X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fids_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fids_rules.xml;h=0000000000000000000000000000000000000000;hp=7fe49937718219dfefffd06b94b0fdb03f2054cd;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hpb=3f728675941dc69d4e544d3a880a56240a6e394a

diff --git a/debian/ossec-hids/var/ossec/rules/ids_rules.xml b/debian/ossec-hids/var/ossec/rules/ids_rules.xml
deleted file mode 100644
index 7fe4993..0000000
--- a/debian/ossec-hids/var/ossec/rules/ids_rules.xml
+++ /dev/null
@@ -1,104 +0,0 @@
-<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
-
-  -  Official IDS rules for OSSEC.
-  -
-  -  Copyright (C) 2009 Trend Micro Inc.
-  -  All rights reserved.
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 2) as published by the FSF - Free Software
-  -  Foundation.
-  -
-  -  License details: http://www.ossec.net/en/licensing.html
-  -->
-
-
-<var name="IDS_FREQ">8</var>      
-
-<group name="ids,">
-  <rule id="20100" level="8">
-    <category>ids</category>
-    <if_fts></if_fts>
-    <description>First time this IDS alert is generated.</description>
-    <group>fts,</group>
-  </rule>
-
-  <rule id="20101" level="6">
-    <category>ids</category>
-    <check_if_ignored>srcip, id</check_if_ignored>
-    <description>IDS event.</description>
-  </rule>
-
-  <!-- This rule ignores some Ids that cause too much
-    -  false positives. Snort specific.
-    -->
-  <rule id="20102" level="0">
-    <if_sid>20100, 20101</if_sid>
-    <decoded_as>snort</decoded_as>
-    <!-- 1:1852 -> robots.txt access
-       - 1:368 - ICMP ping.
-       - 1:384 - ICMP ping.
-       - 1:366 - ICMP ping.
-       - 1:399 - ICMP host unreachable
-       - 1:402 - ICMP port unreachable
-       - 1:408 - ICMP reply
-       - 1:480 - ICMP ping speedera.
-       - 1:1365 - RM commant attempt (too many false positives)
-       - 1:2925 - web bug 0x0 gif attempt
-       -->
-    <id>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id>
-    <id>^1:480:|^1:399:|^1:2925:</id>
-    <description>Ignored snort ids.</description>
-  </rule>
-
-  <!-- Ignored Dragon ids -->
-  <rule id="20103" level="0">
-    <if_sid>20100, 20101</if_sid>
-    <decoded_as>dragon-nids</decoded_as>
-    <!-- EOL -> end of line
-       - SOF -> start of file
-       - HEARTBEAT -> Heartbeat
-       - DYNAMIC-TCP -> ?
-       - DYNAMIC-UDP -> ?
-       -->
-    <id>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id>
-    <description>Ignored snort ids.</description>
-  </rule>
-
-  <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
-    <if_matched_sid>20101</if_matched_sid>
-    <same_id />
-    <check_if_ignored>id</check_if_ignored>
-    <description>Multiple IDS alerts for same id.</description>
-  </rule>  
-
-  <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
-    <if_matched_sid>20101</if_matched_sid>
-    <same_source_ip />
-    <check_if_ignored>srcip, id</check_if_ignored>
-    <description>Multiple IDS events from same source ip.</description>
-  </rule>
-  
-  
-  <!-- This rule is to detect bad configured IDSs alerting on
-     - the same thing all the time. We will skip those events
-     - since they became just noise.
-     -->
-  <rule id="20161" level="11" frequency="3" timeframe="3800">
-    <if_matched_sid>20151</if_matched_sid>
-    <same_source_ip />
-    <same_id />
-    <ignore>srcip, id</ignore>
-    <description>Multiple IDS events from same source ip </description>
-    <description>(ignoring now this srcip and id).</description>
-  </rule>
-
-  <rule id="20162" level="11" frequency="3" timeframe="3800">
-    <if_matched_sid>20152</if_matched_sid>
-    <same_id />
-    <ignore>id</ignore>
-    <description>Multiple IDS alerts for same id </description>
-    <description>(ignoring now this id).</description>
-  </rule>    
-</group>
