X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fbro-ids_rules.xml;fp=etc%2Frules%2Fbro-ids_rules.xml;h=b42657f4b43f1b7ce2128bfac6e9c6a8989aecdb;hp=0000000000000000000000000000000000000000;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=301048b51990573e58a30dc4a5bb4ec285cad554

diff --git a/etc/rules/bro-ids_rules.xml b/etc/rules/bro-ids_rules.xml
new file mode 100755
index 0000000..b42657f
--- /dev/null
+++ b/etc/rules/bro-ids_rules.xml
@@ -0,0 +1,75 @@
+  <!-- Copyright 2010 Dan Parriott (ddpbsd@gmail.com)
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+  -->
+
+<group name="syslog,ids,bro">
+
+  <rule id="52000" level="0">
+    <decoded_as>bro-ids</decoded_as>
+    <description>Grouping for all bro-ids events.</description>
+  </rule>
+
+  <rule id="52001" level="0">
+    <if_sid>52000</if_sid>
+    <match>Starting incremental serialization</match>
+    <description>Bro-ids has been started.</description>
+  </rule>
+
+  <rule id="52002" level="0">
+    <if_sid>52000</if_sid>
+    <match>Finished incremental serialization</match>
+    <description>Bro-ids has been stopped.</description>
+  </rule>
+
+  <rule id="52003" level="8">
+    <if_sid>52000</if_sid>
+    <match>msg=AckAboveHole</match>
+    <description>XXX Ack Above Hole</description>
+  </rule>
+
+  <rule id="52004" level="8">
+    <if_sid>52000</if_sid>
+    <match>msg=ContentGap</match>
+    <description>XXX Content Gap</description>
+  </rule>
+
+  <rule id="52005" level="1">
+    <if_sid>52000</if_sid>
+    <match>no=ResourceSummary</match>
+    <description>Bro-ids resource summary.</description>
+  </rule>
+
+  <rule id="52006" level="7">
+    <if_sid>52000</if_sid>
+    <match>no=PortScanSummary</match>
+    <description>Bro-ids port scan summary.</description>
+  </rule>
+
+  <rule id="52007" level="4">
+    <if_sid>52000</if_sid>
+    <match>no=ZoneTransfer</match>
+    <description>Bro-ids Zone Transfer alert.</description>
+  </rule>
+
+  <rule id="52008" level="4">
+    <if_sid>52000</if_sid>
+    <match>no=SensitivePortMapperAccess</match>
+    <description>Bro-ids detected acces to the portmapper port.</description>
+  </rule>
+
+  <rule id="52009" level="4">
+    <if_sid>52000</if_sid>
+    <match>no=PortScan </match>
+    <description>Bro-ids detected a portscan.</description>
+  </rule>
+  
+   
+</group> <!-- SYSLOG,LOCAL -->
+
+
+<!-- EOF -->