X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsyslog_rules.xml;h=24b0b5fabda98b7353770b1c1bd2e62b54b52c36;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/rules/syslog_rules.xml b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
new file mode 100644
index 0000000..24b0b5f
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/syslog_rules.xml
@@ -0,0 +1,725 @@
+
+
+
+
+
+
+core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
+
+
+
+
+
+ ^Couldn't open /etc/securetty
+ File missing. Root access unrestricted.
+
+
+
+ $BAD_WORDS
+ alert_by_email
+ Unknown problem somewhere in the system.
+
+
+
+ Non standard syslog message (size too large).
+
+
+
+ ^exiting on signal
+ Syslogd exiting (logging stopped).
+
+
+
+ syslogd
+ ^restart
+ Syslogd restarted.
+
+
+
+ ^syslogd \S+ restart
+ Syslogd restarted.
+
+
+
+ file system full|No space left on device
+ File system full.
+ low_diskspace,
+
+
+
+ killed by SIGTERM
+ Process exiting (killed).
+ service_availability,
+
+
+
+ 1002
+ terminated without error|can't verify hostname: getaddrinfo|
+ PPM exceeds tolerance
+ Ignoring known false positives on rule 1002..
+
+
+
+ segfault at
+ Process segfaulted.
+ service_availability,
+
+
+
+
+
+
+
+
+
+ ^automount|^mount
+ NFS rules grouped.
+
+
+
+ 2100
+ nfs: mount failure
+ Unable to mount the NFS share.
+
+
+
+ 2100
+ reason given by server: Permission denied
+ Unable to mount the NFS directory.
+
+
+
+ ^rpc.mountd: refused mount request from
+ Unable to mount the NFS directory.
+
+
+
+ 2100
+ lookup for \S+ failed
+ Automount informative message
+
+
+
+
+
+
+
+
+ ^Deactivating service
+ Excessive number connections to a service.
+
+
+
+
+
+
+
+
+ FAILED LOGIN |authentication failure|
+ Authentication failed for|invalid password for|
+ LOGIN FAILURE|auth failure: |authentication error|
+ authinternal failed|Failed to authorize|
+ Wrong password given for|login failed|Auth: Login incorrect|
+ Failed to authenticate user
+ authentication_failed,
+ User authentication failure.
+
+
+
+ more authentication failures;|REPEATED login failures
+ User missed the password more than one time
+ authentication_failed,
+
+
+
+ ^refused connect from|
+ ^libwrap refused connection|
+ Connection from \S+ denied
+ Connection blocked by Tcp Wrappers.
+ access_denied,
+
+
+
+ ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED
+ Illegal root login.
+ invalid_login,
+
+
+
+ ^ROOT LOGIN on
+ Physical root login.
+
+
+
+ ^Authentication passed
+ Pop3 Authentication passed.
+
+
+
+ openldap
+ OpenLDAP group.
+
+
+
+ 2507
+ ACCEPT from
+ OpenLDAP connection open.
+
+
+
+ 2507
+ 2508
+
+ RESULT tag=97 err=49
+ OpenLDAP authentication failed.
+
+
+
+
+
+
+
+
+
+ rshd
+ rshd messages grouped.
+
+
+
+ 2550
+ ^Connection from \S+ on illegal port$
+ Connection to rshd from unprivileged port. Possible network scan.
+ connection_attempt,
+
+
+
+
+
+
+
+
+ ^procmail
+ Ignoring procmail messages.
+
+
+
+
+
+
+
+
+ ^smart
+ Pre-match rule for smartd.
+
+
+
+ 2800
+ No configuration file /etc/smartd.conf found
+ Smartd Started but not configured
+
+
+
+ 2800
+ Unable to register ATA device
+ Smartd configuration problem
+
+
+
+ 2800
+ No such device or address
+ Device configured but not available to Smartd
+
+
+
+
+
+
+
+
+ ^kernel
+ Pre-match rule for kernel messages
+
+
+
+ 5100
+ PCI: if you experience problems, try using option
+ Informative message from the kernel.
+
+
+
+ 5100
+ modprobe: Can't locate module sound
+ Informative message from the kernel
+
+
+
+ 5100
+ Oversized packet received from
+ Error message from the kernel.
+ Ping of death attack.
+
+
+
+ 5100
+ Promiscuous mode enabled|
+ device \S+ entered promiscuous mode
+ Interface entered in promiscuous(sniffing) mode.
+ promisc,
+
+
+
+ 5100
+ end_request: I/O error, dev fd0, sector 0|
+ Buffer I/O error on device fd0, logical block 0
+ Invalid request to /dev/fd0 (bug on the kernel).
+
+
+
+ 5100
+ svc: unknown program 100227 (me 100003)
+ NFS incompatibility between Linux and Solaris.
+
+
+
+ 5100
+ svc: bad direction
+ NFS incompatibility between Linux and Solaris.
+
+
+
+ 5100
+ Out of Memory:
+ System running out of memory.
+ Availability of the system is in risk.
+ service_availability,
+
+
+
+ 5100
+ I/O error: dev |end_request: I/O error, dev
+ Kernel Input/Output error
+
+
+
+ 5100
+ Forged DCC command from
+ IRC misconfiguration
+
+
+
+ 5100
+ ipw2200: Firmware error detected.| ACPI Error
+ Kernel device error.
+
+
+
+ 5100
+ usbhid: probe of
+ Kernel usbhid probe error (ignored).
+
+
+
+ 5100
+ Kernel log daemon terminating
+ system_shutdown,
+ System is shutting down.
+
+
+
+ 5100
+ ADSL line is down
+ Monitor ADSL line is down.
+
+
+
+ 5100
+ ADSL line is up
+ Monitor ADSL line is up.
+
+
+
+ ^hpiod: unable to ParDevice
+ Ignoring hpiod for producing useless logs.
+
+
+
+
+
+
+
+
+ crond|crontab
+ Crontab rule group.
+
+
+
+ 2830
+ ^unable to exec
+ Wrong crond configuration
+
+
+
+ 2830
+ BEGIN EDIT
+ Crontab opened for editing.
+
+
+
+ 2830
+ REPLACE
+ Crontab entry changed.
+
+
+
+ 2832
+ ^(root)
+ Root's crontab entry changed.
+
+
+
+
+
+
+
+
+
+ su
+ Initial grouping for su messages.
+
+
+
+ 5300
+ authentication failure; |failed|BAD su|^-
+ User missed the password to change UID (user id).
+ authentication_failed,
+
+
+
+ 5301
+ ^root
+ User missed the password to change UID to root.
+ authentication_failed,
+
+
+
+ 5300
+ session opened for user root|^'su root'|
+ ^+ \S+ \S+\proot$|^\S+ to root on|^SU \S+ \S+ + \S+ \S+-root$
+ User successfully changed UID to root.
+ authentication_success,
+
+
+
+ 5300
+ session opened for user|succeeded for|
+ ^+|^\S+ to |^SU \S+ \S+ +
+ User successfully changed UID.
+ authentication_success,
+
+
+
+ 5303, 5304
+
+ alert_by_email
+ First time (su) is executed by user.
+
+
+
+ 5300
+ unknown class
+ OpenBSD uses login classes, and an inappropriate login class was used.
+ A user has attempted to su to an unknown class.
+
+
+
+
+
+
+
+
+
+ Integrity Check failed: File could not
+ Problems with the tripwire checking
+
+
+
+
+
+
+
+
+ ^new group
+ New group added to the system
+
+
+
+ ^new user|^new account added
+ New user added to the system
+
+
+
+ ^delete user|^account deleted|^remove group
+ Group (or user) deleted from the system
+
+
+
+ ^changed user
+ Information from the user was changed
+
+
+
+ useradd
+ failed adding user
+ useradd failed.
+
+
+
+
+
+
+
+
+
+ sudo
+ Initial group for sudo messages
+
+
+
+ 5400
+ incorrect password attempt
+ Failed attempt to run sudo
+
+
+
+ 5400
+ ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=
+ Successful sudo to ROOT executed
+
+
+
+ 5400
+ alert_by_email
+
+ First time user executed sudo.
+
+
+
+ 5401
+ 3 incorrect password attempts
+ Three failed attempts to run sudo
+
+
+
+ 5400
+ user NOT in sudoers
+ Unauthorized user attempted to use sudo.
+
+
+
+
+
+
+
+
+ ^pptpd
+ PPTPD messages grouped
+
+
+
+ 9100
+ ^GRE: \S+ from \S+ failed: status = -1
+ PPTPD failed message (communication error)
+ http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml
+
+
+
+ 9100
+ ^tcflush failed: Bad file descriptor
+ PPTPD communication error
+
+
+
+
+
+
+
+
+ authentication_success
+ alert_by_email
+
+ authentication_success
+ First time user logged in.
+
+
+
+
+
+
+ ^squid
+ Squid syslog messages grouped
+
+
+
+ 9200
+ ^ctx: enter level|^sslRead|^urlParse: Illegal |
+ ^httpReadReply: Request not yet |^httpReadReply: Excess data
+ Squid debug message
+
+
+
+
+
+
+ windows-date-format
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d startup |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d configure |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d trigproc |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d conffile |
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d upgrade
+ Dpkg (Debian Package) log.
+
+
+
+ 2900
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d install
+ New dpkg (Debian Package) requested to install.
+
+
+
+ 2900
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d status installed
+ New dpkg (Debian Package) installed.
+ config_changed,
+
+
+
+ 2900
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d remove|
+ ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d purge
+ Dpkg (Debian Package) removed.
+ config_changed,
+
+
+
+
+
+
+ ^yum
+ Yum logs.
+
+
+
+ yum.log$
+ ^Installed|^Updated|^Erased
+ Yum logs.
+
+
+
+ 2930,2931
+ ^Installed
+ config_changed,
+ New Yum package installed.
+
+
+
+ 2930,2931
+ ^Updated
+ config_changed,
+ Yum package updated.
+
+
+
+ 2930,2931
+ ^Erased
+ config_changed,
+ Yum package deleted.
+
+
+
+
+ 5100
+ mptscsih
+ Grouping for the mptscrih rules.
+
+
+
+ 5100
+ mptbase
+ Grouping for the mptbase rules.
+
+
+
+ 2935
+ FAILED
+ Possible Disk failure. SCSI controller error.
+
+
+
+ 2936
+ failed
+ SCSI RAID ARRAY ERROR, drive failed.
+
+
+
+ 2936
+ degraded
+ SCSI RAID is now in a degraded status.
+
+
+
+ ^NetworkManager
+ NetworkManager grouping.
+
+
+
+ 2940
+ No chain/target/match by that name.$
+ Incorrect chain/target/match.
+
+
+
+ 1002
+ g_slice_set_config: assertion `sys_page_size == 0' failed
+ Uninteresting gnome error.
+
+
+
+ ^nouveau
+ nouveau driver grouping
+
+
+
+ 2943
+ DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$
+ Uninteresting nouveau error.
+
+
+
+ ^rsyslogd
+ ^imuxsock begins to drop messages
+ https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106
+ rsyslog may be dropping messages due to rate-limiting.
+
+
+
+
+
+
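Review bot: the description on the mptscsih grouping rule (the rule matching `mptscsih` under parent 5100) misspells the driver name as "mptscrih"; align it with the match string. A few other descriptions in this file would read better: "Excessive number connections to a service." (the `^Deactivating service` rule) is missing "of", "Availability of the system is in risk." (the `Out of Memory:` rule) should be "at risk", "Interface entered in promiscuous(sniffing) mode." should be "Interface entered promiscuous (sniffing) mode.", and "Ignoring known false positives on rule 1002.." carries a doubled period. The if_sid lists are also written inconsistently ("5303, 5304" with a space, "2930,2931" without); pick one form. None of these change matching behaviour, so if this import is meant to mirror upstream unchanged they can go in a follow-up instead.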