X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmcafee_av_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmcafee_av_rules.xml;h=d3b2aab721b9fd0a6f1e8297a487aba85ba6c874;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml b/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml
new file mode 100644
index 0000000..d3b2aab
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/mcafee_av_rules.xml
@@ -0,0 +1,125 @@
+<!-- @(#) $Id: ./etc/rules/mcafee_av_rules.xml, 2011/09/08 dcid Exp $
+
+  -  McAfee AV rules for OSSEC.
+  -
+  -  Copyright (C) 2008 Michael Starks
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 3) as published by the FSF - Free Software
+  -  Foundation.
+  -->
+
+<var name="MCAFEE_ERROR">^259$|^100$|^1000$|^1001$|^1002$|^1003$|^1004$|^1005$|^1006$|^1007$|^1008$|^5003$|^5005$|^5008$|^5010$|^5011$|^5019$|^5020$|^5021$|^5022$|^5030$|^5031$|^5032$|^5033$|^5034$|^5035$|^5046$|^5047$|^5048$|^5049$|^5051$|^5054$|^5057$|^5059$|^5060$|^5063$|^5063$</var>
+<var name="MCAFEE_WARN">^258$|^5001$|^5028$|^5036$|^5037$|^5038$|^5039$|^5040$|^5041$|^5053$|^5056$|^5061$|^5062$|^5065$</var>
+<var name="MCAFEE_INFO">^257$|^5000$|^5026$|^5052$|^5055$</var>
+<var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var> 
+<var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
+<var name="MCAFEE_FREQ">10</var>
+
+<group name="mcafee,">
+  <rule id="7500" level="0">
+    <if_sid>18101,18102,18103</if_sid>
+    <category>windows</category>
+    <extra_data>^McLogEvent</extra_data>
+    <description>Grouping of McAfee Windows AV rules.</description>
+  </rule>
+
+  <rule id="7501" level="2">
+    <if_sid>7500</if_sid>
+    <id>$MCAFEE_INFO</id>
+    <description>McAfee Windows AV informational event.</description>
+  </rule>
+
+  <rule id="7502" level="3">
+    <if_sid>7500</if_sid>
+    <id>$MCAFEE_WARN</id>
+    <description>McAfee Windows AV warning event.</description>
+  </rule>
+
+  <rule id="7503" level="4">
+    <if_sid>7500</if_sid>
+    <id>$MCAFEE_ERROR</id>
+    <description>McAfee Windows AV error event.</description>
+  </rule>
+
+  <rule id="7504" level="12">
+    <if_sid>7500</if_sid>
+    <regex>$MCAFEE_VIRUS</regex>
+    <group>virus</group>
+    <description>McAfee Windows AV - Virus detected and not removed.</description>
+  </rule>
+
+  <rule id="7505" level="7">
+    <if_sid>7504</if_sid>
+    <match>$MCAFEE_VIRUS_OK</match>
+    <group>virus</group>
+    <description>McAfee Windows AV - Virus detected and properly removed.</description>
+  </rule>
+
+  <rule id="7506" level="7">
+    <if_sid>7504</if_sid>
+    <match>Will be deleted</match>
+    <group>virus</group>
+    <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
+  </rule>
+
+  <rule id="7507" level="3">
+    <if_sid>7500</if_sid>
+    <match>scan started|scan stopped</match>
+    <description>McAfee Windows AV - Scan started or stopped.</description>
+  </rule>
+
+  <rule id="7508" level="3">
+    <if_sid>7501</if_sid>
+    <id>^257</id>
+    <match>completed.  No detections</match>
+    <description>McAfee Windows AV - Scan completed with no viruses found.</description>
+  </rule>
+
+  <rule id="7509" level="5">
+    <if_sid>7500</if_sid>
+    <match>scan was cancelled |has taken too long</match>
+    <description>McAfee Windows AV - Virus scan cancelled.</description>
+  </rule>
+
+  <rule id="7510" level="5">
+    <if_sid>7500</if_sid>
+    <match>scan was canceled because</match>
+    <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
+  </rule>
+
+  <rule id="7511" level="3">
+    <if_sid>7500</if_sid>
+    <match>update was successful</match>
+    <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
+  </rule>
+
+  <rule id="07512" level="7">
+    <if_sid>7500</if_sid>
+    <match>update failed</match>
+    <description>McAfee Windows AV - Virus program or DAT update failed.</description>
+  </rule>
+
+  <rule id="7513" level="7">
+    <if_sid>7500</if_sid>
+    <match>update was cancelled</match>
+    <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
+  </rule>
+
+  <rule id="7514" level="5">
+    <if_sid>7505</if_sid>
+    <match>contains the EICAR test file</match>
+    <options>alert_by_email</options>
+    <description>McAfee Windows AV - EICAR test file detected.</description>
+  </rule>
+
+  <!-- Composite rules -->
+
+  <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
+    <if_matched_sid>7502</if_matched_sid>
+    <description>Multiple McAfee AV warning events.</description>
+  </rule>
+
+</group>
+