X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fms_ipsec_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fms_ipsec_rules.xml;h=07f43001ecbe63977e8ac069cc6ed66ea0eab98b;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml b/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml
new file mode 100644
index 0000000..07f4300
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/ms_ipsec_rules.xml
@@ -0,0 +1,149 @@
+<!-- OSSEC Rules for Windows Firewall - https://www.csoonline.com/article/2619761/security/what-to-monitor-to-stop-hacker-and-malware-attacks.html?page=3, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor -->
+
+
+<group name="windows, ipsec,">
+
+  <rule id="18651" level="8">
+    <if_sid>18104</if_sid>
+    <id>^4646$</id>
+    <description>IKE DoS-prevention mode started</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18652" level="8">
+    <if_sid>18105</if_sid>
+    <id>^4652$|^4653$</id>
+    <description>An IPsec Main Mode negotiation failed</description>
+    <group>windows,</group>
+   </rule>
+
+
+  <rule id="18653" level="8">
+    <if_sid>18105</if_sid>
+    <id>^4654$</id>
+    <description>An IPsec Quick Mode negotiation failed</description>
+    <group>windows,</group>
+  </rule>
+
+	
+  <rule id="18654" level="8">
+    <if_sid>18104</if_sid>
+    <id>^4983$|^4984$</id>
+    <description>An IPsec Extended Mode negotiation failed</description>
+    <group>windows,</group>
+  </rule>
+
+  
+  <rule id="18655" level="4">
+    <if_sid>18104</if_sid>
+    <id>^4960$</id>
+    <description>IPsec dropped an inbound packet that failed an integrity check</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18656" level="8">
+    <if_sid>18104</if_sid>
+    <id>^4961$|^4962$</id>
+    <description>IPsec dropped an inbound packet that failed a replay check</description>
+    <group>windows,</group>
+  </rule>
+	
+
+  <rule id="18657" level="8">
+    <if_sid>18104</if_sid>
+    <id>^4963$</id>
+    <description>IPsec dropped an inbound clear text packet that should have been secured</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18658" level="4">
+    <if_sid>18104</if_sid>
+    <id>^4965$</id>
+    <description>IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18659" level="7">
+    <if_sid>18104</if_sid>
+    <id>^4976$</id>
+    <description>During Main Mode negotiation, IPsec received an invalid negotiation packet</description>
+    <group>windows,</group>
+   </rule>
+
+
+  <rule id="18660" level="7">
+    <if_sid>18104</if_sid>
+    <id>^4977$</id>
+    <description>During Quick Mode negotiation, IPsec received an invalid negotiation packet</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18661" level="7">
+    <if_sid>18104</if_sid>
+    <id>^4978$</id> 
+    <description>During Extended Mode negotiation, IPsec received an invalid negotiation packet</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18662" level="8">
+    <if_sid>18104</if_sid>
+    <id>^5453$</id>
+    <description>An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18663" level="8">
+    <if_sid>18105</if_sid>
+    <id>^5480$</id>
+    <description>IPsec Services failed to get the complete list of network interfaces on the computer</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18664" level="8">
+    <if_sid>18105</if_sid>
+    <id>^5483$</id>
+    <description>IPsec Services failed to initialize RPC server. IPsec Services could not be started</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18665" level="8">
+    <if_sid>18105</if_sid>
+    <id>^5484$</id>
+    <description>IPsec Services has experienced a critical failure and has been shut down</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18666" level="8">
+    <if_sid>18105</if_sid>
+    <id>^5485$</id>
+    <description>IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18667" level="8">
+    <if_sid>18104</if_sid>
+    <id>^4710$</id>
+    <description>IPsec Services was disabled</description>
+    <group>windows,</group>
+  </rule>
+
+
+  <rule id="18668" level="8">
+    <if_sid>18105</if_sid>
+    <id>^4712$</id>
+    <description>IPsec Services encountered a potentially serious failure</description>
+    <group>windows,</group>
+   </rule>
+	
+</group>