1 <!-- @(#) $Id$
2   -  Official MySQL rules for OSSEC.
3   -
4   -  Copyright (C) 2009 Trend Micro Inc.
5   -  All rights reserved.
6   -
7   -  This program is a free software; you can redistribute it
8   -  and/or modify it under the terms of the GNU General Public
9   -  License (version 2) as published by the FSF - Free Software
10   -  Foundation.
11   -
12   -  License details: http://www.ossec.net/en/licensing.html
13   -->
14   
15
16 <!-- MYSQL Log messages -->
17 <group name="mysql_log,">
     <!-- Rule tree for MySQL log events. Every rule below hangs off rule
        - 50100, either directly through if_sid or via 50105 / 50125, so
        - nothing in this group is evaluated unless the event was decoded
        - as mysql_log. -->

     <!-- Base rule: matches any event decoded as mysql_log. Level 0 means
        - it raises no alert of its own; it only serves as the parent. -->
18   <rule id="50100" level="0">
19     <decoded_as>mysql_log</decoded_as>
20     <description>MySQL messages grouped.</description>
21   </rule>
22
     <!-- "Connect" lines. Classified as a successful login unless the
        - child rule 50106 also matches. -->
23   <rule id="50105" level="3">
24     <if_sid>50100</if_sid>
25     <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
26     <description>Database authentication success.</description>
27     <group>authentication_success,</group>
28   </rule>
29
     <!-- Child of 50105: a Connect line that carries "Access denied for
        - user" is reported as a failed login (level 9) instead.
        - NOTE(review): this file has no frequency rule built on 50106, so
        - repeated failed database logins are not correlated here. Confirm
        - that a composite rule elsewhere in the ruleset covers the
        - authentication_failed group for this source. -->
30   <rule id="50106" level="9">
31     <if_sid>50105</if_sid>
32     <match>Access denied for user</match>
33     <description>Database authentication failure.</description>
34     <group>authentication_failed,</group>
35   </rule>
36   
     <!-- "Query" lines. Level 0, so individual queries never alert.
        - Presumably kept as a hook for site-specific child rules; verify
        - before relying on it. -->
37   <rule id="50107" level="0">
38     <if_sid>50100</if_sid>
39     <regex>^MySQL log: \d+ \S+ \d+ Query</regex>
40     <description>Database query.</description>
41   </rule>
42   
     <!-- "Quit" lines: a client session ended. -->
43   <rule id="50108" level="3">
44     <if_sid>50100</if_sid>
45     <regex>^MySQL log: \d+ \S+ \d+ Quit</regex>
46     <description>User disconnected from database.</description>
47   </rule>
48
     <!-- Server shutdown, level 12. The match uses | as alternation, so
        - either phrase triggers the rule.
        - NOTE(review): "messge" in the description is a typo for "message".
        - The description is emitted in alerts, so check for downstream
        - filters that match on the current text before correcting it. -->
49   <rule id="50120" level="12">
50     <if_sid>50100</if_sid>
51     <match>mysqld ended|Shutdown complete</match>
52     <description>Database shutdown messge.</description>
53     <group>service_availability,</group>
54   </rule>
55
     <!-- Server start or restart, level 3. Paired with 50120 under the
        - service_availability group. -->
56   <rule id="50121" level="3">
57     <if_sid>50100</if_sid>
58     <match>mysqld started|mysqld restarted</match>
59     <description>Database startup message.</description>
60     <group>service_availability,</group>
61   </rule>
62   
     <!-- Lines tagged [ERROR], level 5. Parent of 50126 and the trigger
        - for the composite rule 50180.
        - NOTE(review): the intent looks like a literal "[ERROR]" tag. In
        - OSSEC's own regex dialect the square brackets should not form a
        - character class as they would in PCRE; confirm against the OSSEC
        - version in use before porting this pattern to another engine. -->
63   <rule id="50125" level="5">
64     <if_sid>50100</if_sid>
65     <regex>^MySQL log: \d+ \S+ \d+ [ERROR]</regex>
66     <description>Database error.</description>
67   </rule> 
68   
     <!-- Child of 50125: an error line containing "Fatal error:" is
        - raised to level 12. -->
69   <rule id="50126" level="12">
70     <if_sid>50125</if_sid>
71     <match>Fatal error:</match>
72     <description>Database fatal error.</description>
73     <group>service_availability,</group>
74   </rule>
75   
     <!-- Composite rule: fires at level 10 once 50125 has matched
        - repeatedly (frequency="6") inside timeframe="120" seconds, then
        - stays quiet for ignore="60" seconds to avoid an alert flood.
        - NOTE(review): the exact event count a given frequency value maps
        - to depends on the OSSEC version; confirm when tuning. -->
76   <rule id="50180" level="10" frequency="6" timeframe="120" ignore="60">
77     <if_matched_sid>50125</if_matched_sid>
78     <description>Multiple database errors.</description>
79     <group>service_availability,</group>
80   </rule>
81
82 </group> <!-- MYSQL -->
83
84 <!-- EOF -->