├── README.md
├── decoders.d
├── 00-crs-iptables_decoder.xml
├── 00-crs-pam_decoder.xml
├── 00-crs-windows-date-format_decoder.xml
├── 50-crs-aix-ipsec_decoder.xml
├── 50-crs-apache_decoder.xml
├── 50-crs-apparmor_decoder.xml
├── 50-crs-arpwatch_decoder.xml
├── 50-crs-asterisk_decoder.xml
├── 50-crs-auditd_decoder.xml
├── 50-crs-barracuda_decoder.xml
├── 50-crs-checkpoint_decoder.xml
├── 50-crs-chkpwd_decoder.xml
├── 50-crs-cimserver_decoder.xml
├── 50-crs-cisco-ios_decoder.xml
├── 50-crs-cisco-vpnconcentrator_decoder.xml
├── 50-crs-clamd_decoder.xml
├── 50-crs-courier_decoder.xml
├── 50-crs-dhcp_decoder.xml
├── 50-crs-dnsmasq_decoder.xml
├── 50-crs-doas_decoder.xml
├── 50-crs-dovecot_decoder.xml
├── 50-crs-dragon_decoder.xml
├── 50-crs-dropbear_decoder.xml
├── 50-crs-exim_decoder.xml
├── 50-crs-ftpd_decoder.xml
├── 50-crs-grandstream_decoder.xml
├── 50-crs-horde_decoder.xml
├── 50-crs-imapd_decoder.xml
├── 50-crs-ipfilter_decoder.xml
├── 50-crs-isakmpd_decoder.xml
├── 50-crs-lighttpd_decoder.xml
├── 50-crs-mailscanner_decoder.xml
├── 50-crs-mptscsi_decoder.xml
├── 50-crs-ms-dhcp_decoder.xml
├── 50-crs-mysql_decoder.xml
├── 50-crs-named_decoder.xml
├── 50-crs-netscreen_decoder.xml
├── 50-crs-nginx_decoder.xml
├── 50-crs-nsd_decoder.xml
├── 50-crs-ntpd_decoder.xml
├── 50-crs-openbsd-pf_decoder.xml
├── 50-crs-openbsd_decoder.xml
├── 50-crs-openldap_decoder.xml
├── 50-crs-opensmtpd_decoder.xml
├── 50-crs-ossec_decoder.xml
├── 50-crs-owncloud_decoder.xml
├── 50-crs-pix_decoder.xml
├── 50-crs-portsentry_decoder.xml
├── 50-crs-postfix_decoder.xml
├── 50-crs-postgresql_decoder.xml
├── 50-crs-proftpd_decoder.xml
├── 50-crs-proxmox_decoder.xml
├── 50-crs-psad_decoder.xml
├── 50-crs-pure-ftpd_decoder.xml
├── 50-crs-raccoon_decoder.xml
├── 50-crs-roundcube_decoder.xml
├── 50-crs-rshd_decoder.xml
├── 50-crs-sendmail_decoder.xml
├── 50-crs-smbd_decoder.xml
├── 50-crs-snort_decoder.xml
├── 50-crs-solaris-bsm_decoder.xml
├── 50-crs-sonicwall_decoder.xml
├── 50-crs-squid_decoder.xml
├── 50-crs-sshd_decoder.xml
├── 50-crs-su_decoder.xml
├── 50-crs-sudo_decoder.xml
├── 50-crs-suhosin_decoder.xml
├── 50-crs-symantec-av_decoder.xml
├── 50-crs-symantec-websecurity_decoder.xml
├── 50-crs-sysmon_decoder.xml
├── 50-crs-telnetd_decoder.xml
├── 50-crs-trend-osce_decoder.xml
├── 50-crs-unbound_decoder.xml
├── 50-crs-vm-pop3d_decoder.xml
├── 50-crs-vmware-esx_decoder.xml
├── 50-crs-vpopmail_decoder.xml
├── 50-crs-vsftpd_decoder.xml
├── 50-crs-web-accesslog_decoder.xml
├── 50-crs-windows-ntsyslog_decoder.xml
├── 50-crs-windows-snare_decoder.xml
├── 50-crs-windows_decoder.xml
├── 50-crs-wordpress_decoder.xml
├── 50-crs-zeus_decoder.xml
├── 60-crs-cowrie_decoder.xml
├── 60-crs-dionaea_decoder.xml
├── 60-crs-iis-ftp_decoder.xml
├── 60-crs-iis-smtp_decoder.xml
├── 60-crs-iis-web_decoder.xml
├── 60-crs-kaspersky_decoder.xml
├── 60-crs-windows-firewall_decoder.xml
└── README.md
├── ossec-testing
├── runtests.py
└── tests
│ ├── .pam.ini.swp
│ ├── apache.ini
│ ├── apparmor.ini
│ ├── asterisk.ini
│ ├── cimserver.ini
│ ├── cisco_ios.ini
│ ├── cpanel.ini
│ ├── dnsmasq.ini
│ ├── doas.ini
│ ├── dovecot.ini
│ ├── dpkg.ini
│ ├── dropbear.ini
│ ├── exim.ini
│ ├── firewalld.ini
│ ├── mailscanner.ini
│ ├── modsecurity.ini
│ ├── named.ini
│ ├── netscreen.ini
│ ├── nginx.ini
│ ├── openbsd-dhcpd.ini
│ ├── openbsd-httpd.ini
│ ├── openbsd.ini
│ ├── opensmtpd.ini
│ ├── pam.ini
│ ├── postfix.ini
│ ├── proftpd.ini
│ ├── rsh.ini
│ ├── samba.ini
│ ├── sshd.ini
│ ├── su.ini
│ ├── sudo.ini
│ ├── syslog.ini
│ ├── sysmon.ini
│ ├── systemd.ini
│ ├── unbound.ini
│ ├── vsftpd.ini
│ ├── web_appsec.ini
│ └── web_rules.ini
├── rules.d
├── 00-crs-rules_config.xml
├── 00-crs-syslog_rules.xml
├── 50-crs-apache_rules.xml
├── 50-crs-apparmor_rules.xml
├── 50-crs-arpwatch_rules.xml
├── 50-crs-asterisk_rules.xml
├── 50-crs-cimserver_rules.xml
├── 50-crs-cisco-ios_rules.xml
├── 50-crs-clam_av_rules.xml
├── 50-crs-courier_rules.xml
├── 50-crs-dnsmasq_rules.xml
├── 50-crs-dovecot_rules.xml
├── 50-crs-dropbear_rules.xml
├── 50-crs-exim_rules.xml
├── 50-crs-firewall_rules.xml
├── 50-crs-firewalld_rules.xml
├── 50-crs-ftpd_rules.xml
├── 50-crs-hordeimp_rules.xml
├── 50-crs-ids_rules.xml
├── 50-crs-imapd_rules.xml
├── 50-crs-kesl_rules.xml
├── 50-crs-lighttpd_rules.xml
├── 50-crs-linux_usbdetect_rules.xml
├── 50-crs-mailscanner_rules.xml
├── 50-crs-mhn_cowrie_rules.xml
├── 50-crs-mhn_dionaea_rules.xml
├── 50-crs-ms-exchange_rules.xml
├── 50-crs-ms_dhcp_rules.xml
├── 50-crs-ms_ftpd_rules.xml
├── 50-crs-msauth_rules.xml
├── 50-crs-mysql_rules.xml
├── 50-crs-named_rules.xml
├── 50-crs-netscreenfw_rules.xml
├── 50-crs-nginx_rules.xml
├── 50-crs-openbsd_rules.xml
├── 50-crs-opensmtpd_rules.xml
├── 50-crs-ossec_rules.xml
├── 50-crs-pam_rules.xml
├── 50-crs-php_rules.xml
├── 50-crs-pix_rules.xml
├── 50-crs-postfix_rules.xml
├── 50-crs-postgresql_rules.xml
├── 50-crs-proftpd_rules.xml
├── 50-crs-pure-ftpd_rules.xml
├── 50-crs-racoon_rules.xml
├── 50-crs-roundcube_rules.xml
├── 50-crs-sendmail_rules.xml
├── 50-crs-smbd_rules.xml
├── 50-crs-solaris_bsm_rules.xml
├── 50-crs-sonicwall_rules.xml
├── 50-crs-spamd_rules.xml
├── 50-crs-squid_rules.xml
├── 50-crs-sshd_rules.xml
├── 50-crs-symantec-av_rules.xml
├── 50-crs-symantec-ws_rules.xml
├── 50-crs-sysmon_rules.xml
├── 50-crs-systemd_rules.xml
├── 50-crs-telnetd_rules.xml
├── 50-crs-trend-osce_rules.xml
├── 50-crs-unbound_rules.xml
├── 50-crs-vmpop3d_rules.xml
├── 50-crs-vmware_rules.xml
├── 50-crs-vpn_concentrator_rules.xml
├── 50-crs-vpopmail_rules.xml
├── 50-crs-vsftpd_rules.xml
├── 50-crs-web_rules.xml
├── 50-crs-wordpress_rules.xml
├── 50-crs-zeus_rules.xml
├── 55-crs-msft-firewall_rules.xml
├── 55-crs-topleveldomain_rules.xml
├── 60-crs-attack_rules.xml
├── 60-crs-mcafee_av_rules.xml
├── 60-crs-ms-se_rules.xml
├── 60-crs-ms1016_usbdetect_rules.xml
├── 60-crs-msft-ipsec_rules.xml
├── 60-crs-msft-powershell_rules.xml
├── 60-crs-web_appsec_rules.xml
├── 70-crs-last_rootlogin_rules.xml
├── 70-crs-nsd_rules.xml
├── 70-crs-openbsd-dhcp_rules.xml
├── 70-crs-owncloud_rules.xml
├── 70-crs-proxmox-ve_rules.xml
├── 70-crs-psad_rules.xml
└── 99-crs-policy_rules.xml
└── shared
├── acsc_office2016_rcl.txt
├── cis_apache2224_rcl.txt
├── cis_debian_linux_rcl.txt
├── cis_debianlinux7-8_L1_rcl.txt
├── cis_debianlinux7-8_L2_rcl.txt
├── cis_mysql5-6_community_rcl.txt
├── cis_mysql5-6_enterprise_rcl.txt
├── cis_rhel5_linux_rcl.txt
├── cis_rhel6_linux_rcl.txt
├── cis_rhel7_linux_rcl.txt
├── cis_rhel_linux_rcl.txt
├── cis_sles11_linux_rcl.txt
├── cis_sles12_linux_rcl.txt
├── cis_solaris11_rcl.txt
├── cis_win10_enterprise_L1_rcl.txt
├── cis_win10_enterprise_L2_rcl.txt
├── cis_win2012r2_domainL1_rcl.txt
├── cis_win2012r2_domainL2_rcl.txt
├── cis_win2012r2_memberL1_rcl.txt
├── cis_win2012r2_memberL2_rcl.txt
├── cis_win2016_domainL1_rcl.txt
├── cis_win2016_domainL2_rcl.txt
├── cis_win2016_memberL1_rcl.txt
├── cis_win2016_memberL2_rcl.txt
├── rootkit_files.txt
├── rootkit_trojans.txt
├── system_audit_pw.txt
├── system_audit_rcl.txt
├── system_audit_ssh.txt
├── win_applications_rcl.txt
├── win_audit_rcl.txt
└── win_malware_rcl.txt
/README.md:
--------------------------------------------------------------------------------
1 | This repository will contain the rules and decoders for OSSEC.
2 | Rules will be contained in `rules.d` and the decoders in `etc/decoders.d`.
3 | A copy of the combined decoder file may also be kept in `etc/`.
4 |
--------------------------------------------------------------------------------
/decoders.d/00-crs-windows-date-format_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
9 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-aix-ipsec_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | firewall
9 | ^ipsec_logd
10 | R:(\w) \w:\S+ S:(\S+)
11 | D:(\S+) P:(\S+) SP:(\d+) DP:(\d+)
12 | action,srcip,dstip,protocol,srcport,dstport
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-apparmor_decoder.xml:
--------------------------------------------------------------------------------
1 |
12 |
13 |
14 | iptables
15 | apparmor=
16 | apparmor="(\S+)" operation="(\S+)"
17 | status, extra_data
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-arpwatch_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | ^arpwatch
12 |
13 |
14 |
15 | arpwatch
16 | ^new station |^bogon
17 | ^(\S+) (\S+)
18 | srcip, extra_data
19 | name, srcip, extra_data
20 |
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-asterisk_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^asterisk
10 |
11 |
12 |
13 | asterisk
14 | ^WARNING\[\d+?\]: \S+ in \S+: Don't know
15 | ^\S+ how to respond via '([A-Za-z0-9@_-]+/\d\.\d/[A-Za-z0-9@_-]+)'
16 | user
17 |
18 |
19 |
20 | asterisk
21 | ^NOTICE\[\d+?\]: \S+ in \S+: Registration from
22 | ^'.+' failed for '(\S+):(\d+?)'|^'.+' failed for '(\S+)'
23 | srcip,srcport
24 |
25 |
26 |
27 | asterisk
28 | Registration from
29 | failed for '(\S+):(\d+?)'|failed for '(\S+)'
30 | srcip,srcport
31 |
32 |
33 |
34 | asterisk
35 | ^NOTICE\[\d+?\]\[[A-Za-z0-9@_-]+?\]: \S+ in \S+: Call from
36 | ^'\S*' \((\S+):(\d+?)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'\.$
37 | srcip, srcport, extra_data, extra_data
38 |
39 |
40 |
41 | asterisk
42 | ^NOTICE\[\d+\]: \S+ in \S+: Host
43 | ^(\S+) failed MD5 authentication for (\S+)
44 | srcip, user
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-chkpwd_decoder.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 | ^unix_chkpwd
6 |
7 |
8 |
9 |
10 | unix_chkpwd
11 | user \(([A-Za-z0-9@_-]+)\)$
12 | srcuser
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-cimserver_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ^cimserver$
9 |
10 |
11 |
12 | cimserver
13 | ^[A-Za-z0-9@_-]+: Authentication failed for user
14 | ^(\S+)\.$
15 | user
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-cisco-ios_decoder.xml:
--------------------------------------------------------------------------------
1 |
16 |
17 | ^%\w+-\d-\w+:
18 |
19 |
20 |
21 |
22 | ^%\w+-\d-\w+:
23 |
24 |
25 |
26 |
27 |
28 |
35 |
36 | cisco-ios
37 | firewall
38 | ^%SEC-6-IPACCESSLOGP:
39 | ^list \S+ (\w+) (\w+)
40 | (\S+)\((\d+)\) -> (\S+)\((\d+)\),
41 | action, protocol, srcip, srcport, dstip, dstport
42 |
43 |
44 |
45 |
51 |
52 |
53 |
54 |
55 | cisco-ios
56 | ids
57 | ^%IPS-4-SIGNATURE:
58 | ^Sig:(\d+) .+\[(\S+):(\d+) ->
59 | (\S+):(\d+)\]
60 | id, srcip, srcport, dstip, dstport
61 | name, id, srcip, dstip
62 | First time Cisco IOS IDS/IPS module rule fired.
63 |
64 |
65 |
66 |
69 |
70 | cisco-ios
71 | ^(%\w+-\d-\w+):
72 | id
73 |
74 |
75 |
76 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-cisco-vpnconcentrator_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^\d+? \d{2}/\d{2}/\d{4} \S+ SEV=\d
10 | ^(\S+) RPT=\d+? (\S+)
11 | id, srcip
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-clamd_decoder.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 | ^clamd
6 |
7 |
8 |
9 | ^freshclam
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-courier_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 | ^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap
11 |
12 |
13 |
14 | courier
15 | ^LOGIN,
16 | ^user=(\S+), ip=\[(\S+)\]$
17 | user, srcip
18 |
19 |
20 |
21 | courier
22 | , ip=\[(\S+)\]$
23 | srcip
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-dhcp_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 | ^dhcpd$
3 |
4 |
5 |
6 | dhcpd
7 | ^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$
8 | action, srcip, extra_data, extra_data
9 |
10 |
11 |
12 | dhcpd
13 | acking
14 | already acking lease (\S+)
15 | srcip
16 |
17 |
18 |
19 | dhcpd
20 | ^IP address
21 | ^IP address (\S+)
22 | srcip
23 |
24 |
25 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-dnsmasq_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ^dnsmasq
6 |
7 |
8 |
9 | dnsmasq
10 | ^\[\d+\]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)|
11 | ^\[\d+\]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)|
12 | ^\[\d+\]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+)
13 | srcip, action, url, extra_data
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-doas_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | ^doas
4 |
5 |
6 |
7 | doas
8 | ^(\S+) ran| for (\S+):
9 | srcuser
10 |
11 |
12 |
13 | doas
14 | as (\S+):
15 | dstuser
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-dragon_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ids
9 | ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\|
10 | ^\S+\|(\S+)\|
11 | (\S+)\|(\S+)\|
12 | id, srcip, dstip
13 | name, id, srcip, dstip
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-dropbear_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | ^dropbear
4 |
5 |
6 |
9 |
10 |
11 | dropbear
12 | password
13 | for '(\S+)' from (\S+):\d+$
14 | dstuser, srcip
15 |
16 |
17 |
20 |
21 |
22 | dropbear
23 | nonexistent
24 | from (\S+):\d+$
25 | srcip
26 |
27 |
28 |
31 |
32 |
33 | dropbear
34 | (\S+) for '(\S+)' with key \S+ (\S+) from (\S+):\d+$
35 | status,dstuser,extra_data,srcip
36 |
37 |
38 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-exim_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 | windows-date-format
12 | authenticator failed
13 | \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=([A-Za-z0-9@_-]+?)\)
14 | srcip,user
15 |
16 |
17 |
18 | windows-date-format
19 | ^SMTP connection from
20 | \[(\S+)\]:\d+ \(TCP/IP connection count
21 | srcip
22 |
23 |
24 |
25 | windows-date-format
26 | ^SMTP connection from
27 | \[(\S+)\]:\d+ lost
28 | srcip
29 |
30 |
31 |
32 | windows-date-format
33 | ^SMTP call from
34 | \[(\S+)\]:\d+ dropped: too many syntax or protocol errors
35 | srcip
36 |
37 |
38 |
39 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-ftpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^ftpd|^in\.ftpd
10 |
11 |
12 |
13 | ftpd
14 | ^Failed authentication from: \S+ |
15 | ^repeated login failures from
16 |
17 | ^\S+ \[(\S+)\]$|^(\S+)
18 | srcip
19 |
20 |
21 |
22 | ftpd
23 | ^FTP LOGIN REFUSED
24 | \[(\S+)\]$
25 | srcip
26 |
27 |
28 |
29 | ftpd
30 | from (\S+)$
31 | srcip
32 |
33 |
34 |
35 | ftpd
36 | ^login \S+ from \S+ failed\.
37 | ^login (\S+) from (\S+) failed\.$
38 | user, srcip
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-grandstream_decoder.xml:
--------------------------------------------------------------------------------
1 |
3 |
4 |
5 |
6 |
7 | ^HT286: \[\w\w:\w\w:\w\w:\w\w:\w\w:\w\w\][()*+,.:;\<=>?\[\]!"'#%&$|{}-]*?.+[()*+,.:;\<=>?\[\]!"'#%&$|{}-]* |
8 | ^HT502: \[\w\w:\w\w:\w\w:\w\w:\w\w:\w\w\][()*+,.:;\<=>?\[\]!"'#%&$|{}-]*?.+[()*+,.:;\<=>?\[\]!"'#%&$|{}-]* |
9 | ^HT503: \[\w\w:\w\w:\w\w:\w\w:\w\w:\w\w\][()*+,.:;\<=>?\[\]!"'#%&$|{}-]*?.+[()*+,.:;\<=>?\[\]!"'#%&$|{}-]*
10 |
11 |
12 |
13 | grandstream-ata
14 | Received
15 | ^(\d+) response for transaction (\d+?)\(([A-Za-z0-9@_-]+)\)$
16 | status, id, action
17 |
18 |
19 |
20 | grandstream-ata
21 | Account
22 | ^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (.+)$
23 | id, status, extra_data
24 | name, location, extra_data
25 |
26 |
27 |
28 | grandstream-ata
29 | Vinetic::
30 | ^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$
31 | action, id
32 |
33 |
34 |
35 | grandstream-ata
36 | ^(Dialing) (\d+)$
37 | action, id
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-horde_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ^\[[A-Za-z0-9@_-]+\] \[imp\] |^\[[A-Za-z0-9@_-]+\] \[horde\]
9 |
10 |
11 |
12 | horde_imp
13 | ^Login success
14 | ^for (\S+) \[(\S+)\]
15 | user, srcip
16 |
17 |
18 |
19 | horde_imp
20 | ^FAILED LOGIN
21 | ^ (\S+) to \S+ as (\S+)
22 | srcip, user
23 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-imapd_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | ^imapd
12 | user=(\S+) .+ \[(\S+)\]$
13 | user,srcip
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-ipfilter_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | firewall
10 | ^ipmon
11 | (\w) (\S+),(\d+?) -> (\S+),(\d+?) PR (\w+)
12 | action,srcip,srcport,dstip,dstport,protocol
13 |
14 |
15 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-isakmpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | ^isakmpd
5 |
6 |
7 |
8 | isakmpd
9 | message from
10 | from (\S+) port (\d+)
11 | srcip,srcport
12 |
13 |
14 |
15 | isakmpd
16 | from peer
17 | from peer (\S+):(\d+?)$
18 | srcip,srcport
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-lighttpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 | ^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d: \(
10 |
11 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-mailscanner_decoder.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 | ^MailScanner
16 |
17 |
18 |
19 | mailscanner
20 | ^Message \S+ from
21 | ^(\S+) \S+ to \S+ is (\w+)
22 | srcip, action
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-mptscsi_decoder.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 | iptables
17 | ^\[ \d+\.\d+\] mptscsih:
18 | ^\[ \d+\.\d+\] (\w+): (\w+): task abort: (\w+)
19 | id,data,status
20 |
21 |
22 |
23 | iptables
24 | ^\[ \d+\.\d+\] mptbase:
25 | ^\[ \d+\.\d+\] (\w+): (\w+):[ ]+[A-Za-z0-9@_-]+ is now (\w+), (\D+)$
26 | id,data,action,status
27 |
28 |
29 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-ms-dhcp_decoder.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 |
11 |
12 |
13 | ^\d{2},\d+?/\d+?/\d{4},\d+?:\d+?:\d+?,|
14 | ^\d{2},\d+?/\d+?/\d{2},\d+?:\d+?:\d+?,
15 | ^(\d{2}),\d+?/\d+?/\d{2,},\d+?:\d+?:\d+?,([A-Za-z0-9@_-]+?),(\S+)
16 | id,extra_data,srcip
17 |
18 |
19 |
23 |
24 | ^\d{5},\d{2}/\d{2}/\d{2},\d{2}:\d{2}:\d{2},
25 | ^(\d{5}),
26 | id
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-mysql_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^MySQL log:
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-named_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 | ^named
11 |
12 |
13 |
14 | named
15 | : query
16 | client (\S+)#\d+[ ]*?\S*:
17 | srcip,url
18 |
19 |
20 |
21 | named
22 | query: (\S+) IN|query \S+ '(\S+)/
23 | url
24 |
25 |
26 |
27 | named
28 | ^client
29 | ^(\S+)#
30 | srcip
31 |
32 |
33 |
34 | named
35 | from \[(\S+)\]
36 | srcip
37 |
38 |
39 |
40 | named
41 | for master
42 | for master (\S+):(\d+) \S+ \(source (\S+)#d\+\)$
43 | dstip,dstport,srcip
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-netscreen_decoder.xml:
--------------------------------------------------------------------------------
1 |
11 |
12 |
13 | ^NetScreen device_id
14 |
15 |
16 |
17 | netscreenfw
18 | firewall
19 |
20 | system-notification-00257
21 | \(traffic\):
22 |
23 | proto=(\w+) .+action=(\w+)
24 | .+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)
25 | protocol, action, srcip, dstip, srcport, dstport
26 |
27 |
28 |
29 | netscreenfw
30 | system-critical-.+ from |
31 | system-alert-.+ from |
32 | system-emergency-.+ From
33 |
34 | system-(\w+?)-(\d+): .+
35 | from.+(\S+)
36 | action, id, srcip
37 |
38 |
39 |
40 |
41 | netscreenfw
42 | system-(\w+?)-(\d+):
43 | action, id
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-nginx_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ^20\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[
9 |
10 |
11 |
12 | nginx-errorlog
13 | , client: \S+, server: \S+, request: "\S+
14 | , client: (\S+),
15 | srcip
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-nsd_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 |
12 | ^nsd
13 |
14 |
15 |
16 | nsd
17 | from (\S+)@| from (\S+)
18 | srcip
19 |
20 |
21 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-ntpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 | ^ntpd
16 |
17 |
18 |
19 | ntpd
20 | ^bad peer
21 | ^bad peer \S+ \((\S+)\)$|^bad peer from pool \S+ \((\S+)\)$
22 | srcip
23 |
24 |
25 |
26 | ntpd
27 | ^recvmsg (\S+):
28 | dstip
29 |
30 |
31 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-openbsd-pf_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | firewall
12 | ^pf$
13 | PF_Decoder
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-openbsd_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | ^/bsd
4 |
5 |
6 |
7 | bsd_kernel
8 | ^arp
9 | for (\S+) by (\S+) on \S+
10 | dstip, extra_data
11 |
12 |
13 |
16 |
17 |
18 | userdel
19 | user removed: name=(\S+)$
20 | srcuser
21 |
22 |
23 |
24 |
25 |
28 |
29 |
30 | ^mountd
31 |
32 |
33 |
34 | mountd
35 | from host
36 | (\S+) port \d+?$
37 | srcip
38 |
39 |
40 |
41 |
45 |
58 |
59 |
62 |
63 | groupdel
64 | ^group deleted: name=(\S+)$
65 | extra_data
66 |
67 |
68 |
69 |
70 |
71 | \[\d+/[A-Za-z0-9@_-]+/\d+:\d+:\d+:\d+ -\d+\] "
72 | ^(\S+) (\S+) \S+ \S+ \[\d+/[A-Za-z0-9@_-]+/\d+:\d+:\d+:\d+ -\d+\] "(\S+) (\S+) HTTP/\d\.\d" (\d+?) \d$
73 | url, srcip, protocol, url, status
74 | web-log
75 |
76 |
77 |
78 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-openldap_decoder.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 | ^slapd
17 |
18 |
19 |
20 |
21 | openldap
22 | ACCEPT
23 | ^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):
24 | id, srcip
25 |
26 |
27 |
28 |
29 | openldap
30 | BIND
31 | ^conn=(\d+) op=\d+ BIND dn="[A-Za-z0-9@_-]+=([A-Za-z0-9@_-]+),
32 | id, dstuser
33 |
34 |
35 |
36 |
37 |
38 | openldap
39 | RESULT
40 | ^conn=(\d+) op=\d+ RESULT
41 | id
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-opensmtpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | ^smtpd
5 |
6 |
7 |
8 | smtpd
9 | ^client
10 | ^client (\S+)
11 | srcip
12 |
13 |
14 |
15 | smtpd
16 | relay=
17 | relay=\S+ \[(\S+)\],
18 | srcip
19 |
20 |
21 |
22 | smtpd
23 | ^smtp-in:
24 | ^(\S+)
25 | status
26 |
27 |
28 |
29 | smtpd
30 | => (\d+)
31 | action
32 |
33 |
34 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-ossec_decoder.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 | ^ossec:
6 | ossec
7 |
8 |
9 |
10 | ossec
11 | ^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ossec-logcollector
12 | ^\(\d+?\): (.)
13 | extra_data
14 |
15 |
16 |
17 | ossec
18 | ossec
19 | ^Agent started:
20 | ^ '(\S+\S)'
21 | extra_data
22 | name, location, extra_data
23 |
24 |
25 |
26 | ossec
27 | ^ossec: Alert Level:
28 | OSSECAlert_Decoder
29 |
30 |
31 |
32 | ^ossec$
33 | OSSECAlert_Decoder
34 |
35 |
36 |
37 |
45 |
46 |
47 | ^[A-Za-z0-9@_-]{3} [A-Za-z0-9@_-]+?[ ]+?\d+? \d{2}:\d{2}:\d{2} [A-Za-z0-9@_-]+? \d+? /\S+/active-response
48 | /bin/(\S+) (\S+) - (\S+) (\d+?\.\d+?) (\d+)
49 | action, status, srcip, id, extra_data
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-portsentry_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | ^portsentry
4 |
5 |
6 |
7 | portsentry
8 | attackalert: Connect from host:
9 | (\S+)/\S+ to (\S+) port: (\d+?)$
10 | srcip,protocol,dstport
11 |
12 |
13 |
14 | portsentry
15 | is already blocked\. Ignoring$
16 | Host: (\S+) is
17 | srcip
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-postfix_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 | ^postfix
12 |
13 |
14 |
15 | true
16 | postfix
17 | ^NOQUEUE: reject: \w{4} from
18 | \[(\S+)\]:\d+?: (\d+?) |\[(\S+)\]:(\d+?): |\[(\S+)\]: (\d+?) |\[(\S+)\]:(\d+?):
19 | srcip,id
20 |
21 |
22 |
23 | postfix
24 | ^warning: \S+: SASL
25 | ^warning: \S+\[(\S+)\]:
26 | srcip
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-postgresql_decoder.xml:
--------------------------------------------------------------------------------
1 |
6 |
7 | ^\[\d{4}-\d{2}-\d{2} \S+ [A-Za-z0-9@_-]+?\]
8 | ^\S+ ([A-Za-z0-9@_-]+?):
9 | status
10 |
11 |
12 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-proftpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
11 |
12 | ^proftpd
13 |
14 |
15 |
16 | proftpd
17 | : Login successful
18 | ^\S+ \(\S+\[(\S+)\]\)[ ]*?\S [A-Za-z0-9@_-]+? (\S+):
19 | Login successful
20 | srcip, user
21 | name, user, srcip, location
22 |
23 |
24 |
25 | proftpd
26 | ^\S+ \(\S+\[(\S+)\]\)
27 | srcip
28 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-psad_decoder.xml:
--------------------------------------------------------------------------------
1 |
13 |
14 |
15 | psad
16 |
17 |
18 |
19 | psad
20 | ^scan detected
21 | (\S+) -> (\S+) .+ DL: (\d)
22 | srcip,dstip,status
23 |
24 |
25 |
26 | psad
27 | ^message repeated
28 | (\S+) -> (\S+) .+ DL: (\d)
29 | srcip,dstip,status
30 |
31 |
32 |
33 | psad
34 | signature match:
35 | src: (\S+) signature match: .+ port: (\d+)
36 | srcip,dstport
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-pure-ftpd_decoder.xml:
--------------------------------------------------------------------------------
1 |
11 |
12 | ^pure-ftpd
13 |
14 |
15 |
16 | pure-ftpd
17 | ^\S+ \[INFO\] \S+ is now logged in
18 | ^\(\?@(\S+)\) \[INFO\] (\S+) is now logged in
19 | srcip, user
20 | name, user, srcip, location
21 |
22 |
23 |
24 | pure-ftpd
25 | ^\((\S+)@(\S+)\) \[
26 | user,srcip
27 |
28 |
29 |
34 |
35 |
36 | ^\S+ - \S+ \[\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2} \S\d{4}\] "[A-Za-z0-9@_-]+? \S+"
37 | ^(\S+) - (\S+) \[\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] "(\S+) (.+) (\d+) \d+$
38 | extra_data,dstuser,action,url,status
39 |
40 |
41 |
42 |
43 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-raccoon_decoder.xml:
--------------------------------------------------------------------------------
1 |
6 |
7 | ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:
8 |
9 |
10 |
11 | racoon
12 | true
13 | ^ERROR: couldn't find the pskey
14 | ^for (\S+)
15 | srcip
16 |
17 |
18 |
19 | racoon
20 | ^([A-Za-z0-9@_-]+?):
21 | action
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-roundcube_decoder.xml:
--------------------------------------------------------------------------------
1 |
16 |
17 |
18 |
19 | ^roundcube
20 |
21 |
22 |
23 | ^\[\d{2}-[\w]{3}-\d{4} \d{2}:\d{2}:\d{2} \S+\]
24 |
25 |
26 |
27 | roundcube
28 | Successful login for
29 | ^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+)
30 | user, srcip
31 |
32 |
33 |
34 | roundcube
35 | \] \w+ Error: Authentication
36 | ^for (\S+) failed
37 | user
38 |
39 |
40 |
41 | roundcube
42 | > \w+ Error: Login failed |> Failed login
43 | ^for (\S+) from (\S+). |^for (\S+) from (\S+) in session
44 | user, srcip
45 |
46 |
47 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-rshd_decoder.xml:
--------------------------------------------------------------------------------
1 |
6 |
7 | ^rshd$
8 |
9 |
10 |
11 | rshd
12 | ^Connection from (\S+) on illegal port$
13 | srcip
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-smbd_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 |
12 | ^smbd
13 |
14 |
15 |
16 | smbd
17 | User name:
18 | ^ (\S+)\.
19 | user
20 |
21 |
22 |
23 | smbd
24 | from \((\S+)\)
25 | srcip
26 |
27 |
28 |
29 | smbd
30 | from (\S+)$
31 | from (\S+)$
32 | srcip
33 |
34 |
35 |
36 | smbd
37 | to client \S+\.
38 | to client (\S+)\.
39 | srcip
40 |
41 |
42 |
43 | ^nmbd
44 |
45 |
46 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-snort_decoder.xml:
--------------------------------------------------------------------------------
1 |
18 |
19 |
20 | ^snort
21 |
22 |
23 |
24 | ids
25 | ^\[\*\*\] \[\d+:\d+:\d+\]
26 |
27 |
28 |
29 | snort
30 | ids
31 | ^\[\*\*\] \[|^\[Drop\] \[\*\*\] \[|^\[
32 | (\d+:\d+:\d+)\] .+ (\S+?):?\d* -> ([^:]+)
33 | id,srcip,dstip
34 | name,id,srcip,dstip
35 |
36 |
37 |
38 |
39 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-solaris-bsm_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | ^audit$
12 |
13 |
14 |
15 | solaris_bsm
16 | [A-Za-z0-9@_-]+? session \d+? by
17 | ([A-Za-z0-9@_-]+) session \d+ by
18 | status
19 |
20 |
21 |
22 | solaris_bsm
23 | ^ \S+ as \S+:\S+ from (\S+)
24 | srcip
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-sonicwall_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 | firewall
11 | ^id=[A-Za-z0-9@_-]+? sn=[A-Za-z0-9@_-]+? time=\S+ \S+ fw=\S+ pri=\d
12 | SonicWall_Decoder
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-squid_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | squid
12 | ^\d+? \S+
13 | ^\d+? (\S+) ([A-Za-z0-9@_-]+?)/(\d+?) \d+? [A-Za-z0-9@_-]+? (\S+)
14 | srcip,action,id,url
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-su_decoder.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 | ^su$
17 |
18 |
19 |
20 | su
21 | ^'su
22 | ^'su (\S+)' \S+ for (\S+) on \S+$
23 | dstuser, srcuser
24 | name, srcuser, location
25 |
26 |
27 |
28 | su
29 | pam_ldap
30 | user "uid=(\S+),
31 | user
32 |
33 |
34 |
35 | ^SU \S+ \S+
36 | ^\S \S+ (\S+)-(\S+)$
37 | srcuser, dstuser
38 | name, srcuser, location
39 |
40 |
41 |
42 | su
43 | ^FAILED SU
44 | ^\(to (\S+) (\S+) on
45 | dstuser, srcuser
46 |
47 |
48 |
49 |
50 | su
51 |
52 | ^BAD SU (\S+) to (\S+) on|
53 | ^failed: \S+ changing from (\S+) to (\S+)|
54 | ^\S \S+ (\S+)[()*+,.:;\<=>?\[\]!"'#%&$|{}-](\S+)$|^(\S+) to (\S+) on
55 | srcuser, dstuser
56 | name, srcuser, location
57 |
58 |
59 |
60 |
61 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-sudo_decoder.xml:
--------------------------------------------------------------------------------
1 |
10 |
11 | ^sudo
12 | ^[ ]*?(\S+)[ ]:[ ]TTY=\S+[ ];[ ]PWD=(\S+)[ ];[ ]USER=(\S+)[ ];[ ]COMMAND=(.+)$|
13 | ^[ ]*?(\S+)[ ]:[ ]TTY=\S+[ ];[ ]PWD=(\S+)[ ];[ ]USER=(\S+)[ ];[ ]TSID=\S+[ ];[ ]COMMAND=(.+)$
14 | dstuser,url,srcuser,status
15 | name,dstuser,location
16 | First time user executed the sudo command
17 |
18 |
19 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-suhosin_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^suhosin
10 | ids
11 | ^ALERT - (.+) \(attacker '(\S+)',
12 | id, srcip
13 | name, location, id
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-symantec-av_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^[A-Za-z0-9@_-]{12},
10 | ^(\d+?),\d+?,\d+?,(\S+),(.+),
11 | id, system_name, extra_data
12 | name, location, id, system_name, extra_data
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-symantec-websecurity_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^\d{8},\d{3,},
10 | SymantecWS_Decoder
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-sysmon_decoder.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 |
16 | windows
17 | INFORMATION\(1\)
18 | Image: (.*?) [ ]*?CommandLine: .*? [ ]*?User: (.*?) [ ]*?LogonGuid: \S*? [ ]*?LogonId: \S*? [ ]*?TerminalSessionId: \S*? [ ]*?IntegrityLevel: .*?HashType: \S*? [ ]*?Hash: (\S*?) [ ]*?ParentProcessGuid: \S*? [ ]*?ParentProcessID: \S*? [ ]*?ParentImage: (.*?) [ ]*?ParentCommandLine:
19 | status,user,url,data
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-telnetd_decoder.xml:
--------------------------------------------------------------------------------
1 |
13 |
14 | ^telnetd|^in\.telnetd
15 |
16 |
17 |
18 | telnetd
19 | from (\S+)$
20 | srcip
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-trend-osce_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
9 |
10 | ^20\d{6}\<;>
11 | ^\d+?\<;>\S+\<;>(\d+?)\<;
12 | id
13 |
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-unbound_decoder.xml:
--------------------------------------------------------------------------------
1 |
13 |
14 |
15 |
16 | ^unbound
17 |
18 |
19 |
20 | unbound
21 | info: (\S+) (\S+)\. A IN$| info: (\S+) (\S+) AAAA IN$
22 | srcip,url
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-vm-pop3d_decoder.xml:
--------------------------------------------------------------------------------
1 |
4 |
5 | ^vm-pop3d
6 |
7 |
8 |
9 | vm-pop3d
10 | ^User '
11 | ^(\S+)' - [A-Za-z0-9@_-]+? auth,
12 | from=(\S+)$
13 | user, srcip
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-vmware-esx_decoder.xml:
--------------------------------------------------------------------------------
1 |
11 |
12 | ^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} '\S+' \d+?
13 |
14 |
15 |
16 | vmware
17 | ^([A-Za-z0-9@_-]+?)\] \S+ \S+
18 | status
19 |
20 |
21 |
22 | vmware
23 | ^: User ([A-Za-z0-9@_-]+?)@(\S+)
24 | logged |^: Failed login \w+ for ([A-Za-z0-9_-]+)@(\S+)
25 | user, srcip
26 |
27 |
28 |
29 | vmware
30 |
31 |
32 |
33 | vmware-syslog
34 | ^Accepted|^Rejected
35 | ^ \S+ for user (\S+) from (\S+)$
36 | user, srcip
37 |
38 |
39 |
40 | vmware-syslog
41 | ^login from
42 | ^(\S+) as
43 | srcip
44 |
45 |
46 |
47 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-vpopmail_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 | ^vpopmail
11 |
12 |
13 |
14 | vpopmail
15 | ^vchkpw-\S+: password fail
16 | (\S+)@\S+:(\S+)$
17 | user, srcip
18 |
19 |
20 |
21 | vpopmail
22 | ^vchkpw-\S+: vpopmail user not
23 | ^found (\S+):(\S+)$
24 | user, srcip
25 |
26 |
27 |
28 | vpopmail
29 | ^vchkpw-\S+: null password
30 | ^given (\S+):(\S+)$
31 | user, srcip
32 |
33 |
34 |
35 | vpopmail
36 | ^vchkpw-\S+: \(\S+\) login
37 | ^success (\S+):(\S+)$
38 | user, srcip
39 |
40 |
41 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-web-accesslog_decoder.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 | web-log
17 | ^\S+ \S+ \S+ \[\S+ \S\d+\] "\w+ \S+ HTTP\S+"
18 | ^(\S+) \S+ (\S+) \[\S+ \S\d+\]
19 | "(\w+) (\S+) HTTP\S+" (\d+)
20 | srcip, srcuser, action, url, id
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-windows-ntsyslog_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | windows
10 | ^security\[[A-Za-z0-9@_-]+?\] \d+?
11 | ^([A-Za-z0-9@_-]+?)\[([A-Za-z0-9@_-]+?)\] (\d+?)
12 | extra_data, status, id
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-windows-snare_decoder.xml:
--------------------------------------------------------------------------------
1 |
26 |
27 | windows
28 | ^MSWinEventLog\t\d\t.+\t\d+?\t[A-Za-z0-9@_-]{3}\S+ [A-Za-z0-9@_-]{3} \d{2} \d{2}
29 | ^:\d{2}:\d{2} \d{4}\t(\d+?)\t(.+)
30 | \t(.+)\t.+\t(.+)\t(.+)\t
31 | id, extra_data, user, status, system_name
32 | name, id, location, user, system_name
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-windows_decoder.xml:
--------------------------------------------------------------------------------
1 |
19 |
20 | windows
21 | ^WinEvtLog
22 |
23 |
24 |
25 | windows
26 | windows
27 | ^.+: ([A-Za-z0-9@_-]+?)\((\d+?)\): (.+):
28 | (.+): .+: (\S+):
29 | status, id, extra_data, user, system_name
30 | name, location, system_name
31 |
32 |
33 |
34 | windows
35 | windows
36 | Source Network Address: (\S+)
37 | srcip
38 |
39 |
40 |
41 |
42 | windows
43 | windows
44 | Account Name:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Account
45 | user
46 |
47 |
48 |
49 | windows
50 | windows
51 | Account Domain:[ ]+?([A-Za-z0-9@_-]+?)[ ]+?Logon ID:
52 | extra_data
53 |
54 |
55 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-wordpress_decoder.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 | ^WPsyslog|^wpcore
10 | ^\[
11 | ^(\S+)
12 | srcip
13 |
14 |
15 |
--------------------------------------------------------------------------------
/decoders.d/50-crs-zeus_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | ^\[\d{2}/[A-Za-z0-9@_-][A-Za-z0-9@_-][A-Za-z0-9@_-]/\d{4}:\d{2}:\d{2}:\d{2} \S+\]
9 | host=(\S+),
10 | srcip
11 |
12 |
13 |
--------------------------------------------------------------------------------
/decoders.d/60-crs-dionaea_decoder.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | dionaea\.connections
6 | ^\{"direction": "(\S+)", "protocol": "(\S+)", "ids_type": "\S+", "timestamp": "\d{4}-\d{2}-\d{2}\w\d{2}:\d{2}:\d{2}.\d+", "dionaea_action": "(\S+)", "type": "dionaea\.connections", "app": "dionaea", "src_ip": "(\S+)", "vendor_product": "Dionaea", "dest_port": (\d+), "signature": ".+", "src_port": (\d+?), "dest_ip": "(\S+)", "sensor": \S+, "transport": "\S+", "severity": "\S+"\}
7 | extra_data, protocol, action, srcip, dstport, srcport, dstip
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/decoders.d/60-crs-iis-ftp_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | windows-date-format
9 | true
10 | ^\S+ \S+ MSFTPSVC
11 | ^(\S+) (\S+) \S+ \S+ \S+
12 | \d+ \[\d+\](\S+) \S+ \S+ (\d+)
13 | srcip,user,action,id
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/decoders.d/60-crs-iis-smtp_decoder.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 | windows-date-format
9 | true
10 | ^\S+ \S+ SMTPSVC
11 | ^(\S+) \S+ \S+ \S+ \S+
12 | \d+ (\S+) \S+ \S+ (\d+)
13 | srcip, action, id
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/decoders.d/60-crs-iis-web_decoder.xml:
--------------------------------------------------------------------------------
1 |
6 |
7 | windows-date-format
8 | web-log
9 | true
10 | ^\S+ \S+ W3SVC
11 | ^(\S+) \S+ \S+ \S+ \S+
12 | \d+ \S+ (\S+ \S+) (\d+)
13 | srcip,url,id
14 |
15 |
16 |
17 |
25 |
26 | windows-date-format
27 | web-log
28 | true
29 | ^W3SVC\d+ \S+ \S+ \S+
30 | ^(\S+ \S+) \d+ \S+ (\S+)
31 | \S+ \S+ \S+ \S+ \S+ (\d+)
32 | url, srcip, id
33 |
34 |
35 |
46 |
47 |
48 |
49 | windows-date-format
50 | web-log
51 | true
52 | ^\S+ GET |^\S+ POST
53 | (\S+ \S*) .* (\S+) \S*.* (\d{3}) \S+ \S+ \S+
54 | url,srcip,id
55 |
56 |
57 |
58 |
59 |
--------------------------------------------------------------------------------
/decoders.d/60-crs-windows-firewall_decoder.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 | windows-date-format
11 | firewall
12 | true
13 | ^OPEN|^CLOSE|^DROP
14 | ^(\w+) (\w+)
15 | (\S+) (\S+) (\d+) (\d+)
16 | action, protocol, srcip, dstip, srcport, dstport
17 |
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/decoders.d/README.md:
--------------------------------------------------------------------------------
1 |
18 |
--------------------------------------------------------------------------------
/ossec-testing/tests/.pam.ini.swp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossec/ossec-rules/051fbdab87e078aa2349802b7470c85873b89e70/ossec-testing/tests/.pam.ini.swp
--------------------------------------------------------------------------------
/ossec-testing/tests/apparmor.ini:
--------------------------------------------------------------------------------
1 | [Ignore ALLOWED or STATUS]
2 | log 1 pass = Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
3 |
4 | rule = 52001
5 | alert = 0
6 | decoder = iptables
7 |
8 | [Apparmor ALLOWED or STATUS]
9 | log 1 pass = Jun 23 20:46:15 hostname kernel: [ 11.103248] audit: type=1400 audit(1403549175.177:2): apparmor="STATUS" operation="profile_load" name="/sbin/klogd" pid=2185 comm="apparmor_parser"
10 |
11 | rule = 52001
12 | alert = 0
13 | decoder = iptables
14 |
15 | [Apparmor DENIED]
16 | log 1 pass = Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
17 |
18 | rule = 52002
19 | alert = 3
20 | decoder = iptables
21 |
22 | [Apparmor DENIED mknod operation.]
23 | log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type=1400 audit(1314853822.672:33649): apparmor="DENIED" operation="mknod" parent=27250 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/share/wordpress/1114140474e5f13bea68a4.tmp" pid=27289 comm="apache2" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
24 |
25 | rule = 52004
26 | alert = 4
27 | decoder = iptables
28 |
29 | [Apparmor DENIED exec operation.]
30 | log 1 pass = Jun 16 17:37:39 hostname kernel: [891880.587989] audit: type =1400 audit(1315353795.331:33657): apparmor="DENIED" operation="exec" parent=14952 profile="/usr/lib/apache2/mpm-prefork/apache2//example.com" name="/usr/lib/sm.bin/sendmail" pid=14953 comm="sh" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
31 |
32 | rule = 52003
33 | alert = 5
34 | decoder = iptables
35 |
36 |
--------------------------------------------------------------------------------
/ossec-testing/tests/asterisk.ini:
--------------------------------------------------------------------------------
1 | [login failed]
2 | log 1 pass = Aug 29 07:21:05 hostname asterisk[3284]: NOTICE[3734]: chan_sip.c:28088 in handle_request_register: Registration from '"3810" ' failed for '37.8.26.31:5065' - Wrong password
3 | log 2 pass = Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]: chan_sip.c:11242 in handle_request_register: Registration from '"503"' failed for '192.168.1.137' - Wrong password
4 |
5 | rule = 6210
6 | alert = 5
7 | decoder = asterisk
8 |
9 | [invalid extension]
10 | log 1 pass = Aug 30 16:02:29 hostname asterisk[3284]: NOTICE[3734][C-00001c7a]: chan_sip.c:25650 in handle_request_invite: Call from '' (89.163.146.112:5071) to extension '70046313115067' rejected because extension not found in context 'default'.
11 |
12 | rule = 6258
13 | alert = 5
14 | decoder = asterisk
15 |
16 |
--------------------------------------------------------------------------------
/ossec-testing/tests/cimserver.ini:
--------------------------------------------------------------------------------
1 | [cimserver: authentication failed]
2 | log 1 pass = Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
3 | log 2 fail = Dec 18 18:06:29 hostname vimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
4 |
5 |
6 | rule = 9610
7 | alert = 5
8 | decoder = cimserver
9 |
10 |
--------------------------------------------------------------------------------
/ossec-testing/tests/cisco_ios.ini:
--------------------------------------------------------------------------------
1 | [cisco ios ids: sig]
2 | log 1 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
3 | log 2 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
4 | log 3 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
5 |
6 |
7 | rule = 20100
8 | alert = 8
9 | decoder = cisco-ios
10 |
11 |
12 | [cisco ios: acl ]
13 | log 1 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
14 | log 2 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
15 |
16 |
17 | rule = 4100
18 | alert = 0
19 | decoder = cisco-ios
20 |
21 |
22 |
--------------------------------------------------------------------------------
/ossec-testing/tests/cpanel.ini:
--------------------------------------------------------------------------------
1 | [successful login]
2 | log 1 fail = [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
3 | log 2 fail = [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
4 | log 3 fail = [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
5 |
6 | rule = 11007
7 | alert = 3
8 | decoder = postgresql_log
9 |
10 |
11 | [cpanel attacks]
12 | log 1 fail = [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
13 |
14 | rule = 11001
15 | alert = 5
16 | decoder = postgresql_log
17 |
18 | [cpanel attacks 2]
19 | log 1 fail = [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
20 |
21 | rule = 11000
22 | alert = 5
23 | decoder = cpanel-login
24 |
25 | [successful login 2]
26 | log 1 fail = [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
27 |
28 | rule = 11006
29 | alert = 3
30 | decoder = cpanel-login
31 |
32 | [session purge]
33 | log 1 fail = [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
34 |
35 | rule = 11009
36 | alert = 3
37 | decoder = postgresql_log
38 |
39 |
--------------------------------------------------------------------------------
/ossec-testing/tests/dnsmasq.ini:
--------------------------------------------------------------------------------
1 | [dnsmasq group]
2 | log 1 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 query[A] server.example.com from 10.10.10.33
3 | log 2 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 forwarded server.example.com to 10.20.20.10
4 | log 3 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 reply server.example.com is
5 |
6 | rule = 53551
7 | alert = 0
8 | decoder = dnsmasq
9 |
10 |
--------------------------------------------------------------------------------
/ossec-testing/tests/doas.ini:
--------------------------------------------------------------------------------
1 | [failed command]
2 | log 1 pass = Apr 13 08:49:20 ix doas: failed command for ddp2: ls
3 |
4 | rule = 51554
5 | alert = 5
6 | decoder = doas
7 |
8 | [command run as root]
9 | log 1 pass = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules
10 |
11 | rule = 51556
12 | alert = 2
13 | decoder = doas
14 |
15 | [failed auth]
16 | log 1 pass = Feb 29 14:58:39 ix doas: failed auth for ddp
17 |
18 | rule = 51557
19 | alert = 5
20 | decoder = doas
21 |
22 | [doas command run]
23 | log 1 pass = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls
24 |
25 | rule = 51555
26 | alert = 1
27 | decoder = doas
28 |
29 |
--------------------------------------------------------------------------------
/ossec-testing/tests/dovecot.ini:
--------------------------------------------------------------------------------
1 | [auth failed]
2 | log 1 pass = Dec 19 06:21:06 ny dovecot: imap-login: Disconnected (auth failed, 7 attempts in 111 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<+hgd5vxDBMZtycjJ>
3 | log 2 pass = Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
4 | log 3 pass = Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
5 |
6 | rule = 9705
7 | alert = 5
8 | decoder = dovecot
9 |
10 | [dovecot is starting]
11 | log 1 pass = Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
12 |
13 | rule = 9703
14 | alert = 3
15 | decoder = dovecot
16 |
17 | [fatal error]
18 | log 1 pass = Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
19 | log 2 pass = Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
20 |
21 | rule = 9704
22 | alert = 2
23 | decoder = dovecot
24 |
25 | [user authentication failure]
26 | log 1 pass = Jun 23 15:04:05 Info: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure:
27 |
28 | rule = 9770
29 | alert = 0
30 | decoder = dovecot-info
31 |
32 | [dovecot auth failed]
33 | log 1 pass = Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch
34 |
35 | rule = 9702
36 | alert = 5
37 | decoder = dovecot
38 |
39 | [XXX nothing]
40 | log 1 fail = Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
41 | log 3 fail = May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
42 |
43 | rule = 1002
44 | alert = 2
45 | decoder =
46 |
47 | [XXX unknown 1002]
48 | log 1 pass = Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
49 |
50 | rule = 9771
51 | alert = 5
52 | decoder = dovecot-info
53 |
54 | [session disconnected]
55 | log 1 pass = Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
56 |
57 | rule = 9706
58 | alert = 3
59 | decoder = dovecot
60 |
61 | [aborted login]
62 | log 1 pass = Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
63 |
64 | rule = 9707
65 | alert = 5
66 | decoder = dovecot
67 |
68 | [XXX logged out]
69 | log 1 fail = Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
70 |
71 | rule = 1002
72 | alert = 2
73 | decoder = dovecot-info
74 |
75 | [unknown user]
76 | log 1 pass = Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
77 |
78 | rule = 9771
79 | alert = 5
80 | decoder = dovecot-info
81 |
82 |
--------------------------------------------------------------------------------
/ossec-testing/tests/dpkg.ini:
--------------------------------------------------------------------------------
1 | [dpkg log]
2 | log 1 pass = 2018-05-31 12:09:56 upgrade vlc-plugin-visualization:amd64 3.0.2-1+b1 3.0.3-1
3 | log 2 pass = 2018-05-11 09:41:49 conffile /etc/redis/redis.conf keep
4 |
5 | rule = 2900
6 | alert = 0
7 | decoder = windows-date-format
8 |
9 |
--------------------------------------------------------------------------------
/ossec-testing/tests/dropbear.ini:
--------------------------------------------------------------------------------
1 | [already listening]
2 | log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use
3 |
4 | rule = 51011
5 | alert = 1
6 | decoder = dropbear
7 |
8 | [User successfully logged in using a public key]
9 | log 1 pass = Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with key md5 78:d6:41:ca:78:37:80:88:1d:15:0a:68:91:d1:4e:ad from 10.10.10.241:51737
10 |
11 | rule = 51010
12 | alert = 0
13 | decoder = dropbear
14 |
15 | [Bad password attempt.]
16 | log 1 pass = Jan 8 16:39:33 tp.lan dropbear[14824]: Bad password attempt for 'root' from 193.219.28.149:48629
17 |
18 | rule = 51003
19 | alert = 5
20 | decoder = dropbear
21 |
22 | [Bad password attempt for non existent user.]
23 | log 1 pass = Jan 8 19:54:12 tp.lan dropbear[15197]: Login attempt for nonexistent user from 182.72.89.122:4328
24 |
25 | rule = 51093
26 | alert = 5
27 | decoder = dropbear
28 |
29 |
30 |
31 |
32 |
--------------------------------------------------------------------------------
/ossec-testing/tests/exim.ini:
--------------------------------------------------------------------------------
1 | [auth failure]
2 | log 1 pass = 2017-01-23 03:44:14 dovecot_login authenticator failed for (hydra) [10.101.1.18]:35686: 535 Incorrect authentication data (set_id=user)
3 | log 2 pass = 2017-01-24 05:22:29 dovecot_plain authenticator failed for (test) [::1]:39454: 535 Incorrect authentication data (set_id=test)
4 |
5 | rule = 13006
6 | alert = 5
7 | decoder = windows-date-format
8 |
9 | [exim connection]
10 | log 1 pass = 2017-01-24 03:09:46 SMTP connection from [10.101.1.10]:55010 (TCP/IP connection count = 1)
11 |
12 | rule = 13008
13 | alert = 0
14 | decoder = windows-date-format
15 |
16 | [exim connection lost]
17 | log 1 pass = 2017-01-24 02:53:13 SMTP connection from (hydra) [10.101.1.10]:53682 lost
18 |
19 | rule = 13009
20 | alert = 1
21 | decoder = windows-date-format
22 |
23 | [exim syntax/protocol error]
24 | log 1 pass = 2017-01-24 05:36:23 SMTP call from (000000) [::1]:39480 dropped: too many syntax or protocol errors (last command was "123")
25 |
26 | rule = 13010
27 | alert = 5
28 | decoder = windows-date-format
29 |
30 |
--------------------------------------------------------------------------------
/ossec-testing/tests/firewalld.ini:
--------------------------------------------------------------------------------
1 | [Incorrect chain/target/match.]
2 | log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name.
3 |
4 | rule = 40902
5 | alert = 3
6 | decoder =
7 |
8 | [Incorrect chain/target/match (COMMAND_FAILED).]
9 | log 3 fail = Jul 18 10:51:43 localhost firewalld: 2014-07-18 10:51:43 ERROR: COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: iptables: No chain/target/match by that name.
10 |
11 | rule = 40902
12 | alert = 3
13 | decoder =
14 |
15 | [firewalld: zone already set]
16 | log 3 fail = Jul 18 11:04:51 localhost firewalld: 2014-07-18 11:04:51 ERROR: ZONE_ALREADY_SET
17 |
18 | rule = 40903
19 | alert = 2
20 | decoder =
21 |
22 |
--------------------------------------------------------------------------------
/ossec-testing/tests/mailscanner.ini:
--------------------------------------------------------------------------------
1 | [update phishing]
2 | log 1 fail = Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated
3 | rule = 3752
4 | alert = 0
5 | decoder =
6 |
7 |
--------------------------------------------------------------------------------
/ossec-testing/tests/named.ini:
--------------------------------------------------------------------------------
1 | [Query cache denied]
2 | log 1 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied
3 | log 2 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.4#32769: query (cache) denied
4 | log 3 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache) denied
5 | log 4 fail = Aug 29 15:33:13 ns3 name[464]: client 217.148.39.4#32769: query (cache) denied
6 | log 5 pass = Aug 29 15:33:13 ns3 named[464]: client 217.148.39.3#1036: query (cache)
7 | log 6 pass = Mar 13 01:42:45 net19 named[6147]: client 31.150.218.239#6173 (odcdavcxkvin.games.yuanyou8.com): query (cache) 'odcdavcxkvin.games.yuanyou8.com/A/IN' denied
8 |
9 | rule = 12108
10 | alert = 5
11 | decoder = named
12 |
--------------------------------------------------------------------------------
/ossec-testing/tests/netscreen.ini:
--------------------------------------------------------------------------------
1 | [Firewall configuration changed.]
2 | log 1 pass = 2014-05-23T10:25:58.681222-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-information-00767: System configuration saved by netscreen via web from host 10.10.10.101 to 10.10.10.1:443 by netscreen. (2014-05-23 10:58:17)
3 |
4 | rule = 4509
5 | alert = 8
6 | decoder = netscreenfw
7 |
8 | [Firewall policy changed.]
9 | log 1 pass = 2014-05-23T10:29:55.704201-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-notification-00018: Policy (5, Trust->Untrust, 10.10.10.0/24->172.16.19.0/24,ANY, Permit) was modified by netscreen via web from host 10.10.10.101 to 10.10.10.1:443. (2014-05-23 11:02:13)
10 |
11 | rule = 4508
12 | alert = 8
13 | decoder = netscreenfw
14 |
15 | [Successful admin login to the Netscreen firewall]
16 | log 1 pass = 2014-05-23T10:39:20.681154-04:00 10.10.10.1 ssg5-serial: NetScreen device_id=0275112227993284 [Root]system-warning-00515: Management session via SSH from 10.10.10.100:0 for admin netscreen has timed out (2014-05-23 11:11:39)
17 |
18 | rule = 4507
19 | alert = 8
20 | decoder = netscreenfw
21 |
22 | [syn flood]
23 | log 1 pass = Jul 7 05:02:34 ssg5.17.168.192.in-addr.arpa ssg5: NetScreen device_id=ssg5 [Root]system-emergency-00005: SYN flood! From 192.168.18.53:41437 to 192.168.17.251:9612, proto TCP (zone Untrust int ethernet0/0). Occurred 1 times. (2016-07-07 05:02:32)
24 |
25 | rule = 4560
26 | alert = 3
27 | decoder = netscreenfw
28 |
29 |
--------------------------------------------------------------------------------
/ossec-testing/tests/nginx.ini:
--------------------------------------------------------------------------------
1 | ; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda
2 | [Nginx messages grouped.]
3 | log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda
4 |
5 | rule = 31300
6 | alert = 0
7 | decoder = nginx-errorlog
8 |
9 | [Nginx error message.]
10 | log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda
11 |
12 | rule = 31301
13 | alert = 3
14 | decoder = nginx-errorlog
15 |
16 | [Nginx warning message.]
17 | log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda
18 |
19 | rule = 31302
20 | alert = 3
21 | decoder = nginx-errorlog
22 |
23 | [Nginx critical message.]
24 | log 1 pass = 2014/12/30 06:07:37 [crit] 80:2
25 |
26 | rule = 31303
27 | alert = 5
28 | decoder = nginx-errorlog
29 |
30 | [Server returned 404 (reported in the access.log).]
31 | log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory)
32 | log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory)
33 |
34 | rule = 31310
35 | alert = 0
36 | decoder = nginx-errorlog
37 |
38 | [Incomplete client request.]
39 | log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort)
40 |
41 | rule = 31311
42 | alert = 0
43 | decoder = nginx-errorlog
44 |
45 | [Initial 401 authentication request.]
46 | log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication
47 |
48 | rule = 31312
49 | alert = 0
50 | decoder = nginx-errorlog
51 |
52 | [Web authentication failed.]
53 | log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda
54 | log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda
55 |
56 | rule = 31315
57 | alert = 5
58 | decoder = nginx-errorlog
59 |
60 | # Can't yet test frequency
61 | ;[Multiple web authentication failures.]
62 | ;
63 | ;rule = 31316
64 | ;alert = 10
65 | ;decoder = nginx-errorlog
66 |
67 | [Common cache error when files were removed.]
68 | log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory
69 |
70 | rule = 31317
71 | alert = 0
72 | decoder = nginx-errorlog
73 |
74 | [Invalid URI, file name too long.]
75 | log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long)
76 |
77 | rule = 31320
78 | alert = 10
79 | decoder = nginx-errorlog
80 |
--------------------------------------------------------------------------------
/ossec-testing/tests/openbsd-dhcpd.ini:
--------------------------------------------------------------------------------
1 | [lease release]
2 | log 1 pass = Jan 26 18:12:55 junction dhcpd[4842]: IP address 192.168.1.16 answers a ping after sending a release
3 | log 2 pass = Jan 26 18:12:40 junction dhcpd[4842]: Possible release spoof - Not releasing address 192.168.17.160
4 |
5 | rule = 53003
6 | alert = 5
7 | decoder = dhcpd
8 |
9 | [no free leases]
10 | log 1 pass = Jan 26 17:42:32 junction dhcpd[4842]: no free leases on subnet 192.168.17.0
11 |
12 | rule = 53011
13 | alert = 7
14 | decoder = dhcpd
15 |
16 | [normal dhcp stuff]
17 | log 1 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPREQUEST for 192.168.17.164 from f4:8c:50:9d:eb:35 via em1
18 | log 2 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPDISCOVER from f4:8c:50:9d:eb:35 via em1
19 | log 3 pass = Jan 27 09:25:31 junction dhcpd[71391]: DHCPOFFER on 192.168.17.164 to f4:8c:50:9d:eb:35 via em1
20 |
21 | rule = 53001
22 | alert = 1
23 | decoder = dhcpd
24 |
25 |
26 |
--------------------------------------------------------------------------------
/ossec-testing/tests/openbsd-httpd.ini:
--------------------------------------------------------------------------------
1 | [access]
2 | log 1 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:29:48 -0400] "GET / HTTP/1.0" 302 0
3 | log 2 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:32:57 -0400] "GET /nmaplowercheck1531024375 HTTP/1.1" 302 0
4 | rule = 31100
5 | alert = 0
6 | decoder = openbsd-httpd
7 |
8 | [POST]
9 | log 1 pass = www.wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:33:13 -0400] "POST /sdk HTTP/1.1" 404 0
10 |
11 | rule = 31530
12 | alert = 3
13 | decoder = openbsd-httpd
14 |
15 |
--------------------------------------------------------------------------------
/ossec-testing/tests/openbsd.ini:
--------------------------------------------------------------------------------
1 | [sendsyslog drop]
2 | log 1 fail = Oct 16 08:15:07 ix sendsyslog: dropped 2 messages, error 55
3 |
4 | rule = 51558
5 | alert = 4
6 | decoder =
7 |
8 |
--------------------------------------------------------------------------------
/ossec-testing/tests/opensmtpd.ini:
--------------------------------------------------------------------------------
1 | [message failed]
2 | log 1 pass = Aug 14 10:15:25 junction.example.com smtpd[28882]: smtp-in: Failed command on session 1f55bdcdf16e28a3: "MAIL FROM: " => 421 4.3.0: Temporary Error
3 |
4 | rule = 53501
5 | alert = 3
6 | decoder = smtpd
7 |
8 | [new session]
9 | log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: New session 08d856b172f69c5c from host ix.example.com [local]
10 |
11 | rule = 53502
12 | alert = 0
13 | decoder = smtpd
14 |
15 | [message accepted]
16 | log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Accepted message 4296f490 on session 08d856b172f69c5c: from=, to=, size=1746, ndest=1, proto=ESMTP
17 |
18 | rule = 53504
19 | alert = 0
20 | decoder = smtpd
21 |
22 | [session closed]
23 | log 1 pass = Aug 17 01:26:02 ix smtpd[22704]: smtp-in: Closing session 08d856b172f69c5c
24 |
25 | rule = 53503
26 | alert = 0
27 | decoder = smtpd
28 |
29 | [disconnect]
30 | log 1 pass = Mar 4 00:11:00 ix smtpd[22421]: smtp-in: Received disconnect from session 427e7493ebe154ae
31 |
32 | rule = 53500
33 | alert = 0
34 | decoder = smtpd
35 |
36 | [no ssl]
37 | log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Disconnecting session 427e7497e03518ef: IO error: No SSL error
38 |
39 | rule = 53507
40 | alert = 2
41 | decoder = smtpd
42 |
43 | [started tls]
44 | log 1 pass = Mar 4 00:13:55 ix smtpd[22421]: smtp-in: Started TLS on session 427e749c2e46f809: version=TLSv1.2, cipher=EDH-RSA-DES-CBC3-SHA, bits=112
45 |
46 | rule = 53500
47 | alert = 0
48 | decoder = smtpd
49 |
50 |
--------------------------------------------------------------------------------
/ossec-testing/tests/pam.ini:
--------------------------------------------------------------------------------
1 | [User login failed.]
2 | log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
3 | log 2 pass = Jun 28 23:01:27 xxxx auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lipjigaglgihgoeadcdaa.p.salmon@xxx.xxx.xxx.xxx rhost=91.195.103.44
4 |
5 | rule = 5503
6 | alert = 5
7 | decoder = pam
8 |
9 | [Attempt to login with an invalid user.]
10 | log 1 pass = Nov 11 22:46:29 localhost vsftpd(pam_unix)[25073]: check pass; user unknown
11 | log 2 pass = Mar 29 00:42:09 server saslauthd[1230]: pam_succeed_if(smtp:auth): error retrieving information about user demo
12 |
13 | rule = 5504
14 | alert = 5
15 | decoder = pam
16 |
17 | [Login session opened.]
18 | log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session opened for user news by (uid=0)
19 |
20 | rule = 5501
21 | alert = 3
22 | decoder = pam
23 |
24 | [Login session closed.]
25 | log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session closed for user news
26 |
27 | rule = 5502
28 | alert = 3
29 | decoder = pam
30 |
31 | [User missed the password more than one time]
32 | log 1 pass = Nov 11 22:46:29 localhost sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
33 |
34 | rule = 2502
35 | alert = 10
36 | decoder = pam
37 |
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/ossec-testing/tests/postfix.ini:
--------------------------------------------------------------------------------
1 | [reject rcpt]
2 | log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; from=, to=, proto=ESMTP, helo=
3 |
4 | rule = 3306
5 | alert = 6
6 | decoder = postfix-reject
7 |
8 | [domain not found]
9 | log 1 pass = Jun 18 20:59:29 mybox postfix/postscreen[12181]: NOQUEUE: reject: RCPT from [213.158.187.41]:45263: 450 4.3.2 Service currently unavailable; from=, to=, proto=ESMTP, helo=
10 |
11 | rule = 3303
12 | alert = 5
13 | decoder = postfix-reject
14 |
15 |
--------------------------------------------------------------------------------
/ossec-testing/tests/proftpd.ini:
--------------------------------------------------------------------------------
1 | [unable to open incoming connection (reason may vary)]
2 | log 1 pass = Jan 04 22:51:57 server proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden
3 | rule = 11222
4 | alert = 4
5 | decoder = proftpd
6 |
7 | [FTP Authentication success]
8 | log 1 pass = Jan 04 22:51:57 hayaletgemi proftpd[26916]: hayaletgemi (85.101.218.135[85.101.218.135]) - ANON anonymous: Login successful.
9 | log 2 pass = Jan 04 22:51:57 juf01 proftpd[12564]: juf01 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - USER jufu: Login successful
10 | log 3 pass = Jan 04 22:51:57 xx.yy.zz proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.
11 | rule = 11205
12 | alert = 3
13 | decoder = proftpd
14 |
15 | [Connection refused by TCP Wrappers]
16 | log 1 pass = Jan 04 22:51:57 server proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
17 | rule = 11207
18 | alert = 5
19 | decoder = proftpd
20 |
21 | [Connection denied by ProFTPD configuration]
22 | log 1 pass = Jan 04 22:51:57 valhalla proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
23 | rule = 11206
24 | alert = 5
25 | decoder = proftpd
26 |
27 | [Login failed accessing the FTP server]
28 | log 1 pass = 2015-04-16 21:51:02,805 zuse proftpd[26189] zuse.domain.com (182.100.67.115[182.100.67.115]): USER root (Login failed): Incorrect password
29 | rule = 11204
30 | alert = 5
31 | decoder = proftpd
32 |
33 |
--------------------------------------------------------------------------------
/ossec-testing/tests/rsh.ini:
--------------------------------------------------------------------------------
1 | [rshd: illegal]
2 | log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
3 | log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port
4 |
5 | rule = 2551
6 | alert = 10
7 | decoder = rshd
8 |
9 |
--------------------------------------------------------------------------------
/ossec-testing/tests/samba.ini:
--------------------------------------------------------------------------------
1 | [samba: denied connect]
2 | log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23)
3 |
4 |
5 | rule = 13102
6 | alert = 5
7 | decoder = smbd
8 |
9 | [samba: connect denied]
10 | log 1 pass = Dec 18 18:06:28 hostname smbd[832]: Denied connection from (192.168.3.23)
11 |
12 |
13 | rule = 13102
14 | alert = 5
15 | decoder = smbd
16 |
17 | [samba: permission denied]
18 | log 1 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1.
19 | log 2 fail = Dec 18 18:06:28 hostname smbd[17535]: Permission denied\-\- user not allowed to delete, pause, or resume print job. User name: ahmet. Printer name: prnq1.
20 |
21 | rule = 13102
22 | alert = 5
23 | decoder = smbd
24 |
--------------------------------------------------------------------------------
/ossec-testing/tests/su.ini:
--------------------------------------------------------------------------------
1 | [su: failed]
2 | log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root
3 | log 2 pass = Jun 20 17:19:59 dactyl su: FAILED SU (to root) mmoorcro on pts/0
4 | rule = 5302
5 | alert = 9
6 | decoder = su
7 |
8 | [su: bad pass]
9 | log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0
10 | rule = 5301
11 | alert = 5
12 | decoder = su
13 |
14 | [su: pam - auth fail]
15 | log 1 fail = Apr 27 15:22:23 niban su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
16 | log 2 fail = Apr 27 15:22:23 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
17 | rule = 5503
18 | alert = 5
19 | decoder = su
20 |
21 |
22 | [su: work fts]
23 | log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
24 | rule = 5305
25 | alert = 4
26 | decoder = su
27 |
28 |
--------------------------------------------------------------------------------
/ossec-testing/tests/sudo.ini:
--------------------------------------------------------------------------------
1 | [sudo: all]
2 | log 1 pass = Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
3 | log 2 pass = Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
4 | log 3 pass = Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
5 | log 4 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
6 |
7 | rule = 5403
8 | alert = 4
9 | decoder = sudo
10 |
11 | [Failed attempt to run sudo]
12 | log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
13 |
14 | rule = 5401
15 | alert = 5
16 | decoder = sudo
17 |
18 | [First time user executed sudo]
19 | log 1 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su -
20 |
21 | rule = 5403
22 | alert = 4
23 | decoder = sudo
24 |
25 | [3 incorrect password attempts]
26 | log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
27 |
28 | rule = 5404
29 | alert = 10
30 | decoder = sudo
31 |
32 | [unauthorized user]
33 | log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls
34 |
35 | rule = 5405
36 | alert = 5
37 | decoder = sudo
38 |
39 |
--------------------------------------------------------------------------------
/ossec-testing/tests/syslog.ini:
--------------------------------------------------------------------------------
1 | [Uninteresting nouveau error.]
2 | log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR BEGIN_END_ACTIVE
3 |
4 | rule = 2944
5 | alert = 1
6 | decoder =
7 |
8 | [Uninteresting nouveau error.]
9 | log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR
10 |
11 | rule = 2944
12 | alert = 1
13 | decoder =
14 |
15 | [Incorrect chain/target/match.]
16 | log 3 fail = Jul 18 10:51:43 localhost NetworkManager[1366]: (enp1s0) firewall zone remove failed: (32) COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: ipta
17 | bles: No chain/target/match by that name.
18 |
19 | rule = 2941
20 | alert = 3
21 | decoder = NetworkManager
22 |
23 | [rsyslog may be dropping messages due to rate-limiting.]
24 | log 1 fail = Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
25 |
26 | rule = 2945
27 | alert = 4
28 | decoder =
29 |
30 | [Non-standard syslog-ng format with year.]
31 | log 1 fail = 2015 2015 Nov 13 13:40:01 ether rsyslogd-2177: imuxsock begins to drop messages from pid 17840 due to rate-limiting
32 |
33 | rule = 2945
34 | alert = 4
35 | decoder =
36 |
37 | [useradd failed]
38 | log 1 fail = May 4 18:21:10 collectd useradd[15178]: failed adding user 'ansible', data deleted
39 |
40 | rule = 5905
41 | alert = 0
42 | decoder =
43 |
44 |
--------------------------------------------------------------------------------
/ossec-testing/tests/sysmon.ini:
--------------------------------------------------------------------------------
1 | [Sysmon EventID#1 - Suspicious svchost process]
2 | log 1 pass = 2014 Dec 20 14:29:48 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 2:29 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log User: WIN-U93G48C7BOP\Administrator LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\Explorer.EXE ParentCommandLine: C:\Windows\Explorer.EXE
3 | rule = 18501
4 | alert = 12
5 | decoder = Sysmon-EventID#1
6 |
7 | [Sysmon EventID#1 - non-Suspicious svchost process]
8 | log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create: UtcTime: 12/20/2014 12:15 PM ProcessGuid: {00000000-87DB-5495-0000-001045F25A00} ProcessId: 3048 Image: C:\Windows\system32\svchost.exe CommandLine: "C:\windows\system32\svchost.exe -k defragsvc" User: NT AUTHORITY\SYSTEM LogonGuid: {00000000-84B8-5494-0000-0020CB330200} LogonId: 0x233CB TerminalSessionId: 1 IntegrityLevel: High HashType: SHA1 Hash: 9FEF303BEDF8430403915951564E0D9888F6F365 ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200} ParentProcessId: 848 ParentImage: C:\Windows\System32\services.exe ParentCommandLine: C:\Windows\System32\services.exe
9 | rule = 18502
10 | alert = 0
11 | decoder = Sysmon-EventID#1
12 |
13 | [Windows Event]
14 | 2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create: UtcTime: 3/30/2015 10:47:04.494 PM ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06} ProcessId: 4388 Image: C:\WINDOWS\system32\cmd.exe CommandLine: "C:\windows\system32\cmd.exe" User: SYSTEM-NAME\UserName LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906} LogonId: 0x6192cf6 TerminalSessionId: 3 IntegrityLevel: no level HashType: SHA1 Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906} ParentProcessId: 1008 ParentImage: C:\WINDOWS\explorer.exe ParentCommandLine: C:\windows\Explorer.EXE
15 | rule = 18101
16 | alert = 0
17 | decoder = Sysmon-EventID#1
18 |
19 |
--------------------------------------------------------------------------------
/ossec-testing/tests/systemd.ini:
--------------------------------------------------------------------------------
1 | [Stale file handle.]
2 | log 3 fail = Jul 19 07:28:02 localhost systemd: Failed to mark scope session-1024.scope as abandoned : Stale file handle
3 |
4 | rule = 40701
5 | alert = 0
6 | decoder =
7 |
8 |
--------------------------------------------------------------------------------
/ossec-testing/tests/unbound.ini:
--------------------------------------------------------------------------------
1 | ;[Can't assign requested address.]
2 | ;log 1 pass = 2014-05-20T09:01:07.283219-04:00 arrakis unbound: [9405:0] notice: sendto failed: Can't assign requested address
3 | ;
4 | ;rule = 500100
5 | ;alert = 2
6 | ;decoder = unbound
7 | ;
8 | ;[DNS A request]
9 | ;log 1 pass = 2014-07-14T14:00:02.814490-04:00 arrakis unbound: [2541:0] info: 127.0.0.1 talkgadget.google.com. A IN
10 | ;
11 | ;rule = 500101
12 | ;alert = 0
13 | ;decoder = unbound
14 | ;
15 | ;[Info grouping.]
16 | ;log 1 pass = 2014-07-14T14:00:05.507848-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: 3 queries, 2 answers from cache, 1 recursions, 0 prefetch
17 | ;
18 | ;rule = 500002
19 | ;alert = 1
20 | ;decoder = unbound
21 | ;
22 | ;[Info grouping.]
23 | ;log 1 pass = 2014-07-14T14:00:05.507955-04:00 arrakis unbound: [2541:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
24 | ;
25 | ;rule = 500002
26 | ;alert = 1
27 | ;decoder = unbound
28 | ;
29 |
30 |
31 |
--------------------------------------------------------------------------------
/ossec-testing/tests/vsftpd.ini:
--------------------------------------------------------------------------------
1 | [CONNECT]
2 | log 1 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "fe80::baac:6fff:fe7d:d2e0"
3 | log 2 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "10.11.12.13"
4 |
5 | rule = 11401
6 | alert = 3
7 | decoder = vsftpd
8 |
9 | [LOGIN]
10 | log 1 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
11 | log 2 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "fe80::baac:6fff:fe7d:d2e0"
12 |
13 | rule = 11403
14 | alert = 5
15 | decoder = vsftpd
16 |
17 |
--------------------------------------------------------------------------------
/rules.d/00-crs-rules_config.xml:
--------------------------------------------------------------------------------
1 |
17 |
18 |
19 |
20 |
21 | syslog
22 | Generic template for all syslog rules.
23 |
24 |
25 |
26 |
27 |
28 | firewall
29 | Generic template for all firewall rules.
30 |
31 |
32 |
33 |
34 |
35 | ids
36 | Generic template for all ids rules.
37 |
38 |
39 |
40 |
41 |
42 | web-log
43 | Generic template for all web rules.
44 |
45 |
46 |
47 |
48 |
49 | squid
50 | Generic template for all web proxy rules.
51 |
52 |
53 |
54 |
55 |
56 | windows
57 | Generic template for all windows rules.
58 |
59 |
60 |
61 |
62 |
63 | ossec
64 | Generic template for all ossec rules.
65 |
66 |
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/rules.d/50-crs-apparmor_rules.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 | 5100
18 | iptables
19 | apparmor=
20 | Apparmor grouping
21 |
22 |
23 |
24 | 52000
25 | ALLOWED|STATUS
26 | Ignore ALLOWED or STATUS
27 |
28 |
29 |
30 | 52000
31 | DENIED
32 | apparmor=
33 | Apparmor DENIED
34 |
35 |
36 |
37 | 52002
38 | exec
39 | Apparmor DENIED exec operation.
40 |
41 |
42 |
43 | 52002
44 | mknod
45 | Apparmor DENIED mknod operation.
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/rules.d/50-crs-arpwatch_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | arpwatch
20 | Grouping of the arpwatch rules.
21 |
22 |
23 |
24 | 7200
25 | alert_by_email
26 |
27 | Arpwatch new host detected.
28 | new_host,
29 |
30 |
31 |
32 | 7200
33 | flip flop
34 | Arpwatch "flip flop" message.
35 | IP address/MAC relation changing too often.
36 | ip_spoof,
37 |
38 |
39 |
40 | 7200
41 | reaper: pid
42 | Arpwatch exiting.
43 | service_availability,
44 |
45 |
46 |
47 | 7200
48 | changed ethernet address
49 | Changed network interface for IP address.
50 | ip_spoof,
51 |
52 |
53 |
54 | 7200
55 | bad interface eth0|exiting|Running as
56 | Arpwatch startup/exiting messages.
57 |
58 |
59 |
60 | 7200
61 | sent bad addr len
62 | Arpwatch detected a bad address length (ignored).
63 |
64 |
65 |
66 | 7200
67 | /dev/bpf0: Permission denied
68 | Arpwatch probably run with wrong permissions.
69 |
70 |
71 |
72 | 7200
73 | reused old ethernet address
74 | An IP has reverted to an old ethernet address.
75 |
76 |
77 |
78 | 7200
79 | ethernet mismatch
80 | Possible ARP spoofing attempt.
81 | ip_spoof,
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
--------------------------------------------------------------------------------
/rules.d/50-crs-cimserver_rules.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 |
16 |
17 | cimserver
18 | cimserver messages grouped.
19 |
20 |
21 |
22 | 9600
23 | Authentication failed
24 | Compaq Insight Manager authentication failure.
25 | authentication_failed,
26 |
27 |
28 |
29 | 9600
30 | Server stopped
31 | Compaq Insight Manager stopped.
32 | service_availability,
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/rules.d/50-crs-cisco-ios_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | cisco-ios
20 | Grouping of Cisco IOS rules.
21 |
22 |
23 |
24 | 4700
25 | -0-
26 | Cisco IOS emergency message.
27 |
28 |
29 |
30 |
31 | 4700
32 | -1-
33 | Cisco IOS alert message.
34 |
35 |
36 |
37 | 4700
38 | -2-
39 | Cisco IOS critical message.
40 |
41 |
42 |
43 | 4700
44 | -3-
45 | Cisco IOS error message.
46 |
47 |
48 |
49 | 4700
50 | -4-
51 | Cisco IOS warning message.
52 |
53 |
54 |
55 | 4700
56 | -5-
57 | Cisco IOS notification message.
58 |
59 |
60 |
61 | 4700
62 | -6-
63 | Cisco IOS informational message.
64 |
65 |
66 |
67 | 4700
68 | -7-
69 | Cisco IOS debug message.
70 |
71 |
72 |
73 | 4715
74 | ^%SYS-5-CONFIG
75 | Cisco IOS router configuration changed.
76 | config_changed,
77 |
78 |
79 |
80 | 4715
81 | ^%SEC_LOGIN-5-LOGIN_SUCCESS
82 | Successful login to the router.
83 | authentication_success,
84 |
85 |
86 |
87 | 4714
88 | ^%SEC_LOGIN-4-LOGIN_FAILED
89 | Failed login to the router.
90 | authentication_failed,
91 |
92 |
93 |
94 |
95 |
96 |
97 |
--------------------------------------------------------------------------------
/rules.d/50-crs-clam_av_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | clamd
6 | Grouping of the clamd rules.
7 |
8 |
9 |
10 | freshclam
11 | ClamAV database update
12 |
13 |
14 |
15 | 52500
16 | FOUND
17 | Virus detected
18 | virus
19 |
20 |
21 |
22 | 52500
23 | ^ERROR:
24 | Clamd error
25 | virus
26 |
27 |
28 |
29 | 52500
30 | ^WARNING:
31 | Clamd warning
32 | virus
33 |
34 |
35 |
36 | 52500
37 | clamd daemon
38 | Clamd restarted
39 | virus
40 |
41 |
42 |
43 | 52500
44 | Database modification detected
45 | Clamd database updated
46 | virus
47 |
48 |
49 |
50 | 52501
51 | ClamAV update process started
52 | ClamAV database update
53 | virus
54 |
55 |
56 |
57 | 52501
58 | Database updated
59 | ClamAV database updated
60 | virus
61 |
62 |
63 |
64 | 52501
65 | Incremental update failed|Error while reading database from|Update failed\.
66 | Could not download the incremental virus definition updates.
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/rules.d/50-crs-courier_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 |
20 | courier
21 | Grouping for the courier rules.
22 |
23 |
24 |
25 | 3900
26 | ^Connection,
27 | New courier (imap/pop3) connection.
28 | connection_attempt,
29 |
30 |
31 |
32 | 3900
33 | ^LOGIN FAILED,| FAILED:
34 | Courier (imap/pop3) authentication failed.
35 | authentication_failed,
36 |
37 |
38 |
39 | 3900
40 | ^LOGOUT,|^DISCONNECTED
41 | Courier logout/timeout.
42 |
43 |
44 |
45 | 3900
46 | ^LOGIN,
47 | Courier (imap/pop3) authentication success.
48 | authentication_success,
49 |
50 |
51 |
52 | 3902
53 | Courier brute force (multiple failed logins).
54 | authentication_failures,
55 |
56 |
57 |
58 |
59 | 3901
60 |
61 | Multiple connection attempts from same source.
62 | recon,
63 |
64 |
65 |
66 |
67 |
68 |
--------------------------------------------------------------------------------
/rules.d/50-crs-dnsmasq_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | dnsmasq
5 | dnsmasq grouping rule.
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/rules.d/50-crs-dovecot_rules.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
10 |
11 | dovecot
12 | Dovecot Messages Grouped.
13 |
14 |
15 |
16 | 9700
17 | login: Login:
18 | Dovecot Authentication Success.
19 | authentication_success,
20 |
21 |
22 |
23 | 9700
24 | Password mismatch$
25 | Dovecot Authentication Failed.
26 | authentication_failed,
27 |
28 |
29 |
30 | 9700
31 | starting up
32 | Dovecot is Starting Up.
33 |
34 |
35 |
36 | 9700
37 | ^Fatal:
38 | alert_by_email
39 | Dovecot Fatal Failure.
40 |
41 |
42 |
43 | 9700
44 | user not found|User not known|unknown user|auth failed
45 | Dovecot Invalid User Login Attempt.
46 | invalid_login,authentication_failed,
47 |
48 |
49 |
50 | 9700
51 | : Disconnected:
52 | Dovecot Session Disconnected.
53 |
54 |
55 |
56 | 9700
57 | : Aborted login
58 | Dovecot Aborted Login.
59 | invalid_login,
60 |
61 |
62 |
63 |
64 |
65 | 9702
66 |
67 | Dovecot Multiple Authentication Failures.
68 | authentication_failures,
69 |
70 |
71 |
72 | 9705
73 |
74 | Dovecot brute force attack (multiple auth failures).
75 | authentication_failures,
76 |
77 |
78 |
79 | dovecot-info
80 | dovecot-info grouping.
81 |
82 |
83 |
84 | 9770
85 | user not found|User not known|unknown user|auth failed
86 | Dovecot Invalid User Login Attempt.
87 | invalid_login,authentication_failed,
88 |
89 |
90 |
91 |
92 |
--------------------------------------------------------------------------------
/rules.d/50-crs-exim_rules.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 | windows-date-format
13 | ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} SMTP
14 | Exim SMTP Messages Grouped.
15 |
16 |
17 |
18 | windows-date-format
19 | ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} dovecot
20 | dovecot messages grouped.
21 |
22 |
23 |
24 | 13001
25 | authenticator failed
26 | Exim Auth failed
27 | invalid_login,authentication_failed,
28 |
29 |
30 |
31 | 13006
32 |
33 | Exim brute force attack (multiple auth failures).
34 | authentication_failures,
35 |
36 |
37 |
38 | 13000
39 | connection count =
40 | Exim connection
41 |
42 |
43 |
44 | 13000
45 | lost$
46 | Exim connection lost
47 |
48 |
49 |
50 | 13000
51 | dropped: too many syntax or protocol errors
52 | Exim syntax or protocol errors
53 |
54 |
55 |
56 |
--------------------------------------------------------------------------------
/rules.d/50-crs-firewall_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | firewall
20 | Firewall rules grouped.
21 |
22 |
23 |
26 |
27 | 4100
28 | DROP
29 | no_log
30 | Firewall drop event.
31 | firewall_drop,
32 |
33 |
34 |
35 | 4100
36 | Deny
37 | no_log
38 | Firewall drop event.
39 | firewall_drop,
40 |
41 |
42 |
43 | 4101
44 |
45 | Multiple Firewall drop events from same source.
46 | multiple_drops,
47 |
48 |
49 |
--------------------------------------------------------------------------------
/rules.d/50-crs-firewalld_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | ^firewalld
4 | firewalld grouping
5 |
6 |
7 |
8 | 40900
9 | ERROR:
10 | firewalld error
11 |
12 |
13 |
14 | 40901
15 | No chain/target/match by that name\.$
16 | Incorrect chain/target/match.
17 |
18 |
19 |
20 | 40901
21 | ZONE_ALREADY_SET$
22 | firewalld: zone already set.
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/rules.d/50-crs-hordeimp_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | horde_imp
20 | Grouping for the Horde imp rules.
21 |
22 |
23 |
24 | 9300
25 | ^\[info\]
26 | Horde IMP informational message.
27 |
28 |
29 |
30 | 9300
31 | ^\[notice\]
32 | Horde IMP notice message.
33 |
34 |
35 |
36 | 9300
37 | ^\[error\]
38 | Horde IMP error message.
39 |
40 |
41 |
42 | 9300
43 | ^\[emergency\]
44 | Horde IMP emergency message.
45 | service_availability,
46 |
47 |
48 |
49 | 9302
50 | Login success for
51 | Horde IMP successful login.
52 | authentication_success,
53 |
54 |
55 |
56 | 9303
57 | FAILED LOGIN
58 | Horde IMP Failed login.
59 | authentication_failed,
60 |
61 |
62 |
63 | 9306
64 |
65 | Horde brute force (multiple failed logins).
66 | authentication_failures,
67 |
68 |
69 |
70 | 9304
71 | Multiple Horde emergency messages.
72 | service_availability,
73 |
74 |
75 |
76 |
77 |
78 |
79 |
--------------------------------------------------------------------------------
/rules.d/50-crs-imapd_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 | 6
18 |
19 |
20 |
21 | imapd
22 | Grouping of the imapd rules.
23 |
24 |
25 |
26 | 3600
27 | Login failed user=|AUTHENTICATE LOGIN failure
28 | Imapd user login failed.
29 | authentication_failed,
30 |
31 |
32 |
33 | 3600
34 | Authenticated user=
35 | Imapd user login.
36 | authentication_success,
37 |
38 |
39 |
40 | 3600
41 | Logout user=
42 | Imapd user logout.
43 |
44 |
45 |
46 | 3601
47 |
48 | Multiple failed logins from same source ip.
49 | authentication_failures,
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/rules.d/50-crs-lighttpd_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | lighttpd
4 | fastcgi
5 | FastCGI error message.
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/rules.d/50-crs-linux_usbdetect_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | kernel
7 | usb
8 | Linux USB detection messages grouped
9 |
10 |
11 |
12 |
13 | 53600
14 | New USB device found
15 | A new USB device was found by the system
16 | linux,
17 |
18 |
19 |
20 |
21 | 53600
22 | new low-speed USB device
23 | New Low-Speed USB Device was connected.
24 | linux,
25 |
26 |
27 |
28 |
29 | 53600
30 | new high-speed USB device
31 | New High-Speed USB Device was connected
32 | linux,
33 |
34 |
35 |
36 |
37 | 53600
38 | USB disconnect
39 | USB device was disconnected
40 | linux,
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/rules.d/50-crs-mailscanner_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | mailscanner
20 | Grouping of mailscanner rules.
21 |
22 |
23 |
24 | 3700
25 | not
26 | Non spam message. Ignored.
27 |
28 |
29 |
30 | 3700
31 | spam
32 | Mail Scanner spam detected.
33 | spam,
34 |
35 |
36 |
37 | 3702
38 |
39 | Multiple attempts of spam.
40 | multiple_spam,
41 |
42 |
43 |
44 | 1002
45 | update\.bad\.phishing\.sites
46 | ^Phishing bad sites list updated
47 | ignore
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/rules.d/50-crs-mhn_cowrie_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | cowrie
10 | SSH login attempted on cowrie honeypot
11 | SSH login attempted on cowrie honeypot
12 |
13 |
14 |
15 | cowrie
16 | SSH session on cowrie honeypot
17 | SSH session established on cowrie honeypot
18 |
19 |
20 |
21 | cowrie
22 | command attempted on cowrie honeypot
23 | A command was attempted in SSH session on cowrie honeypot
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/rules.d/50-crs-mhn_dionaea_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | dionaea
10 | Connection to Dionaea Honeypot identified
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/rules.d/50-crs-ms-exchange_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | msexchange
23 | Grouping of Exchange rules.
24 |
25 |
26 |
27 | 3800
28 | RCPT
29 | ^550
30 | E-mail rcpt is not valid (invalid account).
31 | spam,
32 |
33 |
34 |
35 | 3800
36 | ^5
37 | E-mail 500 error code.
38 | spam,
39 |
40 |
41 |
42 | 3801
43 |
44 | Multiple e-mail attempts to an invalid account.
45 | multiple_spam,
46 |
47 |
48 |
49 | 3802
50 |
51 | Multiple e-mail 500 error code (spam).
52 | multiple_spam,
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/rules.d/50-crs-ms_ftpd_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | msftp
20 | Grouping for the Microsoft ftp rules.
21 |
22 |
23 |
24 | 11500
25 | USER
26 | New FTP connection.
27 | connection_attempt,
28 |
29 |
30 |
31 | 11500
32 | PASS
33 | 530
34 | FTP Authentication failed.
35 | authentication_failed,
36 |
37 |
38 |
39 | 11500
40 | PASS
41 | 230
42 | FTP Authentication success.
43 | authentication_success,
44 |
45 |
46 |
47 | 11500
48 | ^5
49 | FTP client request failed.
50 |
51 |
52 |
53 | 11502
54 | FTP brute force (multiple failed logins).
55 | authentication_failures,
56 |
57 |
58 |
59 | 11501
60 |
61 | Multiple connection attempts from same source.
62 | recon,
63 |
64 |
65 |
66 | 11504
67 |
68 | Multiple FTP errors from same source.
69 |
70 |
71 |
72 |
73 |
74 |
--------------------------------------------------------------------------------
/rules.d/50-crs-mysql_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 |
20 | mysql_log
21 | MySQL messages grouped.
22 |
23 |
24 |
25 | 50100
26 | ^MySQL log: \d+ \S+ \d+ Connect
27 | Database authentication success.
28 | authentication_success,
29 |
30 |
31 |
32 | 50105
33 | Access denied for user
34 | Database authentication failure.
35 | authentication_failed,
36 |
37 |
38 |
39 | 50100
40 | ^MySQL log: \d+ \S+ \d+ Query
41 | Database query.
42 |
43 |
44 |
45 | 50100
46 | ^MySQL log: \d+ \S+ \d+ Quit
47 | User disconnected from database.
48 |
49 |
50 |
51 | 50100
52 | mysqld ended|Shutdown complete
53 | Database shutdown message.
54 | service_availability,
55 |
56 |
57 |
58 | 50100
59 | mysqld started|mysqld restarted
60 | Database startup message.
61 | service_availability,
62 |
63 |
64 |
65 | 50100
66 | ^MySQL log: \d+ \S+ \d+ \[ERROR\]
67 | Database error.
68 |
69 |
70 |
71 | 50125
72 | Fatal error:
73 | Database fatal error.
74 | service_availability,
75 |
76 |
77 |
78 | 50125
79 | Multiple database errors.
80 | service_availability,
81 |
82 |
83 |
84 |
85 |
86 |
--------------------------------------------------------------------------------
/rules.d/50-crs-opensmtpd_rules.xml:
--------------------------------------------------------------------------------
1 |
5 |
6 |
7 |
8 |
9 | smtpd
10 | OpenSMTPd grouping.
11 |
12 |
13 |
14 | smtpd
15 | 53500
16 | Failed
17 | Message failed.
18 |
19 |
20 |
21 | smtpd
22 | 53500
23 | New session
24 | New session created.
25 |
26 |
27 |
28 | smtpd
29 | 53500
30 | Closing session
31 | Session closed.
32 |
33 |
34 |
35 | smtpd
36 | 53500
37 | Accepted
38 | Message accepted.
39 |
40 |
41 |
42 | smtpd
43 | 53500
44 | delivery: Ok
45 | Email delivered.
46 |
47 |
48 |
49 | 53501
50 | Command not supported$
51 | SMTP command not supported.
52 |
53 |
54 |
55 | smtpd
56 | 53500
57 | IO error: No SSL error$
58 | OpenSMTPd: no SSL
59 |
60 |
61 |
62 | smtpd
63 | 53500
64 | Server certificate verification failed
65 | Server TLS certificate verification failed.
66 |
67 |
68 |
69 |
--------------------------------------------------------------------------------
/rules.d/50-crs-pure-ftpd_rules.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 |
10 |
11 |
12 | pure-ftpd
13 | Grouping for the pure-ftpd rules.
14 |
15 |
16 |
17 | 11300
18 | \[INFO\] New connection from
19 | New FTP connection.
20 | connection_attempt,
21 |
22 |
23 |
24 | 11300
25 | \[WARNING\] Authentication failed for user
26 | FTP Authentication failed.
27 | authentication_failed,
28 |
29 |
30 |
31 | 11300
32 | \[INFO\] Logout| \[INFO\] Timeout
33 | FTP user logout/timeout
34 |
35 |
36 |
37 | 11300
38 | \[NOTICE\]
39 | FTP notice messages
40 |
41 |
42 |
43 | 11300
44 | \[INFO\] Can't change directory to
45 | Attempt to access invalid directory
46 |
47 |
48 |
49 | 11302
50 |
51 | FTP brute force (multiple failed logins).
52 | authentication_failures,
53 |
54 |
55 |
56 | 11301
57 |
58 | Multiple connection attempts from same source.
59 | recon,
60 |
61 |
62 |
63 | 11300
64 | is now logged in
65 | FTP Authentication success.
66 | authentication_success,
67 |
68 |
69 |
70 | pure-transfer
71 | Rule grouping for pure ftpd transfers.
72 |
73 |
74 |
75 | 11310
76 | PUT
77 | File added to ftpd.
78 |
79 |
80 |
81 | 11310
82 | GET
83 | File retrieved from ftpd.
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
--------------------------------------------------------------------------------
/rules.d/50-crs-racoon_rules.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
10 |
11 |
12 |
13 | racoon
14 | Grouping of racoon rules.
15 |
16 |
17 |
18 | racoon-failed
19 | VPN authentication failed.
20 | authentication_failed,
21 |
22 |
23 |
24 | 14100
25 | INFO
26 | Racoon informational message.
27 |
28 |
29 |
30 | 14100
31 | ERROR
32 | Racoon error message.
33 |
34 |
35 |
36 | 14100
37 | WARNING
38 | Racoon warning message.
39 |
40 |
41 |
42 | 14110
43 | ISAKMP-SA established
44 | authentication_success
45 | VPN established.
46 |
47 |
48 |
49 | 14111
50 | such policy does not already exist
51 | Roadwarrior configuration (ignored error).
52 |
53 |
54 |
55 | 14112
56 | ignore INITIAL-CONTACT notification
57 | Roadwarrior configuration (ignored warning).
58 |
59 |
60 |
61 | 14111
62 | ERROR: invalid attribute|ERROR: rejected
63 | Invalid configuration settings (ignored error).
64 |
65 |
66 |
67 | 14101
68 |
69 | Multiple failed VPN logins.
70 |
71 |
72 |
--------------------------------------------------------------------------------
/rules.d/50-crs-roundcube_rules.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 |
16 |
17 | roundcube
18 | Roundcube messages grouped.
19 |
20 |
21 |
22 | 9400
23 | failed \(LOGIN\)| Login failed | Authentication failed| Failed login
24 | Roundcube authentication failed.
25 | authentication_failed,
26 |
27 |
28 |
29 | 9400
30 | Successful login
31 | Roundcube authentication succeeded.
32 | authentication_success,
33 |
34 |
35 |
36 | 9401
37 |
38 | Roundcube brute force (multiple failed logins).
39 | authentication_failures,
40 |
41 |
42 |
43 |
44 |
45 |
--------------------------------------------------------------------------------
/rules.d/50-crs-solaris_bsm_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 |
20 | solaris_bsm
21 | Solaris BSM Auditing messages grouped.
22 |
23 |
24 |
25 | 6100
26 | ^failed
27 | Auditing session failed.
28 |
29 |
30 |
31 | 6100
32 | ^ok
33 | Auditing session succeeded.
34 |
35 |
36 |
37 | 6102
38 | ^login
39 | Login session succeeded.
40 | authentication_success,
41 |
42 |
43 |
44 | 6101
45 | ^login
46 | Login session failed.
47 | authentication_failed,
48 |
49 |
50 |
51 | 6102
52 | ^su
53 | User successfully changed UID.
54 | authentication_success,
55 |
56 |
57 |
58 | 6103
59 | ^su
60 | User failed to change UID (user id).
61 | authentication_failed,
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/rules.d/50-crs-spamd_rules.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 |
10 |
11 |
12 |
13 | ^spamd
14 | Grouping for the spamd rules
15 |
16 |
17 |
18 | 3500
19 | : result:
20 | SPAMD result message (not very useful here).
21 |
22 |
23 |
24 | 3500
25 | checking message | processing message
26 | Spamd debug event (reading message).
27 |
28 |
29 |
30 |
31 |
32 |
--------------------------------------------------------------------------------
/rules.d/50-crs-symantec-av_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
21 |
22 |
23 |
24 |
25 | symantec-av
26 | Grouping of Symantec AV rules.
27 |
28 |
29 |
30 | windows
31 | ^Symantec AntiVirus
32 | Grouping of Symantec AV rules from eventlog.
33 |
34 |
35 |
36 | 7300, 7301
37 | ^5$|^17$
38 | virus
39 | Virus detected.
40 |
41 |
42 |
43 | 7300, 7301
44 | ^2$|^3$|^4$|^13$
45 | Virus scan updated, started or stopped.
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/rules.d/50-crs-symantec-ws_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
21 |
22 |
23 |
24 |
25 |
26 | symantec-websecurity
27 | Grouping of Symantec Web Security rules.
28 |
29 |
30 |
31 | 7400
32 | ^3=2,2=1
33 | Login failed accessing the web proxy.
34 | authentication_failed,
35 |
36 |
37 |
38 | 7400
39 | ^3=1,2=1
40 | Login success accessing the web proxy.
41 | authentication_success,
42 |
43 |
44 |
45 | 7415
46 | virtadmin
47 | Admin Login success to the web proxy.
48 | authentication_success,
49 |
50 |
51 |
60 |
61 |
62 |
63 |
64 |
65 |
--------------------------------------------------------------------------------
/rules.d/50-crs-systemd_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | ^systemd$|^systemctl$
5 | Systemd rules
6 |
7 |
8 |
9 | 40700
10 | Stale file handle$
11 | Stale file handle.
12 |
13 |
14 |
15 | 40700
16 | Failed to get unit file state for
17 | Failed to get unit state for service. This means that the .service file is missing.
18 |
19 |
20 |
21 | 40700
22 | entered failed state
23 | Service has entered a failed state, and likely has not started.
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/rules.d/50-crs-telnetd_rules.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
10 |
11 | telnetd
12 | Grouping for the telnetd rules
13 |
14 |
15 |
16 | 5600
17 | refused connect from
18 | Connection refused by TCP Wrappers.
19 |
20 |
21 |
22 | 5600
23 | : connect from
24 | Remote host established a telnet connection.
25 |
26 |
27 |
28 | ttloop: peer died:|ttloop: read:
29 | 5602
30 | Remote host invalid connection.
31 |
32 |
33 |
34 | warning: can't verify hostname:
35 | Reverse lookup error (bad hostname config).
36 |
37 |
38 |
39 | 5602
40 |
41 | Multiple connection attempts from same source
42 | (possible scan).
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/rules.d/50-crs-trend-osce_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
20 |
21 |
22 |
23 |
24 | trend-osce
25 | Grouping of Trend OSCE rules.
26 |
27 |
28 |
29 | 7600
30 | ^0|$|^1$|^2$|^33|^10$|^11$|^12$
31 | virus
32 | Virus detected and cleaned/quarantined/removed
33 |
34 |
35 |
36 | 7600
37 | ^5$|^6$|^7$|^8$|^14$|^15$|^16$
38 | virus
39 | Virus detected and unable to clean up.
40 |
41 |
42 |
43 | 7600
44 | ^4$|^13$
45 | Virus scan completed with no errors detected.
46 |
47 |
48 |
49 | 7600
50 | ^25$
51 | Virus scan passed but found a potential security risk.
52 |
53 |
54 |
55 |
56 |
57 |
--------------------------------------------------------------------------------
/rules.d/50-crs-unbound_rules.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 |
13 | unbound
14 | Unbound grouping.
15 |
16 |
17 |
18 | 53760
19 | notice:
20 | Notice grouping.
21 |
22 |
23 |
24 | 53760
25 | info:
26 | Info grouping.
27 |
28 |
29 |
30 | 53761
31 | sendto failed: Can't assign requested address
32 | Can't assign requested address.
33 |
34 |
35 |
36 | 53762
37 | A IN$
38 | DNS A request.
39 |
40 |
41 |
42 | 53762
43 | AAAA IN$
44 | DNS AAAA request.
45 |
46 |
47 |
48 | 53771,53772
49 | \.top\.|\.to\.|\.gq\.|\.cf\.|\.men\.|\.loan\.|\.ml\.|\.work\.|\.click\.|\.tk\.|\.country\.|\.pw\.|\.party\.|\.trade\.|\.review\.|\.club\.|\.bid\.|\.country\.|\.stream\.|\.download\.|\.xin\.|\.gdn\.|\.racing\.|\.jetzt\.|\.win\.|\.vip\.|\.ren\.|\.kim\.|\.mom\.|\.date\.|\.wang\.|\.accountants\.|\.science\.|\.work\.|\.ninja\.|\.xyz\.|\.faith\.|\.zip\.|\.racing\.|\.cricket\.|\.space\.|\.realtor\.|\.christmas\.|\.gdn\.|\.pro\.
50 | Possibly critical URL requested
51 |
52 |
53 |
54 | 53760
55 | info: validation failure
56 | DNSSEC validation failure
57 |
58 |
59 |
60 | 53774
61 | no keys have a DS with algorithm
62 | Algorithm mismatch.
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/rules.d/50-crs-vmpop3d_rules.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
10 |
11 | vm-pop3d
12 | Grouping for the vm-pop3d rules.
13 |
14 |
15 |
16 | 9800
17 | failed auth
18 | authentication_failed,
19 | Login failed accessing the pop3 server.
20 |
21 |
22 |
23 | 9801
24 |
25 | POP3 brute force (multiple failed logins).
26 | authentication_failures,
27 |
28 |
29 |
30 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/rules.d/50-crs-vpn_concentrator_rules.xml:
--------------------------------------------------------------------------------
1 |
16 |
17 |
18 |
21 |
22 |
23 |
24 |
25 | cisco-vpn-concentrator
26 | Grouping of Cisco VPN concentrator rules
27 |
28 |
29 |
30 | 14200
31 | ^IKE/52$
32 | VPN authentication successful.
33 | authentication_success,
34 |
35 |
36 |
37 | 14200
38 | ^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$
39 | VPN authentication failed.
40 | authentication_failed,
41 |
42 |
43 |
44 | 14200
45 | ^HTTP/47$|^SSH/16$
46 | alert_by_email
47 | VPN Admin authentication successful.
48 | authentication_success,
49 |
50 |
51 |
52 | 14202
53 |
54 | Multiple VPN authentication failures.
55 | authentication_failures,
56 |
57 |
58 |
59 |
60 |
61 |
--------------------------------------------------------------------------------
/rules.d/50-crs-vpopmail_rules.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 |
10 |
11 |
12 | vpopmail
13 | Grouping for the vpopmail rules.
14 |
15 |
16 |
17 | 9900
18 | password fail
19 | authentication_failed,
20 | Login failed for vpopmail.
21 |
22 |
23 |
24 | 9900
25 | vpopmail user not found
26 | invalid_login,
27 | Attempt to login to vpopmail with invalid username.
28 |
29 |
30 |
31 | 9900
32 | null password given
33 | authentication_failed,
34 | Attempt to login to vpopmail with empty password.
35 |
36 |
37 |
38 | 9900
39 | login success
40 | authentication_success,
41 | Vpopmail successful login.
42 |
43 |
44 |
45 |
46 | 9901
47 |
48 | Vpopmail brute force (multiple failed logins).
49 | authentication_failures,
50 |
51 |
52 |
53 | 9902
54 |
55 | Vpopmail brute force (email harvesting).
56 | authentication_failures,
57 |
58 |
59 |
60 | 9903
61 |
62 | VPOPMAIL brute force (empty password).
63 | authentication_failures,
64 |
65 |
66 |
67 |
68 |
69 |
--------------------------------------------------------------------------------
/rules.d/50-crs-vsftpd_rules.xml:
--------------------------------------------------------------------------------
1 |
9 |
10 |
11 |
12 |
13 | vsftpd
14 | Grouping for the vsftpd rules.
15 |
16 |
17 |
18 | 11400
19 | CONNECT: Client
20 | connection_attempt
21 | FTP session opened.
22 |
23 |
24 |
25 | 11400
26 | OK LOGIN:
27 | FTP Authentication success.
28 | authentication_success,
29 |
30 |
31 |
32 | 11400
33 | FAIL LOGIN:
34 | Login failed accessing the FTP server.
35 | authentication_failed,
36 |
37 |
38 |
39 | 11400
40 | OK UPLOAD:
41 | FTP server file upload.
42 |
43 |
44 |
45 | 11403
46 |
47 | FTP brute force (multiple failed logins).
48 | authentication_failures,
49 |
50 |
51 |
52 | 11401
53 |
54 | Multiple FTP connection attempts from
55 | same source IP.
56 | recon,
57 |
58 |
59 |
60 |
61 |
62 |
63 |
--------------------------------------------------------------------------------
/rules.d/50-crs-wordpress_rules.xml:
--------------------------------------------------------------------------------
1 |
14 |
15 |
16 |
17 | wordpress
18 | Wordpress messages grouped.
19 |
20 |
21 |
22 | 9500
23 | User authentication failed
24 | Wordpress authentication failed.
25 | authentication_failed,
26 |
27 |
28 |
29 | 9500
30 | User logged in
31 | Wordpress authentication succeeded.
32 | authentication_success,
33 |
34 |
35 |
36 | 9500
37 | WPsyslog was successfully initiali
38 | WPsyslog was successfully initialized.
39 |
40 |
41 |
42 | 9500
43 | Plugin deactivated
44 | Wordpress plugin deactivated.
45 |
46 |
47 |
48 | 9500
49 | Warning: Comment flood attempt
50 | Wordpress Comment Flood Attempt.
51 |
52 |
53 |
54 | 9500
55 | Warning: IDS:
56 | Attack against Wordpress detected.
57 |
58 |
59 |
60 | 9501
61 |
62 | Multiple wordpress authentication failures.
63 | authentication_failures,
64 |
65 |
66 |
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/rules.d/50-crs-zeus_rules.xml:
--------------------------------------------------------------------------------
1 |
18 |
19 |
20 |
23 |
24 |
25 |
26 |
27 | zeus
28 | Grouping of Zeus rules.
29 |
30 |
31 |
32 | 31200
33 | ^\[\S+ \S+\] INFO:|^\[\S+ \S+\] SSL:
34 | Grouping of Zeus informational logs.
35 |
36 |
37 |
38 | 31200
39 | ^\[\S+ \S+\] WARN:
40 | Zeus warning log.
41 |
42 |
43 |
44 | 31200
45 | ^\[\S+ \S+\] SERIOUS:
46 | Zeus serious log.
47 |
48 |
49 |
50 | 31200
51 | ^\[\S+ \S+\] FATAL:
52 | Zeus fatal log.
53 |
54 |
55 |
56 | 31202
57 | admin:Authentication failure
58 | Admin authentication failed.
59 | authentication_failed,
60 |
61 |
62 |
63 | 31202
64 | Unknown directive
65 | Configuration warning (ignored).
66 |
67 |
68 |
69 | 31202
70 | Multiple Zeus warnings.
71 |
72 |
73 |
74 |
75 |
76 |
--------------------------------------------------------------------------------
/rules.d/55-crs-topleveldomain_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | 31100
10 | \.top:|\.to:|\.gq:|\.cf:|\.men:|\.loan:|\.ml:|\.work:|\.click:|\.tk:|\.country:|\.pw:|\.party:|\.trade:|\.review:|\.club:|\.bid:|\.country:|\.stream:|\.download:|\.xin:|\.gdn:|\.racing:|\.jetzt:|\.win:|\.vip:|\.ren:|\.kim:|\.mom:|\.date:|\.wang:|\.accountants:|\.science:|\.work:|\.ninja:|\.xyz:|\.faith:|\.zip:|\.racing:|\.cricket:|\.space:|\.realtor:|\.christmas:|\.gdn:|\.pro:
11 | Possibly critical URL access attempt
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/rules.d/60-crs-ms1016_usbdetect_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | 18104
6 | ^6416$
7 | A new external device was recognized by the System
8 | windows,
9 |
10 |
11 |
--------------------------------------------------------------------------------
/rules.d/70-crs-last_rootlogin_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | 535
9 | root|reboot|admin|superuser|administrator|supervisor|toor
10 | Sensitive login detected
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/rules.d/70-crs-openbsd-dhcp_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
6 |
7 |
8 |
9 | dhcpd
10 | dhcpd grouping.
11 |
12 |
13 |
14 | 53000
15 | ^DHCPREQUEST|^DHCPOFFER |^DHCPDISCOVER|^DHCPACK
16 | Normal dhcp.
17 |
18 |
19 |
20 | 53000
21 | answers a ping after sending a release|Possible release spoof
22 | A host issued a release but is responding to pings.
23 |
24 |
25 |
26 | 53000
27 | expecting left brace\.$|
28 | fixed-address parameter not allowed here\.$|
29 | parameters not allowed after first declaration\.$|
30 | Configuration file errors encountered
31 | Configuration errors.
32 |
33 |
34 |
35 | 53000
36 | exiting\.$
37 | dhcpd is exiting.
38 |
39 |
40 |
41 | 53000
42 | Can't listen on
43 | dhcpd cannot listen to an interface.
44 |
45 |
46 |
47 | 53006
48 | has no subnet declaration for
49 | dhcpd is not configured to listen to an interface.
50 |
51 |
52 |
53 | 53000
54 | Listening on
55 | dhcpd has been started.
56 |
57 |
58 |
59 | 53000
60 | ^Address range
61 | Message with address range.
62 |
63 |
64 |
65 | 53009
66 | not on net
67 | Defined address range is not on the configured network.
68 |
69 |
70 |
71 | 53000
72 | ^no free leases
73 | DHCP server has run out of leases.
74 |
75 |
76 |
77 | 53000
78 | ^already acking lease
79 | Multiple acks.
80 |
81 |
82 |
83 |
84 |
85 |
--------------------------------------------------------------------------------
/rules.d/70-crs-owncloud_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | owncloud
4 | ownCloud messages grouped.
5 |
6 |
7 |
8 | 53300
9 | Login failed:
10 | ownCloud authentication failed.
11 | authentication_failed,
12 |
13 |
14 |
15 | 53301
16 |
17 | ownCloud brute force (multiple failed logins).
18 | authentication_failures,
19 |
20 |
21 |
22 | 53300
23 | Passed filename is not valid, might be malicious
24 | ownCloud possible malicious request.
25 | web,appsec,attack,
26 |
27 |
28 |
29 | 53300
30 | ^4$
31 | ownCloud FATAL message.
32 |
33 |
34 |
35 | 53300
36 | ^3$
37 | ownCloud ERROR message.
38 |
39 |
40 |
41 | 53300
42 | ^2$
43 | ownCloud WARN message.
44 |
45 |
46 |
47 | 53300
48 | ^1$
49 | ownCloud INFO message.
50 |
51 |
52 |
53 | 53300
54 | ^0$
55 | ownCloud DEBUG message.
56 |
57 |
58 |
--------------------------------------------------------------------------------
/rules.d/70-crs-proxmox-ve_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | pvedaemon
4 | pvedaemon messages grouped.
5 |
6 |
7 |
8 | 53400
9 | authentication failure;
10 | Proxmox VE authentication failed.
11 | authentication_failed,
12 |
13 |
14 |
15 | 53401
16 |
17 | Proxmox VE brute force (multiple failed logins).
18 | authentication_failures,
19 |
20 |
21 |
22 | 53400
23 | successful auth for user
24 | Proxmox VE authentication succeeded.
25 | authentication_success,
26 |
27 |
28 |
--------------------------------------------------------------------------------
/rules.d/70-crs-psad_rules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | psad
4 | psad
5 | PSAD group
6 |
7 |
8 |
9 | 53700
10 | scan detected
11 | PSAD group scan detected
12 |
13 |
14 | 53700
15 | added iptables
16 | PSAD group added iptables
17 |
18 |
19 |
20 | 53701
21 | DL: 4|DL: 5
22 | PSAD portscan
23 |
24 |
25 | 53702
26 | auto-block against
27 | PSAD auto-block
28 |
29 |
30 |
31 | 53701
32 | DL: 3
33 | PSAD level 3 warning
34 |
35 |
36 | 53713
37 |
38 | many PSAD level 3 warnings from same source
39 |
40 |
41 | 53713
42 |
43 | many PSAD level 3 warnings from same source (slow scan)
44 |
45 |
46 |
47 | 53700
48 | signature match:
49 | PSAD signature match
50 |
51 |
52 |
--------------------------------------------------------------------------------
/rules.d/99-crs-policy_rules.xml:
--------------------------------------------------------------------------------
1 |
15 |
16 |
17 |
18 |
19 | authentication_success
20 |
21 | Successful login during non-business hours.
22 | login_time,
23 | no_ar
24 |
25 |
26 |
27 | authentication_success
28 | weekends
29 | Successful login during weekend.
30 | login_day,
31 | no_ar
32 |
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------