X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;h=0000000000000000000000000000000000000000;hp=24b0b5fabda98b7353770b1c1bd2e62b54b52c36;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hpb=3f728675941dc69d4e544d3a880a56240a6e394a
diff --git a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
deleted file mode 100644
index 24b0b5f..0000000
--- a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
+++ /dev/null
@@ -1,725 +0,0 @@
-
-
-
-
-
-
-core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
-
-
-
-
-
- ^Couldn't open /etc/securetty
- File missing. Root access unrestricted.
-
-
-
- $BAD_WORDS
- alert_by_email
- Unknown problem somewhere in the system.
-
-
-
- Non standard syslog message (size too large).
-
-
-
- ^exiting on signal
- Syslogd exiting (logging stopped).
-
-
-
- syslogd
- ^restart
- Syslogd restarted.
-
-
-
- ^syslogd \S+ restart
- Syslogd restarted.
-
-
-
- file system full|No space left on device
- File system full.
- low_diskspace,
-
-
-
- killed by SIGTERM
- Process exiting (killed).
- service_availability,
-
-
-
- 1002
- terminated without error|can't verify hostname: getaddrinfo|
- PPM exceeds tolerance
- Ignoring known false positives on rule 1002..
-
-
-
- segfault at
- Process segfaulted.
- service_availability,
-
-
-
-
-
-
-
-
-
- ^automount|^mount
- NFS rules grouped.
-
-
-
- 2100
- nfs: mount failure
- Unable to mount the NFS share.
-
-
-
- 2100
- reason given by server: Permission denied
- Unable to mount the NFS directory.
-
-
-
- ^rpc.mountd: refused mount request from
- Unable to mount the NFS directory.
-
-
-
- 2100
- lookup for \S+ failed
- Automount informative message
-
-
-
-
-
-
-
-
- ^Deactivating service
- Excessive number connections to a service.
-
-
-
-
-
-
-
-
- FAILED LOGIN |authentication failure|
- Authentication failed for|invalid password for|
- LOGIN FAILURE|auth failure: |authentication error|
- authinternal failed|Failed to authorize|
- Wrong password given for|login failed|Auth: Login incorrect|
- Failed to authenticate user
- authentication_failed,
- User authentication failure.
-
-
-
- more authentication failures;|REPEATED login failures
- User missed the password more than one time
- authentication_failed,
-
-
-
- ^refused connect from|
- ^libwrap refused connection|
- Connection from \S+ denied
- Connection blocked by Tcp Wrappers.
- access_denied,
-
-
-
- ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED
- Illegal root login.
- invalid_login,
-
-
-
- ^ROOT LOGIN on
- Physical root login.
-
-
-
- ^Authentication passed
- Pop3 Authentication passed.
-
-
-
- openldap
- OpenLDAP group.
-
-
-
- 2507
- ACCEPT from
- OpenLDAP connection open.
-
-
-
- 2507
- 2508
-
- RESULT tag=97 err=49
- OpenLDAP authentication failed.
-
-
-
-
-
-
-
-
-
- rshd
- rshd messages grouped.
-
-
-
- 2550
- ^Connection from \S+ on illegal port$
- Connection to rshd from unprivileged port. Possible network scan.
- connection_attempt,
-
-
-
-
-
-
-
-
- ^procmail
- Ignoring procmail messages.
-
-
-
-
-
-
-
-
- ^smart
- Pre-match rule for smartd.
-
-
-
- 2800
- No configuration file /etc/smartd.conf found
- Smartd Started but not configured
-
-
-
- 2800
- Unable to register ATA device
- Smartd configuration problem
-
-
-
- 2800
- No such device or address
- Device configured but not available to Smartd
-
-
-
-
-
-
-
-
- ^kernel
- Pre-match rule for kernel messages
-
-
-
- 5100
- PCI: if you experience problems, try using option
- Informative message from the kernel.
-
-
-
- 5100
- modprobe: Can't locate module sound
- Informative message from the kernel
-
-
-
- 5100
- Oversized packet received from
- Error message from the kernel.
- Ping of death attack.
-
-
-
- 5100
- Promiscuous mode enabled|
- device \S+ entered promiscuous mode
- Interface entered in promiscuous(sniffing) mode.
- promisc,
-
-
-
- 5100
- end_request: I/O error, dev fd0, sector 0|
- Buffer I/O error on device fd0, logical block 0
- Invalid request to /dev/fd0 (bug on the kernel).
-
-
-
- 5100
- svc: unknown program 100227 (me 100003)
- NFS incompatibility between Linux and Solaris.
-
-
-
- 5100
- svc: bad direction
- NFS incompatibility between Linux and Solaris.
-
-
-
- 5100
- Out of Memory:
- System running out of memory.
- Availability of the system is in risk.
- service_availability,
-
-
-
- 5100
- I/O error: dev |end_request: I/O error, dev
- Kernel Input/Output error
-
-
-
- 5100
- Forged DCC command from
- IRC misconfiguration
-
-
-
- 5100
- ipw2200: Firmware error detected.| ACPI Error
- Kernel device error.
-
-
-
- 5100
- usbhid: probe of
- Kernel usbhid probe error (ignored).
-
-
-
- 5100
- Kernel log daemon terminating
- system_shutdown,
- System is shutting down.
-
-
-
- 5100
- ADSL line is down
- Monitor ADSL line is down.
-
-
-
- 5100
- ADSL line is up
- Monitor ADSL line is up.
-
-
-
- ^hpiod: unable to ParDevice
- Ignoring hpiod for producing useless logs.
-
-
-
-
-
-
-
-
- crond|crontab
- Crontab rule group.
-
-
-
- 2830
- ^unable to exec
- Wrong crond configuration
-
-
-
- 2830
- BEGIN EDIT
- Crontab opened for editing.
-
-
-
- 2830
- REPLACE
- Crontab entry changed.
-
-
-
- 2832
- ^(root)
- Root's crontab entry changed.
-
-
-
-
-
-
-
-
-
- su
- Initial grouping for su messages.
-
-
-
- 5300
- authentication failure; |failed|BAD su|^-
- User missed the password to change UID (user id).
- authentication_failed,
-
-
-
- 5301
- ^root
- User missed the password to change UID to root.
- authentication_failed,
-
-
-
- 5300
- session opened for user root|^'su root'|
- ^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$
- User successfully changed UID to root.
- authentication_success,
-
-
-
- 5300
- session opened for user|succeeded for|
- ^+|^\S+ to |^SU \S+ \S+ +
- User successfully changed UID.
- authentication_success,
-
-
-
- 5303, 5304
-
- alert_by_email
- First time (su) is executed by user.
-
-
-
- 5300
- unknown class
- OpenBSD uses login classes, and an inappropriate login class was used.
- A user has attempted to su to an unknown class.
-
-
-
-
-
-
-
-
-
- Integrity Check failed: File could not
- Problems with the tripwire checking
-
-
-
-
-
-
-
-
- ^new group
- New group added to the system
-
-
-
- ^new user|^new account added
- New user added to the system
-
-
-
- ^delete user|^account deleted|^remove group
- Group (or user) deleted from the system
-
-
-
- ^changed user
- Information from the user was changed
-
-
-
- useradd
- failed adding user
- useradd failed.
-
-
-
-
-
-
-
-
-
- sudo
- Initial group for sudo messages
-
-
-
- 5400
- incorrect password attempt
- Failed attempt to run sudo
-
-
-
- 5400
- ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=
- Successful sudo to ROOT executed
-
-
-
- 5400
- alert_by_email
-
- First time user executed sudo.
-
-
-
- 5401
- 3 incorrect password attempts
- Three failed attempts to run sudo
-
-
-
- 5400
- user NOT in sudoers
- Unauthorized user attempted to use sudo.
-
-
-
-
-
-
-
-
- ^pptpd
- PPTPD messages grouped
-
-
-
- 9100
- ^GRE: \S+ from \S+ failed: status = -1
- PPTPD failed message (communication error)
- http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
-
-
-
- 9100
- ^tcflush failed: Bad file descriptor
- PPTPD communication error
-
-
-
-
-
-
-
-
- authentication_success
- alert_by_email
-
- authentication_success
- First time user logged in.
-
-
-
-
-
-
- ^squid
- Squid syslog messages grouped
-
-
-
- 9200
- ^ctx: enter level|^sslRead|^urlParse: Illegal |
- ^httpReadReply: Request not yet |^httpReadReply: Excess data
- Squid debug message
-
-
-
-
-
-
- windows-date-format
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade
- Dpkg (Debian Package) log.
-
-
-
- 2900
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install
- New dpkg (Debian Package) requested to install.
-
-
-
- 2900
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed
- New dpkg (Debian Package) installed.
- config_changed,
-
-
-
- 2900
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove|
- ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge
- Dpkg (Debian Package) removed.
- config_changed,
-
-
-
-
-
-
- ^yum
- Yum logs.
-
-
-
- yum.log$
- ^Installed|^Updated|^Erased
- Yum logs.
-
-
-
- 2930,2931
- ^Installed
- config_changed,
- New Yum package installed.
-
-
-
- 2930,2931
- ^Updated
- config_changed,
- Yum package updated.
-
-
-
- 2930,2931
- ^Erased
- config_changed,
- Yum package deleted.
-
-
-
-
- 5100
- mptscsih
- Grouping for the mptscrih rules.
-
-
-
- 5100
- mptbase
- Grouping for the mptbase rules.
-
-
-
- 2935
- FAILED
- Possible Disk failure. SCSI controller error.
-
-
-
- 2936
- failed
- SCSI RAID ARRAY ERROR, drive failed.
-
-
-
- 2936
- degraded
- SCSI RAID is now in a degraded status.
-
-
-
- ^NetworkManager
- NetworkManager grouping.
-
-
-
- 2940
- No chain/target/match by that name.$
- Incorrect chain/target/match.
-
-
-
- 1002
- g_slice_set_config: assertion `sys_page_size == 0' failed
- Uninteresting gnome error.
-
-
-
- ^nouveau
- nouveau driver grouping
-
-
-
- 2943
- DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$
- Uninteresting nouveau error.
-
-
-
- ^rsyslogd
- ^imuxsock begins to drop messages
- https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106
- rsyslog may be dropping messages due to rate-limiting.
-
-
-
-
-
-
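Review bot: The deletion has no visible rationale and nothing in this diff replaces the file, so it is unclear whether `debian/ossec-hids/var/ossec/rules/syslog_rules.xml` was an accidentally committed packaging artifact (a copy under the `debian/ossec-hids/` staging tree) or the only copy of these rules in the repository. If it is the former, the commit should also add `debian/ossec-hids/` to `.gitignore` so the tree is not re-added on the next build; if it is the latter, removing it silently drops the syslog detection coverage defined here (for example the promiscuous-mode rule `device \S+ entered promiscuous mode`, the `Out of Memory:` rule and the `; USER=root ; COMMAND=` sudo-to-root rule), which a packaged OSSEC install would then no longer load. Please state in the commit message which case applies and where the shipped `syslog_rules.xml` now comes from. Note also that the hunk as rendered shows only the text content of the rules (patterns, descriptions, groups) with the XML element tags absent, so the well-formedness of the removed file cannot be judged from this view.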