X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;h=24b0b5fabda98b7353770b1c1bd2e62b54b52c36;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
new file mode 100644
index 0000000..24b0b5f
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
@@ -0,0 +1,725 @@
+<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
+  -  Official Generic Syslog rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+  
+
+<!-- Default variables for the SYSLOG rules. -->
+
+<!-- Bad words matching. Any log containing these messages
+  -  will be triggered.
+  -->
+<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
+
+
+<!-- Syslog errors. -->
+<group name="syslog,errors,">
+  <rule id="1001" level="2">
+    <match>^Couldn't open /etc/securetty</match>
+    <description>File missing. Root access unrestricted.</description>
+  </rule>
+
+  <rule id="1002" level="2">
+    <match>$BAD_WORDS</match>
+    <options>alert_by_email</options>
+    <description>Unknown problem somewhere in the system.</description>
+  </rule>
+
+  <rule id="1003" level="13" maxsize="1025">
+    <description>Non standard syslog message (size too large).</description>
+  </rule>  
+
+  <rule id="1004" level="5">
+    <match>^exiting on signal</match>
+    <description>Syslogd exiting (logging stopped).</description>
+  </rule>
+  
+  <rule id="1005" level="5">
+    <program_name>syslogd</program_name>
+    <match>^restart</match>
+    <description>Syslogd restarted.</description>
+  </rule>
+
+  <rule id="1006" level="5">
+    <regex>^syslogd \S+ restart</regex>
+    <description>Syslogd restarted.</description>
+  </rule>
+  
+  <rule id="1007" level="7">
+    <match>file system full|No space left on device</match>
+    <description>File system full.</description>
+    <group>low_diskspace,</group>
+  </rule>
+
+  <rule id="1008" level="5">
+    <match>killed by SIGTERM</match>
+    <description>Process exiting (killed).</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="1009" level="0">
+    <if_sid>1002</if_sid>
+    <match>terminated without error|can't verify hostname: getaddrinfo|</match>
+    <match>PPM exceeds tolerance</match>
+    <description>Ignoring known false positives on rule 1002..</description>
+  </rule>
+
+  <rule id="1010" level="5">
+    <match>segfault at </match>
+    <description>Process segfaulted.</description>
+    <group>service_availability,</group>
+  </rule>
+</group> <!-- SYSLOG,ERRORS -->
+
+
+
+<!-- NFS messages -->
+<group name="syslog,nfs,">
+  <!-- XXX All These NFS rules need to be fixed. -->
+  <rule id="2100" level="0" noalert="1">
+    <program_name>^automount|^mount</program_name>
+    <description>NFS rules grouped.</description>
+  </rule>
+  
+  <rule id="2101" level="4">
+    <if_sid>2100</if_sid>
+    <match>nfs: mount failure</match>
+    <description>Unable to mount the NFS share.</description>
+  </rule>
+
+  <rule id="2102" level="4">
+    <if_sid>2100</if_sid>
+    <match>reason given by server: Permission denied</match>
+    <description>Unable to mount the NFS directory.</description>
+  </rule>
+ 
+  <rule id="2103" level="4">
+    <match>^rpc.mountd: refused mount request from</match>
+    <description>Unable to mount the NFS directory.</description>
+  </rule>
+
+  <rule id="2104" level="2">
+    <if_sid>2100</if_sid>
+    <regex>lookup for \S+ failed</regex>
+    <description>Automount informative message</description>
+  </rule>
+</group> <!-- SYSLOG,NFS -->
+  
+  
+
+<!-- xinetd messages -->  
+<group name="syslog,xinetd,">
+  <rule id="2301" level="10">
+    <match>^Deactivating service </match>
+    <description>Excessive number connections to a service.</description>
+  </rule>
+</group> <!-- SYSLOG,XINETD -->
+
+
+
+<!-- Access control messages -->
+<group name="syslog,access_control,">
+  <rule id="2501" level="5">
+    <match>FAILED LOGIN |authentication failure|</match>
+    <match>Authentication failed for|invalid password for|</match>
+    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
+    <match>authinternal failed|Failed to authorize|</match>
+    <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
+    <match>Failed to authenticate user</match>
+    <group>authentication_failed,</group>
+    <description>User authentication failure.</description>
+  </rule>
+
+  <rule id="2502" level="10">
+    <match>more authentication failures;|REPEATED login failures</match>
+    <description>User missed the password more than one time</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="2503" level="5">
+    <regex>^refused connect from|</regex>
+    <regex>^libwrap refused connection|</regex>
+    <regex>Connection from \S+ denied</regex>
+    <description>Connection blocked by Tcp Wrappers.</description>
+    <group>access_denied,</group>
+  </rule>
+
+  <rule id="2504" level="9">
+    <match>ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED</match>
+    <description>Illegal root login. </description>
+    <group>invalid_login,</group>
+  </rule>
+
+  <rule id="2505" level="3">
+    <match>^ROOT LOGIN  on</match>
+    <description>Physical root login.</description>
+  </rule>  
+
+  <rule id="2506" level="3">
+    <match>^Authentication passed</match>
+    <description>Pop3 Authentication passed.</description>
+  </rule>
+
+  <rule id="2507" level="0">
+    <decoded_as>openldap</decoded_as>
+    <description>OpenLDAP group.</description>
+  </rule>
+
+  <rule id="2508" level="3">
+    <if_sid>2507</if_sid>
+    <match>ACCEPT from</match>
+    <description>OpenLDAP connection open.</description>
+  </rule>
+
+  <rule id="2509" level="5" timeframe="10" frequency="0">
+    <if_sid>2507</if_sid>
+    <if_matched_sid>2508</if_matched_sid>
+    <same_id />
+    <match>RESULT tag=97 err=49</match>
+    <description>OpenLDAP authentication failed.</description>
+  </rule>
+
+</group> <!-- SYSLOG,ACESSCONTROL -->
+
+
+
+<!-- rshd -->
+<group name="syslog,access_control,">
+  <rule id="2550" level="0" noalert="1">
+    <decoded_as>rshd</decoded_as>
+    <description>rshd messages grouped.</description>
+  </rule>
+
+  <rule id="2551" level="10">
+    <if_sid>2550</if_sid>
+    <regex>^Connection from \S+ on illegal port$</regex>
+    <description>Connection to rshd from unprivileged port. Possible network scan.</description>
+    <group>connection_attempt,</group>
+  </rule>
+</group>
+
+
+
+<!-- Mail/Procmail messages -->
+<group name="syslog,mail,">
+  <rule id="2701" level="0">
+    <program_name>^procmail</program_name>
+    <description>Ignoring procmail messages.</description>
+  </rule>
+</group> <!-- SYSLOG,SENDMAIL -->
+  
+
+
+<!-- Smartd messages -->
+<group name="syslog,smartd,">
+  <rule id="2800" level="0" noalert="1">
+    <program_name>^smart</program_name>
+    <description>Pre-match rule for smartd.</description>
+  </rule>
+  
+  <rule id="2801" level="0">
+    <if_sid>2800</if_sid>
+    <match>No configuration file /etc/smartd.conf found</match>
+    <description>Smartd Started but not configured</description>
+  </rule>
+
+  <rule id="2802" level="0">
+    <if_sid>2800</if_sid>
+    <match>Unable to register ATA device</match>
+    <description>Smartd configuration problem</description>
+  </rule>
+
+  <rule id="2803" level="0">
+    <if_sid>2800</if_sid>
+    <match>No such device or address</match>
+    <description>Device configured but not available to Smartd</description>
+  </rule>  
+</group> <!-- SYSLOG,SMARTD -->
+
+
+
+<!-- Linux Kernel messages -->
+<group name="syslog,linuxkernel,">
+  <rule id="5100" level="0" noalert="1">
+    <program_name>^kernel</program_name>
+    <description>Pre-match rule for kernel messages</description>
+  </rule>
+
+  <rule id="5101" level="0">
+    <if_sid>5100</if_sid>
+    <match>PCI: if you experience problems, try using option</match>
+    <description>Informative message from the kernel.</description>
+  </rule>
+
+  <rule id="5102" level="0">
+    <if_sid>5100</if_sid>
+    <match>modprobe: Can't locate module sound</match>
+    <description>Informative message from the kernel</description>
+  </rule>
+  
+  <rule id="5103" level="9">
+    <if_sid>5100</if_sid>
+    <match>Oversized packet received from</match>
+    <description>Error message from the kernel. </description>
+    <description>Ping of death attack.</description>
+  </rule>  
+
+  <rule id="5104" level="8">
+    <if_sid>5100</if_sid>
+    <regex>Promiscuous mode enabled|</regex>
+    <regex>device \S+ entered promiscuous mode</regex>
+    <description>Interface entered in promiscuous(sniffing) mode.</description>
+    <group>promisc,</group>
+  </rule>
+
+  <rule id="5105" level="0">
+    <if_sid>5100</if_sid>
+    <match>end_request: I/O error, dev fd0, sector 0|</match>
+    <match>Buffer I/O error on device fd0, logical block 0</match>
+    <description>Invalid request to /dev/fd0 (bug on the kernel).</description>
+  </rule>
+
+  <rule id="5106" level="0">
+    <if_sid>5100</if_sid>
+    <match>svc: unknown program 100227 (me 100003)</match>
+    <description>NFS incompatibility between Linux and Solaris.</description>
+  </rule>
+
+  <rule id="5107" level="0">
+    <if_sid>5100</if_sid>
+    <match>svc: bad direction </match>
+    <description>NFS incompatibility between Linux and Solaris.</description>
+  </rule>
+
+  <rule id="5108" level="12">
+    <if_sid>5100</if_sid>
+    <match>Out of Memory: </match>
+    <description>System running out of memory. </description>
+    <description>Availability of the system is in risk.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="5109" level="4">
+    <if_sid>5100</if_sid>
+    <match>I/O error: dev |end_request: I/O error, dev</match>
+    <description>Kernel Input/Output error</description>
+  </rule>
+
+  <rule id="5110" level="4">
+    <if_sid>5100</if_sid>
+    <match>Forged DCC command from</match>
+    <description>IRC misconfiguration</description>
+  </rule>
+
+  <rule id="5111" level="0">
+    <if_sid>5100</if_sid>
+    <match>ipw2200: Firmware error detected.| ACPI Error</match>
+    <description>Kernel device error.</description>
+  </rule>
+
+  <rule id="5112" level="0">
+    <if_sid>5100</if_sid>
+    <match>usbhid: probe of</match>
+    <description>Kernel usbhid probe error (ignored).</description>
+  </rule>
+
+  <rule id="5113" level="7">
+    <if_sid>5100</if_sid>
+    <match>Kernel log daemon terminating</match>
+    <group>system_shutdown,</group>
+    <description>System is shutting down.</description>
+  </rule>
+
+  <rule id="5130" level="7">
+    <if_sid>5100</if_sid>
+    <match>ADSL line is down</match>
+    <description>Monitor ADSL line is down.</description>
+  </rule>
+  
+  <rule id="5131" level="3">
+    <if_sid>5100</if_sid>
+    <match>ADSL line is up</match>
+    <description>Monitor ADSL line is up.</description>
+  </rule>                         
+
+  <rule id="5200" level="0">
+    <match>^hpiod: unable to ParDevice</match>
+    <description>Ignoring hpiod for producing useless logs.</description>
+  </rule>
+</group> <!-- SYSLOG,LINUXKERNEL -->
+
+
+
+<!-- Cron messages -->
+<group name="syslog,cron,">
+  <rule id="2830" level="0">
+    <program_name>crond|crontab</program_name>
+    <description>Crontab rule group.</description>
+  </rule>
+  
+  <rule id="2831" level="0">
+    <if_sid>2830</if_sid>
+    <match>^unable to exec</match>
+    <description>Wrong crond configuration</description>
+  </rule>
+  
+  <rule id="2834" level="5">
+    <if_sid>2830</if_sid>
+    <match>BEGIN EDIT</match>
+    <description>Crontab opened for editing.</description>
+  </rule>
+  
+  <rule id="2832" level="5">
+    <if_sid>2830</if_sid>
+    <match>REPLACE</match>
+    <description>Crontab entry changed.</description>
+  </rule>
+
+  <rule id="2833" level="8">
+    <if_sid>2832</if_sid>
+    <match>^(root)</match>
+    <description>Root's crontab entry changed.</description>
+  </rule>
+
+</group> <!-- SYSLOG,CRON -->
+
+
+
+<!-- Su messages -->
+<group name="syslog, su,">
+  <rule id="5300" level="0" noalert="1">
+    <decoded_as>su</decoded_as>
+    <description>Initial grouping for su messages.</description>
+  </rule>
+  
+  <rule id="5301" level="5">
+   <if_sid>5300</if_sid>
+   <match>authentication failure; |failed|BAD su|^-</match>
+   <description>User missed the password to change UID (user id).</description> 
+   <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="5302" level="9">
+    <if_sid>5301</if_sid>
+    <user>^root</user>
+    <description>User missed the password to change UID to root.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="5303" level="3">
+    <if_sid>5300</if_sid>
+    <regex>session opened for user root|^'su root'|</regex>
+    <regex>^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$</regex>
+    <description>User successfully changed UID to root.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="5304" level="3">
+    <if_sid>5300</if_sid>
+    <regex>session opened for user|succeeded for|</regex>
+    <regex>^+|^\S+ to |^SU \S+ \S+ + </regex>
+    <description>User successfully changed UID.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="5305" level="4">
+    <if_sid>5303, 5304</if_sid>
+    <if_fts></if_fts>
+    <options>alert_by_email</options>
+    <description>First time (su) is executed by user.</description>
+  </rule>
+
+  <rule id="5306" level="0">
+    <if_sid>5300</if_sid>
+    <match>unknown class</match>
+    <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
+    <description>A user has attempted to su to an unknown class.</description>
+  </rule>
+
+</group> <!-- SYSLOG,SU -->
+
+
+
+<!-- Tripwire messages -->
+<group name="syslog,tripwire,">
+  <rule id="7101" level="8">
+    <match>Integrity Check failed: File could not</match>
+    <description>Problems with the tripwire checking</description>
+  </rule>
+</group> <!-- SYSLOG,TRIPWIRE -->
+
+
+
+<!-- Adduser messages -->
+<group name="syslog,adduser">
+  <rule id="5901" level="8">
+    <match>^new group</match>
+    <description>New group added to the system</description>
+  </rule>
+
+  <rule id="5902" level="8">
+    <match>^new user|^new account added</match>
+    <description>New user added to the system</description>
+  </rule>
+
+  <rule id="5903" level="2">
+    <match>^delete user|^account deleted|^remove group</match>
+    <description>Group (or user) deleted from the system</description>
+  </rule>
+
+  <rule id="5904" level="8">
+    <match>^changed user</match>
+    <description>Information from the user was changed</description>
+  </rule>
+
+  <rule id="5905" level="0">
+    <program_name>useradd</program_name>
+    <match>failed adding user </match>
+    <description>useradd failed.</description>
+  </rule>
+
+</group> <!-- SYSLOG,ADDUSER -->
+
+
+
+<!-- Sudo messages -->
+<group name="syslog,sudo">
+  <rule id="5400" level="0" noalert="1">
+    <decoded_as>sudo</decoded_as>
+    <description>Initial group for sudo messages</description>
+  </rule>
+  
+  <rule id="5401" level="5">
+    <if_sid>5400</if_sid>
+    <match>incorrect password attempt</match>
+    <description>Failed attempt to run sudo</description>
+  </rule>
+
+  <rule id="5402" level="3">
+    <if_sid>5400</if_sid>
+    <regex> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</regex>
+    <description>Successful sudo to ROOT executed</description>
+  </rule>
+
+  <rule id="5403" level="4">
+    <if_sid>5400</if_sid>
+    <options>alert_by_email</options>
+    <if_fts></if_fts>
+    <description>First time user executed sudo.</description>
+  </rule>
+
+  <rule id="5404" level="10">
+    <if_sid>5401</if_sid>
+    <match>3 incorrect password attempts</match>
+    <description>Three failed attempts to run sudo</description>
+  </rule>
+
+  <rule id="5405" level="5">
+    <if_sid>5400</if_sid>
+    <match>user NOT in sudoers</match>
+    <description>Unauthorized user attempted to use sudo.</description>
+  </rule>
+
+</group> <!-- SYSLOG, SUDO -->
+
+
+<!-- PPTP messages -->
+<group name="syslog,pptp">
+  <rule id="9100" level="0" noalert="1">
+    <program_name>^pptpd</program_name>
+    <description>PPTPD messages grouped</description>
+  </rule>
+  
+  <rule id="9101" level="0">
+    <if_sid>9100</if_sid>
+    <regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
+    <description>PPTPD failed message (communication error)</description>
+    <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
+  </rule>
+  
+  <rule id="9102" level="0">
+    <if_sid>9100</if_sid>
+    <match>^tcflush failed: Bad file descriptor</match>
+    <description>PPTPD communication error</description>
+  </rule>
+</group>
+
+
+
+<!-- Syslog FTS -->
+<group name="syslog,fts,">
+  <rule id="10100" level="4">
+    <if_group>authentication_success</if_group>
+    <options>alert_by_email</options>
+    <if_fts></if_fts>
+    <group>authentication_success</group>
+    <description>First time user logged in.</description>
+  </rule>
+</group>
+
+                
+<group name="syslog,squid,">
+  <rule id="9200" level="0" noalert="1">
+    <program_name>^squid</program_name>
+    <description>Squid syslog messages grouped</description>
+  </rule>
+
+  <rule id="9201" level="0">
+    <if_sid>9200</if_sid>
+    <match>^ctx: enter level|^sslRead|^urlParse: Illegal |</match>
+    <match>^httpReadReply: Request not yet |^httpReadReply: Excess data</match>
+    <description>Squid debug message</description>
+  </rule>
+</group>
+
+
+<group name="syslog,dpkg,">
+  <rule id="2900" level="0">
+    <decoded_as>windows-date-format</decoded_as>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade </regex>
+    <description>Dpkg (Debian Package) log.</description>
+  </rule>
+  
+  <rule id="2901" level="3">
+    <if_sid>2900</if_sid>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install</regex>
+    <description>New dpkg (Debian Package) requested to install.</description>
+  </rule>
+
+ <rule id="2902" level="7">
+    <if_sid>2900</if_sid>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed</regex>
+    <description>New dpkg (Debian Package) installed.</description>
+    <group>config_changed,</group>
+  </rule>
+
+  <rule id="2903" level="7">
+    <if_sid>2900</if_sid>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove|</regex>
+    <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge</regex>
+    <description>Dpkg (Debian Package) removed.</description>
+    <group>config_changed,</group>
+  </rule>
+</group>
+
+
+<group name="syslog,yum,">
+  <rule id="2930" level="0">
+    <program_name>^yum</program_name>
+    <description>Yum logs.</description>
+  </rule>
+
+  <rule id="2931" level="0">
+    <hostname>yum.log$</hostname>
+    <match>^Installed|^Updated|^Erased</match>
+    <description>Yum logs.</description>
+  </rule>
+
+  <rule id="2932" level="7">
+    <if_sid>2930,2931</if_sid>
+    <match>^Installed</match>
+    <group>config_changed,</group>
+    <description>New Yum package installed.</description>
+  </rule>
+
+  <rule id="2933" level="7">
+    <if_sid>2930,2931</if_sid>
+    <match>^Updated</match>
+    <group>config_changed,</group>
+    <description>Yum package updated.</description>
+  </rule>
+
+  <rule id="2934" level="7">
+    <if_sid>2930,2931</if_sid>
+    <match>^Erased</match>
+    <group>config_changed,</group>
+    <description>Yum package deleted.</description>
+  </rule>
+
+  <!-- SCSI CONTROLLER -->
+  <rule id="2935" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptscsih</id>
+    <description>Grouping for the mptscrih rules.</description>
+  </rule>
+
+  <rule id="2936" level="0" noalert="1">
+    <if_sid>5100</if_sid>
+    <id>mptbase</id>
+    <description>Grouping for the mptbase rules.</description>
+  </rule>
+
+  <rule id="2937" level="12">
+    <if_sid>2935</if_sid>
+    <status>FAILED</status>
+    <description>Possible Disk failure. SCSI controller error.</description>
+  </rule>
+
+  <rule id="2938" level="12">
+    <if_sid>2936</if_sid>
+    <action>failed</action>
+    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
+  </rule>
+
+  <rule id="2939" level="12">
+    <if_sid>2936</if_sid>
+    <action>degraded</action>
+    <description>SCSI RAID is now in a degraded status.</description>
+  </rule>
+
+  <rule id="2940" level="0">
+    <program_name>^NetworkManager</program_name>
+    <description>NetworkManager grouping.</description>
+  </rule>
+
+  <rule id="2941" level="3">
+    <if_sid>2940</if_sid>
+    <match> No chain/target/match by that name.$</match>
+    <description>Incorrect chain/target/match.</description>
+  </rule>
+
+  <rule id="2942" level="0">
+    <if_sid>1002</if_sid>
+    <match>g_slice_set_config: assertion `sys_page_size == 0' failed</match>
+    <description>Uninteresting gnome error.</description>
+  </rule>
+
+  <rule id="2943" level="0">
+    <match>^nouveau </match>
+    <description>nouveau driver grouping</description>
+  </rule>
+
+  <rule id="2944" level="1">
+    <if_sid>2943</if_sid>
+    <match> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</match>
+    <description>Uninteresting nouveau error.</description>
+  </rule>
+
+  <rule id="2945" level="4">
+    <program_name>^rsyslogd</program_name>
+    <match>^imuxsock begins to drop messages </match>
+    <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
+    <description>rsyslog may be dropping messages due to rate-limiting.</description>
+  </rule>
+
+</group>
+
+
+<!-- EOF -->