-<!-- @(#) $Id: syslog_rules.xml,v 1.87 2009/12/01 15:40:07 dcid Exp $
+<!-- @(#) $Id$
- Official Generic Syslog rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<description>File system full.</description>
<group>low_diskspace,</group>
</rule>
+
+ <rule id="1008" level="5">
+ <match>killed by SIGTERM</match>
+ <description>Process exiting (killed).</description>
+ <group>service_availability,</group>
+ </rule>
</group> <!-- SYSLOG,ERRORS -->
+<!-- rshd -->
+<group name="syslog,access_control,">
+ <rule id="2550" level="0" noalert="1">
+ <decoded_as>rshd</decoded_as>
+ <description>rshd messages grouped.</description>
+ </rule>
+
+ <rule id="2551" level="10">
+ <if_sid>2550</if_sid>
+ <regex>^Connection from \S+ on illegal port$</regex>
+ <description>Connection to rshd from unprivileged port. Possible network scan.</description>
+ <group>connection_attempt,</group>
+ </rule>
+</group>
+
+
+
<!-- Mail/Procmail messages -->
<group name="syslog,mail,">
<rule id="2701" level="0">
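Review bot: The `$` anchor in rule 2551's regex (`^Connection from \S+ on illegal port$`) is likely to miss the very event it targets on some platforms: netkit rshd logs exactly "Connection from X on illegal port", but the BSD-derived rshd appends the source port number ("... on illegal port 12345"), and the trailing anchor then rejects the line so the level-10 alert never fires. Dropping the anchor keeps the match unambiguous while covering both forms: `<regex>^Connection from \S+ on illegal port</regex>`. Rule 2551 also depends on a decoder named `rshd` (`<decoded_as>rshd</decoded_as>`) that is not part of this change; if it is not already defined in decoder.xml, rule 2550 never matches and the whole group is dead. Separately, rule 1008 fires at level 5 on any substring "killed by SIGTERM", which is the normal signal init sends at service stop, so expect it to be noisy on every orderly shutdown; a comment such as `<!-- SIGTERM is also the normal stop signal; expect noise on service restarts -->` or a lower level would set expectations.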
<if_sid>9100</if_sid>
<regex>^GRE: \S+ from \S+ failed: status = -1 </regex>
<description>PPTPD failed message (communication error)</description>
- <info>poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
+ <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
</rule>
<rule id="9102" level="0">