1 <!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
3 - Official ossec rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
<!-- NOTE(review): this listing omits lines of the original file (no closing </rule> tags,
     no <if_sid>/<if_group> conditions, no opening <group> element). Consult the full file
     before changing anything here. Level semantics: 0 = silent grouping or ignore rule
     (never alerted), higher numbers are alerted and may be escalated or e-mailed. -->
19 <rule id="500" level="0">
20 <category>ossec</category>
21 <decoded_as>ossec</decoded_as>
22 <description>Grouping of ossec rules.</description>
<!-- 501 and 503 both match "Agent started"; whatever distinguishes a new agent from an
     agent restart lives in conditions not visible in this listing. alert_by_email sends a
     mail for these events even when the level is below the configured email_alert_level. -->
25 <rule id="501" level="3">
28 <options>alert_by_email</options>
29 <match>Agent started</match>
30 <description>New ossec agent connected.</description>
33 <rule id="502" level="3">
35 <options>alert_by_email</options>
36 <match>Ossec started</match>
37 <description>Ossec server started.</description>
40 <rule id="503" level="3">
42 <options>alert_by_email</options>
43 <match>Agent started</match>
44 <description>Ossec agent started.</description>
<!-- 504: an agent dropping off is worth a mail because a host that stops reporting is also
     a host that stops being monitored; correlate with host reachability before dismissing. -->
47 <rule id="504" level="3">
49 <options>alert_by_email</options>
50 <match>Agent disconnected</match>
51 <description>Ossec agent disconnected.</description>
<!-- 509: level-0 parent for everything the rootcheck decoder produces; the rules below
     refine it (their <if_sid> lines are not shown in this listing). -->
54 <rule id="509" level="0">
55 <category>ossec</category>
56 <decoded_as>rootcheck</decoded_as>
57 <description>Rootcheck event.</description>
58 <group>rootcheck,</group>
<!-- 510: presumably the generic rootcheck finding that fires when no more specific child
     rule below matches (level 7). -->
61 <rule id="510" level="7">
63 <description>Host-based anomaly detection event (rootcheck).</description>
64 <group>rootcheck,</group>
<!-- 511: level 0 = suppressed. Allow-list of well-known NTFS alternate data streams.
     Consecutive <regex> elements are concatenated into one pattern, which is why the first
     one ends in "|". Keep this list narrow: ADS is a known hiding place for payloads, so
     every entry added here is a blind spot. -->
68 <rule id="511" level="0">
70 <match>^NTFS Alternate data stream found</match>
71 <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex>
72 <regex>Exchsrvr/Mailroot/vsi</regex>
73 <description>Ignored common NTFS ADS entries.</description>
74 <group>rootcheck,</group>
<!-- 512 to 514: Windows rootcheck sub-types, split out so each can carry its own level. -->
77 <rule id="512" level="3">
79 <match>^Windows Audit</match>
80 <description>Windows Audit event.</description>
81 <group>rootcheck,</group>
84 <rule id="513" level="9">
86 <match>^Windows Malware</match>
87 <description>Windows malware detected.</description>
88 <group>rootcheck,</group>
91 <rule id="514" level="2">
93 <match>^Application Found</match>
94 <description>Windows application monitor event.</description>
95 <group>rootcheck,</group>
<!-- 515: silences the scan start/end housekeeping messages of both rootcheck and syscheck
     (two <match> elements concatenated, hence the trailing "|" on the first). -->
98 <rule id="515" level="0">
100 <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
101 <match>^Starting syscheck scan|^Ending syscheck scan.</match>
102 <description>Ignoring rootcheck/syscheck scan messages.</description>
103 <group>rootcheck,syscheck</group>
106 <rule id="516" level="3">
108 <match>^System Audit</match>
109 <description>System Audit event.</description>
110 <group>rootcheck,</group>
<!-- 518: plain substring match on "Adware" or "Spyware" anywhere in the message (level 9). -->
113 <rule id="518" level="9">
115 <match>Adware|Spyware</match>
116 <description>Windows Adware/Spyware application found.</description>
117 <group>rootcheck,</group>
<!-- 519: more specific than 516 (same "^System Audit" prefix), raised to level 7. -->
120 <rule id="519" level="7">
122 <match>^System Audit: Web vulnerability</match>
123 <description>System Audit: Vulnerable web application found.</description>
124 <group>rootcheck,</group>
127 <!-- Process monitoring rules -->
<!-- 530: level-0 parent for command-output monitoring; everything the agent reports as
     "ossec: output: '<command>'" lands here and is refined by the children below. -->
128 <rule id="530" level="0">
130 <match>^ossec: output: </match>
131 <description>OSSEC process monitoring rules.</description>
132 <group>process_monitor,</group>
<!-- 531: the "100%" condition named in the description is not visible in this listing
     (presumably a <regex> child omitted here). ignore="7200" suppresses repeat alerts from
     this rule for 7200 seconds, so a partition that stays full is reported once per 2 h. -->
135 <rule id="531" level="7" ignore="7200">
137 <match>ossec: output: 'df -P': /dev/</match>
139 <description>Partition usage reached 100% (disk space monitor).</description>
140 <group>low_diskspace,</group>
<!-- 532: level 0 = suppressed. This is a substring match, not a mount-point match: any df line
     whose text contains "usb", "dvd", "/media", "/mount", "cdrom" or "floppy" is dropped, so a
     regular filesystem mounted under a path like /mount/data would never trigger 531. Tighten
     the pattern if removable media are not the only thing you want excluded. -->
143 <rule id="532" level="0">
145 <match>cdrom|/media|usb|/mount|floppy|dvd</match>
146 <description>Ignoring external medias.</description>
<!-- 533: change in the listening-port snapshot (level 7). From a defender's view this is one
     of the more useful process_monitor rules: an unexpected new listener is a common sign of
     a backdoor or an unapproved service. The diff condition itself is not visible here. -->
149 <rule id="533" level="7">
151 <match>ossec: output: 'netstat -tan</match>
153 <description>Listened ports status (netstat) changed (new port opened or closed).</description>
<!-- 534 and 535: level 1 with no_log, so these snapshots are neither alerted nor written to the
     alert log. Drop no_log (or raise the level) if you want an audit trail of interactive logins
     from these commands rather than from the auth logs. -->
156 <rule id="534" level="1">
158 <match>ossec: output: 'w'</match>
160 <options>no_log</options>
161 <description>List of logged in users. It will not be alerted by default.</description>
164 <rule id="535" level="1">
166 <match>ossec: output: 'last -n </match>
168 <options>no_log</options>
169 <description>List of the last logged in users.</description>
<!-- 550 to 552: file integrity changes, keyed on the syscheck decoder name. All three are
     level 7, so a file that keeps changing is not escalated by default; raise 551/552 if
     repeated modification of monitored files should stand out more than a single change. -->
172 <rule id="550" level="7">
173 <category>ossec</category>
174 <decoded_as>syscheck_integrity_changed</decoded_as>
175 <description>Integrity checksum changed.</description>
176 <group>syscheck,</group>
179 <rule id="551" level="7">
180 <category>ossec</category>
181 <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
182 <description>Integrity checksum changed again (2nd time).</description>
183 <group>syscheck,</group>
186 <rule id="552" level="7">
187 <category>ossec</category>
188 <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
189 <description>Integrity checksum changed again (3rd time).</description>
190 <group>syscheck,</group>
<!-- 553: deletion of a monitored file (level 7). 554: new file in a monitored directory is
     lower (level 5); note it only fires if syscheck is configured to report new files. -->
193 <rule id="553" level="7">
194 <category>ossec</category>
195 <decoded_as>syscheck_deleted</decoded_as>
196 <description>File deleted. Unable to retrieve checksum.</description>
197 <group>syscheck,</group>
200 <rule id="554" level="5">
201 <category>ossec</category>
202 <decoded_as>syscheck_new_entry</decoded_as>
203 <description>File added to the system.</description>
204 <group>syscheck,</group>
<!-- 555: agentless (SSH-polled) devices report integrity changes as a plain message
     prefix rather than through the syscheck decoder. -->
207 <rule id="555" level="7">
209 <match>^ossec: agentless: </match>
210 <description>Integrity checksum for agentless device changed.</description>
211 <group>syscheck,agentless</group>
214 <!-- Hostinfo rules -->
<!-- 580 and 581: host inventory (hostinfo decoder) modified or newly seen, both level 8. A
     new host or a changed host profile on a monitored network is worth a look. -->
215 <rule id="580" level="8">
216 <category>ossec</category>
217 <decoded_as>hostinfo_modified</decoded_as>
218 <description>Host information changed.</description>
219 <group>hostinfo,</group>
222 <rule id="581" level="8">
223 <category>ossec</category>
224 <decoded_as>hostinfo_new</decoded_as>
225 <description>Host information added.</description>
226 <group>hostinfo,</group>
230 <!-- File rotation/reduced rules -->
<!-- 591: normal log rotation, low level (3). -->
231 <rule id="591" level="3">
233 <match>^ossec: File rotated </match>
234 <description>Log file rotated.</description>
<!-- 592: a monitored log shrinking without a rotation is a classic sign of log truncation
     by an intruder covering tracks, hence level 8 and the attacks group. Expect some noise
     from tools that rewrite logs in place. -->
237 <rule id="592" level="8">
239 <match>^ossec: File size reduced</match>
240 <description>Log file size reduced.</description>
241 <group>attacks,</group>
<!-- 593: Windows event log cleared (level 9, logs_cleared group). Treat as high priority
     unless it correlates with a documented administrative action. -->
244 <rule id="593" level="9">
246 <match>^ossec: Event log cleared</match>
247 <description>Microsoft Event log cleared.</description>
248 <group>logs_cleared,</group>
<!-- 594 to 598: Windows registry integrity events. These are selected by the pseudo-hostname
     "syscheck-registry" rather than by a decoder name, and sit at level 5, two below the file
     equivalents (550 to 553). Raise them if registry persistence keys are in scope for you. -->
251 <rule id="594" level="5">
252 <category>ossec</category>
254 <hostname>syscheck-registry</hostname>
255 <group>syscheck,</group>
256 <description>Registry Integrity Checksum Changed</description>
259 <rule id="595" level="5">
260 <category>ossec</category>
262 <hostname>syscheck-registry</hostname>
263 <group>syscheck,</group>
264 <description>Registry Integrity Checksum Changed Again (2nd time)</description>
267 <rule id="596" level="5">
268 <category>ossec</category>
270 <hostname>syscheck-registry</hostname>
271 <group>syscheck,</group>
272 <description>Registry Integrity Checksum Changed Again (3rd time)</description>
275 <rule id="597" level="5">
276 <category>ossec</category>
278 <hostname>syscheck-registry</hostname>
279 <group>syscheck,</group>
280 <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
283 <rule id="598" level="5">
284 <category>ossec</category>
286 <hostname>syscheck-registry</hostname>
287 <group>syscheck,</group>
288 <description>Registry Entry Added to the System</description>
291 <!-- active response rules
293 Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
     (sample active-response log line as parsed by the ar_log decoder; fields appear to be
     timestamp, script, action, user, source IP, then presumably alert id and rule id) -->
<!-- 600: level-0 parent for active-response log entries; the children below key on the
     script name and on the action status. -->
296 <rule id="600" level="0">
297 <decoded_as>ar_log</decoded_as>
298 <description>Active Response Messages Grouped</description>
299 <group>active_response,</group>
<!-- 601/602, 603/604, 605/606: block and unblock pairs for each response script. The
     unblock rule carries <status>delete</status>; the block rule's status condition is not
     visible in this listing. Blocks are level 3 only, so review the alert that triggered
     the response rather than this one. -->
302 <rule id="601" level="3">
304 <action>firewall-drop.sh</action>
306 <description>Host Blocked by firewall-drop.sh Active Response</description>
307 <group>active_response,</group>
310 <rule id="602" level="3">
312 <action>firewall-drop.sh</action>
313 <status>delete</status>
314 <description>Host Unblocked by firewall-drop.sh Active Response</description>
315 <group>active_response,</group>
318 <rule id="603" level="3">
320 <action>host-deny.sh</action>
322 <description>Host Blocked by host-deny.sh Active Response</description>
323 <group>active_response,</group>
326 <rule id="604" level="3">
328 <action>host-deny.sh</action>
329 <status>delete</status>
330 <description>Host Unblocked by host-deny.sh Active Response</description>
331 <group>active_response,</group>
334 <rule id="605" level="3">
336 <action>route-null.sh</action>
338 <description>Host Blocked by route-null.sh Active Response</description>
339 <group>active_response,</group>
342 <rule id="606" level="3">
344 <action>route-null.sh</action>
345 <status>delete</status>
346 <description>Host Unblocked by route-null.sh Active Response</description>
347 <group>active_response,</group>
<!-- 700: level-0 parent for ossec-logcollector messages. -->
350 <rule id="700" level="0">
351 <category>ossec</category>
352 <decoded_as>ossec-logcollector</decoded_as>
353 <description>Logcollector Messages Grouped</description>
<!-- 701: level 0 = suppressed. Substring match, so any logcollector message containing
     "INFO: " anywhere is dropped silently; keep that in mind before relying on logcollector
     messages for troubleshooting. -->
356 <rule id="701" level="0">
358 <match>INFO: </match>
359 <description>Ignore informational messages (usually at startup)</description>
362 </group> <!-- OSSEC -->