[ossec-cvs] ossec-hids: netscreenfw_rules.xml (HEAD) ossec_rules.xml (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 07/08/21 21:39:32
Modified files:
netscreenfw_rules.xml ossec_rules.xml
Log message:
Description: Fixing the netscreen decoder and the database daemon, and adding a few more entries to the policy checks / rootkit list.
Reviewed by: dcid
Bug:
Index: netscreenfw_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/netscreenfw_rules.xml,v
diff -u -r1.8 -r1.9
--- netscreenfw_rules.xml 19 Jul 2007 23:49:56 -0000 1.8
+++ netscreenfw_rules.xml 22 Aug 2007 00:39:31 -0000 1.9
@@ -45,13 +45,41 @@
<!-- ns204: NetScreen device_id=ns204 [Root]system-critical-00027:
- Configuration Erase sequence accepted -->
- <rule id="4505" level="11">
+ <rule id="4505" level="11">
<if_sid>4503</if_sid>
- <id>00027</id>
+ <id>^00027</id>
<description>Netscreen Erase sequence started.</description>
<group>service_availability,</group>
</rule>
-
+
+ <rule id="4506" level="8">
+ <if_sid>4501</if_sid>
+ <id>^00002</id>
+ <description>Sucessfull admin login to the Netscreen firewall</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="4507" level="8">
+ <if_sid>4502</if_sid>
+ <id>^00515</id>
+ <description>Sucessfull admin login to the Netscreen firewall</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="4508" level="8">
+ <if_sid>4501</if_sid>
+ <id>^00018</id>
+ <description>Firewall policy changed.</description>
+ <group>config_changed,</group>
+ </rule>
+
+ <rule id="4509" level="8">
+ <if_sid>4504</if_sid>
+ <id>^00767</id>
+ <description>Firewall configuration changed.</description>
+ <group>config_changed,</group>
+ </rule>
+
<rule id="4550" level="10" frequency="4" timeframe="180" ignore="60">
<if_matched_sid>4503</if_matched_sid>
<same_source_ip />
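Review bot: Rules 4506 and 4507 carry the identical, misspelled description `Sucessfull admin login to the Netscreen firewall`, so an alert does not show which id fired (`^00002` under 4501 or `^00515` under 4502), and the typo lands in every alert and in any search built on the text. I would use `<description>Successful admin login to the Netscreen firewall.</description>` and add a distinguishing word to each if the two ids are different login paths, which the hunk does not show. The new `^` anchors pin only the start of the id; if the decoder can ever hand over more than five digits, a trailing `$` would be needed as well, and the decoder is outside this diff. Rule 4505 has a sample log line in the comment above it, while the five new rules have none, so a one-line sample per rule would make them checkable against real firewall output. Rule 4550 continues past the end of the hunk.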
Index: ossec_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/ossec_rules.xml,v
diff -u -r1.11 -r1.12
--- ossec_rules.xml 21 Jul 2007 23:50:56 -0000 1.11
+++ ossec_rules.xml 22 Aug 2007 00:39:31 -0000 1.12
@@ -135,4 +135,18 @@
<group>syscheck,</group>
</rule>
+ <rule id="580" level="8">
+ <category>ossec</category>
+ <decoded_as>hostinfo_modified</decoded_as>
+ <description>Host information changed.</description>
+ <group>hostinfo,</group>
+ </rule>
+
+ <rule id="581" level="8">
+ <category>ossec</category>
+ <decoded_as>hostinfo_new</decoded_as>
+ <description>Host information added.</description>
+ <group>hostinfo,</group>
+ </rule>
+
</group> <!-- OSSEC -->
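Review bot: Rules 580 and 581 have no comment saying what produces `hostinfo_modified` and `hostinfo_new` events or what "host information" covers, so an analyst receiving a level 8 alert has nothing to triage against. A short comment above each rule, such as `<!-- Host information changed since the previous scan; compare with the stored entry. -->`, would help, with the wording adjusted to what the decoder actually reports. Presumably every host shows up as "added" the first time data is collected, so 581 at the same level as 580 may be noisy on initial deployment; worth confirming against the daemon that emits these. The enclosing `<group>` opens outside the hunk.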