[ossec-dev] ossec-hids: msauth_rules.xml (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 06/08/30 17:03:02
Modified files:
msauth_rules.xml
Log message:
Description: More windows rules.
Reviewed by: dcid
Bug:
Index: msauth_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/msauth_rules.xml,v
diff -u -r1.5 -r1.6
--- msauth_rules.xml 24 Aug 2006 18:48:06 -0000 1.5
+++ msauth_rules.xml 30 Aug 2006 20:03:02 -0000 1.6
@@ -43,14 +43,15 @@
<rule id="18106" level="5">
<if_sid>18105</if_sid>
- <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^680|^681</id>
+ <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|</id>
+ <id>^673|^675|^680|^681</id>
<group>authentication_failed</group>
<description>Windows Logon Failure.</description>
</rule>
<rule id="18107" level="3">
<if_sid>18104</if_sid>
- <id>^528|^538|^540|^680</id>
+ <id>^528|^538|^540|^672|^673|^680</id>
<group>authentication_success</group>
<description>Windows Logon Success.</description>
</rule>
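Review bot: The first `<id>` of rule 18106 now ends with a dangling `|` (`...^537|^539|`) and is followed by a second `<id>` element, which is only correct if the rule loader joins repeated `<id>` values into one pattern. That behaviour is not visible in this hunk; if the two elements were evaluated separately, the empty alternative could match every event id under 18105 and label it a logon failure. A comment above the pair would stop a later editor from "tidying" it, for example `<!-- the two <id> lines are joined by the loader; keep the trailing | -->`. It would also help to say why 673 and 680 are listed in both 18106 and 18107, presumably because parents 18105 and 18104 already separate failure audits from success audits.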
@@ -91,8 +92,38 @@
<rule id="18113" level="8">
<if_sid>18104</if_sid>
- <id>^612</id>
+ <id>^612|^643</id>
<description>Windows Audit Policy changed.</description>
+ </rule>
+
+ <rule id="18114" level="8">
+ <if_sid>18104</if_sid>
+ <id>^631|^632|^633|^634|^635|^636|^637|^638|^639|^641</id>
+ <description>Group account changed.</description>
+ </rule>
+
+ <rule id="18115" level="8">
+ <if_sid>18104</if_sid>
+ <id>^640</id>
+ <description>General account database changed.</description>
+ </rule>
+
+ <rule id="18116" level="9">
+ <if_sid>18104</if_sid>
+ <id>^644</id>
+ <description>User account locked out (multiple login errors).</description>
+ </rule>
+
+ <rule id="18117" level="7">
+ <if_sid>18104</if_sid>
+ <id>^513</id>
+ <description>Windows is shutting down.</description>
+ </rule>
+
+ <rule id="18118" level="9">
+ <if_sid>18104</if_sid>
+ <id>^517</id>
+ <description>Windows audit log was cleared.</description>
</rule>
<rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
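Review bot: The new `<id>` patterns are anchored only at the start, so `^513`, `^517` or `^644` would also match any longer event id that begins with those digits, and rules 18116 and 18118 alert at level 9. If the id matcher accepts an end anchor, writing `<id>^517$</id>` (and likewise for the other rules) ties the audit-log-cleared and lockout alerts to exactly those events. Rules 18114–18118 also carry no `<group>`, unlike 18106 and 18107 in the first hunk, so they cannot be selected by group from correlation or response rules; a group such as `<group>account_changed</group>` (name constructed here for illustration) would fix that. Rule 18151 on the last line of the hunk continues outside it.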