1 <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
2 - This program is a free software; you can redistribute it
3 - and/or modify it under the terms of the GNU General Public
4 - License (version 2) as published by the FSF - Free Software
7 - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
12 <!-- Modify it at your will. -->
14 <group name="local,syslog,openbsd">
16 <rule id="51500" level="0" noalert="1">
17 <decoded_as>bsd_kernel</decoded_as>
18 <description>Grouping of bsd_kernel alerts</description>
21 <rule id="51501" level="1">
22 <if_sid>51500</if_sid>
23 <match>ichiic0: abort failed, status 0x40</match>
24 <description>A timeout occurred waiting for a transfer.</description>
27 <rule id="51502" level="0">
28 <if_sid>51500</if_sid>
29 <match>Check Condition (error 0x70) on opcode 0x0</match>
30 <description>Check media in optical drive.</description>
33 <rule id="51503" level="1">
34 <if_sid>51500</if_sid>
35 <match>BBB bulk-in clear stall failed</match>
36 <description>A disk has timed out.</description>
39 <rule id="51504" level="1">
40 <if_sid>51500</if_sid>
41 <match>arp info overwritten for</match>
42 <description>arp info has been overwritten for a host</description>
45 <rule id="51505" level="5">
46 <if_sid>51500</if_sid>
47 <match>was not properly unmounted</match>
48 <description>A filesystem was not properly unmounted, likely system crash</description>
51 <rule id="51506" level="1">
52 <if_sid>51500</if_sid>
53 <match>UKC> quit</match>
54 <description>UKC was used, possibly modifying a kernel at boot time.</description>
57 <rule id="51507" level="1">
58 <if_sid>51500</if_sid>
59 <match>Michael MIC failure</match>
60 <description>Michael MIC failure: Checksum failure in the tkip protocol.</description>
63 <rule id="51508" level="2">
64 <if_sid>51500</if_sid>
65 <match>soft error (corrected)</match>
66 <description>A soft error has been corrected on a hard drive, </description>
67 <description>this is a possible early sign of failure.</description>
70 <rule id="51509" level="1">
71 <if_sid>51500</if_sid>
72 <regex>acpithinkpad\d:</regex>
73 <match>unknown event</match>
74 <description>Unknown acpithinkpad event</description>
77 <rule id="51510" level="5">
78 <if_sid>51500</if_sid>
79 <match>Critical temperature, shutting down</match>
80 <description>System shutdown due to temperature</description>
83 <rule id="51511" level="1">
84 <if_sid>51500</if_sid>
85 <match>_AL0[0] _PR0 failed</match>
86 <description>Unknown ACPI event (bug 6299 in OpenBSD bug tracking system).</description>
89 <rule id="51512" level="1">
90 <if_sid>51500</if_sid>
91 <match>ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155</match>
92 <description>USB diagnostic message.</description>
95 <rule id="51513" level="1">
96 <if_sid>51500</if_sid>
97 <match>ichiic0: abort failed, status 0x0</match>
98 <description>Possible APM or ACPI event.</description>
101 <rule id="51514" level="3">
102 <if_sid>51500</if_sid>
103 <match>Filesystem is not clean - run fsck</match>
104 <description>Unclean filesystem, run fsck.</description>
107 <rule id="51515" level="0">
108 <if_sid>51500</if_sid>
109 <match>atascsi_passthru_done, timeout</match>
110 <description>Timeout in atascsi_passthru_done.</description>
113 <rule id="51516" level="0">
114 <if_sid>51500</if_sid>
115 <regex>RTC BIOS diagnostic error 80\pclock_battery\p</regex>
116 <description>Clock battery error 80</description>
119 <rule id="51518" level="3">
120 <if_sid>51500</if_sid>
121 <match>i/o error on block</match>
122 <description>I/O error on a storage device</description>
125 <rule id="51519" level="1">
126 <if_sid>51500</if_sid>
127 <match>kbc: cmd word write error</match>
128 <description>kbc error.</description>
131 <rule id="51520" level="1">
132 <if_sid>51500</if_sid>
133 <match>BBB reset failed, IOERROR</match>
134 <description>USB reset failed, IOERROR.</description>
137 <rule id="51521" level="0" noalert="1">
138 <decoded_as>groupdel</decoded_as>
139 <description>Grouping for groupdel rules.</description>
140 <group>groupdel,</group>
143 <rule id="51522" level="2">
144 <if_sid>51521</if_sid>
145 <match>group deleted</match>
146 <description>Group deleted.</description>
147 <group>groupdel,</group>
150 <rule id="51523" level="0">
151 <program_name>savecore</program_name>
152 <match>no core dump</match>
153 <description>No core dumps.</description>
156 <rule id="51524" level="4">
157 <program_name>reboot</program_name>
158 <match>rebooted by</match>
159 <description>System was rebooted.</description>
162 <rule id="51525" level="0">
163 <program_name>^ftp-proxy</program_name>
164 <match>proxy cannot connect to server</match>
165 <description>ftp-proxy cannot connect to a server.</description>
168 <rule id="51526" level="0">
169 <decoded_as>bsd_kernel</decoded_as>
170 <match>uncorrectable data error reading fsbn</match>
171 <description>Hard drive is dying.</description>
174 <rule id="51527" level="0">
175 <decoded_as>bsd_kernel</decoded_as>
177 <action>state transition</action>
178 <status>MASTER -> BACKUP</status>
179 <description>CARP master to backup.</description>
182 <rule id="51528" level="0">
183 <decoded_as>bsd_kernel</decoded_as>
184 <match>duplicate IP6 address</match>
185 <description>Duplicate IPv6 address.</description>
188 <rule id="51529" level="0">
189 <decoded_as>bsd_kernel</decoded_as>
190 <match>failed loadfirmware of file</match>
191 <description>Could not load a firmware.</description>
194 <rule id="51530" level="0">
195 <program_name>^hotplugd</program_name>
196 <match>Permission denied$</match>
197 <description>hotplugd could not open a file.</description>
200 </group> <!-- SYSLOG,LOCAL -->
projects / ossec-hids.git / blob