projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / rules / attack_rules.xml
diff --git a/debian/ossec-hids/var/ossec/rules/attack_rules.xml b/debian/ossec-hids/var/ossec/rules/attack_rules.xml
new file mode 100644 (file)
index 0000000..5cdfeda
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/attack_rules.xml
@@ -0,0 +1,122 @@
+<!-- @(#) $Id: ./etc/rules/attack_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Official "attack" correlation rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+
+  
+<!-- System users. They should never log in to the system -->
+<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>
+
+
+<!-- Attack signatures -->
+<group name="syslog,attacks,">
+  <rule id="40101" level="12">
+    <if_group>authentication_success</if_group>
+    <user>$SYS_USERS</user>
+    <description>System user successfully logged to the system.</description>
+    <group>invalid_login,</group>
+  </rule>
+
+  <rule id="40102" level="14">
+    <regex>^rpc.statd[\d+]: gethostbyname error for \W+</regex>
+    <description>Buffer overflow attack on rpc.statd</description>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40103" level="14">
+    <regex>ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh</regex>
+    <description>Buffer overflow on WU-FTPD versions prior to 2.6</description>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40104" level="13">
+    <match>?????????????????????</match>
+    <description>Possible buffer overflow attempt.</description>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40105" level="12">
+    <match>changed by \(\(null\)</match>
+    <description>"Null" user changed some information.</description>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40106" level="12">
+    <match>@@@@@@@@@@@@@@@@@@@@@@@@@</match>
+    <description>Buffer overflow attempt (probably on yppasswd).</description>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40107" level="14">
+    <regex>cachefsd: Segmentation Fault - core dumped</regex>
+    <description>Heap overflow in the Solaris cachefsd service.</description>
+    <info type='cve'>2002-0033</info>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40109" level="12">
+    <match>attempt to execute code on stack by</match>
+    <description>Stack overflow attempt or program exiting </description>
+    <description>with SEGV (Solaris).</description>
+    <info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/389-392.html</info>
+    <group>exploit_attempt,</group>
+  </rule>
+
+  <rule id="40111" level="10" frequency="10" timeframe="160">
+    <if_matched_group>authentication_failed</if_matched_group>
+    <description>Multiple authentication failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="40112" level="12" timeframe="240">
+    <if_group>authentication_success</if_group>
+    <if_matched_group>authentication_failures</if_matched_group>
+    <same_source_ip />
+    <description>Multiple authentication failures followed </description>
+    <description>by a success.</description>
+  </rule>
+
+  <rule id="40113" level="12" frequency="6" timeframe="360">
+    <if_matched_group>virus</if_matched_group>
+    <description>Multiple viruses detected - Possible outbreak.</description>
+    <group>virus,</group>
+  </rule>
+  
+</group> <!-- SYSLOG, ATTACKS, -->
+
+
+
+<!-- Privilege escalation messages -->
+<group name="syslog,elevation_of_privilege,">
+  <rule id="40501" level="15" timeframe="300" frequency="2">
+    <if_group>adduser</if_group>
+    <if_matched_group>attacks</if_matched_group>
+    <description>Attacks followed by the addition </description>
+    <description>of an user.</description>
+  </rule>
+</group> <!-- SYSLOG, ELEVATION_OF_PRIVILEGE, -->
+
+
+
+<!-- Scan signatures -->
+<group name="syslog,recon,">
+  <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90">
+    <if_matched_group>connection_attempt</if_matched_group>
+    <description>Network scan from same source ip.</description>
+    <same_source_ip />
+    <info type="link">http://project.honeynet.org/papers/enemy2/</info>
+  </rule>
+</group> <!-- SYSLOG,SCANS -->
+
+
+<!-- EOF -->
ossec-hids