--- /dev/null
+<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official IDS rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<var name="IDS_FREQ">8</var>
+
+<group name="ids,">
+ <rule id="20100" level="8">
+ <category>ids</category>
+ <if_fts></if_fts>
+ <description>First time this IDS alert is generated.</description>
+ <group>fts,</group>
+ </rule>
+
+ <rule id="20101" level="6">
+ <category>ids</category>
+ <check_if_ignored>srcip, id</check_if_ignored>
+ <description>IDS event.</description>
+ </rule>
+
+ <!-- This rule ignores some Ids that cause too much
+ - false positives. Snort specific.
+ -->
+ <rule id="20102" level="0">
+ <if_sid>20100, 20101</if_sid>
+ <decoded_as>snort</decoded_as>
+ <!-- 1:1852 -> robots.txt access
+ - 1:368 - ICMP ping.
+ - 1:384 - ICMP ping.
+ - 1:366 - ICMP ping.
+ - 1:399 - ICMP host unreachable
+ - 1:402 - ICMP port unreachable
+ - 1:408 - ICMP reply
+ - 1:480 - ICMP ping speedera.
+ - 1:1365 - RM commant attempt (too many false positives)
+ - 1:2925 - web bug 0x0 gif attempt
+ -->
+ <id>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id>
+ <id>^1:480:|^1:399:|^1:2925:</id>
+ <description>Ignored snort ids.</description>
+ </rule>
+
+ <!-- Ignored Dragon ids -->
+ <rule id="20103" level="0">
+ <if_sid>20100, 20101</if_sid>
+ <decoded_as>dragon-nids</decoded_as>
+ <!-- EOL -> end of line
+ - SOF -> start of file
+ - HEARTBEAT -> Heartbeat
+ - DYNAMIC-TCP -> ?
+ - DYNAMIC-UDP -> ?
+ -->
+ <id>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id>
+ <description>Ignored snort ids.</description>
+ </rule>
+
+ <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
+ <if_matched_sid>20101</if_matched_sid>
+ <same_id />
+ <check_if_ignored>id</check_if_ignored>
+ <description>Multiple IDS alerts for same id.</description>
+ </rule>
+
+ <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
+ <if_matched_sid>20101</if_matched_sid>
+ <same_source_ip />
+ <check_if_ignored>srcip, id</check_if_ignored>
+ <description>Multiple IDS events from same source ip.</description>
+ </rule>
+
+
+ <!-- This rule is to detect bad configured IDSs alerting on
+ - the same thing all the time. We will skip those events
+ - since they became just noise.
+ -->
+ <rule id="20161" level="11" frequency="3" timeframe="3800">
+ <if_matched_sid>20151</if_matched_sid>
+ <same_source_ip />
+ <same_id />
+ <ignore>srcip, id</ignore>
+ <description>Multiple IDS events from same source ip </description>
+ <description>(ignoring now this srcip and id).</description>
+ </rule>
+
+ <rule id="20162" level="11" frequency="3" timeframe="3800">
+ <if_matched_sid>20152</if_matched_sid>
+ <same_id />
+ <ignore>id</ignore>
+ <description>Multiple IDS alerts for same id </description>
+ <description>(ignoring now this id).</description>
+ </rule>
+</group>