--- /dev/null
+OSSEC HIDS v0.9
+Copyright (C) 2009 Trend Micro Inc.
+
+
+
+--- Rules Classification ---
+
+
+-- Classification --
+
+The rules are classified in multiple levels. From the lowest (00) to the maximum
+level 16. Some levels are not used right now. Other levels can be added between
+them or after them.
+
+**The rules will be read from the highest to the lowest level. **
+
+00 - Ignored - No action taken. Used to avoid false positives. These rules
+ are scanned before all the others. They include events with no
+ security relevance.
+01 - None -
+02 - System low priority notification - System notification or
+ status messages. They have no security relevance.
+03 - Successful/Authorized events - They include successful login attempts,
+ firewall allow events, etc.
+04 - System low priority error - Errors related to bad configurations or
+ unused devices/applications. They have no security relevance and
+ are usually caused by default installations or software testing.
+05 - User generated error - They include missed passwords, denied
+ actions, etc. By itself they have no security relevance.
+06 - Low relevance attack - They indicate a worm or a virus that have
+ no affect to the system (like code red for apache servers, etc).
+ They also include frequently IDS events and frequently errors.
+07 - "Bad word" matching. They include words like "bad", "error", etc.
+ These events are most of the time unclassified and may have
+ some security relevance.
+08 - First time seen - Include first time seen events. First time
+ an IDS event is fired or the first time an user logged in.
+ If you just started using OSSEC HIDS these messages will
+ probably be frequently. After a while they should go away.
+ It also includes security relevant actions (like the starting
+ of a sniffer or something like that).
+09 - Error from invalid source - Include attempts to login as
+ an unknown user or from an invalid source. May have security
+ relevance (specially if repeated). They also include errors
+ regarding the "admin" (root) account.
+10 - Multiple user generated errors - They include multiple bad
+ passwords, multiple failed logins, etc. They may indicate an
+ attack or may just be that a user just forgot his credentials.
+11 - Integrity checking warning - They include messages regarding
+ the modification of binaries or the presence of rootkits (by
+ rootcheck). If you just modified your system configuration
+ you should be fine regarding the "syscheck" messages. They
+ may indicate a successful attack. Also included IDS events
+ that will be ignored (high number of repetitions).
+12 - High importancy event - They include error or warning messages
+ from the system, kernel, etc. They may indicate an attack against
+ a specific application.
+13 - Unusual error (high importance) - Most of the times it matches a
+ common attack pattern.
+14 - High importance security event. Most of the times done with
+ correlation and it indicates an attack.
+15 - Severe attack - No chances of false positives. Immediate
+ attention is necessary.
+
+
+== Rules Group ==
+
+-We can specify groups for specific rules. It's used for active
+response reasons and for correlation.
+- We currently use the following groups:
+
+- invalid_login
+- authentication_success
+- authentication_failed
+- connection_attempt
+- attacks
+- adduser
+- sshd
+- ids
+- firewall
+- squid
+- apache
+- syslog
+
+
+
+== Rules Config ==
+
+http://www.ossec.net/en/manual.html#rules
+
projects / ossec-hids.git / blobdiff