X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fossec_rules.xml;h=2abebdb0d08fef606a33ca821c3d40c22748f285;hp=7ec55593553349a0f0325b5c9c54a16e72a87867;hb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a

diff --git a/etc/rules/ossec_rules.xml b/etc/rules/ossec_rules.xml
index 7ec5559..2abebdb 100755
--- a/etc/rules/ossec_rules.xml
+++ b/etc/rules/ossec_rules.xml
@@ -1,4 +1,5 @@
-<!-- @(#) $Id: ossec_rules.xml,v 1.23 2009/11/04 18:45:37 dcid Exp $
+<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
+
   -  Official ossec rules for OSSEC.
   -
   -  Copyright (C) 2009 Trend Micro Inc.
@@ -6,7 +7,7 @@
   -
   -  This program is a free software; you can redistribute it
   -  and/or modify it under the terms of the GNU General Public
-  -  License (version 3) as published by the FSF - Free Software
+  -  License (version 2) as published by the FSF - Free Software
   -  Foundation.
   -
   -  License details: http://www.ossec.net/en/licensing.html
@@ -116,6 +117,13 @@
     <group>rootcheck,</group>
   </rule>
 
+  <rule id="519" level="7">
+    <if_sid>516</if_sid>
+    <match>^System Audit: Web vulnerability</match>
+    <description>System Audit: Vulnerable web application found.</description>
+    <group>rootcheck,</group>
+  </rule>
+
   <!-- Process monitoring rules -->
   <rule id="530" level="0">
     <if_sid>500</if_sid>
@@ -137,7 +145,30 @@
     <match>cdrom|/media|usb|/mount|floppy|dvd</match>
     <description>Ignoring external medias.</description> 
   </rule>
-  
+
+  <rule id="533" level="7">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'netstat -tan</match>
+    <check_diff />
+    <description>Listened ports status (netstat) changed (new port opened or closed).</description> 
+  </rule>
+
+  <rule id="534" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'w'</match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of logged in users. It will not be alerted by default.</description> 
+  </rule>
+
+  <rule id="535" level="1">
+    <if_sid>530</if_sid>
+    <match>ossec: output: 'last -n </match>
+    <check_diff />
+    <options>no_log</options>
+    <description>List of the last logged in users.</description> 
+  </rule>
+
   <rule id="550" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_integrity_changed</decoded_as>
@@ -216,4 +247,104 @@
     <description>Microsoft Event log cleared.</description>
     <group>logs_cleared,</group>
   </rule>
+
+  <rule id="594" level="5">
+    <category>ossec</category>
+    <if_sid>550</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed</description>
+  </rule>
+
+  <rule id="595" level="5">
+    <category>ossec</category>
+    <if_sid>551</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+  </rule>
+
+  <rule id="596" level="5">
+    <category>ossec</category>
+    <if_sid>552</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+  </rule>
+
+  <rule id="597" level="5">
+    <category>ossec</category>
+    <if_sid>553</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+  </rule>
+
+  <rule id="598" level="5">
+    <category>ossec</category>
+    <if_sid>554</if_sid>
+    <hostname>syscheck-registry</hostname>
+    <group>syscheck,</group>
+    <description>Registry Entry Added to the System</description>
+  </rule>
+
+<!-- active response rules
+Example:
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+<rule id="600" level="0">
+    <decoded_as>ar_log</decoded_as>
+    <description>Active Response Messages Grouped</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="601" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>add</status>
+    <description>Host Blocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="602" level="3">
+    <if_sid>600</if_sid>
+    <action>firewall-drop.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by firewall-drop.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="603" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>add</status>
+    <description>Host Blocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="604" level="3">
+    <if_sid>600</if_sid>
+    <action>host-deny.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by host-deny.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="605" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>add</status>
+    <description>Host Blocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
+  <rule id="606" level="3">
+    <if_sid>600</if_sid>
+    <action>route-null.sh</action>
+    <status>delete</status>
+    <description>Host Unblocked by route-null.sh Active Response</description>
+    <group>active_response,</group>
+  </rule>
+
 </group> <!-- OSSEC -->