--- /dev/null
+<!-- OSSEC Rules for Windows Firewall - https://www.csoonline.com/article/2619761/security/what-to-monitor-to-stop-hacker-and-malware-attacks.html?page=3, https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor -->
+
+
+<group name="windows, ipsec,">
+
+ <rule id="18651" level="8">
+ <if_sid>18104</if_sid>
+ <id>^4646$</id>
+ <description>IKE DoS-prevention mode started</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18652" level="8">
+ <if_sid>18105</if_sid>
+ <id>^4652$|^4653$</id>
+ <description>An IPsec Main Mode negotiation failed</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18653" level="8">
+ <if_sid>18105</if_sid>
+ <id>^4654$</id>
+ <description>An IPsec Quick Mode negotiation failed</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18654" level="8">
+ <if_sid>18104</if_sid>
+ <id>^4983$|^4984$</id>
+ <description>An IPsec Extended Mode negotiation failed</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18655" level="4">
+ <if_sid>18104</if_sid>
+ <id>^4960$</id>
+ <description>IPsec dropped an inbound packet that failed an integrity check</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18656" level="8">
+ <if_sid>18104</if_sid>
+ <id>^4961$|^4962$</id>
+ <description>IPsec dropped an inbound packet that failed a replay check</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18657" level="8">
+ <if_sid>18104</if_sid>
+ <id>^4963$</id>
+ <description>IPsec dropped an inbound clear text packet that should have been secured</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18658" level="4">
+ <if_sid>18104</if_sid>
+ <id>^4965$</id>
+ <description>IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI)</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18659" level="7">
+ <if_sid>18104</if_sid>
+ <id>^4976$</id>
+ <description>During Main Mode negotiation, IPsec received an invalid negotiation packet</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18660" level="7">
+ <if_sid>18104</if_sid>
+ <id>^4977$</id>
+ <description>During Quick Mode negotiation, IPsec received an invalid negotiation packet</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18661" level="7">
+ <if_sid>18104</if_sid>
+ <id>^4978$</id>
+ <description>During Extended Mode negotiation, IPsec received an invalid negotiation packet</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18662" level="8">
+ <if_sid>18104</if_sid>
+ <id>^5453$</id>
+ <description>An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18663" level="8">
+ <if_sid>18105</if_sid>
+ <id>^5480$</id>
+ <description>IPsec Services failed to get the complete list of network interfaces on the computer</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18664" level="8">
+ <if_sid>18105</if_sid>
+ <id>^5483$</id>
+ <description>IPsec Services failed to initialize RPC server. IPsec Services could not be started</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18665" level="8">
+ <if_sid>18105</if_sid>
+ <id>^5484$</id>
+ <description>IPsec Services has experienced a critical failure and has been shut down</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18666" level="8">
+ <if_sid>18105</if_sid>
+ <id>^5485$</id>
+ <description>IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18667" level="8">
+ <if_sid>18104</if_sid>
+ <id>^4710$</id>
+ <description>IPsec Services was disabled</description>
+ <group>windows,</group>
+ </rule>
+
+
+ <rule id="18668" level="8">
+ <if_sid>18105</if_sid>
+ <id>^4712$</id>
+ <description>IPsec Services encountered a potentially serious failure</description>
+ <group>windows,</group>
+ </rule>
+
+</group>
projects / ossec-hids.git / blobdiff