X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fossec_rules.xml;h=7de90f58a88d0c83b96fde64a3f545fb1388aeca;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=7ec55593553349a0f0325b5c9c54a16e72a87867;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/ossec_rules.xml b/etc/rules/ossec_rules.xml
old mode 100755
new mode 100644
index 7ec5559..7de90f5
--- a/etc/rules/ossec_rules.xml
+++ b/etc/rules/ossec_rules.xml
@@ -1,4 +1,5 @@ - 500
@@ -126,7 +134,7 @@ 530 - ossec: output: 'df -h': /dev/ + ossec: output: 'df -P': /dev/ 100% Partition usage reached 100% (disk space monitor). low_diskspace,
@@ -137,7 +145,30 @@ cdrom|/media|usb|/mount|floppy|dvd Ignoring external medias. - + + + 530 + ossec: output: 'netstat -tan + + Listened ports status (netstat) changed (new port opened or closed). + + + + 530 + ossec: output: 'w' + + no_log + List of logged in users. It will not be alerted by default. + + + + 530 + ossec: output: 'last -n + + no_log + List of the last logged in users. + + ossec syscheck_integrity_changed
@@ -166,7 +197,7 @@ syscheck, - + ossec syscheck_new_entry File added to the system. 
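Review bot: Rule 531's match is now tied to the literal command text `'df -P'`, so the `<command>` entry in the ossec.conf/agent.conf command monitor has to change to exactly `df -P` in the same commit; if it does not, the low_diskspace rule simply stops firing and nothing reports the mismatch. `df -P` is the right choice (POSIX one-line-per-filesystem output, so a long device name cannot push the `100%` field onto a line that no longer contains `/dev/`), but that coupling is invisible from the rules file, so I would record it next to the rule: `<!-- Requires the command monitor to run exactly 'df -P' (see ossec.conf <localfile>/<command>); the match string must track that command verbatim. -->`. The rule definition starts before this hunk, and the element names (match/regex) are stripped in this view, so the exact syntax is inferred.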
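Review bot: Rule 533's match prefix `'netstat -tan` covers every TCP socket, ESTABLISHED and TIME_WAIT included, not only listening ones, so unless the configured command filters and sorts (something like `netstat -tan | grep LISTEN | sort`) the output differs on almost every run and "listened ports changed" turns into a constant alert stream that operators tune out. The unterminated quote in the match is presumably what lets the rule accept such a longer pipeline, but that expectation belongs beside the rule, e.g. `<!-- Expects the command monitor to filter to LISTEN sockets and sort; raw 'netstat -tan' output changes on every run. -->`. Rules 534 and 535 (`w`, `last -n`) are `no_log`, so a new interactive login is only visible once an operator opts in; the description could say what overriding that takes. Rule levels and element names are not visible here, so that part is inferred.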
@@ -216,4 +247,116 @@ Microsoft Event log cleared. logs_cleared, + + + ossec + 550 + syscheck-registry + syscheck, + Registry Integrity Checksum Changed + + + + ossec + 551 + syscheck-registry + syscheck, + Registry Integrity Checksum Changed Again (2nd time) + + + + ossec + 552 + syscheck-registry + syscheck, + Registry Integrity Checksum Changed Again (3rd time) + + + + ossec + 553 + syscheck-registry + syscheck, + Registry Entry Deleted. Unable to Retrieve Checksum + + + + ossec + 554 + syscheck-registry + syscheck, + Registry Entry Added to the System + + + + + + ar_log + Active Response Messages Grouped + active_response, + + + + 600 + firewall-drop.sh + add + Host Blocked by firewall-drop.sh Active Response + active_response, + + + + 600 + firewall-drop.sh + delete + Host Unblocked by firewall-drop.sh Active Response + active_response, + + + + 600 + host-deny.sh + add + Host Blocked by host-deny.sh Active Response + active_response, + + + + 600 + host-deny.sh + delete + Host Unblocked by host-deny.sh Active Response + active_response, + + + + 600 + route-null.sh + add + Host Blocked by route-null.sh Active Response + active_response, + + + + 600 + route-null.sh + delete + Host Unblocked by route-null.sh Active Response + active_response, + + + + ossec + ossec-logcollector + Logcollector Messages Grouped + + + + 700 + INFO: + Ignore informational messages (usually at startup) + +
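Review bot: Rules 601–606 qualify the script name with a second bare `add`/`delete` match, and because an active-response log line also carries the user and source-address fields, any user or argument containing the substring "add" (a username like `paddy`, for instance) on a `delete` line would satisfy the "Host Blocked" rule as well as the unblock rule. Anchoring the action word to its position in the AR line — a regex such as `\.sh add ` / `\.sh delete ` instead of the plain substring — keeps block and unblock alerts distinct, which matters because these alerts are how an operator confirms the response actually ran against the intended host. Rule 701 silences every ossec-logcollector line containing `INFO:`; I would state the intended scope so it is not widened casually, `<!-- Drops the startup 'Analyzing file'/'Monitoring' notices only; verify nothing error-like is emitted at INFO before relying on this match. -->`. Element names (match vs regex) and levels are stripped in this view, so the exact syntax is inferred.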