new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / ossec_rules.xml
old mode 100755 (executable)
new mode 100644 (file)
index 2abebdb..7de90f5
 
   <rule id="531" level="7" ignore="7200">
     <if_sid>530</if_sid>
-    <match>ossec: output: 'df -h': /dev/</match>
+    <match>ossec: output: 'df -P': /dev/</match>
     <regex>100%</regex>
     <description>Partition usage reached 100% (disk space monitor).</description> 
     <group>low_diskspace,</group>
     <group>syscheck,</group>
   </rule>
   
-  <rule id="554" level="0">
+  <rule id="554" level="5">
     <category>ossec</category>
     <decoded_as>syscheck_new_entry</decoded_as>
     <description>File added to the system.</description>
@@ -293,7 +293,7 @@ Example:
 Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
 -->
 
-<rule id="600" level="0">
+  <rule id="600" level="0">
     <decoded_as>ar_log</decoded_as>
     <description>Active Response Messages Grouped</description>
     <group>active_response,</group>
@@ -347,4 +347,16 @@ Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
     <group>active_response,</group>
   </rule>
 
+  <rule id="700" level="0">
+    <category>ossec</category>
+    <decoded_as>ossec-logcollector</decoded_as>
+    <description>Logcollector Messages Grouped</description>
+  </rule>
+
+  <rule id="701" level="0">
+    <if_sid>700</if_sid>
+    <match>INFO: </match>
+    <description>Ignore informational messages (usually at startup)</description>
+  </rule>
+
 </group> <!-- OSSEC -->
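Review bot: Rule 700 grounds every ossec-logcollector message at level 0 and the only child added is 701 for `INFO: `, so non-informational logcollector output (presumably errors about files it cannot open or read, i.e. exactly the messages that signal loss of log visibility) is silenced as well unless some rule outside this hunk raises it. A sibling of 701 that matches the error/warning prefixes at a non-zero level would keep that signal; the id below is a placeholder and must be checked against the rest of the rule set. Rule 700 also omits the `<group>` element that every other rule in this file carries (compare rule 600's `<group>active_response,</group>`), which makes its alerts harder to route. The grouping and the INFO suppression are a reasonable noise reduction; the gap is what happens to everything that is not INFO.
```xml
<!-- … unchanged: rules 700 and 701 … -->
  <rule id="702" level="5">
    <if_sid>700</if_sid>
    <match>ERROR: |WARN: </match>
    <description>Logcollector error or warning (possible loss of log visibility).</description>
    <group>ossec,</group>
  </rule>
```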