-<!-- @(#) $Id: syslog_rules.xml,v 1.87 2009/12/01 15:40:07 dcid Exp $
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
- Official Generic Syslog rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<description>File system full.</description>
<group>low_diskspace,</group>
</rule>
+
+ <rule id="1008" level="5">
+ <match>killed by SIGTERM</match>
+ <description>Process exiting (killed).</description>
+ <group>service_availability,</group>
+ </rule>
+
+ <rule id="1009" level="0">
+ <if_sid>1002</if_sid>
+ <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+ <match>PPM exceeds tolerance</match>
+ <description>Ignoring known false positives on rule 1002..</description>
+ </rule>
</group> <!-- SYSLOG,ERRORS -->
<match>^Authentication passed</match>
<description>Pop3 Authentication passed.</description>
</rule>
+
+ <rule id="2507" level="0">
+ <decoded_as>openldap</decoded_as>
+ <description>OpenLDAP group.</description>
+ </rule>
+
+ <rule id="2508" level="3">
+ <if_sid>2507</if_sid>
+ <match>ACCEPT from</match>
+ <description>OpenLDAP connection open.</description>
+ </rule>
+
+ <rule id="2509" level="5" timeframe="10" frequency="0">
+ <if_sid>2507</if_sid>
+ <if_matched_sid>2508</if_matched_sid>
+ <same_id />
+ <match>RESULT tag=97 err=49</match>
+ <description>OpenLDAP authentication failed.</description>
+ </rule>
+
</group> <!-- SYSLOG,ACESSCONTROL -->
+<!-- rshd -->
+<group name="syslog,access_control,">
+ <rule id="2550" level="0" noalert="1">
+ <decoded_as>rshd</decoded_as>
+ <description>rshd messages grouped.</description>
+ </rule>
+
+ <rule id="2551" level="10">
+ <if_sid>2550</if_sid>
+ <regex>^Connection from \S+ on illegal port$</regex>
+ <description>Connection to rshd from unprivileged port. Possible network scan.</description>
+ <group>connection_attempt,</group>
+ </rule>
+</group>
+
+
+
<!-- Mail/Procmail messages -->
<group name="syslog,mail,">
<rule id="2701" level="0">
<rule id="5111" level="0">
<if_sid>5100</if_sid>
- <match>ipw2200: Firmware error detected.</match>
+ <match>ipw2200: Firmware error detected.| ACPI Error</match>
<description>Kernel device error.</description>
</rule>
<options>alert_by_email</options>
<description>First time (su) is executed by user.</description>
</rule>
+
+ <rule id="5306" level="0">
+ <if_sid>5300</if_sid>
+ <match>unknown class</match>
+ <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+ <description>A user has attempted to su to an unknown class.</description>
+ </rule>
+
</group> <!-- SYSLOG,SU -->
<if_sid>9100</if_sid>
<regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
<description>PPTPD failed message (communication error)</description>
- <info>poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
+ <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
</rule>
<rule id="9102" level="0">
projects / ossec-hids.git / blobdiff