From OSSEC Wiki

Jump to: navigation, search

OSSEC Rule ID Groupings and Best Practices

Ossec official rules should be under some of these assignments.

Local rules should go from 100000 to 120000.

Every rule will also have a revision attribute (if modified).

  • default revision is 0 (when first added).
Rule ID Range General Category
00000 - 00999 Internally reserved for ossec
01000 - 01999 General syslog
02100 - 02299 NFS
02300 - 02499 Xinetd
02500 - 02699 Access control
02700 - 02729 Mail/procmail
02800 - 02829 Smartd
02830 - 02859 Crond
02860 - 02899 Mount/Automount
02900 - 02929 Dpkg logs
02930 - 02959 Yum logs
   
03100 - 03299 Sendmail
03300 - 03499 Postfix
03500 - 03599 Spamd
03600 - 03699 Imapd
03700 - 03799 MailScanner
03800 - 03899 Ms Exchange (IIS SMTP)
03900 - 03999 Courier (imapd/pop3d/pop3-ssl)
09900 - 09999 vpopmail
09800 - 09899 vm-pop3d
09700 - 09799 Dovecot
   
04100 - 04299 Generic Firewall
04300 - 04499 Cisco PIX/FWSM/ASA Firewall
04500 - 04699 Netscreen Firewall
04700 - 04799 Cisco IOS
04800 - 04899 SonicWall Firewall
   
05100 - 05299 Kernels (Linux, Unix, etc)
05300 - 05399 Su
05400 - 05499 sudo
05500 - 05599 Pam unix
05600 - 05699 Telnetd
05700 - 05899 sshd
05900 - 05999 Adduser or user deletion.
06100 - 06199 Solaris BSM Auditing
06200 - 06299 Asterisk
06300 - 06399 MS DHCP logs
   
07100 - 07199 Tripwire
07200 - 07299 Arpwatch
07300 - 07399 Symantec Anti Virus
07400 - 07499 Symantec Web Security
07500 - 07599 McAfee VirusScan Enterprise
07600 - 07699 Trend Micro OSCE (Office Scan)
07700 - 07799 Microsoft Security Essentials
   
09100 - 09199 PPTP
09200 - 09299 Squid syslog
09300 - 09399 Horde IMP
09400 - 09499 Roundcube
09500 - 09599 Wordpress WPsyslog2
09600 - 09699 cimserver
   
10100 - 10199 FTS
   
11100 - 11199 FTPd
11200 - 11299 ProFTPD
11300 - 11399 Pure-FTPD
11400 - 11499 vs-FTPD
11500 - 11599 MS-FTP
   
12100 - 12299 Named (bind DNS)
   
13100 - 13299 Samba (smbd)
   
14100 - 14199 Racoon SSL
14200 - 14299 Cisco VPN Concentrator
   
17100 - 17399 Policy
   
18100 - 18499 Windows system
   
19100 - 19499 Vmware ESX
   
20100 - 20299 IDS
20300 - 20499 IDS (Snort specific)
   
30100 - 30999 Apache error log.
31100 - 31199 Web access log
31200 - 31299 Zeus web server
31300 - 31399 Nginx error log.
   
35000 - 35999 Squid
   
40100 - 40499 Attack patterns.
40500 - 40599 Privilege scalation.
40600 - 40999 Scan patterns.
   
50100 - 50299 MySQL.
50500 - 50799 PostgreSQL
   
60000 - 60299 Atomic Secured Linux.
   
100000 - 109999 User defined rules


Return to the Know How Article listing.

Retrieved from "http://ossec.net/wiki/Know_How:RuleIDGrouping"
Views
Personal tools