3 - Microsoft Windows 2003 ipv4, Windows 2008 ipv4/ipv6 DHCP rules for OSSEC.
4 - Author: phishphreek@gmail.com
5 - License: http://www.ossec.net/en/licensing.html (http://gplv3.fsf.org)
9 <!--Server 2003 and 2008 IPv4 Event ID Meaning
10 00 The log was started.
11 01 The log was stopped.
12 02 The log was temporarily paused due to low disk space.
13 10 A new IP address was leased to a client.
14 11 A lease was renewed by a client.
15 12 A lease was released by a client.
16 13 An IP address was found to be in use on the network.
17 14 A lease request could not be satisfied because the scope's address pool was exhausted.
18 15 A lease was denied.
19 16 A lease was deleted.
20 17 A lease was expired.
21 18 A lease was expired and DNS records were deleted. (Server 2008 Only)
22 20 A BOOTP address was leased to a client.
23 21 A dynamic BOOTP address was leased to a client.
24 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
25 23 A BOOTP IP address was deleted after checking to see it was not in use.
26 24 IP address cleanup operation has begun.
27 25 IP address cleanup statistics.
28 30 DNS update request to the named DNS server
30 32 DNS update successful
31 33 Packet dropped due to NAP policy. (Server 2008 Only)
32 50+ Codes above 50 are used for Rogue Server Detection information.
36 <!--Server 2003 IPv4 Log Sample
37 ID,Date,Time,Description,IP Address,Host Name,MAC Address
38 24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
39 31,3/10/2009,0:00:46,DNS Update Failed,192.168.10.201,OPS03W034.,2,
40 30,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
41 25,3/10/2009,0:00:46,0 leases expired and 0 leases deleted,,,,
42 11,3/10/2009,0:01:40,Renew,192.168.10.201,OPS03W034.,001AA0DA3062,
43 32,3/10/2009,0:01:55,DNS Update Successful,192.168.10.204,ex03.domain.local,,
44 15,3/10/2009,8:49:10,NACK,192.168.10.205,,000B97A0B7E8,
45 10,3/10/2009,8:49:10,Assign,192.168.10.205,6ftya92251.domain.local,000B97A0B7E8,
46 12,3/10/2009,15:52:38,Release,192.168.112.32,6ftya91701.,000B97A0B41D,
47 18,3/10/2009,19:59:11,Expired,192.168.10.205,,,
48 17,3/10/2009,23:59:16,DNS record not deleted,192.168.10.205,,,
52 <group name="windows,dhcp,">
53 <rule id="6300" level="0">
54 <decoded_as>ms-dhcp-ipv4</decoded_as>
55 <description>Grouping for the MS-DHCP rules.</description>
58 <rule id="6301" level="2">
61 <description>The log was started.</description>
62 <group>service_start,</group>
65 <rule id="6302" level="3">
68 <description>The log was stopped.</description>
69 <group>service_availability,</group>
72 <rule id="6303" level="10">
75 <description>The log was temporarily paused due to low disk space.</description>
76 <group>system_error,</group>
79 <rule id="6304" level="0">
82 <description>A new IP address was leased to a client.</description>
83 <group>dhcp_lease_action,</group>
86 <rule id="6305" level="0">
89 <description>A lease was renewed by a client.</description>
90 <group>dhcp_lease_action,</group>
93 <rule id="6306" level="0">
96 <description>A lease was released by a client.</description>
97 <group>dhcp_lease_action,</group>
100 <rule id="6307" level="0">
101 <if_sid>6300</if_sid>
103 <description>An IP address was found to be in use on the network.</description>
104 <group>dhcp_lease_action,</group>
107 <rule id="6308" level="12">
108 <if_sid>6300</if_sid>
110 <description>A lease request could not be satisfied because the scope's address pool was exhausted.</description>
111 <group>service_availability,dhcp_lease_action,</group>
114 <rule id="6309" level="7">
115 <if_sid>6300</if_sid>
117 <description>A lease was denied.</description>
118 <group>dhcp_lease_action,</group>
121 <rule id="6310" level="0">
122 <if_sid>6300</if_sid>
124 <description>A lease was deleted.</description>
125 <group>dhcp_lease_action,</group>
128 <rule id="6311" level="0">
129 <if_sid>6300</if_sid>
131 <description>A lease was expired and DNS records for the expired lease have not been deleted.</description>
132 <group>dhcp_lease_action,</group>
135 <rule id="6322" level="0">
136 <if_sid>6300</if_sid>
138 <description>A lease was expired and DNS records were deleted.</description>
139 <group>dhcp_lease_action,dhcp_dns_maintenance</group>
142 <rule id="6312" level="0">
143 <if_sid>6300</if_sid>
145 <description>A BOOTP address was leased to a client.</description>
146 <group>dhcp_lease_action,</group>
149 <rule id="6313" level="0">
150 <if_sid>6300</if_sid>
152 <description>A dynamic BOOTP address was leased to a client.</description>
153 <group>dhcp_lease_action,</group>
157 <rule id="6314" level="10">
158 <if_sid>6300</if_sid>
160 <description>A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.</description>
161 <group>dhcp_lease_action,</group>
164 <rule id="6315" level="0">
165 <if_sid>6300</if_sid>
167 <description>A BOOTP IP address was deleted after checking to see it was not in use.</description>
168 <group>dhcp_lease_action,</group>
171 <rule id="6316" level="3">
172 <if_sid>6300</if_sid>
174 <description>IP address cleanup operation has begun.</description>
175 <group>dhcp_maintenance,</group>
178 <rule id="6317" level="2">
179 <if_sid>6300</if_sid>
181 <description>IP address cleanup statistics.</description>
182 <group>dhcp_maintenance,</group>
185 <rule id="6318" level="0">
186 <if_sid>6300</if_sid>
188 <description>DNS update request to the named DNS server.</description>
189 <group>dhcp_dns_maintenance,</group>
192 <rule id="6319" level="7">
193 <if_sid>6300</if_sid>
195 <description>DNS update failed.</description>
196 <group>dhcp_dns_maintenance,</group>
199 <rule id="6320" level="0">
200 <if_sid>6300</if_sid>
202 <description>DNS update successful.</description>
203 <group>dhcp_dns_maintenance,</group>
206 <rule id="6323" level="12">
207 <if_sid>6300</if_sid>
209 <description>Packet dropped due to NAP policy.</description>
210 <group>dhcp_lease_action,</group>
214 <rule id="6321" level="12">
215 <if_sid>6300</if_sid>
217 <description>Codes above 50 are used for Rogue Server Detection information.</description>
218 <group>dhcp_rogue_server,</group>
224 Server 2008 IPv6 Event ID Meaning
233 11008 Information Request.
237 11012 Audit log paused.
240 11015 Address is already in use.
241 11016 Client deleted.
242 11017 DNS record not deleted.
244 11019 Expired and Deleted count.
245 11020 Database cleanup begin.
246 11021 Database cleanup end.
247 11023 Service not authorized in AD.
248 11024 Service authorized in AD.
249 11025 Service has not determined if it is authorized in AD.
251 <!--Server 2008 IPv6 Log Sample (short on samples; not currently used)
252 11020,05/05/09,00:00:38,DHCPV6 Database Cleanup Begin,,,,,,
253 11019,05/05/09,00:00:38,DHCPV6 0 leases expired and 0 leases deleted,,,,,,
254 11021,05/05/09,00:00:38,DHCPV6 Database Cleanup End,,,,,,
255 11011,05/05/09,10:50:55,DHCPV6 Stopped,,,,,,
256 11010,05/05/09,10:55:58,DHCPV6 Started,,,,,,
259 <rule id="6350" level="0">
260 <decoded_as>ms-dhcp-ipv6</decoded_as>
261 <description>Grouping for the MS-DHCP rules.</description>
264 <rule id="6351" level="0">
265 <if_sid>6350</if_sid>
267 <description>Solicit.</description>
268 <group>dhcp_ipv6,</group>
271 <rule id="6352" level="0">
272 <if_sid>6350</if_sid>
273 <id>^11001|^11002</id>
274 <description>Advertise.</description>
275 <group>dhcp_ipv6,</group>
278 <rule id="6354" level="0">
279 <if_sid>6350</if_sid>
281 <description>Confirm.</description>
282 <group>dhcp_ipv6,</group>
285 <rule id="6355" level="0">
286 <if_sid>6350</if_sid>
288 <description>Renew.</description>
289 <group>dhcp_ipv6,</group>
292 <rule id="6356" level="0">
293 <if_sid>6350</if_sid>
295 <description>Rebind.</description>
296 <group>dhcp_ipv6,</group>
300 <rule id="6357" level="7">
301 <if_sid>6350</if_sid>
303 <description>DHCP Decline.</description>
304 <group>dhcp_ipv6,</group>
307 <rule id="6358" level="0">
308 <if_sid>6350</if_sid>
310 <description>Release.</description>
311 <group>dhcp_ipv6,</group>
314 <rule id="6359" level="0">
315 <if_sid>6350</if_sid>
317 <description>Information Request.</description>
318 <group>dhcp_ipv6,</group>
321 <rule id="6360" level="12">
322 <if_sid>6350</if_sid>
324 <description>Scope Full.</description>
325 <group>dhcp_ipv6,</group>
328 <rule id="6361" level="3">
329 <if_sid>6350</if_sid>
331 <description>Started.</description>
332 <group>service_start,</group>
335 <rule id="6362" level="7">
336 <if_sid>6350</if_sid>
338 <description>Stopped.</description>
339 <group>service_availability,</group>
342 <rule id="6363" level="10">
343 <if_sid>6350</if_sid>
345 <description>Audit log paused.</description>
346 <group>service_availability,</group>
350 <rule id="6364" level="7">
351 <if_sid>6350</if_sid>
353 <description>DHCP Log File.</description>
354 <group>system_error,</group>
357 <rule id="6365" level="7">
358 <if_sid>6350</if_sid>
360 <description>Bad Address.</description>
361 <group>dhcp_ipv6,</group>
364 <rule id="6366" level="4">
365 <if_sid>6350</if_sid>
367 <description>Address is already in use.</description>
368 <group>dhcp_ipv6,</group>
371 <rule id="6367" level="0">
372 <if_sid>6350</if_sid>
374 <description>Client deleted.</description>
375 <group>dhcp_ipv6,</group>
378 <rule id="6368" level="0">
379 <if_sid>6350</if_sid>
381 <description>DNS record not deleted.</description>
382 <group>dhcp_ipv6,</group>
385 <rule id="6369" level="0">
386 <if_sid>6350</if_sid>
388 <description>Expired.</description>
389 <group>dhcp_ipv6,</group>
392 <rule id="6370" level="0">
393 <if_sid>6350</if_sid>
395 <description>Expired and Deleted count.</description>
396 <group>dhcp_ipv6,</group>
399 <rule id="6371" level="2">
400 <if_sid>6350</if_sid>
402 <description>Database cleanup begin.</description>
403 <group>dhcp_ipv6,</group>
407 <rule id="6372" level="2">
408 <if_sid>6350</if_sid>
410 <description>Database cleanup end.</description>
411 <group>dhcp_ipv6,</group>
414 <rule id="6373" level="12">
415 <if_sid>6350</if_sid>
417 <description>Service not authorized in AD.</description>
418 <group>dhcp_ipv6,</group>
421 <rule id="6374" level="3">
422 <if_sid>6350</if_sid>
424 <description>Service authorized in AD.</description>
425 <group>dhcp_ipv6,</group>
428 <rule id="6376" level="12">
429 <if_sid>6350</if_sid>
431 <description>Service has not determined if it is authorized in AD.</description>
432 <group>dhcp_ipv6,</group>