X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fopenbsd_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fopenbsd_rules.xml;h=6675e9e8b3d34af2e86a7a3992985b4aab331b08;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml b/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml
new file mode 100644
index 0000000..6675e9e
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/openbsd_rules.xml
@@ -0,0 +1,299 @@
+  <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+  -->
+
+
+
+  <!-- Modify it at your will. -->
+
+<group name="local,syslog,openbsd">
+
+  <rule id="51500" level="0" noalert="1">
+    <decoded_as>bsd_kernel</decoded_as>
+    <description>Grouping of bsd_kernel alerts</description>
+  </rule>
+
+  <rule id="51501" level="1">
+    <if_sid>51500</if_sid>
+    <match>ichiic0: abort failed, status 0x40</match> 
+    <description>A timeout occurred waiting for a transfer.</description>
+  </rule>
+
+  <rule id="51502" level="0">
+    <if_sid>51500</if_sid>
+    <match>Check Condition (error 0x70) on opcode 0x0</match>
+    <description>Check media in optical drive.</description>
+  </rule>
+
+  <rule id="51503" level="1"> 
+    <if_sid>51500</if_sid>
+    <match>BBB bulk-in clear stall failed</match> 
+    <description>A disk has timed out.</description>
+  </rule>
+
+  <rule id="51504" level="1">
+    <if_sid>51500</if_sid>
+    <match>arp info overwritten for</match>
+    <description>arp info has been overwritten for a host</description>
+  </rule>
+
+  <rule id="51505" level="5">
+    <if_sid>51500</if_sid>
+    <match>was not properly unmounted</match>
+    <description>A filesystem was not properly unmounted, likely system crash</description>
+  </rule>
+
+  <rule id="51506" level="1">
+    <if_sid>51500</if_sid>
+    <match>UKC> quit</match>
+    <description>UKC was used, possibly modifying a kernel at boot time.</description>
+  </rule>
+
+  <rule id="51507" level="1">
+    <if_sid>51500</if_sid>
+    <match>Michael MIC failure</match>
+    <description>Michael MIC failure: Checksum failure in the tkip protocol.</description>
+  </rule>
+
+  <rule id="51508" level="2">
+    <if_sid>51500</if_sid>
+    <match>soft error (corrected)</match>
+    <description>A soft error has been corrected on a hard drive, </description>
+    <description>this is a possible early sign of failure.</description>
+  </rule>
+
+  <rule id="51509" level="1">
+    <if_sid>51500</if_sid>
+    <regex>acpithinkpad\d:</regex>
+    <match>unknown event</match>
+    <description>Unknown acpithinkpad event</description>
+  </rule>
+
+  <rule id="51510" level="5">
+    <if_sid>51500</if_sid>
+    <match>Critical temperature, shutting down</match>
+    <description>System shutdown due to temperature</description>
+  </rule>
+
+  <rule id="51511" level="1">
+    <if_sid>51500</if_sid>
+    <match>_AL0[0] _PR0 failed</match>
+    <description>Unknown ACPI event (bug 6299 in OpenBSD bug tracking system).</description>
+  </rule>
+
+  <rule id="51512" level="1">
+    <if_sid>51500</if_sid>
+    <match>ehci_freex: xfer=0xffff8000003ef800 not busy, 0x4f4e5155</match>
+    <description>USB diagnostic message.</description>
+  </rule>
+
+  <rule id="51513" level="1">
+    <if_sid>51500</if_sid>
+    <match>ichiic0: abort failed, status 0x0</match>
+    <description>Possible APM or ACPI event.</description>
+  </rule>
+
+  <rule id="51514" level="3">
+    <if_sid>51500</if_sid>
+    <match>Filesystem is not clean - run fsck</match>
+    <description>Unclean filesystem, run fsck.</description>
+  </rule>
+  
+  <rule id="51515" level="0">
+    <if_sid>51500</if_sid>
+    <match>atascsi_passthru_done, timeout</match>
+    <description>Timeout in atascsi_passthru_done.</description>
+  </rule>
+
+  <rule id="51516" level="0">
+    <if_sid>51500</if_sid>
+    <regex>RTC BIOS diagnostic error 80\pclock_battery\p</regex>
+    <description>Clock battery error 80</description>
+  </rule>
+
+  <rule id="51518" level="3">
+    <if_sid>51500</if_sid>
+    <match>i/o error on block</match>
+    <description>I/O error on a storage device</description>
+  </rule>
+
+  <rule id="51519" level="1">
+    <if_sid>51500</if_sid>
+    <match>kbc: cmd word write error</match>
+    <description>kbc error.</description>
+  </rule>
+
+  <rule id="51520" level="1">
+    <if_sid>51500</if_sid>
+    <match>BBB reset failed, IOERROR</match>
+    <description>USB reset failed, IOERROR.</description>
+  </rule>
+
+  <rule id="51521" level="0" noalert="1">
+    <decoded_as>groupdel</decoded_as>
+    <description>Grouping for groupdel rules.</description>
+    <group>groupdel,</group>
+  </rule>
+
+  <rule id="51522" level="2">
+    <if_sid>51521</if_sid>
+    <match>group deleted</match>
+    <description>Group deleted.</description>
+    <group>groupdel,</group>
+  </rule>
+
+  <rule id="51523" level="0">
+    <program_name>savecore</program_name>
+    <match>no core dump</match>
+    <description>No core dumps.</description>
+  </rule>
+
+  <rule id="51524" level="4">
+    <program_name>reboot</program_name>
+    <match>rebooted by</match>
+    <description>System was rebooted.</description>
+  </rule>
+
+  <rule id="51525" level="0">
+    <program_name>^ftp-proxy</program_name>
+    <match>proxy cannot connect to server</match>
+    <description>ftp-proxy cannot connect to a server.</description>
+  </rule>
+
+  <rule id="51526" level="0">
+    <decoded_as>bsd_kernel</decoded_as>
+    <match>uncorrectable data error reading fsbn</match>
+    <description>Hard drive is dying.</description>
+  </rule>
+
+  <rule id="51527" level="0">
+    <decoded_as>bsd_kernel</decoded_as>
+    <match>^carp</match>
+    <action>state transition</action>
+    <status>MASTER -> BACKUP</status>
+    <description>CARP master to backup.</description>
+  </rule>
+
+  <rule id="51528" level="0">
+    <decoded_as>bsd_kernel</decoded_as>
+    <match>duplicate IP6 address</match>
+    <description>Duplicate IPv6 address.</description>
+  </rule>
+
+  <rule id="51529" level="0">
+    <decoded_as>bsd_kernel</decoded_as>
+    <match>failed loadfirmware of file</match>
+    <description>Could not load a firmware.</description>
+  </rule>
+
+  <rule id="51530" level="0">
+    <program_name>^hotplugd</program_name>
+    <match>Permission denied$</match>
+    <description>hotplugd could not open a file.</description>
+  </rule>
+
+  <rule id="51531" level="3">
+    <decoded_as>open-userdel</decoded_as>
+    <match>user removed: name=</match>
+    <description>User account deleted.</description>
+    <group>account_changed,</group>
+  </rule>
+
+  <rule id="51532" level="0">
+    <decoded_as>ntpd</decoded_as>
+    <match>bad peer from </match>
+    <description>Bad ntp peer.</description>
+  </rule>
+
+  <rule id="51533" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>receive_packet failed on </match>
+    <description>dhclient receive_packet failed.</description>
+  </rule>
+
+  <rule id="51534" level="1">
+    <if_sid>51533</if_sid>
+    <match>Input/output error$</match>
+    <description>dhclient receive_packet failed due to I/O error.</description>
+  </rule>
+
+  <rule id="51535" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>SIOCDIFADDR failed </match>
+    <description>SIOCDIFADDR failed</description>
+  </rule>
+
+  <rule id="51536" level="1">
+    <if_sid>51535</if_sid>
+    <match> Device not configured$</match>
+    <description>dhclient: device not configured.</description>
+  </rule>
+
+</group>
+
+<group name="local,syslog,openbsd,doas">
+
+  <rule id="51550" level="0">
+    <decoded_as>doas</decoded_as>
+    <description>doas grouping</description>
+  </rule>
+
+  <rule id="51551" level="1">
+    <if_sid>51550</if_sid>
+    <match>cannot stat</match>
+    <description>doas cannot stat a file.</description>
+  </rule>
+
+  <rule id="51552" level="2">
+    <if_sid>51551</if_sid>
+    <match>: Permission denied$</match>
+    <description>doas cannot stat a file due to permissions.</description>
+  </rule>
+
+  <rule id="51553" level="5">
+    <if_sid>51550</if_sid>
+    <match>path not secure$</match>
+    <description>A critical path for doas does not have secure permissions.</description>
+  </rule>
+
+  <rule id="51554" level="5">
+    <if_sid>51550</if_sid>
+    <match>failed command for </match>
+    <description>Failed doas command.</description>
+  </rule>
+
+  <rule id="51555" level="1">
+    <if_sid>51550</if_sid>
+    <match>ran command</match>
+    <description>A command was run using doas.</description>
+  </rule>
+
+  <rule id="51556" level="2">
+    <if_sid>51555</if_sid>
+    <match> as root </match>
+    <description>A doas command was run as root.</description>
+  </rule>
+
+  <rule id="51557" level="5">
+    <if_sid>51550</if_sid>
+    <match>failed auth for</match>
+    <description>doas authentication failed.</description>
+  </rule>
+
+  <rule id="51558" level="4">
+    <program_name>sendsyslog</program_name>
+    <match>^dropped </match>
+    <description>sendsyslog dropped log messages.</description>
+  </rule>
+
+</group> <!-- SYSLOG,LOCAL -->
+
+
+  <!-- EOF -->