From OSSEC Wiki
OSSEC Rule ID Groupings and Best Practices
Official OSSEC rules should fall within one of the ID assignments listed below.
Local rules should go from 100000 to 120000.
Every rule also carries a revision attribute (if it has been modified):
- the default revision is 0 (when the rule is first added).
| Rule ID Range | General Category |
|---|---|
| 00000 - 00999 | Internally reserved for OSSEC |
| 01000 - 01999 | General syslog |
| 02100 - 02299 | NFS |
| 02300 - 02499 | Xinetd |
| 02500 - 02699 | Access control |
| 02700 - 02729 | Mail/procmail |
| 02800 - 02829 | Smartd |
| 02830 - 02859 | Crond |
| 02860 - 02899 | Mount/Automount |
| 02900 - 02929 | Dpkg logs |
| 03100 - 03299 | Sendmail |
| 03300 - 03499 | Postfix |
| 03500 - 03599 | Spamd |
| 03600 - 03699 | Imapd |
| 03700 - 03799 | MailScanner |
| 03800 - 03899 | MS Exchange (IIS SMTP) |
| 03900 - 03999 | Courier (imapd/pop3d/pop3-ssl) |
| 04100 - 04299 | Generic Firewall |
| 04300 - 04499 | Cisco PIX/FWSM/ASA Firewall |
| 04500 - 04699 | Netscreen Firewall |
| 04700 - 04799 | Cisco IOS |
| 04800 - 04899 | SonicWall Firewall |
| 05100 - 05299 | Kernels (Linux, Unix, etc) |
| 05300 - 05399 | Su |
| 05400 - 05499 | sudo |
| 05500 - 05599 | PAM unix |
| 05600 - 05699 | Telnetd |
| 05700 - 05899 | sshd |
| 05900 - 05999 | Adduser or user deletion |
| 06100 - 06199 | Solaris BSM Auditing |
| 06200 - 06299 | Asterisk |
| 07100 - 07199 | Tripwire |
| 07200 - 07299 | Arpwatch |
| 07300 - 07399 | Symantec Anti Virus |
| 07400 - 07499 | Symantec Web Security |
| 09100 - 09199 | PPTP |
| 09200 - 09299 | Squid syslog |
| 09300 - 09399 | Horde IMP |
| 09900 - 09999 | vpopmail |
| 10100 - 10199 | FTS |
| 11100 - 11199 | FTPd |
| 11200 - 11299 | ProFTPD |
| 11300 - 11399 | Pure-FTPD |
| 11400 - 11499 | vs-FTPD |
| 11500 - 11599 | MS-FTP |
| 12100 - 12299 | Named (bind DNS) |
| 13100 - 13299 | Samba (smbd) |
| 14100 - 14199 | Racoon SSL |
| 14200 - 14299 | Cisco VPN Concentrator |
| 17100 - 17399 | Policy |
| 18100 - 18499 | Windows system |
| 20100 - 20299 | IDS |
| 20300 - 20499 | IDS (Snort specific) |
| 30100 - 30999 | Apache error log |
| 31100 - 31199 | Web access log |
| 31200 - 31299 | Zeus web server |
| 35000 - 35999 | Squid |
| 40100 - 40499 | Attack patterns |
| 40500 - 40599 | Privilege escalation |
| 40600 - 40999 | Scan patterns |
| 50100 - 50299 | MySQL |
| 50500 - 50799 | PostgreSQL |
| 100000 - 109999 | User defined rules |
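As an added worked example (not code from the OSSEC wiki or the OSSEC project), the following Python script applies the groupings above to a `local_rules.xml` fragment: it flags local rules whose id lands in an official range (a silent collision with shipped rules), ids that sit in no known range, and duplicate ids. It treats the 100000 to 120000 span this page assigns to local rules as valid, and it honours OSSEC's `overwrite="yes"` attribute, which is the sanctioned way to replace an official rule under its original id; the sample rules are constructed, and wrapping the fragment in a synthetic root element is an assumption about how the file is laid out.

```python
"""Check that rule ids in an OSSEC local_rules.xml respect the rule id groupings."""
import xml.etree.ElementTree as ET

# Official id ranges, transcribed from the table on this page: (start, end, category).
ID_RANGES = [
    (0, 999, "Internally reserved for OSSEC"), (1000, 1999, "General syslog"),
    (2100, 2299, "NFS"), (2300, 2499, "Xinetd"),
    (2500, 2699, "Access control"), (2700, 2729, "Mail/procmail"),
    (2800, 2829, "Smartd"), (2830, 2859, "Crond"),
    (2860, 2899, "Mount/Automount"), (2900, 2929, "Dpkg logs"),
    (3100, 3299, "Sendmail"), (3300, 3499, "Postfix"),
    (3500, 3599, "Spamd"), (3600, 3699, "Imapd"),
    (3700, 3799, "MailScanner"), (3800, 3899, "MS Exchange (IIS SMTP)"),
    (3900, 3999, "Courier (imapd/pop3d/pop3-ssl)"), (4100, 4299, "Generic Firewall"),
    (4300, 4499, "Cisco PIX/FWSM/ASA Firewall"), (4500, 4699, "Netscreen Firewall"),
    (4700, 4799, "Cisco IOS"), (4800, 4899, "SonicWall Firewall"),
    (5100, 5299, "Kernels (Linux, Unix, etc)"), (5300, 5399, "Su"),
    (5400, 5499, "sudo"), (5500, 5599, "PAM unix"),
    (5600, 5699, "Telnetd"), (5700, 5899, "sshd"),
    (5900, 5999, "Adduser or user deletion"), (6100, 6199, "Solaris BSM Auditing"),
    (6200, 6299, "Asterisk"), (7100, 7199, "Tripwire"),
    (7200, 7299, "Arpwatch"), (7300, 7399, "Symantec Anti Virus"),
    (7400, 7499, "Symantec Web Security"), (9100, 9199, "PPTP"),
    (9200, 9299, "Squid syslog"), (9300, 9399, "Horde IMP"),
    (9900, 9999, "vpopmail"), (10100, 10199, "FTS"),
    (11100, 11199, "FTPd"), (11200, 11299, "ProFTPD"),
    (11300, 11399, "Pure-FTPD"), (11400, 11499, "vs-FTPD"),
    (11500, 11599, "MS-FTP"), (12100, 12299, "Named (bind DNS)"),
    (13100, 13299, "Samba (smbd)"), (14100, 14199, "Racoon SSL"),
    (14200, 14299, "Cisco VPN Concentrator"), (17100, 17399, "Policy"),
    (18100, 18499, "Windows system"), (20100, 20299, "IDS"),
    (20300, 20499, "IDS (Snort specific)"), (30100, 30999, "Apache error log"),
    (31100, 31199, "Web access log"), (31200, 31299, "Zeus web server"),
    (35000, 35999, "Squid"), (40100, 40499, "Attack patterns"),
    (40500, 40599, "Privilege escalation"), (40600, 40999, "Scan patterns"),
    (50100, 50299, "MySQL"), (50500, 50799, "PostgreSQL"),
    (100000, 109999, "User defined rules"),
]

# Span the page's best-practice note assigns to local rules.
LOCAL_MIN, LOCAL_MAX = 100000, 120000


def category_for(rule_id):
    """Return the category name whose range contains rule_id, or None if no range does."""
    for lo, hi, name in ID_RANGES:
        if lo <= rule_id <= hi:
            return name
    return None


def check_rules(xml_text):
    """Return a list of (rule_id, problem) tuples in file order; [] means every id is acceptable."""
    problems, seen = [], set()
    # Assumption: local_rules.xml is a fragment of several <group> elements with no single
    # root, so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid in seen:
            problems.append((rid, "duplicate id"))
        seen.add(rid)
        if LOCAL_MIN <= rid <= LOCAL_MAX:
            continue                      # in the local span: nothing more to check
        cat = category_for(rid)
        if rule.get("overwrite", "no").lower() == "yes":
            # overwrite="yes" is OSSEC's explicit way to replace an official rule by id.
            if cat is None:
                problems.append((rid, "overwrite of an id that is in no official range"))
            continue
        if cat is None:
            problems.append((rid, "id outside local range and in no official range"))
        else:
            problems.append((rid, "id collides with official range: " + cat))
    return problems


# Constructed local_rules.xml fragment (not from the page); ids chosen to exercise each check.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100001" level="5"><match>local pattern</match><description>Fine: local range</description></rule>
  <rule id="5700" level="0" overwrite="yes"><match>^sshd</match><description>Fine: explicit overwrite</description></rule>
  <rule id="5720" level="10"><match>sshd</match><description>Bad: collides with official sshd range</description></rule>
  <rule id="100001" level="7"><match>again</match><description>Bad: duplicate id</description></rule>
  <rule id="150000" level="3"><match>x</match><description>Bad: outside local range</description></rule>
</group>
"""

if __name__ == "__main__":
    for rid, problem in check_rules(SAMPLE_LOCAL_RULES):
        print(f"rule {rid}: {problem}")
```

Run against a real file with `check_rules(open("local_rules.xml").read())`; an empty result means the ids stay clear of the shipped ranges and each rule that reuses an official id says so with `overwrite="yes"`, so a future OSSEC update cannot silently shadow a local rule.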