X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fvmware_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fvmware_rules.xml;h=1b49b508f3945e1578252fa9c69bae1525b9bba8;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/vmware_rules.xml b/debian/ossec-hids/var/ossec/rules/vmware_rules.xml
new file mode 100644
index 0000000..1b49b50
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/vmware_rules.xml
@@ -0,0 +1,157 @@
+<!-- @(#) $Id: ./etc/rules/vmware_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Official VMWare ESX rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+  
+
+<!-- SonicWall Log messages -->
+<group name="vmware,">
+  <rule id="19100" level="0">
+    <decoded_as>vmware</decoded_as>
+    <description>VMWare messages grouped.</description>
+  </rule>
+
+  <rule id="19101" level="0">
+    <decoded_as>vmware-syslog</decoded_as>
+    <description>VMWare ESX syslog messages grouped.</description>
+  </rule>
+
+  <rule id="19102" level="8">
+    <if_sid>19100</if_sid>
+    <status>^crit|^fatal</status>
+    <description>VMware ESX critical message.</description>
+  </rule>
+  
+ <rule id="19103" level="4">
+    <if_sid>19100</if_sid>
+    <status>^error</status>
+    <description>VMware ESX error message.</description>
+  </rule>
+
+  <rule id="19104" level="3">
+    <if_sid>19100</if_sid>
+    <status>^warn</status>
+    <description>VMware ESX warning message.</description>
+  </rule>
+
+  <rule id="19105" level="0">
+    <if_sid>19100</if_sid>
+    <status>^notice</status>
+    <description>VMware ESX notice message.</description>
+  </rule>
+  
+  <rule id="19106" level="0">
+    <if_sid>19100</if_sid>
+    <status>^info</status>
+    <description>VMware ESX informational message.</description>
+  </rule>
+  
+  <rule id="19107" level="0">
+    <if_sid>19100</if_sid>
+    <status>^verbose</status>
+    <description>VMware ESX verbose message.</description>
+  </rule>
+
+
+  <!-- Authentication messages. -->
+  
+  <rule id="19110" level="3">
+    <if_sid>19106</if_sid>
+    <match>logged in$</match>
+    <description>VMWare ESX authentication success.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="19111" level="5">
+    <if_sid>19106</if_sid>
+    <match>Failed login attempt for</match>
+    <description>VMWare ESX authentication failure.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="19112" level="3">
+    <if_sid>19101</if_sid>
+    <program_name>vmware-hostd|vmware-authd</program_name>
+    <match>Accepted password for|login from</match>
+    <description>VMWare ESX user login.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="19113" level="3">
+    <if_sid>19101</if_sid>
+    <program_name>vmware-hostd|vmware-authd</program_name>
+    <match>Rejected password for</match>
+    <description>VMWare ESX user authentication failure.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+
+  <!-- Guest OS messages. -->
+  <rule id="19120" level="8">
+    <if_sid>19106</if_sid>
+    <match>-> VM_STATE_OFF</match>
+    <description>Virtual machine state changed to OFF.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="19121" level="3">
+    <if_sid>19106</if_sid>
+    <match>-> VM_STATE_POWERING_ON</match>
+    <description>Virtual machine being turned ON.</description>
+  </rule>
+
+  <rule id="19122" level="3">
+    <if_sid>19106</if_sid>
+    <match>-> VM_STATE_ON</match>
+    <description>Virtual machine state changed to ON.</description>
+    <options>alert_by_email</options>
+  </rule>
+
+  <rule id="19123" level="5">
+    <if_sid>19106</if_sid>
+    <match>-> VM_STATE_RECONFIGURING</match>
+    <description>Virtual machine being reconfigured.</description>
+    <group>config_changed,</group>
+    <options>alert_by_email</options>
+  </rule>
+
+
+  <!-- Composite rules. -->
+
+  <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>19104</if_matched_sid>
+    <description>Multiple VMWare ESX warning messages.</description>
+    <group>service_availability,</group>
+  </rule>
+  
+  <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
+    <if_matched_sid>19103</if_matched_sid>
+    <description>Multiple VMWare ESX error messages.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="19152" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>19111</if_matched_sid>
+    <description>Multiple VMWare ESX authentication failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="19153" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>19113</if_matched_sid>
+    <description>Multiple VMWare ESX user authentication failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+</group> <!-- VMware ESX -->
+
+<!-- EOF -->