debian/ossec-hids/var/ossec/rules/owncloud_rules.xml

   1 <group name="syslog,owncloud,">
   2   <rule id="53300" level="0">
   3     <decoded_as>owncloud</decoded_as>
   4     <description>ownCloud messages grouped.</description>
   5   </rule>
   6
   7   <rule id="53301" level="6">
   8     <if_sid>53300</if_sid>
   9     <match>Login failed: </match>
  10     <description>ownCloud authentication failed.</description>
  11     <group>authentication_failed,</group>
  12   </rule>
  13
  14   <rule id="53302" level="10" frequency="6" timeframe="120">
  15     <if_matched_sid>53301</if_matched_sid>
  16     <same_source_ip />
  17     <description>ownCloud brute force (multiple failed logins).</description>
  18     <group>authentication_failures,</group>
  19   </rule>
  20
  21   <rule id="53303" level="6">
  22     <if_sid>53300</if_sid>
  23     <match>Passed filename is not valid, might be malicious </match>
  24     <description>ownCloud possible malicious request.</description>
  25     <group>web,appsec,attack,</group>
  26   </rule>
  27
  28   <rule id="53304" level="8">
  29     <if_sid>53300</if_sid>
  30     <status>^4$</status>
  31     <description>ownCloud FATAL message.</description>
  32   </rule>
  33
  34  <rule id="53305" level="4">
  35     <if_sid>53300</if_sid>
  36     <status>^3$</status>
  37     <description>ownCloud ERROR message.</description>
  38   </rule>
  39
  40   <rule id="53306" level="3">
  41     <if_sid>53300</if_sid>
  42     <status>^2$</status>
  43     <description>ownCloud WARN message.</description>
  44   </rule>
  45
  46   <rule id="53307" level="0">
  47     <if_sid>53300</if_sid>
  48     <status>^1$</status>
  49     <description>ownCloud INFO message.</description>
  50   </rule>
  51
  52   <rule id="53308" level="0">
  53     <if_sid>53300</if_sid>
  54     <status>^0$</status>
  55     <description>ownCloud DEBUG message.</description>
  56   </rule>
  57
  58 </group>