Imported Upstream version 2.7

[ossec-hids.git] / etc / rules / syslog_rules.xml

diff --git a/etc/rules/syslog_rules.xml b/etc/rules/syslog_rules.xml
index b536e43..80a00ee 100755 (executable)
--- a/etc/rules/syslog_rules.xml
+++ b/etc/rules/syslog_rules.xml
@@ -1,4 +1,4 @@
-<!-- @(#) $Id$
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
   -  Official Generic Syslog rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
@@ -65,6 +65,13 @@
     <description>Process exiting (killed).</description>
     <group>service_availability,</group>
   </rule>
+
+  <rule id="1009" level="0">
+    <if_sid>1002</if_sid>
+    <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+    <match>PPM exceeds tolerance</match>
+    <description>Ignoring known false positives on rule 1002..</description>
+  </rule>
 </group> <!-- SYSLOG,ERRORS -->
 
 
@@ -154,6 +161,26 @@
     <match>^Authentication passed</match>
     <description>Pop3 Authentication passed.</description>
   </rule>
+
+  <rule id="2507" level="0">
+    <decoded_as>openldap</decoded_as>
+    <description>OpenLDAP group.</description>
+  </rule>
+
+  <rule id="2508" level="3">
+    <if_sid>2507</if_sid>
+    <match>ACCEPT from</match>
+    <description>OpenLDAP connection open.</description>
+  </rule>
+
+  <rule id="2509" level="5" timeframe="10" frequency="0">
+    <if_sid>2507</if_sid>
+    <if_matched_sid>2508</if_matched_sid>
+    <same_id />
+    <match>RESULT tag=97 err=49</match>
+    <description>OpenLDAP authentication failed.</description>
+  </rule>
+
 </group> <!-- SYSLOG,ACESSCONTROL -->
 
 
@@ -288,7 +315,7 @@
 
   <rule id="5111" level="0">
     <if_sid>5100</if_sid>
-    <match>ipw2200: Firmware error detected.</match>
+    <match>ipw2200: Firmware error detected.| ACPI Error</match>
     <description>Kernel device error.</description>
   </rule>
 
@@ -403,6 +430,14 @@
     <options>alert_by_email</options>
     <description>First time (su) is executed by user.</description>
   </rule>
+
+  <rule id="5306" level="0">
+    <if_sid>5300</if_sid>
+    <match>unknown class</match>
+    <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+    <description>A user has attempted to su to an unknown class.</description>
+  </rule>
+
 </group> <!-- SYSLOG,SU -->