[ossec-cvs] ossec-hids: mysql_rules.xml (NEW) [dcid]
Module name: ossec-hids
Changes by: dcid 07/08/25 10:24:02
Added files:
mysql_rules.xml
Log message:
Description: Adding support for mysql logs (.err and .log). Adding support for PostgreSQL as a database output. A few more fixes for the hostinfo stuff... (yes, long morning -- you got to love
saturdays)
Reviewed by: dcid
Bug:
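--- /dev/null
+++ b/mysql_rules.xml
@@ -0,0 +1,71 @@
+<!-- @(#) $Id: mysql_rules.xml,v 1.1 2007/08/25 13:24:02 dcid Exp $
+- Official MySQL rules for OSSEC.
+-
+- Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+- All rights reserved.
+-
+- This program is a free software; you can redistribute it
+- and/or modify it under the terms of the GNU General Public
+- License (version 3) as published by the FSF - Free Software
+- Foundation.
+-
+- License details: http://www.ossec.net/en/licensing.html
+-->
+<!-- MYSQL Log messages -->
+<group name="mysql_log,">
+<rule id="50100" level="0">
+<decoded_as>mysql_log</decoded_as>
+<description>MySQL messages grouped.</description>
+</rule>
+<rule id="50105" level="3">
+<if_sid>50100</if_sid>
+<regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
+<description>Database authentication success.</description>
+<group>authentication_success,</group>
+</rule>
+<rule id="50106" level="9">
+<if_sid>50105</if_sid>
+<match>Access denied for user</match>
+<description>Database authentication failure.</description>
+<group>authentication_failed,</group>
+</rule>
+<rule id="50107" level="0">
+<if_sid>50100</if_sid>
+<regex>^MySQL log: \d+ \S+ \d+ Query</regex>
+<description>Database query.</description>
+</rule>
+<rule id="50108" level="3">
+<if_sid>50100</if_sid>
+<regex>^MySQL log: \d+ \S+ \d+ Quit</regex>
+<description>User disconnected from database.</description>
+</rule>
+<rule id="50120" level="12">
+<if_sid>50100</if_sid>
+<match>mysqld ended|Shutdown complete</match>
+<description>Database shutdown messge.</description>
+<group>service_availability,</group>
+</rule>
+<rule id="50121" level="3">
+<if_sid>50100</if_sid>
+<match>mysqld started|mysqld restarted</match>
+<description>Database startup message.</description>
+<group>service_availability,</group>
+</rule>
+<rule id="50125" level="5">
+<if_sid>50100</if_sid>
+<regex>^MySQL log: \d+ \S+ \d+ [ERROR]</regex>
+<description>Database error.</description>
+</rule>
+<rule id="50126" level="12">
+<if_sid>50125</if_sid>
+<match>Fatal error:</match>
+<description>Database fatal error.</description>
+<group>service_availability,</group>
+</rule>
+<rule id="50180" level="10" frequency="6" timeframe="120" ignore="60">
+<if_matched_sid>50125</if_matched_sid>
+<description>Multiple database errors.</description>
+<group>service_availability,</group>
+</rule>
+</group> <!-- MYSQL -->
+<!-- EOF -->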
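Review bot: Rule 50106 fires once per "Access denied for user" line, but unlike 50125, which gets the frequency rule 50180, nothing correlates repeated authentication failures, so a burst of failed database logins produces only a stream of isolated level-9 alerts with no escalation. A composite rule chained on 50106 with `frequency`/`timeframe` like 50180 would close that gap; the rule id below is a placeholder to be assigned in the 501xx range. Separately, the description on rule 50120 has a typo, `Database shutdown messge.` should read `Database shutdown message.`. In rule 50125 the `[ERROR]` token only matches the bracketed severity tag if OSSEC's regex engine treats `[` and `]` literally, which I believe it does but could not confirm from this file; a short comment on that rule stating the intent would save the next maintainer from reading it as a character class.
```xml
<!-- … unchanged: rules 50100-50180 … -->
<rule id="RULE_ID_PLACEHOLDER" level="10" frequency="6" timeframe="120">
<if_matched_sid>50106</if_matched_sid>
<description>Multiple database authentication failures.</description>
<group>authentication_failures,</group>
</rule>
</group> <!-- MYSQL -->
```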