X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsquid_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsquid_rules.xml;h=d74ef2ebf11de9a3177a3b393530b79c9c46c19d;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/rules/squid_rules.xml b/debian/ossec-hids/var/ossec/rules/squid_rules.xml
new file mode 100644
index 0000000..d74ef2e
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/squid_rules.xml
@@ -0,0 +1,212 @@
+
+
+
+
+
+
+
+8
+
+
+
+
+ squid
+ Squid messages grouped.
+
+
+
+
+
+ 35000
+ ^4|^5|^6
+ Squid generic error codes.
+
+
+
+ 35002
+ ^400
+ Bad request/Invalid syntax.
+
+
+
+ 35002
+ ^401
+ Unauthorized: Failed attempt to access
+ authorization-required file or directory.
+
+
+
+ 35002
+ ^403
+ Forbidden: Attempt to access forbidden file
+ or directory.
+
+
+
+ 35002
+ ^404
+ Not Found: Attempt to access non-existent
+ file or directory.
+
+
+
+ 35002
+ ^407
+ Proxy Authentication Required: User is not
+ authorized to use proxy.
+
+
+
+ 35002
+ ^4
+ Squid 400 error code (request failed).
+
+
+
+ 35002
+ ^5|^6
+ Squid 500/600 error code (server error).
+
+
+
+ 35009
+ ^503
+ Squid 503 error code (server unavailable).
+
+
+
+
+ 35006
+ blst.php|xxx3.php|ngr7.php|ngr2.php|/nul.php$|/mul.php$|/444.php
+ Attempt to access a Beagle worm (or variant)
+ file.
+ http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html
+ W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.
+ automatic_attack,
+
+
+
+
+ 35006
+ /jk/exp.wmf$|/PopupSh.ocx$
+ Attempt to access a worm/trojan related site.
+ automatic_attack,
+
+
+
+
+ 35004, 35005, 35006, 35009
+ .jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|
+ windowsupdate/redir/wuredir.cab|
+ ^http://codecs.microsoft.com/isapi/ocget.dll|
+ ^http://activex.microsoft.com/objects/ocget.dll|
+ ^http://webmessenger.msn.com/session/null|
+ ^http://sqm.msn.com/sqm/wmp/sqmserver.dll|
+ ^http://config.messenger.msn.com/Config/MsgrConfig.asmx|
+ kaspersky-labs.com/|
+ ^http://liveupdate.symantecliveupdate.com/|
+ _vti_bin/owssvr.dll|MSOffice/cltreq.asp|
+ google.com/mt?|
+ google.com/kh?|
+ ^http://kh.google.com/flatfile
+
+
+
+ Ignored files on a 40x error.
+
+
+
+
+ 35005
+
+
+ Multiple attempts to access forbidden file
+ or directory from same source ip.
+
+
+
+ 35007
+
+ Multiple unauthorized attempts to use proxy.
+
+
+
+ 35003
+
+
+ Multiple Bad requests/Invalid syntax.
+
+
+
+ 35021
+
+ Infected machine with W32.Beagle.DP.
+ http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html
+ W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.
+
+
+
+ 35006
+
+
+ Multiple attempts to access a non-existent file.
+
+
+
+ 35022
+
+ Multiple attempts to access a worm/trojan/virus
+ related web site. System probably infected.
+
+
+
+ 35008
+
+
+ Multiple 400 error codes (requests failed).
+
+
+
+ 35009
+
+
+ Multiple 500/600 error codes (server error).
+
+
+
+ 35055
+
+ Ignoring multiple attempts from same source ip
+ (alert only once).
+
+
+
+
+
+
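Review bot: the ignore rule whose pattern starts at `.jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|` leaves the dots unescaped and most alternatives unanchored, so in OSSEC's regex syntax `.` matches any character and `.js`, `.xml` or `.zip` will match anywhere inside a URL (for example a path segment containing "js" preceded by any character), silently suppressing genuine 40x alerts that this rule is meant to filter only for static-content requests; escape the dots (`\.jpg`, `\.gif`, `\.js`) and anchor the extension alternatives with `$` consistently, as `favicon.ico$`, `.png$` and `.txt$` already are. The same rule's `if_sid` list `35004, 35005, 35006, 35009` includes 35009, which elsewhere in this hunk is the parent of `Multiple 500/600 error codes (server error)`, so the description `Ignored files on a 40x error.` is narrower than what the rule actually covers; either drop 35009 from the list or reword the description to mention 5xx/6xx responses.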