Imported Upstream version 2.7

[ossec-hids.git] / etc / rules / ms_dhcp_rules.xml

<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $

  -  Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
  -  Author: phishphreek@gmail.com
  -  License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
  -->

  
<!--Server 2003 and 2008 IPv4 Event ID  Meaning 
00        The log was started.
01        The log was stopped.
02        The log was temporarily paused due to low disk space.
10        A new IP address was leased to a client.
11        A lease was renewed by a client.
12        A lease was released by a client.
13        An IP address was found to be in use on the network.
14        A lease request could not be satisfied because the scope's address pool was exhausted.
15        A lease was denied.
16        A lease was deleted.
17        A lease was expired.
18      A lease was expired and DNS records were deleted. (Server 2008 Only)
20        A BOOTP address was leased to a client.
21        A dynamic BOOTP address was leased to a client.
22        A BOOTP request could not be satisfied because the scope's  address pool for BOOTP was exhausted.
23        A BOOTP IP address was deleted after checking to see it was not in use.
24        IP address cleanup operation has began.
25        IP address cleanup statistics.
30        DNS update request to the named DNS server
31        DNS update failed
32        DNS update successful
33      Packet dropped due to NAP policy. Server 2008 Only)
50+       Codes above 50 are used for Rogue Server Detection information.
-->


<!--Server 2003 IPv4 Log Sample 
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
-->


<group name="windows,dhcp,">
  <rule id="6300" level="0">
    <decoded_as>ms-dhcp-ipv4</decoded_as>
    <description>Grouping for the MS-DHCP rules.</description>
  </rule>
  
  <rule id="6301" level="2">
        <if_sid>6300</if_sid>
        <id>^00</id>
    <description>The log was started.</description>
    <group>service_start,</group>
  </rule>
  
  <rule id="6302" level="3">
        <if_sid>6300</if_sid>
        <id>^01</id>
    <description>The log was stopped.</description>
    <group>service_availability,</group>
  </rule>
  
  <rule id="6303" level="10">
        <if_sid>6300</if_sid>
        <id>^02</id>
    <description>The log was temporarily paused due to low disk space.</description>
    <group>system_error,</group>
  </rule>

  <rule id="6304" level="0">
        <if_sid>6300</if_sid>
        <id>^10</id>
    <description>A new IP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>
 
  <rule id="6305" level="0">
        <if_sid>6300</if_sid>
        <id>^11</id>
    <description>A lease was renewed by a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6306" level="0">
        <if_sid>6300</if_sid>
        <id>^12</id>
    <description>A lease was released by a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6307" level="0">
        <if_sid>6300</if_sid>
        <id>^13</id>
    <description>An IP address was found to be in use on the network.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6308" level="12">
        <if_sid>6300</if_sid>
        <id>^14</id>
    <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
    <group>service_availability,dhcp_lease_action,</group>
  </rule>

  <rule id="6309" level="7">
        <if_sid>6300</if_sid>
        <id>^15</id>
    <description>A lease was denied.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6310" level="0">
        <if_sid>6300</if_sid>
        <id>^16</id>
    <description>A lease was deleted.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6311" level="0">
        <if_sid>6300</if_sid>
        <id>^17</id>
    <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6322" level="0">
        <if_sid>6300</if_sid>
        <id>^18</id>
    <description>A lease was expired and DNS records were deleted.</description>
    <group>dhcp_lease_action,dhcp_dns_maintenance</group>
  </rule>
  
  <rule id="6312" level="0">
        <if_sid>6300</if_sid>
        <id>^20</id>
    <description>A BOOTP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6313" level="0">
        <if_sid>6300</if_sid>
        <id>^21</id>
    <description>A dynamic BOOTP address was leased to a client.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  
  <rule id="6314" level="10">
        <if_sid>6300</if_sid>
        <id>^22</id>
    <description>A BOOTP request could not be satisfied because the scope's  address pool for BOOTP was exhausted.</description>
    <group>dhcp_lease_action,</group>
  </rule>
  
  <rule id="6315" level="0">
        <if_sid>6300</if_sid>
        <id>^23</id>
    <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
    <group>dhcp_lease_action,</group>
  </rule>

  <rule id="6316" level="3">
        <if_sid>6300</if_sid>
        <id>^24</id>
    <description>IP address cleanup operation has began.</description>
    <group>dhcp_maintenance,</group>
  </rule>

  <rule id="6317" level="2">
        <if_sid>6300</if_sid>
        <id>^25</id>
    <description>IP address cleanup statistics.</description>
    <group>dhcp_maintenance,</group>
  </rule>
  
  <rule id="6318" level="0">
        <if_sid>6300</if_sid>
        <id>^30</id>
    <description>DNS update request to the named DNS server.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>
  
  <rule id="6319" level="7">
        <if_sid>6300</if_sid>
        <id>^31</id>
    <description>DNS update failed.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>
  
  <rule id="6320" level="0">
        <if_sid>6300</if_sid>
        <id>^32</id>
    <description>DNS update successful.</description>
    <group>dhcp_dns_maintenance,</group>
  </rule>  
  
  <rule id="6323" level="12">
        <if_sid>6300</if_sid>
        <id>^33</id>
    <description>Packet dropped due to NAP policy.</description>
    <group>dhcp_lease_action,</group>

  </rule>  
  
  <rule id="6321" level="12">
        <if_sid>6300</if_sid>
        <id>^5</id>
    <description>Codes above 50 are used for Rogue Server Detection information.</description>
    <group>dhcp_rogue_server,</group>
  </rule>  



<!--
Server 2008 IPv6 Event ID  Meaning
11000   Solicit.
11001           Advertise.
11002   Request.
11003   Confirm.
11004   Renew.
11005   Rebind.
11006   Decline.
11007   Release.
11008   Information Request.
11009   Scope Full.
11010           Started.
11011           Stopped.
11012           Audit log paused.
11013           DHCP Log File.
11014           Bad Address.
11015           Address is already in use.
11016           Client deleted.
11017           DNS record not deleted.
11018           Expired.
11019           Expired and Deleted count.
11020   Database cleanup begin.
11021           Database cleanup end.
11023   Service not authorized in AD.
11024   Service authorized in AD.
11025   Service has not determined if it authorized in AD.
-->
<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
-->  

  <rule id="6350" level="0">
    <decoded_as>ms-dhcp-ipv6</decoded_as>
    <description>Grouping for the MS-DHCP rules.</description>
  </rule>
  
  <rule id="6351" level="0">
        <if_sid>6350</if_sid>
        <id>^11000</id>
    <description>Solicit.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6352" level="0">
        <if_sid>6350</if_sid>
        <id>^11001|^11002</id>
    <description>Advertise.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6354" level="0">
        <if_sid>6350</if_sid>
        <id>^11003</id>
    <description>Confirm.</description>
    <group>dhcp_ipv6,</group>
  </rule>

  <rule id="6355" level="0">
        <if_sid>6350</if_sid>
        <id>^11004</id>
    <description>Renew.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6356" level="0">
        <if_sid>6350</if_sid>
        <id>^11005</id>
    <description>Rebind.</description>
    <group>dhcp_ipv6,</group>
  </rule>

  
  <rule id="6357" level="7">
        <if_sid>6350</if_sid>
        <id>^11006</id>
    <description>DHCP Decline.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6358" level="0">
        <if_sid>6350</if_sid>
        <id>^11007</id>
    <description>Release.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6359" level="0">
        <if_sid>6350</if_sid>
        <id>^11008</id>
    <description>Information Request.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6360" level="12">
        <if_sid>6350</if_sid>
        <id>^11009</id>
    <description>Scope Full.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6361" level="3">
        <if_sid>6350</if_sid>
        <id>^11010</id>
    <description>Started.</description>
    <group>service_start,</group>
  </rule>
  
  <rule id="6362" level="7">
        <if_sid>6350</if_sid>
        <id>^11011</id>
    <description>Stopped.</description>
    <group>service_availability,</group>
  </rule>
  
  <rule id="6363" level="10">
        <if_sid>6350</if_sid>
        <id>^11012</id>
    <description>Audit log paused.</description>
    <group>service_availability,</group>
  </rule>

  
  <rule id="6364" level="7">
        <if_sid>6350</if_sid>
        <id>^11013</id>
    <description>DHCP Log File.</description>
    <group>system_error,</group>
  </rule>
  
  <rule id="6365" level="7">
        <if_sid>6350</if_sid>
        <id>^11014</id>
    <description>Bad Address.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6366" level="4">
        <if_sid>6350</if_sid>
        <id>^11015</id>
    <description>Address is already in use.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6367" level="0">
        <if_sid>6350</if_sid>
        <id>^11016</id>
    <description>Client deleted.</description>
    <group>dhcp_ipv6,</group>
  </rule>

  <rule id="6368" level="0">
        <if_sid>6350</if_sid>
        <id>^11017</id>
    <description>DNS record not deleted.</description>
    <group>dhcp_ipv6,</group>
  </rule> 
  
  <rule id="6369" level="0">
        <if_sid>6350</if_sid>
        <id>^11018</id>
    <description>Expired.</description>
    <group>dhcp_ipv6,</group>
  </rule>

  <rule id="6370" level="0">
        <if_sid>6350</if_sid>
        <id>^11019</id>
    <description>Expired and Deleted count.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6371" level="2">
        <if_sid>6350</if_sid>
        <id>^11020</id>
    <description>Database cleanup begin.</description>
    <group>dhcp_ipv6,</group>

  </rule> 
  
  <rule id="6372" level="2">
        <if_sid>6350</if_sid>
        <id>^11021</id>
    <description>Database cleanup end.</description>
    <group>dhcp_ipv6,</group>
  </rule>

  <rule id="6373" level="12">
        <if_sid>6350</if_sid>
        <id>^11023</id>
    <description>Service not authorized in AD.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6374" level="3">
        <if_sid>6350</if_sid>
        <id>^11024</id>
    <description>Service authorized in AD.</description>
    <group>dhcp_ipv6,</group>
  </rule>
  
  <rule id="6376" level="12">
        <if_sid>6350</if_sid>
        <id>^11025</id>
    <description>Service has not determined if it is authorized in AD.</description>
    <group>dhcp_ipv6,</group>
  </rule>  
</group>