2 - Official ossec rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
18 <rule id="500" level="0">
19 <category>ossec</category>
20 <decoded_as>ossec</decoded_as>
21 <description>Grouping of ossec rules.</description>
24 <rule id="501" level="3">
27 <options>alert_by_email</options>
28 <match>Agent started</match>
29 <description>New ossec agent connected.</description>
32 <rule id="502" level="3">
34 <options>alert_by_email</options>
35 <match>Ossec started</match>
36 <description>Ossec server started.</description>
39 <rule id="503" level="3">
41 <options>alert_by_email</options>
42 <match>Agent started</match>
43 <description>Ossec agent started.</description>
46 <rule id="504" level="3">
48 <options>alert_by_email</options>
49 <match>Agent disconnected</match>
50 <description>Ossec agent disconnected.</description>
53 <rule id="509" level="0">
54 <category>ossec</category>
55 <decoded_as>rootcheck</decoded_as>
56 <description>Rootcheck event.</description>
57 <group>rootcheck,</group>
60 <rule id="510" level="7">
62 <description>Host-based anomaly detection event (rootcheck).</description>
63 <group>rootcheck,</group>
67 <rule id="511" level="0">
69 <match>^NTFS Alternate data stream found</match>
70 <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex>
71 <regex>Exchsrvr/Mailroot/vsi</regex>
72 <description>Ignored common NTFS ADS entries.</description>
73 <group>rootcheck,</group>
76 <rule id="512" level="3">
78 <match>^Windows Audit</match>
79 <description>Windows Audit event.</description>
80 <group>rootcheck,</group>
83 <rule id="513" level="9">
85 <match>^Windows Malware</match>
86 <description>Windows malware detected.</description>
87 <group>rootcheck,</group>
90 <rule id="514" level="2">
92 <match>^Application Found</match>
93 <description>Windows application monitor event.</description>
94 <group>rootcheck,</group>
97 <rule id="515" level="0">
99 <match>^Starting rootcheck scan|^Ending rootcheck scan.|</match>
100 <match>^Starting syscheck scan|^Ending syscheck scan.</match>
101 <description>Ignoring rootcheck/syscheck scan messages.</description>
102 <group>rootcheck,syscheck</group>
105 <rule id="516" level="3">
107 <match>^System Audit</match>
108 <description>System Audit event.</description>
109 <group>rootcheck,</group>
112 <rule id="518" level="9">
114 <match>Adware|Spyware</match>
115 <description>Windows Adware/Spyware application found.</description>
116 <group>rootcheck,</group>
119 <!-- Process monitoring rules -->
120 <rule id="530" level="0">
122 <match>^ossec: output: </match>
123 <description>OSSEC process monitoring rules.</description>
124 <group>process_monitor,</group>
127 <rule id="531" level="7" ignore="7200">
129 <match>ossec: output: 'df -h': /dev/</match>
131 <description>Partition usage reached 100% (disk space monitor).</description>
132 <group>low_diskspace,</group>
135 <rule id="532" level="0">
137 <match>cdrom|/media|usb|/mount|floppy|dvd</match>
138 <description>Ignoring external medias.</description>
141 <rule id="550" level="7">
142 <category>ossec</category>
143 <decoded_as>syscheck_integrity_changed</decoded_as>
144 <description>Integrity checksum changed.</description>
145 <group>syscheck,</group>
148 <rule id="551" level="7">
149 <category>ossec</category>
150 <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
151 <description>Integrity checksum changed again (2nd time).</description>
152 <group>syscheck,</group>
155 <rule id="552" level="7">
156 <category>ossec</category>
157 <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
158 <description>Integrity checksum changed again (3rd time).</description>
159 <group>syscheck,</group>
162 <rule id="553" level="7">
163 <category>ossec</category>
164 <decoded_as>syscheck_deleted</decoded_as>
165 <description>File deleted. Unable to retrieve checksum.</description>
166 <group>syscheck,</group>
169 <rule id="554" level="0">
170 <category>ossec</category>
171 <decoded_as>syscheck_new_entry</decoded_as>
172 <description>File added to the system.</description>
173 <group>syscheck,</group>
176 <rule id="555" level="7">
178 <match>^ossec: agentless: </match>
179 <description>Integrity checksum for agentless device changed.</description>
180 <group>syscheck,agentless</group>
183 <!-- Hostinfo rules -->
184 <rule id="580" level="8">
185 <category>ossec</category>
186 <decoded_as>hostinfo_modified</decoded_as>
187 <description>Host information changed.</description>
188 <group>hostinfo,</group>
191 <rule id="581" level="8">
192 <category>ossec</category>
193 <decoded_as>hostinfo_new</decoded_as>
194 <description>Host information added.</description>
195 <group>hostinfo,</group>
199 <!-- File rotation/reduced rules -->
200 <rule id="591" level="3">
202 <match>^ossec: File rotated </match>
203 <description>Log file rotated.</description>
206 <rule id="592" level="8">
208 <match>^ossec: File size reduced</match>
209 <description>Log file size reduced.</description>
210 <group>attacks,</group>
213 <rule id="593" level="9">
215 <match>^ossec: Event log cleared</match>
216 <description>Microsoft Event log cleared.</description>
217 <group>logs_cleared,</group>
219 </group> <!-- OSSEC -->