X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fopenbsd-dhcpd_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fopenbsd-dhcpd_rules.xml;h=4aa4251c0ebe2b05621a005a8007da0bded9f362;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml b/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml
new file mode 100644
index 0000000..4aa4251
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/openbsd-dhcpd_rules.xml
@@ -0,0 +1,84 @@
+<!-- OpenBSD dhcpd -->
+<!--
+Aug 10 09:45:28 junction dhcpd[2042]: DHCPREQUEST for 192.168.17.154 from b4:b5:2f:15:4c:ec via sk0
+Aug 10 09:45:28 junction dhcpd[2042]: DHCPACK on 192.168.17.154 to b4:b5:2f:15:4c:ec via sk0
+-->
+
+<group name="syslog,dhcpd,">
+  <rule id="53000" level="0">
+    <decoded_as>dhcpd</decoded_as>
+    <description>dhcpd grouping.</description>
+  </rule>
+
+  <rule id="53001" level="1">
+    <if_sid>53000</if_sid>
+    <match>^DHCPREQUEST|^DHCPOFFER |^DHCPDISCOVER|^DHCPACK</match>
+    <description>Normal dhcp.</description>
+  </rule>
+
+  <rule id="53003" level="5">
+    <if_sid>53000</if_sid>
+    <match>answers a ping after sending a release|Possible release spoof</match>
+    <description>A host issued a release but is responding to pings.</description>
+  </rule>
+
+  <rule id="53004" level="1">
+    <if_sid>53000</if_sid>
+    <match>expecting left brace.$|</match>
+    <match>fixed-address parameter not allowed here.$|</match>
+    <match>parameters not allowed after first declaration.$|</match>
+    <match>Configuration file errors encountered</match>
+    <description>Configuration errors.</description>
+  </rule>
+
+  <rule id="53005" level="3">
+    <if_sid>53000</if_sid>
+    <match>exiting.$</match>
+    <description>dhcpd is exiting.</description>
+  </rule>
+
+  <rule id="53006" level="1">
+    <if_sid>53000</if_sid>
+    <match>Can't listen on </match>
+    <description>dhcpd cannot listen to an interface.</description>
+  </rule>
+
+  <rule id="53007" level="1">
+    <if_sid>53006</if_sid>
+    <match>has no subnet declaration for</match>
+    <description>dhcpd is not configured to listen to an interface.</description>
+  </rule>
+
+  <rule id="53008" level="1">
+    <if_sid>53000</if_sid>
+    <match>Listening on </match>
+    <description>dhcpd has been started.</description>
+  </rule>
+
+  <rule id="53009" level="0">
+    <if_sid>53000</if_sid>
+    <match>^Address range </match>
+    <description>Message with address range.</description>
+  </rule>
+
+  <rule id="53010" level="2">
+    <if_sid>53009</if_sid>
+    <match> not on net </match>
+    <description>Defined address range is not on the configured network.</description>
+  </rule>
+
+  <rule id="53011" level="7">
+    <if_sid>53000</if_sid>
+    <match>^no free leases</match>
+    <description>DHCP server has run out of leases.</description>
+  </rule>
+
+  <rule id="53013" level="2">
+    <if_sid>53000</if_sid>
+    <match>^already acking lease </match>
+    <description>Multiple acks.</description>
+  </rule>
+
+
+</group>
+