+++ /dev/null
-
-<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
-
- - Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
- - Author: phishphreek@gmail.com
- - License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
- -->
-
-
-<!--Server 2003 and 2008 IPv4 Event ID Meaning
-00 The log was started.
-01 The log was stopped.
-02 The log was temporarily paused due to low disk space.
-10 A new IP address was leased to a client.
-11 A lease was renewed by a client.
-12 A lease was released by a client.
-13 An IP address was found to be in use on the network.
-14 A lease request could not be satisfied because the scope's address pool was exhausted.
-15 A lease was denied.
-16 A lease was deleted.
-17 A lease was expired.
-18 A lease was expired and DNS records were deleted. (Server 2008 Only)
-20 A BOOTP address was leased to a client.
-21 A dynamic BOOTP address was leased to a client.
-22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
-23 A BOOTP IP address was deleted after checking to see it was not in use.
-24 IP address cleanup operation has began.
-25 IP address cleanup statistics.
-30 DNS update request to the named DNS server
-31 DNS update failed
-32 DNS update successful
-33 Packet dropped due to NAP policy. Server 2008 Only)
-50+ Codes above 50 are used for Rogue Server Detection information.
--->
-
-
-<!--Server 2003 IPv4 Log Sample
-ID,Date,Time,Description,IP Address,Host Name,MAC Address
-24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
-31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
-30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
-25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
-11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
-32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
-15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
-10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
-12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
-18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
-17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
--->
-
-
-<group name="windows,dhcp,">
- <rule id="6300" level="0">
- <decoded_as>ms-dhcp-ipv4</decoded_as>
- <description>Grouping for the MS-DHCP rules.</description>
- </rule>
-
- <rule id="6301" level="2">
- <if_sid>6300</if_sid>
- <id>^00</id>
- <description>The log was started.</description>
- <group>service_start,</group>
- </rule>
-
- <rule id="6302" level="3">
- <if_sid>6300</if_sid>
- <id>^01</id>
- <description>The log was stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="6303" level="10">
- <if_sid>6300</if_sid>
- <id>^02</id>
- <description>The log was temporarily paused due to low disk space.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="6304" level="0">
- <if_sid>6300</if_sid>
- <id>^10</id>
- <description>A new IP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6305" level="0">
- <if_sid>6300</if_sid>
- <id>^11</id>
- <description>A lease was renewed by a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6306" level="0">
- <if_sid>6300</if_sid>
- <id>^12</id>
- <description>A lease was released by a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6307" level="0">
- <if_sid>6300</if_sid>
- <id>^13</id>
- <description>An IP address was found to be in use on the network.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6308" level="12">
- <if_sid>6300</if_sid>
- <id>^14</id>
- <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
- <group>service_availability,dhcp_lease_action,</group>
- </rule>
-
- <rule id="6309" level="7">
- <if_sid>6300</if_sid>
- <id>^15</id>
- <description>A lease was denied.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6310" level="0">
- <if_sid>6300</if_sid>
- <id>^16</id>
- <description>A lease was deleted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6311" level="0">
- <if_sid>6300</if_sid>
- <id>^17</id>
- <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6322" level="0">
- <if_sid>6300</if_sid>
- <id>^18</id>
- <description>A lease was expired and DNS records were deleted.</description>
- <group>dhcp_lease_action,dhcp_dns_maintenance</group>
- </rule>
-
- <rule id="6312" level="0">
- <if_sid>6300</if_sid>
- <id>^20</id>
- <description>A BOOTP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6313" level="0">
- <if_sid>6300</if_sid>
- <id>^21</id>
- <description>A dynamic BOOTP address was leased to a client.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
-
- <rule id="6314" level="10">
- <if_sid>6300</if_sid>
- <id>^22</id>
- <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6315" level="0">
- <if_sid>6300</if_sid>
- <id>^23</id>
- <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
- <group>dhcp_lease_action,</group>
- </rule>
-
- <rule id="6316" level="3">
- <if_sid>6300</if_sid>
- <id>^24</id>
- <description>IP address cleanup operation has began.</description>
- <group>dhcp_maintenance,</group>
- </rule>
-
- <rule id="6317" level="2">
- <if_sid>6300</if_sid>
- <id>^25</id>
- <description>IP address cleanup statistics.</description>
- <group>dhcp_maintenance,</group>
- </rule>
-
- <rule id="6318" level="0">
- <if_sid>6300</if_sid>
- <id>^30</id>
- <description>DNS update request to the named DNS server.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6319" level="7">
- <if_sid>6300</if_sid>
- <id>^31</id>
- <description>DNS update failed.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6320" level="0">
- <if_sid>6300</if_sid>
- <id>^32</id>
- <description>DNS update successful.</description>
- <group>dhcp_dns_maintenance,</group>
- </rule>
-
- <rule id="6323" level="12">
- <if_sid>6300</if_sid>
- <id>^33</id>
- <description>Packet dropped due to NAP policy.</description>
- <group>dhcp_lease_action,</group>
-
- </rule>
-
- <rule id="6321" level="12">
- <if_sid>6300</if_sid>
- <id>^5</id>
- <description>Codes above 50 are used for Rogue Server Detection information.</description>
- <group>dhcp_rogue_server,</group>
- </rule>
-
-
-
-<!--
-Server 2008 IPv6 Event ID Meaning
-11000 Solicit.
-11001 Advertise.
-11002 Request.
-11003 Confirm.
-11004 Renew.
-11005 Rebind.
-11006 Decline.
-11007 Release.
-11008 Information Request.
-11009 Scope Full.
-11010 Started.
-11011 Stopped.
-11012 Audit log paused.
-11013 DHCP Log File.
-11014 Bad Address.
-11015 Address is already in use.
-11016 Client deleted.
-11017 DNS record not deleted.
-11018 Expired.
-11019 Expired and Deleted count.
-11020 Database cleanup begin.
-11021 Database cleanup end.
-11023 Service not authorized in AD.
-11024 Service authorized in AD.
-11025 Service has not determined if it authorized in AD.
--->
-<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
-11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
-11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
-11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
-11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
-11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
--->
-
- <rule id="6350" level="0">
- <decoded_as>ms-dhcp-ipv6</decoded_as>
- <description>Grouping for the MS-DHCP rules.</description>
- </rule>
-
- <rule id="6351" level="0">
- <if_sid>6350</if_sid>
- <id>^11000</id>
- <description>Solicit.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6352" level="0">
- <if_sid>6350</if_sid>
- <id>^11001|^11002</id>
- <description>Advertise.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6354" level="0">
- <if_sid>6350</if_sid>
- <id>^11003</id>
- <description>Confirm.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6355" level="0">
- <if_sid>6350</if_sid>
- <id>^11004</id>
- <description>Renew.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6356" level="0">
- <if_sid>6350</if_sid>
- <id>^11005</id>
- <description>Rebind.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
-
- <rule id="6357" level="7">
- <if_sid>6350</if_sid>
- <id>^11006</id>
- <description>DHCP Decline.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6358" level="0">
- <if_sid>6350</if_sid>
- <id>^11007</id>
- <description>Release.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6359" level="0">
- <if_sid>6350</if_sid>
- <id>^11008</id>
- <description>Information Request.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6360" level="12">
- <if_sid>6350</if_sid>
- <id>^11009</id>
- <description>Scope Full.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6361" level="3">
- <if_sid>6350</if_sid>
- <id>^11010</id>
- <description>Started.</description>
- <group>service_start,</group>
- </rule>
-
- <rule id="6362" level="7">
- <if_sid>6350</if_sid>
- <id>^11011</id>
- <description>Stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="6363" level="10">
- <if_sid>6350</if_sid>
- <id>^11012</id>
- <description>Audit log paused.</description>
- <group>service_availability,</group>
- </rule>
-
-
- <rule id="6364" level="7">
- <if_sid>6350</if_sid>
- <id>^11013</id>
- <description>DHCP Log File.</description>
- <group>system_error,</group>
- </rule>
-
- <rule id="6365" level="7">
- <if_sid>6350</if_sid>
- <id>^11014</id>
- <description>Bad Address.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6366" level="4">
- <if_sid>6350</if_sid>
- <id>^11015</id>
- <description>Address is already in use.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6367" level="0">
- <if_sid>6350</if_sid>
- <id>^11016</id>
- <description>Client deleted.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6368" level="0">
- <if_sid>6350</if_sid>
- <id>^11017</id>
- <description>DNS record not deleted.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6369" level="0">
- <if_sid>6350</if_sid>
- <id>^11018</id>
- <description>Expired.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6370" level="0">
- <if_sid>6350</if_sid>
- <id>^11019</id>
- <description>Expired and Deleted count.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6371" level="2">
- <if_sid>6350</if_sid>
- <id>^11020</id>
- <description>Database cleanup begin.</description>
- <group>dhcp_ipv6,</group>
-
- </rule>
-
- <rule id="6372" level="2">
- <if_sid>6350</if_sid>
- <id>^11021</id>
- <description>Database cleanup end.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6373" level="12">
- <if_sid>6350</if_sid>
- <id>^11023</id>
- <description>Service not authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6374" level="3">
- <if_sid>6350</if_sid>
- <id>^11024</id>
- <description>Service authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-
- <rule id="6376" level="12">
- <if_sid>6350</if_sid>
- <id>^11025</id>
- <description>Service has not determined if it is authorized in AD.</description>
- <group>dhcp_ipv6,</group>
- </rule>
-</group>
-