<!-- Bad words matching. Any log containing these messages
- will be triggered.
-->
-<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
+<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<!-- Syslog errors. -->
<match>PPM exceeds tolerance</match>
<description>Ignoring known false positives on rule 1002..</description>
</rule>
+
+ <rule id="1010" level="5">
+ <match>segfault at </match>
+ <description>Process segfaulted.</description>
+ <group>service_availability,</group>
+ </rule>
</group> <!-- SYSLOG,ERRORS -->
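Review bot: Rule 1010 raises a level-5 alert for every `segfault at ` line but nothing correlates repeats, and a burst of segfaults from one binary is one of the more useful host-level hints of an exploitation attempt (brute-forcing ASLR or a canary) as opposed to a one-off crash. Consider a child rule with `frequency`/`timeframe` on `if_matched_sid` 1010 so repeated crashes escalate; the id below is a placeholder, pick one not already used in this file (only 1010 is visible in this hunk). The `service_availability` group is kept so existing consumers of 1010 still see it.
```xml
<rule id="1011" level="10" frequency="6" timeframe="120">
  <if_matched_sid>1010</if_matched_sid>
  <description>Multiple process segfaults in a short time; possible exploitation attempt or crashing service.</description>
  <group>service_availability,</group>
</rule>
```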
<match>Authentication failed for|invalid password for|</match>
<match>LOGIN FAILURE|auth failure: |authentication error|</match>
<match>authinternal failed|Failed to authorize|</match>
- <match>Wrong password given for|login failed|Auth: Login incorrect</match>
+ <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
+ <match>Failed to authenticate user</match>
<group>authentication_failed,</group>
<description>User authentication failure.</description>
</rule>
<rule id="5106" level="0">
<if_sid>5100</if_sid>
<match>svc: unknown program 100227 (me 100003)</match>
- <description>NFS incompability between Linux and Solaris.</description>
+ <description>NFS incompatibility between Linux and Solaris.</description>
</rule>
<rule id="5107" level="0">
<if_sid>5100</if_sid>
<match>svc: bad direction </match>
- <description>NFS incompability between Linux and Solaris.</description>
+ <description>NFS incompatibility between Linux and Solaris.</description>
</rule>
<rule id="5108" level="12">
<rule id="5301" level="5">
<if_sid>5300</if_sid>
- <match>authentication failure; |failed|BAD su|^-| - </match>
+ <match>authentication failure; |failed|BAD su|^-</match>
<description>User missed the password to change UID (user id).</description>
<group>authentication_failed,</group>
</rule>
<match>^changed user</match>
<description>Information from the user was changed</description>
</rule>
+
+ <rule id="5905" level="0">
+ <program_name>useradd</program_name>
+ <match>failed adding user </match>
+ <description>useradd failed.</description>
+ </rule>
+
</group> <!-- SYSLOG,ADDUSER -->
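Review bot: Rule 5905 gives `failed adding user ` level 0, which discards the event outright rather than just keeping it away from the generic error rules; a rejected useradd is exactly the trace you want when a script or an intruder tries to create an account and fails. Unless the intent really is to drop it, keep it at a low non-zero level, e.g. `<rule id="5905" level="3">`, and attach the group the sibling adduser rules use — I am inferring that group from the `SYSLOG,ADDUSER` comment on the closing tag, so confirm against the rules above this hunk.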
<description>Initial group for sudo messages</description>
</rule>
- <rule id="5401" level="10">
+ <rule id="5401" level="5">
<if_sid>5400</if_sid>
- <match>3 incorrect password attempts</match>
- <description>Three failed attempts to run sudo</description>
+ <match>incorrect password attempt</match>
+ <description>Failed attempt to run sudo</description>
</rule>
<rule id="5402" level="3">
<if_sid>5400</if_sid>
- <match> ; USER=root ; COMMAND=</match>
+ <regex> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</regex>
<description>Successful sudo to ROOT executed</description>
</rule>
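Review bot: The new 5402 regex keys only on `; USER=root ; COMMAND=`, and in my reading of sudo's log format that fragment also appears on the failure lines (`N incorrect password attempts ; TTY=... ; USER=root ; COMMAND=...` and `user NOT in sudoers ; ... ; USER=root ; COMMAND=...`), so a rejected sudo can be reported as "Successful sudo to ROOT executed" unless the engine tries the higher-level siblings 5401 and 5405 first. If the rule set relies on that ordering it should be written down next to 5402, e.g. `<!-- Keep this level below 5401/5405 so failed and unauthorized sudo lines are claimed by them first. -->`. Note also that the widened 5401 match `incorrect password attempt` still covers the `3 incorrect password attempts` line, so the lockout only keeps its former level 10 through the 5404 child added further down in this diff.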
<options>alert_by_email</options>
<if_fts></if_fts>
<description>First time user executed sudo.</description>
- </rule>
+ </rule>
+
+ <rule id="5404" level="10">
+ <if_sid>5401</if_sid>
+ <match>3 incorrect password attempts</match>
+ <description>Three failed attempts to run sudo</description>
+ </rule>
+
+ <rule id="5405" level="5">
+ <if_sid>5400</if_sid>
+ <match>user NOT in sudoers</match>
+ <description>Unauthorized user attempted to use sudo.</description>
+ </rule>
+
</group> <!-- SYSLOG, SUDO -->
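Review bot: Rule 5404 hard-codes `3 incorrect password attempts`, but the number in that message comes from sudo's `passwd_tries` setting (default 3), so a host configured with any other value never reaches level 10 and stays at the single-failure level of 5401. Match the count generically instead: `<regex>\d+ incorrect password attempts</regex>`. For 5405, `user NOT in sudoers` is an explicit privilege-escalation attempt by someone who holds no sudo rights at all, which is arguably more interesting than a mistyped password; I would at least add a short comment saying why it sits at the same level 5 as 5401, or raise it.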
<group name="syslog,dpkg,">
<rule id="2900" level="0">
<decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d \w+ </regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |</regex>
+ <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade </regex>
<description>Dpkg (Debian Package) log.</description>
</rule>
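Review bot: Rule 2900 now enumerates nine dpkg actions instead of accepting any `\w+`, so a dpkg line whose first word after the timestamp is anything else is no longer grouped under 2900 and falls through to whatever generic rule matches it; as far as I recall dpkg also writes `disappear` lines, and future versions may add actions. Either add the missing alternative, `<regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d disappear |</regex>`, or record the reason for the tightening (presumably unrelated `windows-date-format` lines matching the old pattern) in a comment such as `<!-- Explicit dpkg action list; do not widen back to \w+, it swallowed non-dpkg lines. -->` so the next maintainer does not reintroduce the wildcard.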
<rule id="2937" level="12">
<if_sid>2935</if_sid>
<status>FAILED</status>
- <description>Posible Disk failure. SCSI controller error.</description>
+ <description>Possible Disk failure. SCSI controller error.</description>
</rule>
<rule id="2938" level="12">
<description>SCSI RAID is now in a degraded status.</description>
</rule>
+ <rule id="2940" level="0">
+ <program_name>^NetworkManager</program_name>
+ <description>NetworkManager grouping.</description>
+ </rule>
+
+ <rule id="2941" level="3">
+ <if_sid>2940</if_sid>
+ <match> No chain/target/match by that name.$</match>
+ <description>Incorrect chain/target/match.</description>
+ </rule>
+
+ <rule id="2942" level="0">
+ <if_sid>1002</if_sid>
+ <match>g_slice_set_config: assertion `sys_page_size == 0' failed</match>
+ <description>Uninteresting gnome error.</description>
+ </rule>
+
+ <rule id="2943" level="0">
+ <match>^nouveau </match>
+ <description>nouveau driver grouping</description>
+ </rule>
+
+ <rule id="2944" level="1">
+ <if_sid>2943</if_sid>
+ <match> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</match>
+ <description>Uninteresting nouveau error.</description>
+ </rule>
+
+ <rule id="2945" level="4">
+ <program_name>^rsyslogd</program_name>
+ <match>^imuxsock begins to drop messages </match>
+ <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
+ <description>rsyslog may be dropping messages due to rate-limiting.</description>
+ </rule>
+
</group>
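Review bot: Rule 2945 rates `imuxsock begins to drop messages ` at level 4, but lost syslog is a detection-integrity problem rather than noise: every rule downstream, including the auth and sudo rules in this file, is blind for the dropped window, and the rate limit can be tripped on purpose by flooding the socket. I would raise it to the level this file uses for service faults and give it a group responders can filter on, e.g. `<rule id="2945" level="7">` with `<group>service_availability,</group>`, mirroring what rule 1010 in this diff does. The `<info>` link to the SANS diary is useful; keep it.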