--- /dev/null
+<!-- @(#) $Id: ./etc/rules/symantec-ws_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official Symantec Web Security rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<!-- For more info:
+ - http://www.ossec.net/wiki/index.php/Symantec_WebSecurity
+ - Data submited by: Michael Starks
+ -->
+
+<!-- Still BETA -->
+
+<group name="symantec,">
+ <rule id="7400" level="0">
+ <decoded_as>symantec-websecurity</decoded_as>
+ <description>Grouping of Symantec Web Security rules.</description>
+ </rule>
+
+ <rule id="7410" level="5">
+ <if_sid>7400</if_sid>
+ <id>^3=2,2=1</id>
+ <description>Login failed accessing the web proxy.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="7415" level="3">
+ <if_sid>7400</if_sid>
+ <id>^3=1,2=1</id>
+ <description>Login success accessing the web proxy.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="7420" level="3">
+ <if_sid>7415</if_sid>
+ <user>virtadmin</user>
+ <description>Admin Login success to the web proxy.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <!-- Example alerting using the url (event id 2=27 is for web access
+ <rule id="7425" level="3">
+ <if_sid>7400</if_sid>
+ <id>^2=27</id>
+ <description>Web access message.</description>
+ <url>abc.exe</url>
+ </rule>
+
+ -->
+
+</group> <!-- symantec -->
+
+
+<!-- EOF -->