--- /dev/null
+
+<!-- @(#) $Id: ./etc/rules/ms_dhcp_rules.xml, 2011/09/08 dcid Exp $
+
+ - Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
+ - Author: phishphreek@gmail.com
+ - License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
+ -->
+
+
+<!--Server 2003 and 2008 IPv4 Event ID Meaning
+00 The log was started.
+01 The log was stopped.
+02 The log was temporarily paused due to low disk space.
+10 A new IP address was leased to a client.
+11 A lease was renewed by a client.
+12 A lease was released by a client.
+13 An IP address was found to be in use on the network.
+14 A lease request could not be satisfied because the scope's address pool was exhausted.
+15 A lease was denied.
+16 A lease was deleted.
+17 A lease was expired.
+18 A lease was expired and DNS records were deleted. (Server 2008 Only)
+20 A BOOTP address was leased to a client.
+21 A dynamic BOOTP address was leased to a client.
+22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
+23 A BOOTP IP address was deleted after checking to see it was not in use.
+24 IP address cleanup operation has began.
+25 IP address cleanup statistics.
+30 DNS update request to the named DNS server
+31 DNS update failed
+32 DNS update successful
+33 Packet dropped due to NAP policy. Server 2008 Only)
+50+ Codes above 50 are used for Rogue Server Detection information.
+-->
+
+
+<!--Server 2003 IPv4 Log Sample
+ID,Date,Time,Description,IP Address,Host Name,MAC Address
+24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
+31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
+30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
+25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
+11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
+32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
+15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
+10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
+12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
+18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
+17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
+-->
+
+
+<group name="windows,dhcp,">
+ <rule id="6300" level="0">
+ <decoded_as>ms-dhcp-ipv4</decoded_as>
+ <description>Grouping for the MS-DHCP rules.</description>
+ </rule>
+
+ <rule id="6301" level="2">
+ <if_sid>6300</if_sid>
+ <id>^00</id>
+ <description>The log was started.</description>
+ <group>service_start,</group>
+ </rule>
+
+ <rule id="6302" level="3">
+ <if_sid>6300</if_sid>
+ <id>^01</id>
+ <description>The log was stopped.</description>
+ <group>service_availability,</group>
+ </rule>
+
+ <rule id="6303" level="10">
+ <if_sid>6300</if_sid>
+ <id>^02</id>
+ <description>The log was temporarily paused due to low disk space.</description>
+ <group>system_error,</group>
+ </rule>
+
+ <rule id="6304" level="0">
+ <if_sid>6300</if_sid>
+ <id>^10</id>
+ <description>A new IP address was leased to a client.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6305" level="0">
+ <if_sid>6300</if_sid>
+ <id>^11</id>
+ <description>A lease was renewed by a client.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6306" level="0">
+ <if_sid>6300</if_sid>
+ <id>^12</id>
+ <description>A lease was released by a client.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6307" level="0">
+ <if_sid>6300</if_sid>
+ <id>^13</id>
+ <description>An IP address was found to be in use on the network.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6308" level="12">
+ <if_sid>6300</if_sid>
+ <id>^14</id>
+ <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
+ <group>service_availability,dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6309" level="7">
+ <if_sid>6300</if_sid>
+ <id>^15</id>
+ <description>A lease was denied.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6310" level="0">
+ <if_sid>6300</if_sid>
+ <id>^16</id>
+ <description>A lease was deleted.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6311" level="0">
+ <if_sid>6300</if_sid>
+ <id>^17</id>
+ <description>A lease was expired and DNS records for an expired leases have not been deleted.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6322" level="0">
+ <if_sid>6300</if_sid>
+ <id>^18</id>
+ <description>A lease was expired and DNS records were deleted.</description>
+ <group>dhcp_lease_action,dhcp_dns_maintenance</group>
+ </rule>
+
+ <rule id="6312" level="0">
+ <if_sid>6300</if_sid>
+ <id>^20</id>
+ <description>A BOOTP address was leased to a client.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6313" level="0">
+ <if_sid>6300</if_sid>
+ <id>^21</id>
+ <description>A dynamic BOOTP address was leased to a client.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+
+ <rule id="6314" level="10">
+ <if_sid>6300</if_sid>
+ <id>^22</id>
+ <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6315" level="0">
+ <if_sid>6300</if_sid>
+ <id>^23</id>
+ <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
+ <group>dhcp_lease_action,</group>
+ </rule>
+
+ <rule id="6316" level="3">
+ <if_sid>6300</if_sid>
+ <id>^24</id>
+ <description>IP address cleanup operation has began.</description>
+ <group>dhcp_maintenance,</group>
+ </rule>
+
+ <rule id="6317" level="2">
+ <if_sid>6300</if_sid>
+ <id>^25</id>
+ <description>IP address cleanup statistics.</description>
+ <group>dhcp_maintenance,</group>
+ </rule>
+
+ <rule id="6318" level="0">
+ <if_sid>6300</if_sid>
+ <id>^30</id>
+ <description>DNS update request to the named DNS server.</description>
+ <group>dhcp_dns_maintenance,</group>
+ </rule>
+
+ <rule id="6319" level="7">
+ <if_sid>6300</if_sid>
+ <id>^31</id>
+ <description>DNS update failed.</description>
+ <group>dhcp_dns_maintenance,</group>
+ </rule>
+
+ <rule id="6320" level="0">
+ <if_sid>6300</if_sid>
+ <id>^32</id>
+ <description>DNS update successful.</description>
+ <group>dhcp_dns_maintenance,</group>
+ </rule>
+
+ <rule id="6323" level="12">
+ <if_sid>6300</if_sid>
+ <id>^33</id>
+ <description>Packet dropped due to NAP policy.</description>
+ <group>dhcp_lease_action,</group>
+
+ </rule>
+
+ <rule id="6321" level="12">
+ <if_sid>6300</if_sid>
+ <id>^5</id>
+ <description>Codes above 50 are used for Rogue Server Detection information.</description>
+ <group>dhcp_rogue_server,</group>
+ </rule>
+
+
+
+<!--
+Server 2008 IPv6 Event ID Meaning
+11000 Solicit.
+11001 Advertise.
+11002 Request.
+11003 Confirm.
+11004 Renew.
+11005 Rebind.
+11006 Decline.
+11007 Release.
+11008 Information Request.
+11009 Scope Full.
+11010 Started.
+11011 Stopped.
+11012 Audit log paused.
+11013 DHCP Log File.
+11014 Bad Address.
+11015 Address is already in use.
+11016 Client deleted.
+11017 DNS record not deleted.
+11018 Expired.
+11019 Expired and Deleted count.
+11020 Database cleanup begin.
+11021 Database cleanup end.
+11023 Service not authorized in AD.
+11024 Service authorized in AD.
+11025 Service has not determined if it authorized in AD.
+-->
+<!--Server 2008 IPv6 Log Sample (short on samples, not currently using)
+11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
+11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
+11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
+11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
+11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
+-->
+
+ <rule id="6350" level="0">
+ <decoded_as>ms-dhcp-ipv6</decoded_as>
+ <description>Grouping for the MS-DHCP rules.</description>
+ </rule>
+
+ <rule id="6351" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11000</id>
+ <description>Solicit.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6352" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11001|^11002</id>
+ <description>Advertise.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6354" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11003</id>
+ <description>Confirm.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6355" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11004</id>
+ <description>Renew.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6356" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11005</id>
+ <description>Rebind.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+
+ <rule id="6357" level="7">
+ <if_sid>6350</if_sid>
+ <id>^11006</id>
+ <description>DHCP Decline.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6358" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11007</id>
+ <description>Release.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6359" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11008</id>
+ <description>Information Request.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6360" level="12">
+ <if_sid>6350</if_sid>
+ <id>^11009</id>
+ <description>Scope Full.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6361" level="3">
+ <if_sid>6350</if_sid>
+ <id>^11010</id>
+ <description>Started.</description>
+ <group>service_start,</group>
+ </rule>
+
+ <rule id="6362" level="7">
+ <if_sid>6350</if_sid>
+ <id>^11011</id>
+ <description>Stopped.</description>
+ <group>service_availability,</group>
+ </rule>
+
+ <rule id="6363" level="10">
+ <if_sid>6350</if_sid>
+ <id>^11012</id>
+ <description>Audit log paused.</description>
+ <group>service_availability,</group>
+ </rule>
+
+
+ <rule id="6364" level="7">
+ <if_sid>6350</if_sid>
+ <id>^11013</id>
+ <description>DHCP Log File.</description>
+ <group>system_error,</group>
+ </rule>
+
+ <rule id="6365" level="7">
+ <if_sid>6350</if_sid>
+ <id>^11014</id>
+ <description>Bad Address.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6366" level="4">
+ <if_sid>6350</if_sid>
+ <id>^11015</id>
+ <description>Address is already in use.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6367" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11016</id>
+ <description>Client deleted.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6368" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11017</id>
+ <description>DNS record not deleted.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6369" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11018</id>
+ <description>Expired.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6370" level="0">
+ <if_sid>6350</if_sid>
+ <id>^11019</id>
+ <description>Expired and Deleted count.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6371" level="2">
+ <if_sid>6350</if_sid>
+ <id>^11020</id>
+ <description>Database cleanup begin.</description>
+ <group>dhcp_ipv6,</group>
+
+ </rule>
+
+ <rule id="6372" level="2">
+ <if_sid>6350</if_sid>
+ <id>^11021</id>
+ <description>Database cleanup end.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6373" level="12">
+ <if_sid>6350</if_sid>
+ <id>^11023</id>
+ <description>Service not authorized in AD.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6374" level="3">
+ <if_sid>6350</if_sid>
+ <id>^11024</id>
+ <description>Service authorized in AD.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+
+ <rule id="6376" level="12">
+ <if_sid>6350</if_sid>
+ <id>^11025</id>
+ <description>Service has not determined if it is authorized in AD.</description>
+ <group>dhcp_ipv6,</group>
+ </rule>
+</group>
+
projects / ossec-hids.git / blobdiff