
[ossec-dev] Re: new rule ids




Thanks for catching it :)

Daniel

On 8/10/06, Ahmet Öztürk <oahmet@xxxxxxxxx> wrote:
Hi list,

 I didn't fully check the new rule ids Daniel has set on CVS.
 However, I attach a small patch to correct the rule ids in
syslog_rules.xml.
 (I'll check all files this weekend.)

 Regards,

 Ahmet Ozturk.



 Index: ossec-hids/etc/rules/syslog_rules.xml
===================================================================
 RCS file:
/usr/cvsroot/ossec-hids/etc/rules/syslog_rules.xml,v
 retrieving revision 1.51
 diff -u -r1.51 syslog_rules.xml
 --- ossec-hids/etc/rules/syslog_rules.xml       9 Aug 2006
02:49:53 -0000       1.51
 +++ ossec-hids/etc/rules/syslog_rules.xml       10 Aug
2006 19:23:39 -0000
 @@ -274,12 +274,12 @@

    <rule id="5302" level="9">
      <user>root</user>
 -    <if_sid>1101</if_sid>
 +    <if_sid>5301</if_sid>
      <description>User missed the password to change UID to
root</description>
    </rule>

    <rule id="5303" level="3">
 -    <if_sid>1100</if_sid>
 +    <if_sid>5300</if_sid>
      <regex>session opened for user root|</regex>
      <regex>^su[\d+]: + \S+ \S+-root$</regex>
      <description>User sucessfully changed UID to root</description>
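
Review bot: the new `<if_sid>` values in rules 5302 and 5303 point at 5301 and 5300, but neither parent rule appears in this hunk, so please confirm both ids are defined in the renumbered syslog_rules.xml before this goes in. A child rule whose `<if_sid>` names an id that does not exist cannot chain to its parent, which for these two rules means failed and successful su-to-root events would go unreported. Since the old 1100/1101 references survived the renumbering here, it is worth searching every rules file for any remaining `<if_sid>` that still uses a pre-renumbering id rather than fixing them file by file. Minor, in the context lines of rule 5303: the description reads "sucessfully"; that spelling could be corrected in the same patch.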






OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.