X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fsyslog_rules.xml;h=24b0b5fabda98b7353770b1c1bd2e62b54b52c36;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=80a00ee7d1a09de7d2c85ef184477ad3968278ad;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git

diff --git a/etc/rules/syslog_rules.xml b/etc/rules/syslog_rules.xml
old mode 100755
new mode 100644
index 80a00ee..24b0b5f
--- a/etc/rules/syslog_rules.xml
+++ b/etc/rules/syslog_rules.xml
@@ -18,7 +18,7 @@
 <!-- Bad words matching. Any log containing these messages
   -  will be triggered.
   -->
-<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
+<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
 
 
 <!-- Syslog errors. -->
@@ -72,6 +72,12 @@
     <match>PPM exceeds tolerance</match>
     <description>Ignoring known false positives on rule 1002..</description>
   </rule>
+
+  <rule id="1010" level="5">
+    <match>segfault at </match>
+    <description>Process segfaulted.</description>
+    <group>service_availability,</group>
+  </rule>
 </group> <!-- SYSLOG,ERRORS -->
 
 
@@ -127,7 +133,8 @@
     <match>Authentication failed for|invalid password for|</match>
     <match>LOGIN FAILURE|auth failure: |authentication error|</match>
     <match>authinternal failed|Failed to authorize|</match>
-    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
+    <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
+    <match>Failed to authenticate user</match>
     <group>authentication_failed,</group>
     <description>User authentication failure.</description>
   </rule>
@@ -284,13 +291,13 @@
   <rule id="5106" level="0">
     <if_sid>5100</if_sid>
     <match>svc: unknown program 100227 (me 100003)</match>
-    <description>NFS incompability between Linux and Solaris.</description>
+    <description>NFS incompatibility between Linux and Solaris.</description>
   </rule>
 
   <rule id="5107" level="0">
     <if_sid>5100</if_sid>
     <match>svc: bad direction </match>
-    <description>NFS incompability between Linux and Solaris.</description>
+    <description>NFS incompatibility between Linux and Solaris.</description>
   </rule>
 
   <rule id="5108" level="12">
@@ -396,7 +403,7 @@
   
   <rule id="5301" level="5">
    <if_sid>5300</if_sid>
-   <match>authentication failure; |failed|BAD su|^-| - </match>
+   <match>authentication failure; |failed|BAD su|^-</match>
    <description>User missed the password to change UID (user id).</description> 
    <group>authentication_failed,</group>
   </rule>
@@ -473,6 +480,13 @@
     <match>^changed user</match>
     <description>Information from the user was changed</description>
   </rule>
+
+  <rule id="5905" level="0">
+    <program_name>useradd</program_name>
+    <match>failed adding user </match>
+    <description>useradd failed.</description>
+  </rule>
+
 </group> <!-- SYSLOG,ADDUSER -->
 
 
@@ -484,15 +498,15 @@
     <description>Initial group for sudo messages</description>
   </rule>
   
-  <rule id="5401" level="10">
+  <rule id="5401" level="5">
     <if_sid>5400</if_sid>
-    <match>3 incorrect password attempts</match>
-    <description>Three failed attempts to run sudo</description>
+    <match>incorrect password attempt</match>
+    <description>Failed attempt to run sudo</description>
   </rule>
 
   <rule id="5402" level="3">
     <if_sid>5400</if_sid>
-    <match> ; USER=root ; COMMAND=</match>
+    <regex> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</regex>
     <description>Successful sudo to ROOT executed</description>
   </rule>
 
@@ -501,7 +515,20 @@
     <options>alert_by_email</options>
     <if_fts></if_fts>
     <description>First time user executed sudo.</description>
-  </rule>                  
+  </rule>
+
+  <rule id="5404" level="10">
+    <if_sid>5401</if_sid>
+    <match>3 incorrect password attempts</match>
+    <description>Three failed attempts to run sudo</description>
+  </rule>
+
+  <rule id="5405" level="5">
+    <if_sid>5400</if_sid>
+    <match>user NOT in sudoers</match>
+    <description>Unauthorized user attempted to use sudo.</description>
+  </rule>
+
 </group> <!-- SYSLOG, SUDO -->
 
 
@@ -558,7 +585,15 @@
 <group name="syslog,dpkg,">
   <rule id="2900" level="0">
     <decoded_as>windows-date-format</decoded_as>
-    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ </regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade </regex>
     <description>Dpkg (Debian Package) log.</description>
   </rule>
   
@@ -617,6 +652,73 @@
     <group>config_changed,</group>
     <description>Yum package deleted.</description>
   </rule>
+
+  <!-- SCSI CONTROLLER -->
+  <rule id="2935" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptscsih</id>
+    <description>Grouping for the mptscrih rules.</description>
+  </rule>
+
+  <rule id="2936" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptbase</id>
+    <description>Grouping for the mptbase rules.</description>
+  </rule>
+
+  <rule id="2937" level="12">
+    <if_sid>2935</if_sid>
+    <status>FAILED</status>
+    <description>Possible Disk failure. SCSI controller error.</description>
+  </rule>
+
+  <rule id="2938" level="12">
+    <if_sid>2936</if_sid>
+    <action>failed</action>
+    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
+  </rule>
+
+  <rule id="2939" level="12">
+    <if_sid>2936</if_sid>
+    <action>degraded</action>
+    <description>SCSI RAID is now in a degraded status.</description>
+  </rule>
+
+  <rule id="2940" level="0">
+    <program_name>^NetworkManager</program_name>
+    <description>NetworkManager grouping.</description>
+  </rule>
+
+  <rule id="2941" level="3">
+    <if_sid>2940</if_sid>
+    <match> No chain/target/match by that name.$</match>
+    <description>Incorrect chain/target/match.</description>
+  </rule>
+
+  <rule id="2942" level="0">
+    <if_sid>1002</if_sid>
+    <match>g_slice_set_config: assertion `sys_page_size == 0' failed</match>
+    <description>Uninteresting gnome error.</description>
+  </rule>
+
+  <rule id="2943" level="0">
+    <match>^nouveau </match>
+    <description>nouveau driver grouping</description>
+  </rule>
+
+  <rule id="2944" level="1">
+    <if_sid>2943</if_sid>
+    <match> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</match>
+    <description>Uninteresting nouveau error.</description>
+  </rule>
+
+  <rule id="2945" level="4">
+    <program_name>^rsyslogd</program_name>
+    <match>^imuxsock begins to drop messages </match>
+    <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
+    <description>rsyslog may be dropping messages due to rate-limiting.</description>
+  </rule>
+
 </group>