X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fossec_rules.xml;h=2abebdb0d08fef606a33ca821c3d40c22748f285;hb=c41c816a22f0e06f1c2b0a91563f3d9a3bcdb82a;hp=7ec55593553349a0f0325b5c9c54a16e72a87867;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/ossec_rules.xml b/etc/rules/ossec_rules.xml
index 7ec5559..2abebdb 100755
--- a/etc/rules/ossec_rules.xml
+++ b/etc/rules/ossec_rules.xml
@@ -1,4 +1,5 @@
-
500
@@ -137,7 +145,30 @@
cdrom|/media|usb|/mount|floppy|dvd
Ignoring external medias.
-
+
+
+ 530
+ ossec: output: 'netstat -tan
+
+ Listened ports status (netstat) changed (new port opened or closed).
+
+
+
+ 530
+ ossec: output: 'w'
+
+ no_log
+ List of logged in users. It will not be alerted by default.
+
+
+
+ 530
+ ossec: output: 'last -n
+
+ no_log
+ List of the last logged in users.
+
+
ossec
syscheck_integrity_changed
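Review bot: The description `Listened ports status (netstat) changed (new port opened or closed)` only holds if the `netstat -tan` command that agent command-monitoring runs is filtered to listening sockets, since `netstat -tan` by itself also lists established connections and the match here is only a prefix on the command string; with an unfiltered command the rule fires on every client connection change, which is noise rather than a port-change signal. I would reword it to `Listening ports status (netstat) changed (new port opened or closed)` and add an XML comment above the rule such as `<!-- Expects the agent command to filter netstat output to LISTEN sockets; otherwise this fires on any TCP connection change. -->`. The `w` and `last -n` rules carry `no_log`, so a change in the logged-in-user list is neither alerted nor stored; a one-line comment saying this is deliberate would save the next maintainer re-checking it. The rule ids and levels of the three new rules are not visible in this plain blobdiff, so I am reading their structure from the `530` parent reference only.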
@@ -216,4 +247,104 @@
Microsoft Event log cleared.
logs_cleared,
+
+
+ ossec
+ 550
+ syscheck-registry
+ syscheck,
+ Registry Integrity Checksum Changed
+
+
+
+ ossec
+ 551
+ syscheck-registry
+ syscheck,
+ Registry Integrity Checksum Changed Again (2nd time)
+
+
+
+ ossec
+ 552
+ syscheck-registry
+ syscheck,
+ Registry Integrity Checksum Changed Again (3rd time)
+
+
+
+ ossec
+ 553
+ syscheck-registry
+ syscheck,
+ Registry Entry Deleted. Unable to Retrieve Checksum
+
+
+
+ ossec
+ 554
+ syscheck-registry
+ syscheck,
+ Registry Entry Added to the System
+
+
+
+
+
+ ar_log
+ Active Response Messages Grouped
+ active_response,
+
+
+
+ 600
+ firewall-drop.sh
+ add
+ Host Blocked by firewall-drop.sh Active Response
+ active_response,
+
+
+
+ 600
+ firewall-drop.sh
+ delete
+ Host Unblocked by firewall-drop.sh Active Response
+ active_response,
+
+
+
+ 600
+ host-deny.sh
+ add
+ Host Blocked by host-deny.sh Active Response
+ active_response,
+
+
+
+ 600
+ host-deny.sh
+ delete
+ Host Unblocked by host-deny.sh Active Response
+ active_response,
+
+
+
+ 600
+ route-null.sh
+ add
+ Host Blocked by route-null.sh Active Response
+ active_response,
+
+
+
+ 600
+ route-null.sh
+ delete
+ Host Unblocked by route-null.sh Active Response
+ active_response,
+
+