+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
-
- - Official IDS rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<var name="IDS_FREQ">8</var>
-
-<group name="ids,">
- <rule id="20100" level="8">
- <category>ids</category>
- <if_fts></if_fts>
- <description>First time this IDS alert is generated.</description>
- <group>fts,</group>
- </rule>
-
- <rule id="20101" level="6">
- <category>ids</category>
- <check_if_ignored>srcip, id</check_if_ignored>
- <description>IDS event.</description>
- </rule>
-
- <!-- This rule ignores some Ids that cause too much
- - false positives. Snort specific.
- -->
- <rule id="20102" level="0">
- <if_sid>20100, 20101</if_sid>
- <decoded_as>snort</decoded_as>
- <!-- 1:1852 -> robots.txt access
- - 1:368 - ICMP ping.
- - 1:384 - ICMP ping.
- - 1:366 - ICMP ping.
- - 1:399 - ICMP host unreachable
- - 1:402 - ICMP port unreachable
- - 1:408 - ICMP reply
- - 1:480 - ICMP ping speedera.
- - 1:1365 - RM commant attempt (too many false positives)
- - 1:2925 - web bug 0x0 gif attempt
- -->
- <id>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id>
- <id>^1:480:|^1:399:|^1:2925:</id>
- <description>Ignored snort ids.</description>
- </rule>
-
- <!-- Ignored Dragon ids -->
- <rule id="20103" level="0">
- <if_sid>20100, 20101</if_sid>
- <decoded_as>dragon-nids</decoded_as>
- <!-- EOL -> end of line
- - SOF -> start of file
- - HEARTBEAT -> Heartbeat
- - DYNAMIC-TCP -> ?
- - DYNAMIC-UDP -> ?
- -->
- <id>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id>
- <description>Ignored snort ids.</description>
- </rule>
-
- <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
- <if_matched_sid>20101</if_matched_sid>
- <same_id />
- <check_if_ignored>id</check_if_ignored>
- <description>Multiple IDS alerts for same id.</description>
- </rule>
-
- <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
- <if_matched_sid>20101</if_matched_sid>
- <same_source_ip />
- <check_if_ignored>srcip, id</check_if_ignored>
- <description>Multiple IDS events from same source ip.</description>
- </rule>
-
-
- <!-- This rule is to detect bad configured IDSs alerting on
- - the same thing all the time. We will skip those events
- - since they became just noise.
- -->
- <rule id="20161" level="11" frequency="3" timeframe="3800">
- <if_matched_sid>20151</if_matched_sid>
- <same_source_ip />
- <same_id />
- <ignore>srcip, id</ignore>
- <description>Multiple IDS events from same source ip </description>
- <description>(ignoring now this srcip and id).</description>
- </rule>
-
- <rule id="20162" level="11" frequency="3" timeframe="3800">
- <if_matched_sid>20152</if_matched_sid>
- <same_id />
- <ignore>id</ignore>
- <description>Multiple IDS alerts for same id </description>
- <description>(ignoring now this id).</description>
- </rule>
-</group>