[ossec-cvs] ossec-hids: cisco-ios_rules.xml (NEW) symantec-ws_rules.xml (NEW) apache_rules.xml (HEAD) arpwatch_rules.xml (HEAD) attack_rules.xml (HEAD) courier_rules.xml (HEAD) firewall_rules.xml (HEAD) hordeimp_rules.xml (HEAD) ids_rules.xml (HEAD) imapd_rules.xml (HEAD) local_rules.xml (HEAD) mailscanner_rules.xml (HEAD) ms-exchange_rules.xml (HEAD) ms_ftpd_rules.xml (HEAD) msauth_rules.xml (HEAD) named_rules.xml (HEAD) netscreenfw_rules.xml (HEAD) ossec_rules.xml (HEAD) pam_rules.xml (HEAD) pix_rules.xml (HEAD) policy_rules.xml (HEAD) postfix_rules.xml (HEAD) proftpd_rules.xml (HEAD) rules_config.xml (HEAD) smbd_rules.xml (HEAD) squid_rules.xml (HEAD) sshd_rules.xml (HEAD) symantec-av_rules.xml (HEAD) syslog_rules.xml (HEAD) vpn_concentrator_rules.xml (HEAD) web_rules.xml (HEAD) zeus_rules.xml (HEAD) [dcid]
- To: ossec-cvs@xxxxxxxxx
- Subject: [ossec-cvs] ossec-hids: cisco-ios_rules.xml (NEW) symantec-ws_rules.xml (NEW) apache_rules.xml (HEAD) arpwatch_rules.xml (HEAD) attack_rules.xml (HEAD) courier_rules.xml (HEAD) firewall_rules.xml (HEAD) hordeimp_rules.xml (HEAD) ids_rules.xml (HEAD) imapd_rules.xml (HEAD) local_rules.xml (HEAD) mailscanner_rules.xml (HEAD) ms-exchange_rules.xml (HEAD) ms_ftpd_rules.xml (HEAD) msauth_rules.xml (HEAD) named_rules.xml (HEAD) netscreenfw_rules.xml (HEAD) ossec_rules.xml (HEAD) pam_rules.xml (HEAD) pix_rules.xml (HEAD) policy_rules.xml (HEAD) postfix_rules.xml (HEAD) proftpd_rules.xml (HEAD) rules_config.xml (HEAD) smbd_rules.xml (HEAD) squid_rules.xml (HEAD) sshd_rules.xml (HEAD) symantec-av_rules.xml (HEAD) syslog_rules.xml (HEAD) vpn_concentrator_rules.xml (HEAD) web_rules.xml (HEAD) zeus_rules.xml (HEAD) [dcid]
- From: OSSEC CVS <cvs-commit@xxxxxxxxx>
- Date: Thu, 19 Jul 2007 20:50:00 -0300 (ADT)
- Content-transfer-encoding: 8bit
Module name: ossec-hids
Changes by: dcid 07/07/19 20:49:56
Modified files:
apache_rules.xml arpwatch_rules.xml attack_rules.xml
courier_rules.xml firewall_rules.xml hordeimp_rules.xml ids_rules.xml
imapd_rules.xml local_rules.xml mailscanner_rules.xml
ms-exchange_rules.xml ms_ftpd_rules.xml msauth_rules.xml
named_rules.xml netscreenfw_rules.xml ossec_rules.xml pam_rules.xml
pix_rules.xml policy_rules.xml postfix_rules.xml proftpd_rules.xml
rules_config.xml smbd_rules.xml squid_rules.xml sshd_rules.xml
symantec-av_rules.xml syslog_rules.xml vpn_concentrator_rules.xml
web_rules.xml zeus_rules.xml
Added files:
cisco-ios_rules.xml symantec-ws_rules.xml
Log message:
Description: Adding Cisco IOS and Symantec Web Security rules. Changing license to GPLv3.
Reviewed by: dcid
Bug:
--- NEW FILE: cisco-ios_rules.xml ---
<!-- @(#) $Id: cisco-ios_rules.xml,v 1.1 2007/07/19 23:49:55 dcid Exp $
- Official Cisco IOS rules for OSSEC.
-
- Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 3) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->
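<group name="syslog,cisco_ios,">
  <!-- Parent rule. Everything the cisco-ios decoder handles lands here at
     - level 0, so this rule never alerts on its own; the rules below narrow
     - it down by the decoded "id" field, which carries the IOS
     - %FACILITY-SEVERITY-MNEMONIC header (4721, 4722 and 4724 show the full form).
     -->
  <rule id="4700" level="0">
    <decoded_as>cisco-ios</decoded_as>
    <description>Grouping of Cisco IOS rules.</description>
  </rule>

  <!-- Severity tiers. The digit between the dashes is the IOS severity
     - (0 = emergency through 7 = debug). Emergencies alert at level 9;
     - notification, informational and debug (5, 6, 7) stay at level 0 and
     - only act as parents for the specific rules further down.
     -->
  <rule id="4710" level="9">
    <if_sid>4700</if_sid>
    <id>-0-</id>
    <description>Cisco IOS emergency message.</description>
  </rule>
  <rule id="4711" level="5">
    <if_sid>4700</if_sid>
    <id>-1-</id>
    <description>Cisco IOS alert message.</description>
  </rule>
  <rule id="4712" level="5">
    <if_sid>4700</if_sid>
    <id>-2-</id>
    <description>Cisco IOS critical message.</description>
  </rule>
  <rule id="4713" level="4">
    <if_sid>4700</if_sid>
    <id>-3-</id>
    <description>Cisco IOS error message.</description>
  </rule>
  <rule id="4714" level="4">
    <if_sid>4700</if_sid>
    <id>-4-</id>
    <description>Cisco IOS warning message.</description>
  </rule>
  <rule id="4715" level="0">
    <if_sid>4700</if_sid>
    <id>-5-</id>
    <description>Cisco IOS notification message.</description>
  </rule>
  <rule id="4716" level="0">
    <if_sid>4700</if_sid>
    <id>-6-</id>
    <description>Cisco IOS informational message.</description>
  </rule>
  <rule id="4717" level="0">
    <if_sid>4700</if_sid>
    <id>-7-</id>
    <description>Cisco IOS debug message.</description>
  </rule>

  <!-- Specific notification-level (severity 5) events. -->
  <rule id="4721" level="3">
    <if_sid>4715</if_sid>
    <!-- Anchored at the start only, so every %SYS-5-CONFIG* mnemonic matches
       - (presumably CONFIG_I and friends; verify against the decoder output). -->
    <id>^%SYS-5-CONFIG</id>
    <description>Cisco IOS router configuration changed.</description>
    <group>config_changed,</group>
  </rule>
  <rule id="4722" level="3">
    <if_sid>4715</if_sid>
    <id>^%SEC_LOGIN-5-LOGIN_SUCCESS</id>
    <!-- Spelling fixed ("Sucessfull" became "Successful"); any alert filter
       - keyed on the old description text must be updated to match. -->
    <description>Successful login to the router.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Specific warning-level (severity 4) event. Level 9 fires on a single
     - failure; this file has no frequency-based composite rule, so repeated
     - failures from one source are not escalated any further.
     - NOTE(review): consider a same_source_ip composite rule for brute force.
     -->
  <rule id="4724" level="9">
    <if_sid>4714</if_sid>
    <id>^%SEC_LOGIN-4-LOGIN_FAILED</id>
    <description>Failed login to the router.</description>
    <group>authentication_failed,</group>
  </rule>
</group> <!-- SYSLOG,CISCO IOS -->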
<!-- EOF -->
--- NEW FILE: symantec-ws_rules.xml ---
<!-- @(#) $Id: symantec-ws_rules.xml,v 1.1 2007/07/19 23:49:56 dcid Exp $
- Official Symantec Web Security rules for OSSEC.
-
- Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 3) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->
<!-- For more info:
- http://www.ossec.net/wiki/index.php/Symantec_WebSecurity
- Data submitted by: Michael Starks
-->
<!-- Still BETA -->
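<group name="symantec,">
  <!-- Parent rule. Everything the symantec-websecurity decoder handles lands
     - here at level 0, so this rule never alerts on its own. The child rules
     - key on the decoded "id" field, which looks like the leading field=value
     - pairs of the record (3=2,2=1 failed login; 3=1,2=1 successful login;
     - 2=27 web access, per the example at the bottom).
     -->
  <rule id="7400" level="0">
    <decoded_as>symantec-websecurity</decoded_as>
    <description>Grouping of Symantec Web Security rules.</description>
  </rule>

  <!-- Authentication events against the proxy. -->
  <rule id="7410" level="5">
    <if_sid>7400</if_sid>
    <id>^3=2,2=1</id>
    <description>Login failed accessing the web proxy.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="7415" level="3">
    <if_sid>7400</if_sid>
    <id>^3=1,2=1</id>
    <description>Login success accessing the web proxy.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Administrator login. The user field is a plain (os_match) pattern and
     - matches as a substring unless anchored, so a bare "virtadmin" would also
     - fire for any account whose name merely contains it ("virtadmin2",
     - "xvirtadmin"); anchoring it to the exact account name keeps this rule
     - limited to the one account it is meant to flag.
     -->
  <rule id="7420" level="3">
    <if_sid>7415</if_sid>
    <user>^virtadmin$</user>
    <description>Admin Login success to the web proxy.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Example alerting using the url (event id 2=27 is for web access
  <rule id="7425" level="3">
    <if_sid>7400</if_sid>
    <id>^2=27</id>
    <description>Web access message.</description>
    <url>abc.exe</url>
  </rule>
  -->
</group> <!-- symantec -->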
<!-- EOF -->
Index: apache_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/apache_rules.xml,v
diff -u -r1.32 -r1.33
--- apache_rules.xml 14 Apr 2007 20:09:19 -0000 1.32
+++ apache_rules.xml 19 Jul 2007 23:49:55 -0000 1.33
@@ -1,11 +1,20 @@
<!-- @(#) $Id$
- - Official rules for apache
- - Author: Daniel B. Cid
- - Author: Ahmet Ozturk
- - License: http://www.ossec.net/en/licensing.html
+ - Official Apache rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -
+ - Contributed by: Ahmet Ozturk
-->
+
-
<group name="apache,">
<rule id="30100" level="0">
<decoded_as>apache-errorlog</decoded_as>
Index: arpwatch_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/arpwatch_rules.xml,v
diff -u -r1.6 -r1.7
--- arpwatch_rules.xml 1 May 2007 23:57:26 -0000 1.6
+++ arpwatch_rules.xml 19 Jul 2007 23:49:55 -0000 1.7
@@ -1,8 +1,17 @@
<!-- @(#) $Id$
- - Official arpwatch rules for the OSSEC HIDS
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Arpwatch rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<group name="syslog,arpwatch,">
<rule id="7200" level="0" noalert="1">
Index: attack_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/attack_rules.xml,v
diff -u -r1.13 -r1.14
--- attack_rules.xml 3 May 2007 01:52:42 -0000 1.13
+++ attack_rules.xml 19 Jul 2007 23:49:55 -0000 1.14
@@ -1,10 +1,18 @@
-<!-- @(#) $Id$
+<!-- @(#) $Id$
- Official "attack" correlation rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- System users. They should never log in to the system -->
<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>
Index: courier_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/courier_rules.xml,v
diff -u -r1.1 -r1.2
--- courier_rules.xml 11 Jun 2007 22:24:01 -0000 1.1
+++ courier_rules.xml 19 Jul 2007 23:49:55 -0000 1.2
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- Official Courier rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- Using logs from: http://www.ossec.net/wiki/index.php/Courier -->
<group name="syslog,courier,">
Index: firewall_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/firewall_rules.xml,v
diff -u -r1.7 -r1.8
--- firewall_rules.xml 3 Jan 2007 02:35:48 -0000 1.7
+++ firewall_rules.xml 19 Jul 2007 23:49:55 -0000 1.8
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- Official Firewall rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="firewall,">
<rule id="4100" level="0">
Index: hordeimp_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/hordeimp_rules.xml,v
diff -u -r1.4 -r1.5
--- hordeimp_rules.xml 3 Jan 2007 02:35:48 -0000 1.4
+++ hordeimp_rules.xml 19 Jul 2007 23:49:55 -0000 1.5
@@ -1,10 +1,18 @@
<!-- @(#) $Id$
- Official Horde IMP rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="syslog,hordeimp,">
<rule id="9300" level="0">
<decoded_as>horde_imp</decoded_as>
Index: ids_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/ids_rules.xml,v
diff -u -r1.23 -r1.24
--- ids_rules.xml 28 Mar 2007 02:53:57 -0000 1.23
+++ ids_rules.xml 19 Jul 2007 23:49:55 -0000 1.24
@@ -1,8 +1,17 @@
<!-- @(#) $Id$
- Official IDS rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<var name="IDS_FREQ">8</var>
Index: imapd_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/imapd_rules.xml,v
diff -u -r1.4 -r1.5
--- imapd_rules.xml 3 Jan 2007 02:35:48 -0000 1.4
+++ imapd_rules.xml 19 Jul 2007 23:49:55 -0000 1.5
@@ -1,8 +1,17 @@
<!-- @(#) $Id$
- Official imapd rules for OSSEC.
- - Author: Daniel Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<var name="IMAPD_FREQ">6</var>
Index: local_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/local_rules.xml,v
diff -u -r1.3 -r1.4
--- local_rules.xml 3 Jan 2007 02:35:48 -0000 1.3
+++ local_rules.xml 19 Jul 2007 23:49:55 -0000 1.4
@@ -1,7 +1,15 @@
<!-- @(#) $Id$
- - Example of local rules for ossec.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of local rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
Index: mailscanner_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/mailscanner_rules.xml,v
diff -u -r1.3 -r1.4
--- mailscanner_rules.xml 3 Jan 2007 02:35:48 -0000 1.3
+++ mailscanner_rules.xml 19 Jul 2007 23:49:55 -0000 1.4
@@ -1,7 +1,15 @@
<!-- @(#) $Id$
- - Official MailScanner rules for the OSSEC HIDS
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of MailScanner rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
Index: ms-exchange_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/ms-exchange_rules.xml,v
diff -u -r1.4 -r1.5
--- ms-exchange_rules.xml 3 Jan 2007 02:35:48 -0000 1.4
+++ ms-exchange_rules.xml 19 Jul 2007 23:49:55 -0000 1.5
@@ -1,10 +1,19 @@
<!-- @(#) $Id$
- - Official MS Exchange rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of MS Exchange rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-<!-- Still BETA -->
+
+<!-- Still BETA - anyone using it? -->
<group name="ms,exchange,">
Index: ms_ftpd_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/ms_ftpd_rules.xml,v
diff -u -r1.2 -r1.3
--- ms_ftpd_rules.xml 3 Jan 2007 02:35:48 -0000 1.2
+++ ms_ftpd_rules.xml 19 Jul 2007 23:49:56 -0000 1.3
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- - Official Microsoft FTP rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of Microsoft FTP rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="syslog,msftp,">
<rule id="11500" level="0">
Index: msauth_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/msauth_rules.xml,v
diff -u -r1.24 -r1.25
--- msauth_rules.xml 2 Jun 2007 23:42:05 -0000 1.24
+++ msauth_rules.xml 19 Jul 2007 23:49:56 -0000 1.25
@@ -1,9 +1,18 @@
<!-- @(#) $Id$
- - Official Microsoft rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<var name="MS_FREQ">6</var>
<group name="windows,">
@@ -81,7 +90,7 @@
<if_sid>18104</if_sid>
<id>^628|^642|^685</id>
<description>User account changed.</description>
- <group>adduser,account_changed,</group>
+ <group>account_changed,</group>
</rule>
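Review bot: The new group line leaves this rule describing three quite different Windows events under the single label "User account changed", and nothing in the hunk tells an analyst them apart: by the Windows 2000/2003 security log IDs, 628 is a password set on an account by another principal, 642 a generic account change and 685 an account rename. A comment above the `<id>` line such as `<!-- 628: account password set by another principal, 642: account changed, 685: account renamed -->` would make tuning easier, and the password-set case is arguably worth its own rule at a higher level in a follow-up. Dropping `adduser` from the group looks right, since none of these IDs creates an account. The rule's start tag is outside this hunk.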
<rule id="18112" level="8">
Index: named_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/named_rules.xml,v
diff -u -r1.17 -r1.18
--- named_rules.xml 17 Mar 2007 03:41:37 -0000 1.17
+++ named_rules.xml 19 Jul 2007 23:49:56 -0000 1.18
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- - Official named rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Example of Named rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="syslog,named,">
<rule id="12100" level="0" noalert="1">
Index: netscreenfw_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/netscreenfw_rules.xml,v
diff -u -r1.7 -r1.8
--- netscreenfw_rules.xml 3 Jan 2007 02:35:48 -0000 1.7
+++ netscreenfw_rules.xml 19 Jul 2007 23:49:56 -0000 1.8
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- - Netscreen fw rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Netscreen Firewall rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="netscreenfw,">
<rule id="4500" level="0">
Index: ossec_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/ossec_rules.xml,v
diff -u -r1.8 -r1.9
--- ossec_rules.xml 1 May 2007 00:38:33 -0000 1.8
+++ ossec_rules.xml 19 Jul 2007 23:49:56 -0000 1.9
@@ -1,10 +1,19 @@
<!-- @(#) $Id$
- - Official ossec rules for the OSSEC HIDS
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official ossec rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<group name="ossec,">
<rule id="500" level="0">
<category>ossec</category>
@@ -53,6 +62,34 @@
<match>^NTFS Alternate data stream found</match>
<regex>Thumbs.db:encryptable'.|:Zone.Identifier'.</regex>
<description>Ignored common NTFS ADS entries.</description>
+ <group>rootcheck,</group>
+ </rule>
+
+ <rule id="512" level="3">
+ <if_sid>510</if_sid>
+ <match>^winaudit</match>
+ <description>Windows Audit event.</description>
+ <group>rootcheck,</group>
+ </rule>
+
+ <rule id="513" level="9">
+ <if_sid>510</if_sid>
+ <match>^winmalware</match>
+ <description>Windows malware detected.</description>
+ <group>rootcheck,</group>
+ </rule>
+
+ <rule id="514" level="2">
+ <if_sid>510</if_sid>
+ <match>^winapps</match>
+ <description>Windows application monitor event.</description>
+ <group>rootcheck,</group>
+ </rule>
+
+ <rule id="518" level="9">
+ <if_sid>514</if_sid>
+ <match>Adware|Spyware</match>
+ <description>Windows Adware/Spyware application found.</description>
<group>rootcheck,</group>
</rule>
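Review bot: Rules 512, 513 and 514 are keyed only on a bare message prefix (`^winaudit`, `^winmalware`, `^winapps`) and 518 escalates on the free-text words `Adware|Spyware`, with nothing in the file saying where those strings come from; presumably they are the prefixes the Windows rootcheck checks emit, so these alerts go silently dark if that output format ever changes. A comment before rule 512 along the lines of `<!-- Windows rootcheck: the audit, malware and application checks prefix their messages with winaudit, winmalware and winapps; keep in sync with the rootcheck databases. -->` would pin that dependency down. Note also that 518 only fires for winapps hits, so an adware/spyware string reported under winmalware is already covered by 513 at the same level 9. The rule whose `<match>`/`<regex>` lines open this hunk starts outside it.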
Index: pam_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/pam_rules.xml,v
diff -u -r1.5 -r1.6
--- pam_rules.xml 3 Jan 2007 02:35:48 -0000 1.5
+++ pam_rules.xml 19 Jul 2007 23:49:56 -0000 1.6
@@ -1,8 +1,17 @@
<!-- @(#) $Id$
- - Official pam rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Unix Pam rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
+
<group name="pam,syslog,">
<rule id="5500" level="0" noalert="1">
Index: pix_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/pix_rules.xml,v
diff -u -r1.16 -r1.17
--- pix_rules.xml 15 Apr 2007 01:10:51 -0000 1.16
+++ pix_rules.xml 19 Jul 2007 23:49:56 -0000 1.17
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- - Official pix rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official PIX rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- For more info:
- http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/syslog/logsev.htm
Index: policy_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/policy_rules.xml,v
diff -u -r1.4 -r1.5
--- policy_rules.xml 3 Jan 2007 02:35:48 -0000 1.4
+++ policy_rules.xml 19 Jul 2007 23:49:56 -0000 1.5
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- Official Policy rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="policy_violation,">
<rule id="17101" level="9">
Index: postfix_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/postfix_rules.xml,v
diff -u -r1.14 -r1.15
--- postfix_rules.xml 22 Jun 2007 22:06:52 -0000 1.14
+++ postfix_rules.xml 19 Jul 2007 23:49:56 -0000 1.15
@@ -114,7 +114,7 @@
<rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
<if_matched_sid>3305</if_matched_sid>
<same_source_ip />
- <description>Multiple attepmts to send e-mail to </description>
+ <description>Multiple attempts to send e-mail to </description>
<description>invalid recipient or from unknown sender domain.</description>
<group>multiple_spam,</group>
</rule>
Index: proftpd_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/proftpd_rules.xml,v
diff -u -r1.14 -r1.15
--- proftpd_rules.xml 9 Feb 2007 02:51:43 -0000 1.14
+++ proftpd_rules.xml 19 Jul 2007 23:49:56 -0000 1.15
@@ -1,9 +1,18 @@
<!-- @(#) $Id$
- - Official proftpd rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Proftpd rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
+
<group name="syslog,proftpd,">
<rule id="11200" level="0" noalert="1">
Index: rules_config.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/rules_config.xml,v
diff -u -r1.11 -r1.12
--- rules_config.xml 9 Apr 2007 22:54:42 -0000 1.11
+++ rules_config.xml 19 Jul 2007 23:49:56 -0000 1.12
@@ -1,12 +1,19 @@
<!-- @(#) $Id$
- - Configuration options.
- - This file must always be included, otherwise most
- - of the rules will not work properly.
+ - Rules config.
+ - Configuration options. This file must always be included, otherwise
+ - most of the rules will not work properly.
-
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="syslog">
<rule id="01" level="0" noalert="1">
Index: smbd_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/smbd_rules.xml,v
diff -u -r1.7 -r1.8
--- smbd_rules.xml 3 Jan 2007 02:35:48 -0000 1.7
+++ smbd_rules.xml 19 Jul 2007 23:49:56 -0000 1.8
@@ -1,10 +1,19 @@
<!-- @(#) $Id$
- - SMB rules for OSSEC HIDS.
- - Author: Daniel B. Cid
- - Logs from: Kayvan A. Sylvan <kayvan at sylvan.com>
- - License: http://www.ossec.net/en/licensing.html
+ - Official SMB rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -
+ - Test logs sent by: Kayvan A. Sylvan <kayvan at sylvan.com>
-->
-
+
<!-- Still BETA -->
<group name="syslog,smbd,">
Index: squid_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/squid_rules.xml,v
diff -u -r1.34 -r1.35
--- squid_rules.xml 23 Jan 2007 20:44:16 -0000 1.34
+++ squid_rules.xml 19 Jul 2007 23:49:56 -0000 1.35
@@ -1,11 +1,19 @@
<!-- @(#) $Id$
- - Official rules for squid
+ - Official Squid rules for OSSEC.
-
- - Author: Ahmet Ozturk
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -
+ - Contributed by: Ahmet Ozturk
-->
-
+
<!-- More information about squid codes below:
- http://www.uniar.ukrnet.net/tools/Squid-FAQ/FAQ-6.html
Index: sshd_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/sshd_rules.xml,v
diff -u -r1.12 -r1.13
--- sshd_rules.xml 24 Mar 2007 01:20:09 -0000 1.12
+++ sshd_rules.xml 19 Jul 2007 23:49:56 -0000 1.13
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- Official SSHD rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- SSHD messages -->
<group name="syslog,sshd,">
Index: symantec-av_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/symantec-av_rules.xml,v
diff -u -r1.3 -r1.4
--- symantec-av_rules.xml 15 Feb 2007 02:41:00 -0000 1.3
+++ symantec-av_rules.xml 19 Jul 2007 23:49:56 -0000 1.4
@@ -1,9 +1,17 @@
<!-- @(#) $Id$
- - Official Symantec rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Symantec AV rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- For more info:
- http://www.ossec.net/wiki/index.php/Symantec_Antivirus
Index: syslog_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/syslog_rules.xml,v
diff -u -r1.68 -r1.69
--- syslog_rules.xml 9 Apr 2007 22:54:42 -0000 1.68
+++ syslog_rules.xml 19 Jul 2007 23:49:56 -0000 1.69
@@ -1,11 +1,18 @@
<!-- @(#) $Id$
- Official Generic Syslog rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
-
+
<!-- Default variables for the SYSLOG rules. -->
<!-- Bad words matching. Any log containing these messages
Index: vpn_concentrator_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/vpn_concentrator_rules.xml,v
diff -u -r1.1 -r1.2
--- vpn_concentrator_rules.xml 25 Jan 2007 03:25:46 -0000 1.1
+++ vpn_concentrator_rules.xml 19 Jul 2007 23:49:56 -0000 1.2
@@ -1,9 +1,18 @@
<!-- @(#) $Id$
+ -
- Official Cisco VPN Concentrator rules for OSSEC.
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- For more info:
- http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
Index: web_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/web_rules.xml,v
diff -u -r1.21 -r1.22
--- web_rules.xml 23 Jan 2007 03:30:14 -0000 1.21
+++ web_rules.xml 19 Jul 2007 23:49:56 -0000 1.22
@@ -1,10 +1,18 @@
<!-- @(#) $Id$
- - Official rules for web-logs.
-
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
+ - Official Web access rules for OSSEC.
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
-->
-
+
<group name="web,accesslog,">
<rule id="31100" level="0">
@@ -34,7 +42,7 @@
<rule id="31103" level="6">
<if_sid>31100</if_sid>
<url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url>
- <url>union+|where+|null,null</url>
+ <url>union+|where+|null,null|xp_cmdshell</url>
<description>SQL injection attempt.</description>
<group>attack,sql_injection,</group>
</rule>
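Review bot: The added `xp_cmdshell` token only catches the literal spelling, while the rest of this `<url>` list deliberately carries encoded variants of each keyword (`select%20` beside `select+`), which shows the raw, still-encoded request URL is what gets matched; `xp%5fcmdshell` (underscore percent-encoded) therefore slips past. Extending the new line to `<url>union+|where+|null,null|xp_cmdshell|xp%5fcmdshell</url>` closes that gap at no cost. Keep in mind that any of these payloads sent in a POST body never reaches the access log at all, so this rule is only a tripwire for GET-style probing.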
Index: zeus_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/zeus_rules.xml,v
diff -u -r1.3 -r1.4
--- zeus_rules.xml 24 Apr 2007 00:39:58 -0000 1.3
+++ zeus_rules.xml 19 Jul 2007 23:49:56 -0000 1.4
@@ -1,10 +1,20 @@
<!-- @(#) $Id$
+ -
- Official Zeus rules for OSSEC.
- - Author: Daniel B. Cid
+ -
+ - Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -
- Contributed by: Chris Buckley <chris at cjbuckley.net>
- - License: http://www.ossec.net/en/licensing.html
-->
-
+
<!-- For more info:
- http://www.ossec.net/wiki/index.php/Zeus