319" level="7">
+	<if_sid>6300</if_sid>
+	<id>^31</id>
+    <description>DNS update failed.</description>
+    <group>dhcp_dns_maintenance,</group>
+  </rule>
+  
+  <rule id="6320" level="0">
+	<if_sid>6300</if_sid>
+	<id>^32</id>
+    <description>DNS update successful.</description>
+    <group>dhcp_dns_maintenance,</group>
+  </rule>  
+  
+  <rule id="6323" level="12">
+	<if_sid>6300</if_sid>
+	<id>^33</id>
+    <description>Packet dropped due to NAP policy.</description>
+    <group>dhcp_lease_action,</group>
+
+  </rule>  
+  
+  <rule id="6321" level="12">
+	<if_sid>6300</if_sid>
+	<id>^5</id>
+    <description>Codes above 50 are used for Rogue Server Detection information.</description>
+    <group>dhcp_rogue_server,</group>
+  </rule>  
+
+
+
+<!--
+Server 2008 IPv6 Event ID  Meaning
+11000	Solicit.
+11001		Advertise.
+11002	Request.
+11003	Confirm.
+11004	Renew.
+11005	Rebind.
+11006	Decline.
+11007	Release.
+11008	Information Request.
+11009	Scope Full.
+11010		Started.
+11011		Stopped.
+11012		Audit log paused.
+11013		DHCP Log File.
+11014		Bad Address.
+11015		Address is already in use.
+11016		Client deleted.
+11017		DNS record not deleted.
+11018		Expired.
+11019		Expired and Deleted count.
+11020	Database cleanup begin.
+11021		Database cleanup end.
+11023	Service not authorized in AD.
+11024	Service authorized in AD.
+11025	Service has not determined if it authorized in AD.
+-->
+<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
+11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
+11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
+11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
+11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
+11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
+-->  
+
+  <rule id="6350" level="0">
+    <decoded_as>ms-dhcp-ipv6</decoded_as>
+    <description>Grouping for the MS-DHCP rules.</description>
+  </rule>
+  
+  <rule id="6351" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11000</id>
+    <description>Solicit.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6352" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11001|^11002</id>
+    <description>Advertise.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6354" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11003</id>
+    <description>Confirm.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+
+  <rule id="6355" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11004</id>
+    <description>Renew.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6356" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11005</id>
+    <description>Rebind.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+
+  
+  <rule id="6357" level="7">
+	<if_sid>6350</if_sid>
+	<id>^11006</id>
+    <description>DHCP Decline.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6358" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11007</id>
+    <description>Release.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6359" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11008</id>
+    <description>Information Request.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6360" level="12">
+	<if_sid>6350</if_sid>
+	<id>^11009</id>
+    <description>Scope Full.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6361" level="3">
+	<if_sid>6350</if_sid>
+	<id>^11010</id>
+    <description>Started.</description>
+    <group>service_start,</group>
+  </rule>
+  
+  <rule id="6362" level="7">
+	<if_sid>6350</if_sid>
+	<id>^11011</id>
+    <description>Stopped.</description>
+    <group>service_availability,</group>
+  </rule>
+  
+  <rule id="6363" level="10">
+	<if_sid>6350</if_sid>
+	<id>^11012</id>
+    <description>Audit log paused.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  
+  <rule id="6364" level="7">
+	<if_sid>6350</if_sid>
+	<id>^11013</id>
+    <description>DHCP Log File.</description>
+    <group>system_error,</group>
+  </rule>
+  
+  <rule id="6365" level="7">
+	<if_sid>6350</if_sid>
+	<id>^11014</id>
+    <description>Bad Address.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6366" level="4">
+	<if_sid>6350</if_sid>
+	<id>^11015</id>
+    <description>Address is already in use.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6367" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11016</id>
+    <description>Client deleted.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+
+  <rule id="6368" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11017</id>
+    <description>DNS record not deleted.</description>
+    <group>dhcp_ipv6,</group>
+  </rule> 
+  
+  <rule id="6369" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11018</id>
+    <description>Expired.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+
+  <rule id="6370" level="0">
+	<if_sid>6350</if_sid>
+	<id>^11019</id>
+    <description>Expired and Deleted count.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6371" level="2">
+	<if_sid>6350</if_sid>
+	<id>^11020</id>
+    <description>Database cleanup begin.</description>
+    <group>dhcp_ipv6,</group>
+
+  </rule> 
+  
+  <rule id="6372" level="2">
+	<if_sid>6350</if_sid>
+	<id>^11021</id>
+    <description>Database cleanup end.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+
+  <rule id="6373" level="12">
+	<if_sid>6350</if_sid>
+	<id>^11023</id>
+    <description>Service not authorized in AD.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6374" level="3">
+	<if_sid>6350</if_sid>
+	<id>^11024</id>
+    <description>Service authorized in AD.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>
+  
+  <rule id="6376" level="12">
+	<if_sid>6350</if_sid>
+	<id>^11025</id>
+    <description>Service has not determined if it is authorized in AD.</description>
+    <group>dhcp_ipv6,</group>
+  </rule>  
+</group>
+