-<!-- @(#) $Id: ossec_rules.xml,v 1.23 2009/11/04 18:45:37 dcid Exp $
+<!-- @(#) $Id: ./etc/rules/ossec_rules.xml, 2012/03/30 dcid Exp $
+
- Official ossec rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<group>rootcheck,</group>
</rule>
+ <rule id="519" level="7">
+ <if_sid>516</if_sid>
+ <match>^System Audit: Web vulnerability</match>
+ <description>System Audit: Vulnerable web application found.</description>
+ <group>rootcheck,</group>
+ </rule>
+
<!-- Process monitoring rules -->
<rule id="530" level="0">
<if_sid>500</if_sid>
<rule id="531" level="7" ignore="7200">
<if_sid>530</if_sid>
- <match>ossec: output: 'df -h': /dev/</match>
+ <match>ossec: output: 'df -P': /dev/</match>
<regex>100%</regex>
<description>Partition usage reached 100% (disk space monitor).</description>
<group>low_diskspace,</group>
<match>cdrom|/media|usb|/mount|floppy|dvd</match>
<description>Ignoring external medias.</description>
</rule>
-
+
+ <rule id="533" level="7">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'netstat -tan</match>
+ <check_diff />
+ <description>Listened ports status (netstat) changed (new port opened or closed).</description>
+ </rule>
+
+ <rule id="534" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'w'</match>
+ <check_diff />
+ <options>no_log</options>
+ <description>List of logged in users. It will not be alerted by default.</description>
+ </rule>
+
+ <rule id="535" level="1">
+ <if_sid>530</if_sid>
+ <match>ossec: output: 'last -n </match>
+ <check_diff />
+ <options>no_log</options>
+ <description>List of the last logged in users.</description>
+ </rule>
+
<rule id="550" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
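Review bot: Rule 533 keys only on the prefix `ossec: output: 'netstat -tan`, so it also matches an unfiltered `netstat -tan` command, whose output includes ESTABLISHED/TIME_WAIT rows that change on almost every run; combined with `check_diff` and level 7 that would alert continuously rather than on "new port opened or closed". The rule appears to assume the ossec.conf command is restricted to listening sockets and sorted (something like `netstat -tan | grep LISTEN | sort`), and that dependency should be stated next to the rule, e.g. `<!-- expects the ossec.conf command to be filtered to LISTEN and sorted; check_diff fires on any change in the captured output -->`. The description also reads better as `Listening ports status (netstat) changed (new port opened or closed).`. The surrounding rule 532 starts before this hunk, so its `<rule>` header is not visible here.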
<group>syscheck,</group>
</rule>
- <rule id="554" level="0">
+ <rule id="554" level="5">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<description>Microsoft Event log cleared.</description>
<group>logs_cleared,</group>
</rule>
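Review bot: Raising rule 554 from level 0 to 5 turns every `syscheck_new_entry` into a logged alert, which is the right default for detecting dropped files but will be noisy during package installs and upgrades; a short comment on the rule explaining the intent and the tuning knob would help operators, e.g. `<!-- level raised from 0 so newly created monitored files are logged; tune with a local child rule or ignore if install churn is expected -->`. If I recall correctly syscheck only emits this event when new-file alerting is enabled in the syscheck configuration, so that prerequisite is worth mentioning in the same comment, hedged to the version in use.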
+
+ <rule id="594" level="5">
+ <category>ossec</category>
+ <if_sid>550</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed</description>
+ </rule>
+
+ <rule id="595" level="5">
+ <category>ossec</category>
+ <if_sid>551</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (2nd time)</description>
+ </rule>
+
+ <rule id="596" level="5">
+ <category>ossec</category>
+ <if_sid>552</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Integrity Checksum Changed Again (3rd time)</description>
+ </rule>
+
+ <rule id="597" level="5">
+ <category>ossec</category>
+ <if_sid>553</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
+ </rule>
+
+ <rule id="598" level="5">
+ <category>ossec</category>
+ <if_sid>554</if_sid>
+ <hostname>syscheck-registry</hostname>
+ <group>syscheck,</group>
+ <description>Registry Entry Added to the System</description>
+ </rule>
+
+<!-- active response rules
+Example:
+Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
+
+ <rule id="600" level="0">
+ <decoded_as>ar_log</decoded_as>
+ <description>Active Response Messages Grouped</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="601" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>add</status>
+ <description>Host Blocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="602" level="3">
+ <if_sid>600</if_sid>
+ <action>firewall-drop.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by firewall-drop.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="603" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>add</status>
+ <description>Host Blocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="604" level="3">
+ <if_sid>600</if_sid>
+ <action>host-deny.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by host-deny.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="605" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>add</status>
+ <description>Host Blocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="606" level="3">
+ <if_sid>600</if_sid>
+ <action>route-null.sh</action>
+ <status>delete</status>
+ <description>Host Unblocked by route-null.sh Active Response</description>
+ <group>active_response,</group>
+ </rule>
+
+ <rule id="700" level="0">
+ <category>ossec</category>
+ <decoded_as>ossec-logcollector</decoded_as>
+ <description>Logcollector Messages Grouped</description>
+ </rule>
+
+ <rule id="701" level="0">
+ <if_sid>700</if_sid>
+ <match>INFO: </match>
+ <description>Ignore informational messages (usually at startup)</description>
+ </rule>
+
</group> <!-- OSSEC -->
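Review bot: The active-response group (rules 600-606) only surfaces `firewall-drop.sh`, `host-deny.sh` and `route-null.sh`; any other script that writes to the ar_log (custom responses, or other bundled scripts if present in this install) is absorbed by the level-0 parent 600 and never logged, which is exactly the kind of automated enforcement action an operator needs an audit trail for. A low-level fallback child of 600 with no `<action>`/`<status>` filter would log those cases; it should sit below level 3 so the specific rules 601-606 still win when they match, assuming OSSEC's usual highest-level-first child evaluation — worth confirming against the analysisd version in use. The rule id below is only a placeholder for an unused id in the 6xx range.

```xml
  <rule id="607" level="1">
    <if_sid>600</if_sid>
    <description>Active Response action not covered by a specific rule (see 601-606).</description>
    <group>active_response,</group>
  </rule>
```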