new upstream release (3.3.0); modify package compatibility for Stretch
diff --git a/debian/ossec-hids/var/ossec/rules/kesl_rules.xml b/debian/ossec-hids/var/ossec/rules/kesl_rules.xml
new file mode 100644 (file)
index 0000000..c4633f9
--- /dev/null
@@ -0,0 +1,122 @@
+<!-- 
+  -
+  - Rules for Kaspersky Endpoint Security 10 for Linux
+  - IDs=53801-53825
+  -
+  - Set UseSysLog to yes in kesl appSettings.xml for eventlogging in syslog
+  -
+  -->
+
+<group name="kesl,">
+  <rule id="53801" level="0" noalert="1">
+    <decoded_as>kesl</decoded_as>
+    <description>kesl messages grouped</description>
+  </rule>
+
+  <rule id="53802" level="8">
+    <if_sid>53801</if_sid>
+    <match>UpdateError</match>
+    <description>An error occurred during an Update Task.</description>
+  </rule>
+
+  <rule id="53803" level="8">
+    <if_sid>53801</if_sid>
+    <status>AVBasesAreOutOfDate</status>
+    <description>AVBasesAreOutOfDate (kesl Task: update)</description>
+  </rule>
+
+  <rule id="53804" level="8">
+    <if_sid>53801</if_sid>
+    <status>AVBasesAreTotallyOutOfDate</status>
+    <description>AVBasesAreTotallyOutOfDate (kesl Task: update)</description>
+  </rule>
+  
+  <rule id="53805" level="8">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Started|Stopped</status>
+    <extra_data>^Rollback</extra_data>
+    <description>An Update Rollback Task has been started / stopped</description>
+  </rule>
+  
+  <rule id="53806" level="8">
+    <if_sid>53801</if_sid>
+    <match>AVBasesRollbackError</match>
+    <description>An error occurred during AVBases Update Rollback Task</description>
+  </rule>
+
+  <rule id="53807" level="8">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Started|Stopped</status>
+    <extra_data>^Retranslate</extra_data>
+    <description>An update distribution (Retranslate) Task has been started / stopped</description>
+  </rule>
+
+  <rule id="53808" level="8">
+    <if_sid>53801</if_sid>
+    <match>RetranslationError</match>
+    <description>An error occurred during an update distribution (Retranslate) Task</description>
+  </rule>
+
+  <rule id="53809" level="3">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Started</status>
+    <description>A kesl Task has been started.</description>
+  </rule>
+
+  <rule id="53810" level="8">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Suspended</status>
+    <description>A kesl Task has been suspended.</description>
+  </rule>
+  <rule id="53811" level="8">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Stopped</status>
+    <extra_data>^Backup|^License|^OAS</extra_data>
+    <description>A kesl Task has been stopped.</description>
+  </rule>
+
+  <rule id="53812" level="2">
+    <if_sid>53801</if_sid>
+    <action>TaskStateChanged</action>
+    <status>Stopped</status>
+    <extra_data>^ODS|^BootScan|^MemoryScan|^Update</extra_data>
+    <description>A kesl Task has been stopped.</description>
+  </rule>
+  
+  <rule id="53813" level="8">
+    <if_sid>53801</if_sid>
+    <status>ThreatDetected</status>
+    <description>Kesl detected a Threat (kesl Task: File_Monitoring)</description>
+  </rule>
+  
+  <rule id="53814" level="3">
+    <if_sid>53801</if_sid>
+    <match>ObjectSavedToBackup</match>
+    <description>Threat Object was saved to Backup (kesl Task: File_Monitoring)</description>
+  </rule>
+
+  <rule id="53815" level="3">
+    <if_sid>53801</if_sid>
+    <match>ObjectNotDisinfected</match>
+    <description>Threat Object could not be disinfected (kesl Task: File_Monitoring)</description>
+  </rule>
+
+  <rule id="53816" level="3">
+    <if_sid>53801</if_sid>
+    <match>ObjectDeleted</match>
+    <description>Threat Object was deleted (kesl Task: File_Monitoring)</description>
+  </rule>
+
+  <rule id="53817" level="8">
+    <if_sid>53801</if_sid>
+    <match>ObjectProcessingError</match>
+    <description>An error occurred during kesl scan</description>
+  </rule>
+
+</group>
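Review bot: Rules 53811 and 53812 (lines 82–96) carry the identical description `A kesl Task has been stopped.` while differing in level (8 vs 2) and in the task families selected by `<extra_data>`, so an analyst reading the alert text alone cannot tell whether a Backup/License/OAS task or a routine ODS/BootScan/MemoryScan/Update task stopped. Make each description name what it covers, e.g. `<description>A kesl Backup, License or OAS Task has been stopped.</description>` for 53811 and `<description>A kesl scan or update Task has been stopped.</description>` for 53812. Rule 53813 has a related mismatch: it tests only `<status>ThreatDetected</status>`, yet its description attributes the detection to `File_Monitoring`; if other tasks emit the same status the alert would be mislabelled, so either add a task match next to the status or drop the parenthetical. Whether 53811 and 53812 are mutually exclusive depends on those `^`-anchored prefixes being exhaustive for the task names kesl emits, which cannot be confirmed from this file.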