projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
obrisane nepotrebne datoteke od zadnjeg builda
[ossec-hids.git] / debian / ossec-hids / var / ossec / rules / mcafee_av_rules.xml
diff --git a/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml b/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml
deleted file mode 100644 (file)
index d3b2aab..0000000
--- a/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-<!-- @(#) $Id: ./etc/rules/mcafee_av_rules.xml, 2011/09/08 dcid Exp $
-
-  -  McAfee AV rules for OSSEC.
-  -
-  -  Copyright (C) 2008 Michael Starks
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 3) as published by the FSF - Free Software
-  -  Foundation.
-  -->
-
-<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
-<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
-<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
-<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var> 
-<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
-<var name="MCAFEE_FREQ">10</var>
-
-<group name="mcafee,">
-  <rule id="7500" level="0">
-    <if_sid>18101,18102,18103</if_sid>
-    <category>windows</category>
-    <extra_data>^McLogEvent</extra_data>
-    <description>Grouping of McAfee Windows AV rules.</description>
-  </rule>
-
-  <rule id="7501" level="2">
-    <if_sid>7500</if_sid>
-    <id>$MCAFEE_INFO</id>
-    <description>McAfee Windows AV informational event.</description>
-  </rule>
-
-  <rule id="7502" level="3">
-    <if_sid>7500</if_sid>
-    <id>$MCAFEE_WARN</id>
-    <description>McAfee Windows AV warning event.</description>
-  </rule>
-
-  <rule id="7503" level="4">
-    <if_sid>7500</if_sid>
-    <id>$MCAFEE_ERROR</id>
-    <description>McAfee Windows AV error event.</description>
-  </rule>
-
-  <rule id="7504" level="12">
-    <if_sid>7500</if_sid>
-    <regex>$MCAFEE_VIRUS</regex>
-    <group>virus</group>
-    <description>McAfee Windows AV - Virus detected and not removed.</description>
-  </rule>
-
-  <rule id="7505" level="7">
-    <if_sid>7504</if_sid>
-    <match>$MCAFEE_VIRUS_OK</match>
-    <group>virus</group>
-    <description>McAfee Windows AV - Virus detected and properly removed.</description>
-  </rule>
-
-  <rule id="7506" level="7">
-    <if_sid>7504</if_sid>
-    <match>Will be deleted</match>
-    <group>virus</group>
-    <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
-  </rule>
-
-  <rule id="7507" level="3">
-    <if_sid>7500</if_sid>
-    <match>scan started|scan stopped</match>
-    <description>McAfee Windows AV - Scan started or stopped.</description>
-  </rule>
-
-  <rule id="7508" level="3">
-    <if_sid>7501</if_sid>
-    <id>^257</id>
-    <match>completed.  No detections</match>
-    <description>McAfee Windows AV - Scan completed with no viruses found.</description>
-  </rule>
-
-  <rule id="7509" level="5">
-    <if_sid>7500</if_sid>
-    <match>scan was cancelled |has taken too long</match>
-    <description>McAfee Windows AV - Virus scan cancelled.</description>
-  </rule>
-
-  <rule id="7510" level="5">
-    <if_sid>7500</if_sid>
-    <match>scan was canceled because</match>
-    <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
-  </rule>
-
-  <rule id="7511" level="3">
-    <if_sid>7500</if_sid>
-    <match>update was successful</match>
-    <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
-  </rule>
-
-  <rule id="07512" level="7">
-    <if_sid>7500</if_sid>
-    <match>update failed</match>
-    <description>McAfee Windows AV - Virus program or DAT update failed.</description>
-  </rule>
-
-  <rule id="7513" level="7">
-    <if_sid>7500</if_sid>
-    <match>update was cancelled</match>
-    <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
-  </rule>
-
-  <rule id="7514" level="5">
-    <if_sid>7505</if_sid>
-    <match>contains the EICAR test file</match>
-    <options>alert_by_email</options>
-    <description>McAfee Windows AV - EICAR test file detected.</description>
-  </rule>
-
-  <!-- Composite rules -->
-
-  <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
-    <if_matched_sid>7502</if_matched_sid>
-    <description>Multiple McAfee AV warning events.</description>
-  </rule>
-
-</group>
-
ossec-hids