new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / etc / rules / syslog_rules.xml
old mode 100755 (executable)
new mode 100644 (file)
index 06b61f6..24b0b5f
@@ -1,4 +1,4 @@
-<!-- @(#) $Id: syslog_rules.xml,v 1.87 2009/12/01 15:40:07 dcid Exp $
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
   -  Official Generic Syslog rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
@@ -6,7 +6,7 @@
   -
   -  This program is a free software; you can redistribute it
   -  and/or modify it under the terms of the GNU General Public
-  -  License (version 3) as published by the FSF - Free Software
+  -  License (version 2) as published by the FSF - Free Software
   -  Foundation.
   -
   -  License details: http://www.ossec.net/en/licensing.html
@@ -18,7 +18,7 @@
 <!-- Bad words matching. Any log containing these messages
   -  will be triggered.
   -->
-<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
+<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
 
 
 <!-- Syslog errors. -->
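Review bot: Prefixing `bad` with a space in the BAD_WORDS `<var>` means a message that begins with `bad ` or has it after punctuation (`(bad `, `:bad `) no longer matches, because the rule expanding $BAD_WORDS (presumably 1002, which the new 1009 later in this diff references) does a plain substring test. The change looks intended to stop longer words ending in `bad` from tripping that rule, but it trades that for lost coverage and nothing in the header comment records it. Adding a line to the `<!-- Bad words matching -->` comment such as `-  "bad" is listed with a leading space to avoid matching longer words; messages that start with "bad" are not covered.` would keep the trade-off visible to the next editor.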
     <description>File system full.</description>
     <group>low_diskspace,</group>
   </rule>
+
+  <rule id="1008" level="5">
+    <match>killed by SIGTERM</match>
+    <description>Process exiting (killed).</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="1009" level="0">
+    <if_sid>1002</if_sid>
+    <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+    <match>PPM exceeds tolerance</match>
+    <description>Ignoring known false positives on rule 1002..</description>
+  </rule>
+
+  <rule id="1010" level="5">
+    <match>segfault at </match>
+    <description>Process segfaulted.</description>
+    <group>service_availability,</group>
+  </rule>
 </group> <!-- SYSLOG,ERRORS -->
 
 
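Review bot: Rule 1009 silences 1002 on an unanchored substring (`terminated without error`, `can't verify hostname: getaddrinfo`, `PPM exceeds tolerance`) anywhere in the line, so a log whose attacker-influenced fields can carry one of those strings would have its 1002 hit suppressed; a level-0 child this broad is safer when tied to the program that emits each message (one rule per `<program_name>`) or when the text is anchored with `<regex>^…`. The description also has a stray double period: `<description>Ignoring known false positives on rule 1002.</description>`. 1008 fires at level 5 on every `killed by SIGTERM`, which would also cover routine service stops that log the signal, so expect volume at shutdown or restart unless it is lowered or scoped.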
     <match>Authentication failed for|invalid password for|</match>
     <match>LOGIN FAILURE|auth failure: |authentication error|</match>
     <match>authinternal failed|Failed to authorize|</match>
-    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
+    <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
+    <match>Failed to authenticate user</match>
     <group>authentication_failed,</group>
     <description>User authentication failure.</description>
   </rule>
     <match>^Authentication passed</match>
     <description>Pop3 Authentication passed.</description>
   </rule>
+
+  <rule id="2507" level="0">
+    <decoded_as>openldap</decoded_as>
+    <description>OpenLDAP group.</description>
+  </rule>
+
+  <rule id="2508" level="3">
+    <if_sid>2507</if_sid>
+    <match>ACCEPT from</match>
+    <description>OpenLDAP connection open.</description>
+  </rule>
+
+  <rule id="2509" level="5" timeframe="10" frequency="0">
+    <if_sid>2507</if_sid>
+    <if_matched_sid>2508</if_matched_sid>
+    <same_id />
+    <match>RESULT tag=97 err=49</match>
+    <description>OpenLDAP authentication failed.</description>
+  </rule>
+
 </group> <!-- SYSLOG,ACESSCONTROL -->
 
 
 
+<!-- rshd -->
+<group name="syslog,access_control,">
+  <rule id="2550" level="0" noalert="1">
+    <decoded_as>rshd</decoded_as>
+    <description>rshd messages grouped.</description>
+  </rule>
+
+  <rule id="2551" level="10">
+    <if_sid>2550</if_sid>
+    <regex>^Connection from \S+ on illegal port$</regex>
+    <description>Connection to rshd from unprivileged port. Possible network scan.</description>
+    <group>connection_attempt,</group>
+  </rule>
+</group>
+
+
+
 <!-- Mail/Procmail messages -->
 <group name="syslog,mail,">
   <rule id="2701" level="0">
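Review bot: Rule 2509 reports an OpenLDAP bind failure (`RESULT tag=97 err=49`) but, unlike the other authentication-failure rules in this file (compare the `<group>authentication_failed,</group>` on the rules ending at the `authentication_failed` hunks above and at 5301), carries no `<group>` element, so nothing that aggregates on that group will count it; add `<group>authentication_failed,</group>` before its description. The correlation with 2508 through `<if_matched_sid>` and `<same_id />` only fires when the ACCEPT was seen within `timeframe="10"` seconds, so a bind that fails later on a longer-lived connection is silently missed, and `frequency="0"` is an unusual value whose handling by the engine should be confirmed rather than assumed. 2508 at level 3 also alerts on every accepted connection, which will be noisy on a busy directory; a level-0 grouping rule with the failure rule as the alerting child may be what is wanted.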
   <rule id="5106" level="0">
     <if_sid>5100</if_sid>
     <match>svc: unknown program 100227 (me 100003)</match>
-    <description>NFS incompability between Linux and Solaris.</description>
+    <description>NFS incompatibility between Linux and Solaris.</description>
   </rule>
 
   <rule id="5107" level="0">
     <if_sid>5100</if_sid>
     <match>svc: bad direction </match>
-    <description>NFS incompability between Linux and Solaris.</description>
+    <description>NFS incompatibility between Linux and Solaris.</description>
   </rule>
 
   <rule id="5108" level="12">
 
   <rule id="5111" level="0">
     <if_sid>5100</if_sid>
-    <match>ipw2200: Firmware error detected.</match>
+    <match>ipw2200: Firmware error detected.| ACPI Error</match>
     <description>Kernel device error.</description>
   </rule>
 
   
   <rule id="5301" level="5">
    <if_sid>5300</if_sid>
-   <match>authentication failure; |failed|BAD su|^-| - </match>
+   <match>authentication failure; |failed|BAD su|^-</match>
    <description>User missed the password to change UID (user id).</description> 
    <group>authentication_failed,</group>
   </rule>
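Review bot: Removing the ` - ` alternative from 5301's `<match>` narrows a level-5 authentication_failed rule, and nothing on the new side records which su log format that alternative covered or why it was dropped. Since the remaining `^-` alternative still anchors on a leading dash, the change presumably targets false positives from ` - ` appearing mid-line; a comment above the rule, e.g. `<!-- " - " alternative dropped from 5301; "^-" retained for lines starting with "-" -->`, would preserve that reasoning. Worth confirming against su output from the platforms this file covers before relying on the narrower match.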
     <options>alert_by_email</options>
     <description>First time (su) is executed by user.</description>
   </rule>
+
+  <rule id="5306" level="0">
+    <if_sid>5300</if_sid>
+    <match>unknown class</match>
+    <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+    <description>A user has attempted to su to an unknown class.</description>
+  </rule>
+
 </group> <!-- SYSLOG,SU -->
 
 
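Review bot: 5306 sets level 0 for an su attempt against an unknown login class, so the event is dropped from alerting rather than recorded at a low level, even though an su attempt that fails for a configuration reason is still an authentication-relevant event; 5905 (`useradd` failed, in the next hunk) makes the same choice for an account-management failure. If the purpose is only to keep these out of noisier parents, a low non-zero level such as `<rule id="5306" level="2">` keeps them visible in alerts without paging anyone. The `<info>` text on 5306 is useful and could be kept as is.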
     <match>^changed user</match>
     <description>Information from the user was changed</description>
   </rule>
+
+  <rule id="5905" level="0">
+    <program_name>useradd</program_name>
+    <match>failed adding user </match>
+    <description>useradd failed.</description>
+  </rule>
+
 </group> <!-- SYSLOG,ADDUSER -->
 
 
     <description>Initial group for sudo messages</description>
   </rule>
   
-  <rule id="5401" level="10">
+  <rule id="5401" level="5">
     <if_sid>5400</if_sid>
-    <match>3 incorrect password attempts</match>
-    <description>Three failed attempts to run sudo</description>
+    <match>incorrect password attempt</match>
+    <description>Failed attempt to run sudo</description>
   </rule>
 
   <rule id="5402" level="3">
     <if_sid>5400</if_sid>
-    <match> ; USER=root ; COMMAND=</match>
+    <regex> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</regex>
     <description>Successful sudo to ROOT executed</description>
   </rule>
 
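Review bot: The new 5402 regex only tolerates a `TSID=\S+` field between `USER=root` and `COMMAND=`, so a sudo line with any other field in that position (sudo adds e.g. `GROUP=` when `-g` is used) would not match and a root command would go unreported. A looser form such as ` ; USER=root ; \.*COMMAND=` (`\.` is the any-character token in OSSEC's regex; confirm the `\.*` repetition against the os_regex documentation) avoids maintaining one alternative per field. The 5401 change (level 10 to 5, matching each `incorrect password attempt`) is coherent with the new 5404 in the next hunk, which escalates on three attempts.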
     <options>alert_by_email</options>
     <if_fts></if_fts>
     <description>First time user executed sudo.</description>
-  </rule>                  
+  </rule>
+
+  <rule id="5404" level="10">
+    <if_sid>5401</if_sid>
+    <match>3 incorrect password attempts</match>
+    <description>Three failed attempts to run sudo</description>
+  </rule>
+
+  <rule id="5405" level="5">
+    <if_sid>5400</if_sid>
+    <match>user NOT in sudoers</match>
+    <description>Unauthorized user attempted to use sudo.</description>
+  </rule>
+
 </group> <!-- SYSLOG, SUDO -->
 
 
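Review bot: 5404 escalates on the literal `3 incorrect password attempts`, but the count sudo prints is its configurable `passwd_tries`, so a host set to a different value never reaches level 10 while 5401 keeps firing at level 5 for each line. `<regex>\d+ incorrect password attempts</regex>` matches the message regardless of the configured count. 5405 covers `user NOT in sudoers`; sudo also reports the related `user NOT authorized on host` for host-restricted entries, which would otherwise stay in the 5400 parent, so consider adding it as an alternative.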
     <if_sid>9100</if_sid>
     <regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
     <description>PPTPD failed message (communication error)</description>
-    <info>poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
+    <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
   </rule>
   
   <rule id="9102" level="0">
 <group name="syslog,dpkg,">
   <rule id="2900" level="0">
     <decoded_as>windows-date-format</decoded_as>
-    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ </regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade </regex>
     <description>Dpkg (Debian Package) log.</description>
   </rule>
   
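Review bot: Rule 2900 replaces the generic `\w+ ` action with an explicit list, but dpkg(1) also documents a `disappear` action for its log and that case is missing, so such lines would not enter the dpkg group and would fall through to the generic rules. Add `<regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d disappear |</regex>` to the alternation (before the final `upgrade ` line, keeping the trailing `|` chain intact). Since the list is now closed, a short comment naming the dpkg version whose actions it covers would help the next maintainer spot new ones.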
     <group>config_changed,</group>
     <description>Yum package deleted.</description>
   </rule>
+
+  <!-- SCSI CONTROLLER -->
+  <rule id="2935" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptscsih</id>
+    <description>Grouping for the mptscrih rules.</description>
+  </rule>
+
+  <rule id="2936" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptbase</id>
+    <description>Grouping for the mptbase rules.</description>
+  </rule>
+
+  <rule id="2937" level="12">
+    <if_sid>2935</if_sid>
+    <status>FAILED</status>
+    <description>Possible Disk failure. SCSI controller error.</description>
+  </rule>
+
+  <rule id="2938" level="12">
+    <if_sid>2936</if_sid>
+    <action>failed</action>
+    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
+  </rule>
+
+  <rule id="2939" level="12">
+    <if_sid>2936</if_sid>
+    <action>degraded</action>
+    <description>SCSI RAID is now in a degraded status.</description>
+  </rule>
+
+  <rule id="2940" level="0">
+    <program_name>^NetworkManager</program_name>
+    <description>NetworkManager grouping.</description>
+  </rule>
+
+  <rule id="2941" level="3">
+    <if_sid>2940</if_sid>
+    <match> No chain/target/match by that name.$</match>
+    <description>Incorrect chain/target/match.</description>
+  </rule>
+
+  <rule id="2942" level="0">
+    <if_sid>1002</if_sid>
+    <match>g_slice_set_config: assertion `sys_page_size == 0' failed</match>
+    <description>Uninteresting gnome error.</description>
+  </rule>
+
+  <rule id="2943" level="0">
+    <match>^nouveau </match>
+    <description>nouveau driver grouping</description>
+  </rule>
+
+  <rule id="2944" level="1">
+    <if_sid>2943</if_sid>
+    <match> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</match>
+    <description>Uninteresting nouveau error.</description>
+  </rule>
+
+  <rule id="2945" level="4">
+    <program_name>^rsyslogd</program_name>
+    <match>^imuxsock begins to drop messages </match>
+    <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
+    <description>rsyslog may be dropping messages due to rate-limiting.</description>
+  </rule>
+
 </group>
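Review bot: The SCSI, NetworkManager, gnome, nouveau and rsyslog rules (2935–2945) are added inside a `<group>` whose opening tag is outside this hunk; the surrounding context (`Yum package deleted.` just above, `syslog,dpkg,` in the previous hunk) suggests it is a package-management group, so these hardware and daemon rules would inherit a misleading group label. They would fit better in their own `<group name="syslog,…">`, or at least next to the kernel rules they chain from (2935/2936 use `<if_sid>5100</if_sid>`). The 2935 description misspells the driver it groups: `<description>Grouping for the mptscsih rules.</description>`. 2945's `<info>` holds a URL but, unlike the PPTPD `<info>` fix earlier in this diff, omits `type="link"`; use `<info type="link">` so the URL is rendered as a link rather than free text.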