1 <!-- @(#) $Id: ./etc/rules/netscreenfw_rules.xml, 2011/09/08 dcid Exp $
3 - Official Netscreen Firewall rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
<!-- OSSEC rule group for events decoded as netscreenfw: a level-0 base rule, per-severity rules,
   - a few rules for specific events, and four frequency-based correlation rules.
   - NOTE(review): the leading number on each line is a listing line number. The numbering skips
   - values inside most rules (for example 24, 30, 56-57, 92), so conditions such as the parent-rule
   - link or an event-id match are not visible here. Confirm them against the shipped rules file
   - before changing levels or thresholds. -->
17 <group name="netscreenfw,">
<!-- Rule 4500: base rule for anything the netscreenfw decoder handled. Level 0 raises no alert
   - by itself; it exists so that other rules can build on it. -->
18 <rule id="4500" level="0">
19 <decoded_as>netscreenfw</decoded_as>
20 <description>Grouping for the Netscreen Firewall rules</description>
<!-- Rules 4501, 4502, 4503, 4513 and 4504 classify events by the decoded action field.
   - Levels as written: notification 3, warning 4, critical 5, alert 5, information 5. -->
23 <rule id="4501" level="3">
25 <action>notification</action>
26 <description>Netscreen notification message.</description>
29 <rule id="4502" level="4">
31 <action>warning</action>
32 <description>Netscreen warning message.</description>
<!-- 4503 (critical) and 4513 (alert) share the same description text, so alerts from the two
   - can only be told apart by rule id. -->
35 <rule id="4503" level="5">
37 <action>critical</action>
38 <description>Netscreen critical/alert message.</description>
41 <rule id="4513" level="5">
43 <action>alert</action>
44 <description>Netscreen critical/alert message.</description>
<!-- NOTE(review): informational messages are level 5, above warning (level 4) and equal to
   - critical/alert. Confirm this ordering is intended, because the level decides which events
   - cross the configured alert and e-mail thresholds. -->
47 <rule id="4504" level="5">
49 <action>information</action>
50 <description>Netscreen informational message.</description>
53 <!-- ns204: NetScreen device_id=ns204 [Root]system-critical-00027:
54 - Configuration Erase sequence accepted -->
<!-- Rule 4505: level 11 alert for the configuration erase event shown in the sample log above,
   - tagged service_availability. The matching condition is on listing lines not shown here. -->
55 <rule id="4505" level="11">
58 <description>Netscreen Erase sequence started.</description>
59 <group>service_availability,</group>
<!-- Rules 4506 and 4507: successful admin logins, level 8, tagged authentication_success.
   - Both carry an identical description; whatever distinguishes them is on omitted lines
   - (presumably different event ids; confirm).
   - "Successfull" is misspelled in the alert text. It is left unchanged here because searches,
   - reports or response filters may match on the exact string. -->
62 <rule id="4506" level="8">
65 <description>Successfull admin login to the Netscreen firewall</description>
66 <group>authentication_success,</group>
69 <rule id="4507" level="8">
72 <description>Successfull admin login to the Netscreen firewall</description>
73 <group>authentication_success,</group>
<!-- Rules 4508 and 4509: firewall policy and configuration changes, level 8, tagged
   - config_changed so they can be reviewed against expected change activity. -->
76 <rule id="4508" level="8">
79 <description>Firewall policy changed.</description>
80 <group>config_changed,</group>
83 <rule id="4509" level="8">
86 <description>Firewall configuration changed.</description>
87 <group>config_changed,</group>
<!-- Rule 4550: correlation on rule 4503 (critical). Raises level 10 when 4503 matches
   - repeatedly within 180 seconds, then ignores further matches for 60 seconds.
   - NOTE(review): OSSEC has documented that a rule fires at frequency + 2 matches; verify
   - against the deployed version before tuning.
   - The description says "same source IP", but the element that enforces it (listing line 92)
   - is not shown; presumably same_source_ip, confirm. The description is split across two
   - elements, which OSSEC is expected to join into one message. -->
90 <rule id="4550" level="10" frequency="4" timeframe="180" ignore="60">
91 <if_matched_sid>4503</if_matched_sid>
93 <description>Multiple Netscreen critical messages from </description>
94 <description>same source IP.</description>
<!-- Rule 4551: the same trigger rule (4503) without the source-IP wording, using a higher
   - frequency of 6 within 180 seconds. -->
97 <rule id="4551" level="10" frequency="6" timeframe="180" ignore="60">
98 <if_matched_sid>4503</if_matched_sid>
99 <description>Multiple Netscreen critical messages.</description>
<!-- Rule 4552: as 4550 but correlating on rule 4513 (alert). The source-IP condition is again
   - on a listing line that is not shown (104); confirm. -->
102 <rule id="4552" level="10" frequency="4" timeframe="180" ignore="60">
103 <if_matched_sid>4513</if_matched_sid>
105 <description>Multiple Netscreen alert messages from </description>
106 <description>same source IP.</description>
<!-- Rule 4553: correlation on rule 4513 without the source-IP wording, frequency 8.
   - NOTE(review): timeframe is 100 seconds here while the other three correlation rules use
   - 180; confirm this is intentional. -->
109 <rule id="4553" level="10" frequency="8" timeframe="100" ignore="60">
110 <if_matched_sid>4513</if_matched_sid>
111 <description>Multiple Netscreen alert messages.</description>
113 </group> <!-- SYSLOG,NETSCREENFW -->