X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmsauth_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fmsauth_rules.xml;h=0000000000000000000000000000000000000000;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hp=51ed17b303904f31eac36492fbb1729f8111cb94;hpb=3f728675941dc69d4e544d3a880a56240a6e394a;p=ossec-hids.git
diff --git a/debian/ossec-hids/var/ossec/rules/msauth_rules.xml b/debian/ossec-hids/var/ossec/rules/msauth_rules.xml
deleted file mode 100644
index 51ed17b..0000000
--- a/debian/ossec-hids/var/ossec/rules/msauth_rules.xml
+++ /dev/null
@@ -1,972 +0,0 @@
-
-
-
-6
-
-
-
- windows
- Group of windows rules.
-
-
-
- 18100
- ^INFORMATION
- Windows informational event.
-
-
-
- 18100
- ^WARNING
- Windows warning event.
-
-
-
- 18100
- ^ERROR
- Windows error event.
- system_error,
-
-
-
- 18100
- ^AUDIT_SUCCESS|^success
- Windows audit success event.
-
-
-
- 18100
- ^AUDIT_FAILURE|^failure
- Windows audit failure event.
-
-
-
- 18105
- ^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$
- Windows Logon Failure.
- win_authentication_failed,
-
-
-
- 18104
- ^528$|^540$|^673$|^4624$|^4769$
- Windows Logon Success.
- authentication_success,
-
-
-
- 18105
- ^577$|^4673$
- Failed attempt to perform a privileged
- operation.
-
-
-
- 18104
- ^682$|^683$|^4778$|^4779$
- Session reconnected/disconnected to winstation.
-
-
-
- 18104
- ^624$|^626$|^4720$|^4722$
- User account enabled or created.
- adduser,account_changed,
-
-
-
- 18104
- ^628$|^642$|^685$|^4738$|^4781$
- User account changed.
- account_changed,
-
-
-
- 18104
- ^630$|^629$|^4725$|^4726$
- User account disabled or deleted.
- adduser,account_changed,
-
-
-
- 18104
- ^612$|^643$|^4719$|^4907$|^4912$|^4719$
- Windows Audit Policy changed.
- policy_changed,
-
-
-
- 18104
- ^632$|^4728$|^633$|^4729$|^636$|^4732$|^637$|^4733$|^639$|^4735$|
- ^641$|^4737$|^637$|^4733$|^659$|^4755$|^660$|^4766$|^668$|^4764$|
- ^649$|^4745$|^650$|^4746$|^651$|^4747$|^654$|^4750$|^655$|^4751$|
- ^656$|^4752$|^659$|^4755$|^660$|^4756$|^661$|^4757$|^664$|^4760$|
- ^665$|^4761$|^666$|^4762$
- Group Account Changed
- group_changed,win_group_changed,
-
-
-
- 18104
- ^640$
- General account database changed.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640
- adduser,account_changed,
-
-
-
- 18104
- ^644$|^4740$
- User account locked out (multiple login errors).
- authentication_failures,
-
-
-
- 18104
- ^513$|^4609$
- Windows is shutting down.
- system_shutdown,
-
-
-
- 18104
- ^517$|^1102$
- Windows audit log was cleared.
- logs_cleared,
-
-
-
- 18107
- alert_by_email
-
- First time this user logged in this system.
- authentication_success,
-
-
-
- 18105
- ^680$
- Windows login attempt (ignored). Duplicated.
-
-
-
- 18102, 18103
- ^20187$|^20014$|^20078$|^20050$|^20049$|^20189$
- Remote access login failure.
- authentication_failed,
-
-
-
- 18101
- ^20158$
- Remote access login success.
- authentication_success,
-
-
-
- 18104
- ^646$|^645$|^647$|^4741$|^4742$|^4743$
- Computer account added/changed/deleted.
- account_changed,
-
-
-
-
- ^65xxx
- Group account added/changed/deleted.
- This rule has been deprecated
- account_changed,
-
-
-
- 18103
- ^13570$
- Windows file system full.
- low_diskspace,
-
-
-
-
-
- 18106
- ^529$|^4625$
- Logon Failure - Unknown user or bad password.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- win_authentication_failed,
-
-
-
- 18106
- ^530$
- Logon Failure - Account logon time restriction
- violation.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530
- win_authentication_failed,login_denied,
-
-
-
- 18106
- ^531$
- Logon Failure - Account currently disabled.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531
- win_authentication_failed,login_denied,
-
-
-
- 18106
- ^532$
- Logon Failure - Specified account expired.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532
- win_authentication_failed,login_denied,
-
-
-
- 18106
- ^533$
- Logon Failure - User not allowed to login at
- this computer.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533
- win_authentication_failed,login_denied,
-
-
-
- 18106
- ^534$
- Logon Failure - User not granted logon type.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534
- win_authentication_failed,
-
-
-
- 18106
- ^535$
- Logon Failure - Account's password expired.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535
- win_authentication_failed,
-
-
-
- 18106
- ^536$|^537$
- Logon Failure - Internal error.
- win_authentication_failed,
-
-
-
- 18106
- ^539$
- Logon Failure - Account locked out.
- win_authentication_failed,
-
-
-
- 18105
- ^673$|^675$|^681$|^4769$
- Windows DC Logon Failure.
- win_authentication_failed,
-
-
-
- 18104
- ^520$|^4616$
- System time changed.
- time_changed,
-
-
-
- 18102
- ^1076$
- unexpected shutdown
- system_error, system_shutdown,
- Unexpected Windows shutdown.
-
-
-
- 18104
- ^671$|^4767$
- User account unlocked.
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
- account_changed,
-
-
-
- 18114
- ^631$|^635$|^658$
- Security enabled group created.
- adduser,account_changed,
-
-
-
- 18114
- ^634$|^638$|^662$
- Security enabled group deleted.
- adduser,account_changed,
-
-
-
-
- 18101
- ^7040$
- policy_changed,
- Service startup type was changed.
- This does not appear to be logged on Windows 2000.
-
-
-
- 18101
- ^11724$
- alert_by_email
- Application Uninstalled.
-
-
-
- 18101
- ^11707$
- alert_by_email
- Application Installed.
-
-
-
- 18104
- ^4608$
- Windows is starting up.
-
-
-
- 18104
- ^538$|^551$|^4634$|^4647$
- Windows User Logoff.
-
-
-
-
-
- 18104
- ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|
- ^663$|^4759$
- Group Account Created
- group_created,win_group_created,
-
-
-
- 18104
- ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|
- ^667$|^4763$
- Group Account Deleted
- group_deleted,win_group_deleted,
-
-
-
- 18200
- ^631$|^4727$
- Security Enabled Global Group Created
- group_created,win_group_created,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631
-
-
-
- 18114
- ^632$|^4728$
- Security Enabled Global Group Member Added
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632
-
-
-
- 18114
- ^633$|^4729$
- Security Enabled Global Group Member Removed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633
-
-
-
- 18201
- ^634$|^4730$
- Security Enabled Global Group Deleted
- group_deleted,win_group_deleted,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634
-
-
-
- 18200
- ^635$|^4731$
- Security Enabled Local Group Created
- group_created,win_group_created,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635
-
-
-
- 18114
- ^636$|^4732$
- Security Enabled Local Group Member Added
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636
-
-
-
- 18114
- ^637$|^4733$
- Security Enabled Local Group Member Removed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637
-
-
-
- 18201
- ^638$|^4734$
- Security Enabled Local Group Deleted
- group_deleted,win_group_deleted,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638
-
-
-
- 18114
- ^639$|^4735$
- Security Enabled Local Group Changed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639
-
-
-
- 18114
- ^641$|^4737$
- Security Enabled Global Group Changed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641
-
-
-
- 18200
- ^658$|^4754$
- Security Enabled Universal Group Created
- group_created,win_group_created,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658
-
-
-
- 18114
- ^659$|^4755$
- Security Enabled Universal Group Changed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659
-
-
-
- 18114
- ^660$|^4756$
- Security Enabled Universal Group Member Added
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660
-
-
-
- 18114
- ^661$|^4757$
- Security Enabled Universal Group Member Removed
- group_changed,win_group_changed,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661
-
-
-
- 18201
- ^662$|^4758$
- Security Enabled Universal Group Deleted
- group_deleted,win_group_deleted,
- http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662
-
-
-
- 18207,18208
- ID:\s+\p*S-1-5-32-544
- Administrators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
- Everyone Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9
- Enterprise Domain Controllers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11
- Authenticated Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13
- Terminal Server Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512
- Domain Admins Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513
- Domain Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18223,18203
- Target Account Name: None
- Local User Group NONE
- Bogus group user added to upon creation
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514
- Domain Guests Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515
- Domain Computers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516
- Domain Controllers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517
- Cert Publishers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518
- Schema Admins Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519
- Enterprise Admins Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18203,18204
- ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520
- Group Policy Creator Owners Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553
- RAS and IAS Servers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545
- Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546
- Guests Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547
- Power Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548
- Account Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549
- Server Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550
- Print Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551
- Backup Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552
- Replicators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554
- Pre-Windows 2000 Compatible Access Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555
- Remote Desktop Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556
- Network Configuration Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557
- Incoming Forest Trust Builders Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558
- Performance Monitor Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559
- Performance Log Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560
- Windows Authorization Access Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561
- Terminal Server License Servers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562
- Distributed COM Users Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498
- Enterprise Read-only Domain Controllers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529
- Read-only Domain Controllers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569
- Cryptographic Operators Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571
- Allowed RODC Password Replication Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572
- Denied RODC Password Replication Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573
- Event Log Readers Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18207,18208
- ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574
- Certificate Service DCOM Access Group Changed
- group_changed,win_group_changed,
- http://support.microsoft.com/kb/243330
-
-
-
- 18101
- ^200$|^300$|^302$
- TS Gateway login success.
- authentication_success,
- https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
-
-
-
- 18102, 18103
- ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$
- TS Gateway login failure.
- authentication_failed,
- https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
-
-
-
- 18101
- ^202$|^303$
- TS Gateway user disconnected.
- https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
-
-
-
-
- 18107,18149
- ^528$|^538$|^540$|^4624$
- ^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
- Windows Logon Success (ignored).
-
-
-
-
-
- 18139
- Failure Code: 0x1F
- Windows DC integrity check on decrypted
- field failed.
-
- win_authentication_failed,attacks,
-
-
-
- 18139
- Failure Code: 0x22
- Windows DC - Possible replay attack.
-
- win_authentication_failed,attacks,
-
-
-
- 18139
- Failure Code: 0x25
- Windows DC - Clock skew too great.
-
- win_authentication_failed,attacks,
-
-
-
-
-
- 18105
- ^18456$
- win_authentication_failed,
- MS SQL Server Logon Failure.
-
-
-
- 18104
- ^18454$|^18453$
- MS SQL Server Logon Success.
- authentication_success,
-
-
-
-
- 18107
- ^4624$
- Logon Type: 8
- MS Exchange Logon Success.
-
-
-
- 18149
- ^4634$
- Logon Type: 8
- User Logoff Exchange.
-
-
-
-
-
- 18108
-
- Multiple failed attempts to perform a
- privileged operation by the same user.
-
-
-
- win_authentication_failed
- Multiple Windows Logon Failures.
- authentication_failures,
-
-
-
- 18105
- Multiple Windows audit failure events.
-
-
-
- 18103
- Multiple Windows error events.
-
-
-
- 18102
- Multiple Windows warning events.
-
-
-
- 18125
- Multiple remote access login failures.
- authentication_failures,
-
-
-
- 18258
- Multiple TS Gateway login failures.
- authentication_failures,
-
-
-
-
- 18103
- chromoting
- : chromoting: \.* Access denied for client:
- Chrome Remote Desktop attempt - access denied
-
-
-
- 18101
- chromoting
- : chromoting: \.* Client connected:
- Chrome Remote Desktop attempt - connected
-
-
-
- 18101
- chromoting
- : chromoting: \.* Client disconnected:
- Chrome Remote Desktop attempt - disconnected
-
-
-
-
-
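Review bot: This hunk deletes debian/ossec-hids/var/ossec/rules/msauth_rules.xml wholesale, removing the entire Windows authentication ruleset from the packaged tree (logon failure IDs 529-539/4625, logon success 528/540/4624, account and group change events, audit log cleared 517/1102, the DC Kerberos failure codes 0x1F/0x22/0x25, the TS Gateway, MS SQL and Exchange rules, and every composite "Multiple ..." frequency rule), and no replacement file appears in this diff; the commit should state where these rules are now sourced so the installed package does not silently lose Windows logon detection. Since debian/ossec-hids/ is the dpkg build staging directory, the right change is most likely to stop tracking that tree (and ship the rules from the upstream source path) rather than to drop the rules. If a copy of this file is kept elsewhere, do not carry forward the defects visible in the removed version: `^4719$` appears twice in the "Windows Audit Policy changed" pattern, `^637$|^4733$` and `^659$|^4755$` are each repeated inside the "Group Account Changed" pattern, the "Group account added/changed/deleted" rule matches `^65xxx` and is marked deprecated, the Schema Admins pattern uses `S-1-5-21\.+-518` where the sibling domain-group rules use `S-1-5-21\S+-NNN`, and the RODC group rules use a third variant `S-1-5-\s*21\.+\s*-NNN`.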