X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fossec_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fossec_rules.xml;h=7de90f58a88d0c83b96fde64a3f545fb1388aeca;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=0000000000000000000000000000000000000000;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/ossec_rules.xml b/debian/ossec-hids/var/ossec/rules/ossec_rules.xml
new file mode 100644
index 0000000..7de90f5
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/ossec_rules.xml
@@ -0,0 +1,362 @@
+<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
+
+  -  Official ossec rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+
+
+
+<group name="ossec,">
+  <rule id="500" level="0">
+    <category>ossec</category>
+    <decoded_as>ossec</decoded_as>
+    <description>Grouping of ossec rules.</description>
+  </rule>
+  
+  <rule id="501" level="3">
+    <if_sid>500</if_sid>
+    <if_fts />
+    <options>alert_by_email</options>
+    <match>Agent started</match>
+    <description>New ossec agent connected.</description>
+  </rule>
+  
+  <rule id="502" level="3">
+    <if_sid>500</if_sid>
+    <options>alert_by_email</options>
+    <match>Ossec started</match>
+    <description>Ossec server started.</description>
+  </rule>
+
+  <rule id="503" level="3">
+    <if_sid>500</if_sid>
+    <options>alert_by_email</options>
+    <match>Agent started</match>
+    <description>Ossec agent started.</description>
+  </rule>
+
+  <rule id="504" level="3">
+    <if_sid>500</if_sid>
+    <options>alert_by_email</options>
+    <match>Agent disconnected</match>
+    <description>Ossec agent disconnected.</description>
+  </rule>
+  
+  <rule id="509" level="0">
+    <category>ossec</category>
+    <decoded_as>rootcheck</decoded_as>
+    <description>Rootcheck event.</description>
+    <group>rootcheck,</group>
+  </rule>
+
+  <rule id="510" level="7">
+    <if_sid>509</if_sid>
+    <description>Host-based anomaly detection event (rootcheck).</description>
+    <group>rootcheck,</group>
+    <if_fts />
+  </rule>
+
+  <rule id="511" level="0">
+    <if_sid>510</if_sid>
+    <match>^NTFS Alternate data stream found</match>
+    <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex>
+    <regex>Exchsrvr/Mailroot/vsi</regex>
+    <description>Ignored common NTFS ADS entries.</description>
+    <group>rootcheck,</group>
+  </rule>
+
+  <rule id="512" level="3">
+    <if_sid>510</if_sid>
+    <match>^Windows Audit</match>
+    <description>Windows Audit event.</description>
+    <group>rootcheck,</group>
+  </rule>
+  
+  <rule id="513" level="9">
+    <if_sid>510</if_sid>
+    <match>^Windows Malware</match>
+    <description>Windows malware detected.</description>
+    <group>rootcheck,</group>
+  </rule>
+  
+  <rule id="514" level="2">
+    <if_sid>510</if_sid>
+    <match>^Application Found</match>
+    <description>Windows application monitor event.</description>
+    <group>rootcheck,</group>
+  </rule>
+
+  <rule id="515" level="0">
+    <if_sid>510</if_sid>
+    <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
+    <match>^Starting syscheck scan|^Ending syscheck scan.</match>
+    <description>Ignoring rootcheck/syscheck scan messages.</description>
+    <group>rootcheck,syscheck</group>
+  </rule>
+
+  <rule id="516" level="3">
+    <if_sid>510</if_sid>
+    <match>^System Audit</match>
+    <description>System Audit event.</description>
+    <group>rootcheck,</group>
+  </rule>
+  
+  <rule id="518" level="9">
+    <if_sid>514</if_sid>
+    <match>Adware|Spyware</match>
+    <description>Windows Adware/Spyware application found.</description>
+    <group>rootcheck,</group>
+  </rule>
+
+  <rule id="519" level="7">
+    <if_sid>516</if_sid>
+    <match>^System Audit: Web vulnerability</match>
+    <description>System Audit: Vulnerable web application found.</description>
+    <group>rootcheck,</group>
+  </rule>
+
+  <!-- Process monitoring rules -->
+  <rule id="530" level="0">
+    <if_sid>500</if_sid>
+    <match>^ossec: output: </match>
+    <description>OSSEC process monitoring rules.</description>
+    <group>process_monitor,</group>
+  </rule>
+
+  <rule id="531" level="7" ignore="7200">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'df -P': /dev/</match>
+    <regex>100%</regex>
+    <description>Partition usage reached 100% (disk space monitor).</description> 
+    <group>low_diskspace,</group>
+  </rule>
+
+ <rule id="532" level="0">
+    <if_sid>531</if_sid>
+    <match>cdrom|/media|usb|/mount|floppy|dvd</match>
+    <description>Ignoring external medias.</description> 
+  </rule>
+
+  <rule id="533" level="7">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'netstat -tan</match>
+    <check_diff />
+    <description>Listened ports status (netstat) changed (new port opened or closed).</description> 
+  </rule>
+
+  <rule id="534" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'w'</match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of logged in users. It will not be alerted by default.</description> 
+  </rule>
+
+  <rule id="535" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'last -n </match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of the last logged in users.</description> 
+  </rule>
+
+  <rule id="550" level="7">
+    <category>ossec</category>
+    <decoded_as>syscheck_integrity_changed</decoded_as>
+    <description>Integrity checksum changed.</description>
+    <group>syscheck,</group>
+  </rule>
+  
+  <rule id="551" level="7">
+    <category>ossec</category>
+    <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
+    <description>Integrity checksum changed again (2nd time).</description>
+    <group>syscheck,</group>
+  </rule>
+  
+  <rule id="552" level="7">
+    <category>ossec</category>
+    <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
+    <description>Integrity checksum changed again (3rd time).</description>
+    <group>syscheck,</group>
+  </rule>
+  
+  <rule id="553" level="7">
+    <category>ossec</category>
+    <decoded_as>syscheck_deleted</decoded_as>
+    <description>File deleted. Unable to retrieve checksum.</description>
+    <group>syscheck,</group>
+  </rule>
+  
+  <rule id="554" level="5">
+    <category>ossec</category>
+    <decoded_as>syscheck_new_entry</decoded_as>
+    <description>File added to the system.</description>
+    <group>syscheck,</group>
+  </rule>
+
+  <rule id="555" level="7">
+    <if_sid>500</if_sid>
+    <match>^ossec: agentless: </match>
+    <description>Integrity checksum for agentless device changed.</description>
+    <group>syscheck,agentless</group>
+  </rule>
+
+  <!-- Hostinfo rules -->  
+  <rule id="580" level="8">
+    <category>ossec</category>
+    <decoded_as>hostinfo_modified</decoded_as>
+    <description>Host information changed.</description>
+    <group>hostinfo,</group>
+  </rule>
+  
+  <rule id="581" level="8">
+    <category>ossec</category>
+    <decoded_as>hostinfo_new</decoded_as>
+    <description>Host information added.</description>
+    <group>hostinfo,</group>
+  </rule>
+
+
+  <!-- File rotation/reducded rules -->
+  <rule id="591" level="3">
+    <if_sid>500</if_sid>
+    <match>^ossec: File rotated </match>
+    <description>Log file rotated.</description>
+  </rule>
+  
+  <rule id="592" level="8">
+    <if_sid>500</if_sid>
+    <match>^ossec: File size reduced</match>
+    <description>Log file size reduced.</description>
+    <group>attacks,</group>
+  </rule>
+
+  <rule id="593" level="9">
+    <if_sid>500</if_sid>
+    <match>^ossec: Event log cleared</match>
+    <description>Microsoft Event log cleared.</description>
+    <group>logs_cleared,</group>
+  </rule>
+
+  <rule id="594" level="5">
+    <category>ossec</category>
+    <if_sid>550</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed</description>
+  </rule>
+
+  <rule id="595" level="5">
+    <category>ossec</category>
+    <if_sid>551</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+  </rule>
+
+  <rule id="596" level="5">
+    <category>ossec</category>
+    <if_sid>552</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+  </rule>
+
+  <rule id="597" level="5">
+    <category>ossec</category>
+    <if_sid>553</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+  </rule>
+
+  <rule id="598" level="5">
+    <category>ossec</category>
+    <if_sid>554</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Added to the System</description>
+  </rule>
+
+<!-- active response rules
+Example:
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+  <rule id="600" level="0">
+    <decoded_as>ar_log</decoded_as>
+    <description>Active Response Messages Grouped</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="601" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>add</status>
+    <description>Host Blocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="602" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="603" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>add</status>
+    <description>Host Blocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="604" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="605" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>add</status>
+    <description>Host Blocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="606" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="700" level="0">
+    <category>ossec</category>
+    <decoded_as>ossec-logcollector</decoded_as>
+    <description>Logcollector Messages Grouped</description>
+  </rule>
+
+  <rule id="701" level="0">
+    <if_sid>700</if_sid>
+    <match>INFO: </match>
+    <description>Ignore informational messages (usually at startup)</description>
+  </rule>
+
+</group> <!-- OSSEC -->