Merge tag 'upstream/2.7'
[ossec-hids.git] / etc / rules / ossec_rules.xml
index fdff361..2abebdb 100755 (executable)
@@ -1,4 +1,5 @@
-<!-- @(#) $Id$
+<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
+
   -  Official ossec rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
     <group>rootcheck,</group>
   </rule>
 
+  <rule id="519" level="7">
+    <if_sid>516</if_sid>
+    <match>^System Audit: Web vulnerability</match>
+    <description>System Audit: Vulnerable web application found.</description>
+    <group>rootcheck,</group>
+  </rule>
+
   <!-- Process monitoring rules -->
   <rule id="530" level="0">
     <if_sid>500</if_sid>
     <match>cdrom|/media|usb|/mount|floppy|dvd</match>
     <description>Ignoring external medias.</description> 
   </rule>
-  
+
+  <rule id="533" level="7">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'netstat -tan</match>
+    <check_diff />
+    <description>Listened ports status (netstat) changed (new port opened or closed).</description> 
+  </rule>
+
+  <rule id="534" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'w'</match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of logged in users. It will not be alerted by default.</description> 
+  </rule>
+
+  <rule id="535" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'last -n </match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of the last logged in users.</description> 
+  </rule>
+
   <rule id="550" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_integrity_changed</decoded_as>
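Review bot: Rules 534 and 535 (`'w'`, `'last -n `) carry `<options>no_log</options>` at level 1, so a change in the set of logged-in users — exactly the trace an unexpected interactive session leaves — produces neither an alert nor an alerts.log entry until an operator overrides them, and nothing in the rule file says how. I would add a comment above rule 534 such as `<!-- 534/535 are silent by default: to alert on login changes, redefine them in local_rules.xml with overwrite="yes", a level of 3 or more and without no_log. -->`, assuming the overwrite attribute is supported by this version of the rule engine. Rule 533's description reads better as `Listening ports status (netstat) changed (new port opened or closed).`; note also that `<match>` is a substring test, so `'netstat -tan` deliberately covers any configured pipeline beginning with that command. The hunk headers are not shown in this rendering and some context lines appear elided, so the hunk boundaries here are inferred.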
     <description>Microsoft Event log cleared.</description>
     <group>logs_cleared,</group>
   </rule>
+
+  <rule id="594" level="5">
+    <category>ossec</category>
+    <if_sid>550</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed</description>
+  </rule>
+
+  <rule id="595" level="5">
+    <category>ossec</category>
+    <if_sid>551</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+  </rule>
+
+  <rule id="596" level="5">
+    <category>ossec</category>
+    <if_sid>552</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+  </rule>
+
+  <rule id="597" level="5">
+    <category>ossec</category>
+    <if_sid>553</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+  </rule>
+
+  <rule id="598" level="5">
+    <category>ossec</category>
+    <if_sid>554</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Added to the System</description>
+  </rule>
+
+<!-- active response rules
+Example:
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+<rule id="600" level="0">
+    <decoded_as>ar_log</decoded_as>
+    <description>Active Response Messages Grouped</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="601" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>add</status>
+    <description>Host Blocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="602" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="603" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>add</status>
+    <description>Host Blocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="604" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="605" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>add</status>
+    <description>Host Blocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="606" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
 </group> <!-- OSSEC -->
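Review bot: Rule 600 sits at level 0, so any `ar_log` event whose script is not firewall-drop.sh, host-deny.sh or route-null.sh, or whose status is neither `add` nor `delete`, is matched by 600 alone and silently discarded — that hides every other response script a deployment configures as well as unexpected executions of the response binaries, which are security-relevant in their own right. I would add a catch-all child of 600 at level 3 (same level as 601–606 so the specific rules are evaluated first, id chosen from an unused 6xx value) as below. Rules 594–598 also map registry checksum changes to level 5 while the file-side rule 550 they chain from is level 7; if the downgrade is deliberate it deserves a comment such as `<!-- Registry changes are rated below file changes (550-554); raise in local_rules.xml for persistence keys such as Run/RunOnce. -->`, since registry persistence is as alert-worthy as a modified binary. Finally, `<rule id="600"` is at column 0 while every other rule in the file is indented two spaces.
```xml
  <!-- … unchanged: rules 600–606 … -->
  <rule id="607" level="3">
    <if_sid>600</if_sid>
    <description>Active response executed (script or status not covered by a specific rule)</description>
    <group>active_response,</group>
  </rule>
```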