1 <!-- @(#) $Id: squid_rules.xml,v 1.38 2009/06/24 17:06:19 dcid Exp $
2 - Official Squid rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
14 - Contributed by: Ahmet Ozturk
18 <!-- More information about squid codes below:
19 - http://www.uniar.ukrnet.net/tools/Squid-FAQ/FAQ-6.html
23 <!-- Squid frequency -->
24 <var name="SQUID_FREQ">8</var>
28 <rule id="35000" level="0">
29 <category>squid</category>
30 <description>Squid messages grouped.</description>
33 <!-- Pre-rule with all the 400 error codes.
34 - This will make searching faster for most
38 <rule id="35002" level="4">
39 <if_sid>35000</if_sid>
41 <description>Squid generic error codes.</description>
44 <rule id="35003" level="5">
45 <if_sid>35002</if_sid>
47 <description>Bad request/Invalid syntax.</description>
50 <rule id="35004" level="5">
51 <if_sid>35002</if_sid>
53 <description>Unauthorized: Failed attempt to access </description>
54 <description>authorization-required file or directory.</description>
57 <rule id="35005" level="5">
58 <if_sid>35002</if_sid>
60 <description>Forbidden: Attempt to access forbidden file </description>
61 <description>or directory.</description>
64 <rule id="35006" level="5">
65 <if_sid>35002</if_sid>
67 <description>Not Found: Attempt to access non-existent </description>
68 <description>file or directory.</description>
71 <rule id="35007" level="5">
72 <if_sid>35002</if_sid>
74 <description>Proxy Authentication Required: User is not </description>
75 <description>authorized to use proxy.</description>
78 <rule id="35008" level="5">
79 <if_sid>35002</if_sid>
81 <description>Squid 400 error code (request failed).</description>
84 <rule id="35009" level="5">
85 <if_sid>35002</if_sid>
87 <description>Squid 500/600 error code (server error).</description>
90 <rule id="35010" level="4">
91 <if_sid>35009</if_sid>
93 <description>Squid 503 error code (server unavailable).</description>
96 <!-- Special rules for 403/404 errors -->
97 <rule id="35021" level="6">
98 <if_sid>35006</if_sid>
99 <url>blst.php|xxx3.php|ngr7.php|ngr2.php|/nul.php$|/mul.php$|/444.php</url>
100 <description>Attempt to access a Beagle worm (or variant) </description>
101 <description>file.</description>
102 <info>http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
103 <group>automatic_attack,</group>
107 <rule id="35022" level="6">
108 <if_sid>35006</if_sid>
109 <url>/jk/exp.wmf$|/PopupSh.ocx$</url>
110 <description>Attempt to access a worm/trojan related site.</description>
111 <group>automatic_attack,</group>
114 <!-- Ignoring google earth, ms web site access and some other
115 - common extensions to cause false positives (specially anti virus).
116 - It includes most of the time bugs on IE that always
117 - access these pages (causing 403/404 errors).
119 <rule id="35023" level="0">
120 <if_sid>35004, 35005, 35006, 35009</if_sid>
121 <url>.jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|</url>
122 <url>windowsupdate/redir/wuredir.cab|</url>
123 <url>^http://codecs.microsoft.com/isapi/ocget.dll|</url>
124 <url>^http://activex.microsoft.com/objects/ocget.dll|</url>
125 <url>^http://webmessenger.msn.com/session/null|</url>
126 <url>^http://sqm.msn.com/sqm/wmp/sqmserver.dll|</url>
127 <url>^http://config.messenger.msn.com/Config/MsgrConfig.asmx|</url>
128 <url>kaspersky-labs.com/|</url>
129 <url>^http://liveupdate.symantecliveupdate.com/|</url>
130 <url>_vti_bin/owssvr.dll|MSOffice/cltreq.asp|</url>
131 <url>google.com/mt?|</url>
132 <url>google.com/kh?|</url>
133 <url>^http://kh.google.com/flatfile</url>
135 <!-- Add more extensions to be ignored in here.
136 <url>|.html$|.htm</url>
139 <description>Ignored files on a 40x error.</description>
142 <!-- Context relevant rules (correlated) -->
143 <rule id="35051" level="10" frequency="$SQUID_FREQ" timeframe="120">
144 <if_matched_sid>35005</if_matched_sid>
147 <description>Multiple attempts to access forbidden file </description>
148 <description>or directory from same source ip.</description>
151 <rule id="35052" level="10" frequency="$SQUID_FREQ" timeframe="120">
152 <if_matched_sid>35007</if_matched_sid>
154 <description>Multiple unauthorized attempts to use proxy.</description>
157 <rule id="35053" level="10" frequency="$SQUID_FREQ" timeframe="120">
158 <if_matched_sid>35003</if_matched_sid>
161 <description>Multiple Bad requests/Invalid syntax.</description>
164 <rule id="35054" level="12" frequency="$SQUID_FREQ" timeframe="240">
165 <if_matched_sid>35021</if_matched_sid>
167 <description>Infected machine with W32.Beagle.DP.</description>
168 <info>http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
171 <rule id="35055" level="10" frequency="$SQUID_FREQ" timeframe="90">
172 <if_matched_sid>35006</if_matched_sid>
175 <description>Multiple attempts to access a non-existent file.</description>
178 <rule id="35056" level="12" frequency="$SQUID_FREQ" timeframe="240">
179 <if_matched_sid>35022</if_matched_sid>
181 <description>Multiple attempts to access a worm/trojan/virus </description>
182 <description>related web site. System probably infected.</description>
185 <rule id="35057" level="10" frequency="$SQUID_FREQ" timeframe="240">
186 <if_matched_sid>35008</if_matched_sid>
189 <description>Multiple 400 error codes (requests failed).</description>
192 <rule id="35058" level="10" frequency="$SQUID_FREQ" timeframe="240">
193 <if_matched_sid>35009</if_matched_sid>
196 <description>Multiple 500/600 error codes (server error).</description>
199 <rule id="35095" level="0" frequency="2" timeframe="360">
200 <if_matched_sid>35055</if_matched_sid>
202 <description>Ignoring multiple attempts from same source ip</description>
203 <description> (alert only once).</description>
206 </group> <!-- ACCESSLOG,SQUID -->