+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/mcafee_av_rules.xml, 2011/09/08 dcid Exp $
-
- - McAfee AV rules for OSSEC.
- -
- - Copyright (C) 2008 Michael Starks
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -->
-
-<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
-<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
-<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
-<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var>
-<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
-<var name="MCAFEE_FREQ">10</var>
-
-<group name="mcafee,">
- <rule id="7500" level="0">
- <if_sid>18101,18102,18103</if_sid>
- <category>windows</category>
- <extra_data>^McLogEvent</extra_data>
- <description>Grouping of McAfee Windows AV rules.</description>
- </rule>
-
- <rule id="7501" level="2">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_INFO</id>
- <description>McAfee Windows AV informational event.</description>
- </rule>
-
- <rule id="7502" level="3">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_WARN</id>
- <description>McAfee Windows AV warning event.</description>
- </rule>
-
- <rule id="7503" level="4">
- <if_sid>7500</if_sid>
- <id>$MCAFEE_ERROR</id>
- <description>McAfee Windows AV error event.</description>
- </rule>
-
- <rule id="7504" level="12">
- <if_sid>7500</if_sid>
- <regex>$MCAFEE_VIRUS</regex>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and not removed.</description>
- </rule>
-
- <rule id="7505" level="7">
- <if_sid>7504</if_sid>
- <match>$MCAFEE_VIRUS_OK</match>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and properly removed.</description>
- </rule>
-
- <rule id="7506" level="7">
- <if_sid>7504</if_sid>
- <match>Will be deleted</match>
- <group>virus</group>
- <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
- </rule>
-
- <rule id="7507" level="3">
- <if_sid>7500</if_sid>
- <match>scan started|scan stopped</match>
- <description>McAfee Windows AV - Scan started or stopped.</description>
- </rule>
-
- <rule id="7508" level="3">
- <if_sid>7501</if_sid>
- <id>^257</id>
- <match>completed. No detections</match>
- <description>McAfee Windows AV - Scan completed with no viruses found.</description>
- </rule>
-
- <rule id="7509" level="5">
- <if_sid>7500</if_sid>
- <match>scan was cancelled |has taken too long</match>
- <description>McAfee Windows AV - Virus scan cancelled.</description>
- </rule>
-
- <rule id="7510" level="5">
- <if_sid>7500</if_sid>
- <match>scan was canceled because</match>
- <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
- </rule>
-
- <rule id="7511" level="3">
- <if_sid>7500</if_sid>
- <match>update was successful</match>
- <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
- </rule>
-
- <rule id="07512" level="7">
- <if_sid>7500</if_sid>
- <match>update failed</match>
- <description>McAfee Windows AV - Virus program or DAT update failed.</description>
- </rule>
-
- <rule id="7513" level="7">
- <if_sid>7500</if_sid>
- <match>update was cancelled</match>
- <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
- </rule>
-
- <rule id="7514" level="5">
- <if_sid>7505</if_sid>
- <match>contains the EICAR test file</match>
- <options>alert_by_email</options>
- <description>McAfee Windows AV - EICAR test file detected.</description>
- </rule>
-
- <!-- Composite rules -->
-
- <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
- <if_matched_sid>7502</if_matched_sid>
- <description>Multiple McAfee AV warning events.</description>
- </rule>
-
-</group>
-