X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fnginx_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fnginx_rules.xml;h=96ab323ec8f66e918fb784b93ee95407179f11f0;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/nginx_rules.xml b/debian/ossec-hids/var/ossec/rules/nginx_rules.xml
new file mode 100644
index 0000000..96ab323
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/nginx_rules.xml
@@ -0,0 +1,88 @@
+<!-- @(#) $Id: ./etc/rules/nginx_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Official Nginx rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+                        
+
+<group name="apache,">
+  <rule id="31300" level="0">
+    <decoded_as>nginx-errorlog</decoded_as>
+    <description>Nginx messages grouped.</description>
+  </rule>    
+
+  <rule id="31301" level="3">
+    <if_sid>31300</if_sid>
+    <regex>^\S+ \S+ [error] </regex>
+    <description>Nginx error message.</description>
+  </rule>
+  
+  <rule id="31302" level="3">
+    <if_sid>31300</if_sid>
+    <regex>^\S+ \S+ [warn] </regex>
+    <description>Nginx warning message.</description>
+  </rule>
+  
+  <rule id="31303" level="5">
+    <if_sid>31300</if_sid>
+    <regex>^\S+ \S+ [crit] </regex>
+    <description>Nginx critical message.</description>
+  </rule>
+
+  <rule id="31310" level="0">
+    <if_sid>31301</if_sid>
+    <match>failed (2: No such file or directory)|is not found (2: No such file or directory)</match>
+    <description>Server returned 404 (reported in the access.log).</description>
+  </rule>
+
+  <rule id="31311" level="0">
+    <if_sid>31301</if_sid>
+    <match>accept() failed (53: Software caused connection abort)</match>
+    <description>Incomplete client request.</description>
+  </rule>
+
+  <rule id="31312" level="0">
+    <if_sid>31301</if_sid>
+    <match>no user/password was provided for basic authentication</match>
+    <description>Initial 401 authentication request.</description>
+  </rule>
+
+  <rule id="31315" level="5">
+    <if_sid>31301</if_sid>
+    <match> password mismatch, client| was not found in </match>
+    <description>Web authentication failed.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="31316" level="10" frequency="6" timeframe="240">
+    <if_matched_sid>31315</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple web authentication failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="31317" level="0">
+    <if_sid>31303</if_sid>
+    <match>failed (2: No such file or directory</match>
+    <description>Common cache error when files were removed.</description>
+  </rule>
+
+  <rule id="31320" level="10">
+    <if_sid>31301</if_sid>
+    <match>failed (36: File name too long)</match>
+    <description>Invalid URI, file name too long.</description>
+    <group>invalid_request,</group>
+  </rule>
+</group> <!-- ERROR_LOG,NGINX -->
+
+<!-- EOF -->
+