X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsquid_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsquid_rules.xml;h=0000000000000000000000000000000000000000;hb=946517cefb8751a43a89bda4220221f065f4e5d1;hp=d74ef2ebf11de9a3177a3b393530b79c9c46c19d;hpb=3f728675941dc69d4e544d3a880a56240a6e394a;p=ossec-hids.git

diff --git a/debian/ossec-hids/var/ossec/rules/squid_rules.xml b/debian/ossec-hids/var/ossec/rules/squid_rules.xml
deleted file mode 100644
index d74ef2e..0000000
--- a/debian/ossec-hids/var/ossec/rules/squid_rules.xml
+++ /dev/null
@@ -1,212 +0,0 @@
-<!-- @(#) $Id: ./etc/rules/squid_rules.xml, 2011/09/08 dcid Exp $
-
-  -  Official Squid rules for OSSEC.
-  -
-  -  Copyright (C) 2009 Trend Micro Inc.
-  -  All rights reserved.
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 2) as published by the FSF - Free Software
-  -  Foundation.
-  -
-  -  License details: http://www.ossec.net/en/licensing.html
-  -
-  -  Contributed by: Ahmet Ozturk
-  -->
-  
-
-<!-- More information about squid codes below:
-   - http://www.uniar.ukrnet.net/tools/Squid-FAQ/FAQ-6.html
-  -->
-
-  
-<!-- Squid frequency -->
-<var name="SQUID_FREQ">8</var>
-
-  
-<group name="squid,">
-  <rule id="35000" level="0">
-    <category>squid</category>
-    <description>Squid messages grouped.</description>
-  </rule>    
-
-  <!-- Pre-rule with all the 400 error codes.
-     - This will make searching faster for most
-     - of the traffic.
-    --> 
-     
-  <rule id="35002" level="4">
-    <if_sid>35000</if_sid>
-    <id>^4|^5|^6</id>
-    <description>Squid generic error codes.</description>
-  </rule>
-    
-  <rule id="35003" level="5">
-    <if_sid>35002</if_sid>
-    <id>^400</id>
-    <description>Bad request/Invalid syntax.</description>
-  </rule>
-
-  <rule id="35004" level="5">
-    <if_sid>35002</if_sid>
-    <id>^401</id>
-    <description>Unauthorized: Failed attempt to access </description>
-    <description>authorization-required file or directory.</description>
-  </rule>
-
-  <rule id="35005" level="5">
-    <if_sid>35002</if_sid>
-    <id>^403</id>
-    <description>Forbidden: Attempt to access forbidden file </description>
-    <description>or directory.</description>
-  </rule>
-
-  <rule id="35006" level="5">
-    <if_sid>35002</if_sid>
-    <id>^404</id>
-    <description>Not Found: Attempt to access non-existent </description>
-    <description>file or directory.</description>
-  </rule>
-
-  <rule id="35007" level="5">
-    <if_sid>35002</if_sid>
-    <id>^407</id>
-    <description>Proxy Authentication Required: User is not </description>
-    <description>authorized to use proxy.</description>
-  </rule>
-
-  <rule id="35008" level="5">
-    <if_sid>35002</if_sid>
-    <id>^4</id>
-    <description>Squid 400 error code (request failed).</description>
-  </rule>
-
-  <rule id="35009" level="5">
-    <if_sid>35002</if_sid>
-    <id>^5|^6</id>
-    <description>Squid 500/600 error code (server error).</description>
-  </rule>
-  
-  <rule id="35010" level="4">
-    <if_sid>35009</if_sid>
-    <id>^503</id>
-    <description>Squid 503 error code (server unavailable).</description>
-  </rule>
-  
-  <!-- Special rules for 403/404 errors -->
-  <rule id="35021" level="6">
-    <if_sid>35006</if_sid>
-    <url>blst.php|xxx3.php|ngr7.php|ngr2.php|/nul.php$|/mul.php$|/444.php</url>
-    <description>Attempt to access a Beagle worm (or variant) </description>
-    <description>file.</description>
-    <info type="link">http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
-    <info type="text">W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.</info>
-    <group>automatic_attack,</group>
-  </rule>
-  
-  <!-- Other worms -->
-  <rule id="35022" level="6">
-    <if_sid>35006</if_sid>
-    <url>/jk/exp.wmf$|/PopupSh.ocx$</url>
-    <description>Attempt to access a worm/trojan related site.</description>
-    <group>automatic_attack,</group>
-  </rule>
-  
-  <!-- Ignoring google earth, ms web site access and some other
-    -  common extensions to cause false positives (specially anti virus).
-    -  It includes most of the time bugs on IE that always
-    -  access these pages (causing 403/404 errors).
-    -->
-  <rule id="35023" level="0">
-    <if_sid>35004, 35005, 35006, 35009</if_sid>
-    <url>.jpg|.gif|favicon.ico$|.png$|.swf|.txt$|.zip|.css|.xml|.js|.bmp$|</url>
-    <url>windowsupdate/redir/wuredir.cab|</url>
-    <url>^http://codecs.microsoft.com/isapi/ocget.dll|</url>
-    <url>^http://activex.microsoft.com/objects/ocget.dll|</url>
-    <url>^http://webmessenger.msn.com/session/null|</url>
-    <url>^http://sqm.msn.com/sqm/wmp/sqmserver.dll|</url>
-    <url>^http://config.messenger.msn.com/Config/MsgrConfig.asmx|</url>
-    <url>kaspersky-labs.com/|</url>
-    <url>^http://liveupdate.symantecliveupdate.com/|</url>
-    <url>_vti_bin/owssvr.dll|MSOffice/cltreq.asp|</url>
-    <url>google.com/mt?|</url>
-    <url>google.com/kh?|</url>
-    <url>^http://kh.google.com/flatfile</url>
-
-    <!-- Add more extensions to be ignored in here.
-    <url>|.html$|.htm</url>
-      -->
-
-    <description>Ignored files on a 40x error.</description>
-  </rule>                        
-  
-  <!-- Context relevant rules (correlated) -->
-  <rule id="35051" level="10" frequency="$SQUID_FREQ" timeframe="120">
-    <if_matched_sid>35005</if_matched_sid>
-    <same_source_ip />
-    <different_url />
-    <description>Multiple attempts to access forbidden file </description>
-    <description>or directory from same source ip.</description>
-  </rule>
-
-  <rule id="35052" level="10" frequency="$SQUID_FREQ" timeframe="120">
-    <if_matched_sid>35007</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple unauthorized attempts to use proxy.</description>
-  </rule>
-
-  <rule id="35053" level="10" frequency="$SQUID_FREQ" timeframe="120">
-    <if_matched_sid>35003</if_matched_sid>
-    <same_source_ip />
-    <different_url />
-    <description>Multiple Bad requests/Invalid syntax.</description>
-  </rule>
-
-  <rule id="35054" level="12" frequency="$SQUID_FREQ" timeframe="240">
-    <if_matched_sid>35021</if_matched_sid>
-    <same_source_ip />
-    <description>Infected machine with W32.Beagle.DP.</description>
-    <info type="link">http://www.symantec.com/avcenter/venc/data/w32.beagle.dp.html</info>
-    <info type="text">W32.Beagle.DP is a Worm that drops Trojan.Lodear and opens a back door on the compromised computer.</info>
-  </rule>
-  
-  <rule id="35055" level="10" frequency="$SQUID_FREQ" timeframe="90">
-    <if_matched_sid>35006</if_matched_sid>
-    <same_source_ip />
-    <different_url />
-    <description>Multiple attempts to access a non-existent file.</description>
-  </rule>
-
-  <rule id="35056" level="12" frequency="$SQUID_FREQ" timeframe="240">
-    <if_matched_sid>35022</if_matched_sid>
-    <same_source_ip />
-    <description>Multiple attempts to access a worm/trojan/virus </description>
-    <description>related web site. System probably infected.</description>
-  </rule>
-  
-  <rule id="35057" level="10" frequency="$SQUID_FREQ" timeframe="240">
-    <if_matched_sid>35008</if_matched_sid>
-    <same_source_ip />
-    <different_url />
-    <description>Multiple 400 error codes (requests failed).</description>
-  </rule>
-
-  <rule id="35058" level="10" frequency="$SQUID_FREQ" timeframe="240">
-    <if_matched_sid>35009</if_matched_sid>
-    <same_source_ip />
-    <different_url />
-    <description>Multiple 500/600 error codes (server error).</description>
-  </rule>
-
-  <rule id="35095" level="0" frequency="2" timeframe="360">
-    <if_matched_sid>35055</if_matched_sid>
-    <same_source_ip />
-    <description>Ignoring multiple attempts from same source ip</description>
-    <description> (alert only once).</description>
-  </rule>
-
-</group> <!-- ACCESSLOG,SQUID -->
-
-<!-- EOF -->
-