Imported Upstream version 2.3

[ossec-hids.git] / etc / rules / msauth_rules.xml

<!-- @(#) $Id: msauth_rules.xml,v 1.35 2009/11/06 15:30:30 dcid Exp $
  -  Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 3) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->


<var name="MS_FREQ">6</var>      

<group name="windows,">
  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>

  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>
  
  <rule id="18102" level="0">
    <if_sid>18100</if_sid>
    <status>^WARNING</status>
    <description>Windows warning event.</description>
  </rule>
  
  <rule id="18103" level="5">
    <if_sid>18100</if_sid>
    <status>^ERROR</status>
    <description>Windows error event.</description>
    <group>system_error,</group>
  </rule>

  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows audit success event.</description>
  </rule>
  
  <rule id="18105" level="4">
    <if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>

  <rule id="18106" level="5">
    <if_sid>18105</if_sid>
    <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
    <description>Windows Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528|^540|^672|^673|^4624|^4769</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="18108" level="4">
    <if_sid>18105</if_sid>
    <id>^577</id>
    <description>Failed attempt to perform a privileged </description>
    <description>operation.</description>
  </rule>

  <rule id="18109" level="3">
    <if_sid>18104</if_sid>
    <id>^682|^683</id>
    <description>Session reconnected/disconnected to winstation.</description>
  </rule>

  <rule id="18110" level="8">
    <if_sid>18104</if_sid>
    <id>^624|^626|^645|^4720|^4722</id>
    <description>User account enabled or created.</description>
    <group>adduser,account_changed,</group>
  </rule>

  <rule id="18111" level="8">
    <if_sid>18104</if_sid>
    <id>^628|^642|^685|^4738|^4781</id>
    <description>User account changed.</description>
    <group>account_changed,</group>
  </rule>

  <rule id="18112" level="8">
    <if_sid>18104</if_sid>
    <id>^630|^629|^4725|^4726</id>
    <description>User account disabled or deleted.</description>
    <group>adduser,account_changed,</group>
  </rule>
  
  <rule id="18113" level="8">
    <if_sid>18104</if_sid>
    <id>^612|^643|^4719|^4907|^4912</id>
    <description>Windows Audit Policy changed.</description>
    <group>policy_changed,</group>
  </rule>

  <rule id="18114" level="8">
    <if_sid>18104</if_sid>
    <id>^63|^641|^664|^658|^659|^660|^662|^668|^4907</id>
    <description>Group account changed.</description>
    <group>adduser,account_changed,</group>
  </rule>
  
  <rule id="18115" level="8">
    <if_sid>18104</if_sid>
    <id>^640</id>
    <description>General account database changed.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com259.html</info>
    <group>adduser,account_changed,</group>
  </rule>
  
  <rule id="18116" level="9">
    <if_sid>18104</if_sid>
    <id>^644|^4740</id>
    <description>User account locked out (multiple login errors).</description>
    <group>authentication_failures,</group>  
  </rule>

  <rule id="18117" level="7">
    <if_sid>18104</if_sid>
    <id>^513|^4609</id>
    <description>Windows is shutting down.</description>
    <group>system_shutdown,</group>
  </rule>
  
  <rule id="18118" level="9">
    <if_sid>18104</if_sid>
    <id>^517</id>
    <description>Windows audit log was cleared.</description>
    <group>logs_cleared,</group>
  </rule>
  
  <rule id="18119" level="3">
    <if_sid>18107</if_sid>
    <options>alert_by_email</options>
    <if_fts />
    <description>First time this user logged in this system.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="18120" level="0">
    <if_sid>18105</if_sid>
    <id>^680</id>
    <description>Windows login attempt (ignored). Duplicated.</description>
  </rule>

  <rule id="18125" level="5">
    <if_sid>18102, 18103</if_sid>
    <id>^20187|^20014|^20078|^20050|^20049|^20189</id>
    <description>Remote access login failure.</description>
    <group>authentication_failed,</group>
  </rule>
  
  <rule id="18126" level="3">
    <if_sid>18101</if_sid>
    <id>^20158</id>
    <description>Remote access login success.</description>
    <group>authentication_success,</group>
  </rule>
  
  <rule id="18127" level="8">
    <if_sid>18104</if_sid>
    <id>^646|^647</id>
    <description>Computer account changed/deleted.</description>
    <group>account_changed,</group>
  </rule>
  
  <rule id="18128" level="8">
    <if_sid>18104</if_sid>
    <id>^65|^66</id>
    <description>Group account added/changed/deleted.</description>
    <group>account_changed,</group>
  </rule>

  <rule id="18129" level="8">
    <if_sid>18103</if_sid>
    <id>^13570</id>
    <description>Windows file system full.</description>
    <group>low_diskspace,</group>
  </rule>


  <!-- Granular windows login rules -->
  <rule id="18130" level="5">
    <if_sid>18106</if_sid>
    <id>^529</id>
    <description>Logon Failure - Unknown user or bad password.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com190.html</info>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="18131" level="5">
    <if_sid>18106</if_sid>
    <id>^530</id>
    <description>Logon Failure - Account logon time restriction </description>
    <description>violation.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com191.html</info>
    <group>win_authentication_failed,login_denied,</group>
  </rule>

  <rule id="18132" level="5">
    <if_sid>18106</if_sid>
    <id>^531</id>
    <description>Logon Failure - Account currently disabled.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com192.html</info>
    <group>win_authentication_failed,login_denied,</group>
  </rule>

  <rule id="18133" level="5">
    <if_sid>18106</if_sid>
    <id>^532</id>
    <description>Logon Failure - Specified account expired.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com193.html</info>
    <group>win_authentication_failed,login_denied,</group>
  </rule>

  <rule id="18134" level="7">
    <if_sid>18106</if_sid>
    <id>^533</id>
    <description>Logon Failure - User not allowed to login at </description>
    <description>this computer.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com194.html</info>
    <group>win_authentication_failed,login_denied,</group>
  </rule>

  <rule id="18135" level="5">
    <if_sid>18106</if_sid>
    <id>^534</id>
    <description>Logon Failure - User not granted logon type.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com195.html</info>
    <group>win_authentication_failed,</group>
  </rule>
  
  <rule id="18136" level="5">
    <if_sid>18106</if_sid>
    <id>^535</id>
    <description>Logon Failure - Account's password expired.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com196.html</info>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="18137" level="5">
    <if_sid>18106</if_sid>
    <id>^536|^537</id>
    <description>Logon Failure - Internal error.</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="18138" level="7">
    <if_sid>18106</if_sid>
    <id>^539</id>
    <description>Logon Failure - Account locked out.</description>
    <group>win_authentication_failed,</group>
  </rule>
  
  <rule id="18139" level="5">
    <if_sid>18105</if_sid>
    <id>^672|^673|^675|^676|^681|^4769</id>
    <description>Windows DC Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>
  
  <rule id="18140" level="7">
    <if_sid>18104</if_sid>
    <id>^520</id>
    <description>System time changed.</description>
    <group>time_changed,</group>
  </rule>

  <rule id="18141" level="7">
    <if_sid>18102</if_sid>
    <id>^1076</id>
    <match>unexpected shutdown</match>
    <group>system_error, system_shutdown,</group>
    <description>Unexpected Windows shutdown.</description>
  </rule>

  <rule id="18142" level="5">
    <if_sid>18104</if_sid>
    <id>^671|^4767</id>
    <description>User account unlocked.</description>
    <info>http://www.ultimatewindowssecurity.com/events/com291.html</info>
    <group>account_changed,</group>
  </rule>

  <rule id="18143" level="8">
    <if_sid>18114</if_sid>
    <id>^631|^635|^658</id>
    <description>Security enabled group created.</description>
    <group>adduser,account_changed,</group>
  </rule>

  <rule id="18144" level="8">
    <if_sid>18114</if_sid>
    <id>^634|^638|^662</id>
    <description>Security enabled group deleted.</description>
    <group>adduser,account_changed,</group>
  </rule>

  <!-- Some services change their startup type automatically -->
  <rule id="18145" level="3">
    <if_sid>18101</if_sid>
    <id>^7040</id>
    <group>policy_changed,</group>
    <description>Service startup type was changed.</description>
    <info>This does not appear to be logged on Windows 2000.</info>
  </rule>

  <rule id="18146" level="5">
    <if_sid>18101</if_sid>
    <id>^11724</id>
    <options>alert_by_email</options>
    <description>Application Uninstalled.</description>
  </rule>

  <rule id="18147" level="5">
    <if_sid>18101</if_sid>
    <id>^11707</id>
    <options>alert_by_email</options>
    <description>Application Installed.</description>
  </rule>
  
  <rule id="18148" level="3">
    <if_sid>18104</if_sid>
    <id>^4608</id>
    <description>Windows is starting up.</description>
  </rule>

  <rule id="18149" level="3">
    <if_sid>18104</if_sid>
    <id>^538|^4634|^4647</id>
    <description>Windows User Logoff.</description>
  </rule>


  <!-- Ignore Login events, type 5, from Advapi for:
    -  LOCAL SERVICE and NETWORK SERVICE.
    -->
  <rule id="18121" level="0">
    <if_sid>18107,18149</if_sid>
    <id>^528|^538|^540</id>
    <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
    <description>Windows Logon Success (ignored).</description>
  </rule>
  
  
  <!-- Kerberos failures that may indicate an attack -->
  <rule id="18170" level="10">
    <if_sid>18139</if_sid>
    <match>Failure Code: 0x1F</match>
    <description>Windows DC integrity check on decrypted </description>
    <description>field failed.</description>
    <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
    <group>win_authentication_failed,attacks,</group>
  </rule>
  
  <rule id="18171" level="10">
    <if_sid>18139</if_sid>
    <match>Failure Code: 0x22</match>
    <description>Windows DC - Possible replay attack.</description>
    <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
    <group>win_authentication_failed,attacks,</group>
  </rule>

  <rule id="18172" level="7">
    <if_sid>18139</if_sid>
    <match>Failure Code: 0x25</match>
    <description>Windows DC - Clock skew too great.</description>
    <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
    <group>win_authentication_failed,attacks,</group>
  </rule>


  <!-- MS SQL rules -->
  <rule id="18180" level="5">
    <if_sid>18105</if_sid>
    <id>^18456</id>
    <group>win_authentication_failed,</group>
    <description>MS SQL Server Logon Failure.</description>
  </rule>

  <rule id="18181" level="3">
    <if_sid>18104</if_sid>
    <id>^18454|^18453</id>
    <description>MS SQL Server Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

  
  
  <!-- Composite rules -->
  <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18108</if_matched_sid>
    <same_user />
    <description>Multiple failed attempts to perform a </description>
    <description>privileged operation by the same user.</description>
  </rule>

  <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <description>Multiple Windows Logon Failures.</description>
    <group>authentication_failures,</group>
  </rule>
  
  <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18105</if_matched_sid>
    <description>Multiple Windows audit failure events.</description>
  </rule>

  <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18103</if_matched_sid>
    <description>Multiple Windows error events.</description>
  </rule>
  
  <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
    <if_matched_sid>18102</if_matched_sid>
    <description>Multiple Windows warning events.</description>
  </rule>

  <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18125</if_matched_sid>
    <description>Multiple remote access login failures.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- EOF -->