From OSSEC Wiki
Is there a place where I can get additional rules?
OSSEC ships with hundreds of rules by default, but there are also contributed rules that are not officially included and may be useful to some installations. A few of them are collected below.
Rule to catch Nikto scanning
- by Peter M. Abraham
RE: http://www.cirt.net/code/nikto.shtml

In /var/ossec/rules/local-rules.xml:

<group name="apache-custom,">
  <rule id="100300" level="12">
    <if_sid>31100</if_sid>
    <match>(Nikto/</match>
    <description>Nikto vulnerability scan</description>
  </rule>
</group>

FYI, sample Apache access log entries:

aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "HEAD / HTTP/1.1" 500 0 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET /Nikto-1.36-PyLw1Xqw6y.htm HTTP/" 400 299 "-" "-"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET /Nikto-1.36-PyLw1Xqw6y.htm HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] "GET / HTTP/1.1" 500 548 "-" "Mozilla/4.75 (Nikto/1.36 )"
Rule to alert on service changes on Windows
- by Michael Starks

<rule id="100080" level="3">
  <if_sid>18145</if_sid>
  <id>^7040</id>
  <options>alert_by_email</options>
  <description>Service startup type changed</description>
  <info>This does not appear to be logged on Windows 2000</info>
</rule>
<rule id="100081" level="0">
  <if_sid>100080</if_sid>
  <match>Background Intelligent Transfer</match>
  <description>Ignore services that change their startup type naturally</description>
</rule>
<rule id="100082" level="0">
  <if_sid>100080</if_sid>
  <hostname>$IIS_SERVERS</hostname>
  <user>SYSTEM</user>
  <match>IIS Admin Service</match>
  <description>Ignore services that change their startup type naturally</description>
</rule>
Misc Windows rules
- by Michael Starks

<rule id="100270" level="12">
  <if_sid>18107</if_sid>
  <user>^Administrator$</user>
  <description>Logon to built-in Administrator account</description>
</rule>

<rule id="100300" level="5">
  <if_sid>18139</if_sid>
  <id>^675</id>
  <options>no_email_alert</options>
  <regex>User Name: \w+\$</regex>
  <description>Computer accounts failed logins with reduced severity.</description>
</rule>

<rule id="100390" level="8">
  <if_sid>18114,18128</if_sid>
  <options>no_email_alert</options>
  <regex>Security Disabled \w+ Group</regex>
  <description>Change made to a security disabled group</description>
</rule>
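The Nikto rule, the Windows service rules and the misc Windows rules above all rely on OSSEC's two pattern dialects (the simple `<match>` syntax, where only ^, $ and | are special, and the `<regex>` syntax with classes such as \w) and on `<if_sid>` chaining to a parent rule. The following Python script is an added example, not code from the wiki or from OSSEC itself: it parses a rule file built from the snippets on this page, translates both pattern dialects into Python regular expressions (the character-class mapping is an approximation and an assumption, not OSSEC's own matcher), replays constructed sample events through the rules in file order, and reports duplicate rule ids. That last check matters here: the Nikto rule and the computer-account rule on this page both use id 100300, so pasting both into the same local rules file would make OSSEC refuse the file until one of them is renumbered. The event dictionaries, the "sids" field standing in for the built-in parent rules, and the log texts are all constructed for the example.

```python
"""Added example (not from the wiki page): an offline checker for OSSEC-style
local rules.  Parses rule XML, translates <match>/<regex> syntax into Python
regexes, replays sample events and flags duplicate rule ids."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# OSSEC regex character classes, approximated (assumption: OSSEC's \w also
# accepts '@', '_' and '-'; '\.' is OSSEC's "anything", a bare '.' is literal).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]", "D": r"[^0-9]", "s": r" ", "S": r"[^ ]", "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]", ".": r".",
}

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \w, \d, ... become classes; any other escaped char (e.g. \$) is a literal
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(c if c in "^$*+|" else re.escape(c))
            i += 1
    return "".join(out)

def ossec_match_to_python(pattern):
    """Translate an OSSEC <match> (simple) pattern: only ^, $ and | are special."""
    return "".join(c if c in "^$|" else re.escape(c) for c in pattern)

# Rule element -> (event field it tests, pattern dialect it uses).
RULE_TESTS = {"match": ("log", ossec_match_to_python), "regex": ("log", ossec_regex_to_python),
              "id": ("event_id", ossec_match_to_python), "user": ("user", ossec_match_to_python)}

def load_rules(xml_text):
    """Parse OSSEC rule XML (any mix of <group>/<rule> elements under one root)."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        if_sid = node.findtext("if_sid") or ""
        rules.append({
            "id": node.get("id"), "level": int(node.get("level")),
            "if_sid": {s.strip() for s in if_sid.split(",") if s.strip()},
            "description": node.findtext("description", ""),
            "tests": [(field, re.compile(conv(node.findtext(tag))))
                      for tag, (field, conv) in RULE_TESTS.items()
                      if node.findtext(tag) is not None],
        })
    return rules

def duplicate_ids(rules):
    """Rule ids used more than once; OSSEC refuses to load a file containing these."""
    return sorted(i for i, n in Counter(r["id"] for r in rules).items() if n > 1)

def matching_rules(rules, event):
    """Ids of rules that fire for the event, honouring if_sid chains in file order.
    event['sids'] lists the built-in (parent) rule ids assumed to have matched."""
    fired, hits = set(event.get("sids", ())), []
    for r in rules:
        if r["if_sid"] and not (r["if_sid"] & fired):
            continue
        if all(rx.search(event.get(field, "")) for field, rx in r["tests"]):
            hits.append(r["id"])
            fired.add(r["id"])
    return hits

# Constructed rule set assembled from the page's snippets (note the two 100300 ids).
SAMPLE_RULES = r"""<rules>
<group name="apache-custom,">
  <rule id="100300" level="12"><if_sid>31100</if_sid><match>(Nikto/</match>
    <description>Nikto vulnerability scan</description></rule>
</group>
<rule id="100080" level="3"><if_sid>18145</if_sid><id>^7040</id>
  <description>Service startup type changed</description></rule>
<rule id="100081" level="0"><if_sid>100080</if_sid><match>Background Intelligent Transfer</match>
  <description>Ignore services that change their startup type naturally</description></rule>
<rule id="100300" level="5"><if_sid>18139</if_sid><id>^675</id><regex>User Name: \w+\$</regex>
  <description>Computer accounts failed logins with reduced severity.</description></rule>
<rule id="100390" level="8"><if_sid>18114,18128</if_sid><regex>Security Disabled \w+ Group</regex>
  <description>Change made to a security disabled group</description></rule>
</rules>"""

# Constructed sample events: log text plus the fields OSSEC's decoders would fill in.
NIKTO_HIT = {"sids": ["31100"], "log": 'aaa.bbb.ccc.ddd - - [06/Sep/2007:08:16:11 -0400] '
             '"HEAD / HTTP/1.1" 500 0 "-" "Mozilla/4.75 (Nikto/1.36 )"'}
BITS_CHANGE = {"sids": ["18145"], "event_id": "7040",
               "log": "The start type of the Background Intelligent Transfer Service service was changed"}
COMPUTER_ACCT = {"sids": ["18139"], "event_id": "675", "log": "Pre-authentication failed: User Name: WKS01$"}
GROUP_CHANGE = {"sids": ["18128"], "log": "Security Disabled Global Group Created"}

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("duplicate ids:", duplicate_ids(rules))
    for name, ev in [("nikto", NIKTO_HIT), ("bits", BITS_CHANGE),
                     ("computer account", COMPUTER_ACCT), ("group", GROUP_CHANGE)]:
        print(f"{name}: {matching_rules(rules, ev)}")
```

Run it as-is to see the duplicate id report and which rule ids fire for each constructed event; to test your own rules, replace SAMPLE_RULES with the contents of your local rules file wrapped in a single root element and add events whose "sids" list the built-in rules you expect to decode them. The translation deliberately stops at the constructs used on this page; rules that use `<hostname>` variables such as $IIS_SERVERS or OSSEC features beyond ^, $, |, *, + and the backslash classes need the mapping extended before the script's verdict can be trusted.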