0% found this document useful (0 votes)

440 views23 pages

Ossec

The document contains rules for analyzing syslog messages and identifying potential security events. It includes rules grouped by categories like attacks, scans, privilege escalation attempts. Specific rules define matches for signatures related to exploits, viruses, firewall drops and authentication failures.

Uploaded by

Soumya Rout

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

440 views23 pages

Ossec

Uploaded by

Soumya Rout

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

You are on page 1/ 23

<rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.

</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.</description> </rule> <rule id="30107" level="6"> <if_sid>30101</if_sid> <match>Client sent malformed Host header</match> <description>Code Red attack.</description> <info type="link">http://www.cert.org/advisories/CA-2001-19.html</info> <info type="text">CERT: Advisory CA-2001-19 "Code Red" Worm Exploiting Buffe r Overflow In IIS Indexing Service DLL</info> <group>automatic_attack,</group> </rule> <rule id="30115" level="5"> <if_sid>30101</if_sid> <match>Invalid URI in request</match> <description>Invalid URI (bad client request).</description> <group>invalid_request,</group> </rule> <rule id="30116" level="10" frequency="8" timeframe="120"> <if_matched_sid>30115</if_matched_sid> <same_source_ip /> <description>Multiple Invalid URI requests from </description> <description>same source.</description> <group>invalid_request,</group> </rule> <rule id="30118" level="6"> <if_sid>30101</if_sid> <match>mod_security: Access denied|ModSecurity: Access denied</match> <description>Access attempt blocked by Mod Security.</description> <group>access_denied,</group> </rule> <rule id="30116" level="10" frequency="8" timeframe="120"> <if_matched_sid>30115</if_matched_sid> <same_source_ip /> <description>Multiple Invalid URI requests from </description> <description>same source.</description> <group>invalid_request,</group>

</rule> <rule id="30201" level="6"> <if_sid>30200</if_sid> <match>^mod_security-message: Access denied </match> <description>Modsecurity access denied.</description> <group>access_denied,</group> </rule> <rule id="30202" level="10" frequency="8" timeframe="120"> <if_matched_sid>30201</if_matched_sid> <description>Multiple attempts blocked by Mod Security.</description> <group>access_denied,</group> </rule>  <group name="syslog,attacks,"> <rule id="40101" level="12"> <if_group>authentication_success</if_group> <user>$SYS_USERS</user> <description>System user successfully logged to the system.</description> <group>invalid_login,</group> </rule> <rule id="40102" level="14"> <regex>^rpc.statd[\d+]: gethostbyname error for \W+</regex> <description>Buffer overflow attack on rpc.statd</description> <group>exploit_attempt,</group> </rule> <rule id="40103" level="14"> <regex>ftpd[\d+]: \S+ FTP LOGIN FROM \.+ 0bin0sh</regex> <description>Buffer overflow on WU-FTPD versions prior to 2.6</description> <group>exploit_attempt,</group> </rule> <rule id="40104" level="13"> <match>?????????????????????</match> <description>Possible buffer overflow attempt.</description> <group>exploit_attempt,</group> </rule> <rule id="40105" level="12"> <match>changed by $\(null$</match> <description>"Null" user changed some information.</description> <group>exploit_attempt,</group> </rule> <rule id="40106" level="12"> <match>@@@@@@@@@@@@@@@@@@@@@@@@@</match> <description>Buffer overflow attempt (probably on yppasswd).</description> <group>exploit_attempt,</group> </rule> <rule id="40107" level="14"> <regex>cachefsd: Segmentation Fault - core dumped</regex> <description>Heap overflow in the Solaris cachefsd service.</description> <info type='cve'>2002-0033</info> <group>exploit_attempt,</group> </rule>

<rule id="40109" level="12"> <match>attempt to execute code on stack by</match> <description>Stack overflow attempt or program exiting </description> <description>with SEGV (Solaris).</description> <info type="link">http://snap.nlc.dcccd.edu/reference/sysadmin/julian/ch18/3 89-392.html</info> <group>exploit_attempt,</group> </rule> <rule id="40111" level="10" frequency="10" timeframe="160"> <if_matched_group>authentication_failed</if_matched_group> <description>Multiple authentication failures.</description> <group>authentication_failures,</group> </rule> <rule id="40112" level="12" timeframe="240"> <if_group>authentication_success</if_group> <if_matched_group>authentication_failures</if_matched_group> <same_source_ip /> <description>Multiple authentication failures followed </description> <description>by a success.</description> </rule> <rule id="40113" level="12" frequency="6" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,</group> </rule> </group>

<group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>Attacks followed by the addition </description> <description>of an user.</description> </rule> </group>

<rule id="40113" level="12" frequency="6" timeframe="360"> <if_matched_group>virus</if_matched_group> <description>Multiple viruses detected - Possible outbreak.</description> <group>virus,</group> </rule> </group>

<group name="syslog,recon,"> <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90"> <if_matched_group>connection_attempt</if_matched_group> <description>Network scan from same source ip.</description> <same_source_ip /> <info type="link">http://project.honeynet.org/papers/enemy2/</info> </rule> <rule id="52000" level="0"> <decoded_as>bro-ids</decoded_as> <description>Grouping for all bro-ids events.</description> </rule> <rule id="52007" level="4"> <if_sid>52000</if_sid> <match>no=ZoneTransfer</match> <description>Bro-ids Zone Transfer alert.</description> </rule> <rule id="52008" level="4"> <if_sid>52000</if_sid> <match>no=SensitivePortMapperAccess</match> <description>Bro-ids detected acces to the portmapper port.</description> </rule> </group>  <rule id="52009" level="4"> <if_sid>52000</if_sid> <match>no=PortScan </match> <description>Bro-ids detected a portscan.</description> </rule> <rule id="52500" level="0" noalert="1"> <decoded_as>clamd</decoded_as> <description>Grouping of the clamd rules.</description> </rule> <rule id="52502" level="8"> <if_sid>52500</if_sid> <match>FOUND</match> <description>Virus detected</description> <group>virus</group> </rule> <group name="firewall,"> <rule id="4100" level="0"> <category>firewall</category> <description>Firewall rules grouped.</description> </rule>  <rule id="4101" level="5"> <if_sid>4100</if_sid> <action>DROP</action> <options>no_log</options> <description>Firewall drop event.</description> <group>firewall_drop,</group> </rule>

<rule id="4151" level="10" frequency="16" timeframe="45" ignore="240"> <if_matched_sid>4101</if_matched_sid> <same_source_ip /> <description>Multiple Firewall drop events from same source.</description> <group>multiple_drops,</group> </rule> </group> <rule id="11107" level="5"> <if_sid>11100</if_sid> <match>refused connect from</match> <group>access_denied,</group> <description>Connection blocked by Tcp Wrappers.</description> </rule> <rule id="11108" level="5"> <if_sid>11100</if_sid> <match>warning: can't verify hostname: |gethostbyaddr: </match> <description>Reverse lookup error (bad ISP config).</description> <group>client_misconfig,</group> </rule> <rule id="11109" level="10"> <if_sid>11100</if_sid> <match>repeated login failures</match> <description>Multiple FTP failed login attempts.</description> <group>authentication_failures,</group> </rule> <rule id="11111" level="9"> <if_sid>11100</if_sid> <match>PAM_ERROR_MSG: Account is disabled</match> <description>Attempt to login with disabled account.</description> <group>authentication_failed,</group> </rule> <rule id="11111" level="9"> <if_sid>11100</if_sid> <match>PAM_ERROR_MSG: Account is disabled</match> <description>Attempt to login with disabled account.</description> <group>authentication_failed,</group> </rule> <rule id="31100" level="0"> <category>web-log</category> <description>Access log messages grouped.</description> </rule> <rule id="31103" level="6"> <if_sid>31100</if_sid> <url>='|select%20|select+|insert%20|%20from%20|%20where%20|union%20|</url> <url>union+|where+|null,null|xp_cmdshell</url> <description>SQL injection attempt.</description> <group>attack,sql_injection,</group> </rule> <rule id="31104" level="6"> <if_sid>31100</if_sid>  <url>%027|%00|%01|%7f|%2E%2E|%0A|%0D|../..|..\..|echo;|..|</url> <url>cmd.exe|.exe|_mem_bin|msadc|/winnt/|</url> <url>/x90/|default.ida|/sumthin|nsiislog.dll|chmod%|wget%|cd%20|</url> <url>cat%20|exec%20|rm%20</url> <description>Common web attack.</description>

<group>attack,</group> </rule> <rule id="31105" level="6"> <if_sid>31100</if_sid> <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url> <url>%20ONLOAD=|INPUT%20|iframe%20</url> <description>XSS (Cross Site Scripting) attempt.</description> <group>attack,</group> </rule> <rule id="31106" level="6"> <if_sid>31103, 31104, 31105</if_sid> <id>^200</id> <description>A web attack returned code 200 (success).</description> <group>attack,</group> </rule> <rule id="31110" level="6"> <if_sid>31100</if_sid> <url>?-d|?-s|?-a|?-b|?-w</url> <description>PHP CGI-bin vulnerability attempt.</description> <group>attack,</group> </rule> <rule id="31109" level="6"> <if_sid>31100</if_sid> <url>+as+varchar(8000)</url> <regex>%2Bchar$\d+$%2Bchar$\d+$%2Bchar$\d+$%2Bchar$\d+$%2Bchar$\d+\ )%2Bchar\(\d+$</regex> <description>MSSQL Injection attempt (/ur.php, urchin.js)</description> <group>attack,</group> </rule>  <rule id="31107" level="0"> <if_sid>31103, 31104, 31105</if_sid> <url>^/search.php?search=|^/index.php?searchword=</url> <description>Ignored URLs for the web attacks</description> </rule>

<rule id="31152" level="10" frequency="6" timeframe="120"> <if_matched_sid>31103</if_matched_sid> <same_source_ip /> <description>Multiple SQL injection attempts from same </description> <description>souce ip.</description> <group>attack,sql_injection,</group> </rule> <rule id="31153" level="10" frequency="8" timeframe="120"> <if_matched_sid>31104</if_matched_sid> <same_source_ip /> <description>Multiple common web attacks from same souce ip.</description> <group>attack,</group> </rule>

<rule id="31154" level="10" frequency="8" timeframe="120"> <if_matched_sid>31105</if_matched_sid> <same_source_ip /> <description>Multiple XSS (Cross Site Scripting) attempts </description> <description>from same souce ip.</description> <group>attack,</group> </rule> <rule id="31163" level="10" frequency="8" timeframe="120"> <if_matched_sid>31123</if_matched_sid> <same_source_ip /> <description>Multiple web server 503 error code (Service unavailable).</desc ription> <group>web_scan,recon,</group> </rule> <rule id="5700" level="0" noalert="1"> <decoded_as>sshd</decoded_as> <description>SSHD messages grouped.</description> </rule> <group name="ossec,"> <rule id="500" level="0"> <category>ossec</category> <decoded_as>ossec</decoded_as> <description>Grouping of ossec rules.</description> </rule>

<rule id="509" level="0"> <category>ossec</category> <decoded_as>rootcheck</decoded_as> <description>Rootcheck event.</description> <group>rootcheck,</group> </rule> <rule id="510" level="7"> <if_sid>509</if_sid> <description>Host-based anomaly detection event (rootcheck).</description> <group>rootcheck,</group> <if_fts /> </rule> <rule id="511" level="0"> <if_sid>510</if_sid> <match>^NTFS Alternate data stream found</match> <regex>Thumbs.db:encryptable'.|:Zone.Identifier'.|</regex> <regex>Exchsrvr/Mailroot/vsi</regex> <description>Ignored common NTFS ADS entries.</description> <group>rootcheck,</group> </rule> <rule id="513" level="9"> <if_sid>510</if_sid> <match>^Windows Malware</match>

<description>Windows malware detected.</description> <group>rootcheck,</group> </rule> <rule id="514" level="2"> <if_sid>510</if_sid> <match>Âpplication Found</match> <description>Windows application monitor event.</description> <group>rootcheck,</group> </rule> <rule id="515" level="0"> <if_sid>510</if_sid> <match>^Starting rootcheck scan|Ênding rootcheck scan.|</match> <match>^Starting syscheck scan|Ênding syscheck scan.</match> <description>Ignoring rootcheck/syscheck scan messages.</description> <group>rootcheck,syscheck</group> </rule> <rule id="518" level="9"> <if_sid>514</if_sid> <match>Adware|Spyware</match> <description>Windows Adware/Spyware application found.</description> <group>rootcheck,</group> </rule> <rule id="519" level="7"> <if_sid>516</if_sid> <match>^System Audit: Web vulnerability</match> <description>System Audit: Vulnerable web application found.</description> <group>rootcheck,</group> </rule>

<rule id="533" level="7"> <if_sid>530</if_sid> <match>ossec: output: 'netstat -tan</match> <check_diff /> <description>Listened ports status (netstat) changed (new port opened or clo sed).</description> </rule>

<rule id="552" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_3rd</decoded_as> <description>Integrity checksum changed again (3rd time).</description> <group>syscheck,</group>

</rule> <rule id="553" level="7"> <category>ossec</category> <decoded_as>syscheck_deleted</decoded_as> <description>File deleted. Unable to retrieve checksum.</description> <group>syscheck,</group> </rule> <rule id="554" level="0"> <category>ossec</category> <decoded_as>syscheck_new_entry</decoded_as> <description>File added to the system.</description> <group>syscheck,</group> </rule> <rule id="555" level="7"> <if_sid>500</if_sid> <match>^ossec: agentless: </match> <description>Integrity checksum for agentless device changed.</description> <group>syscheck,agentless</group> </rule>  <rule id="580" level="8"> <category>ossec</category> <decoded_as>hostinfo_modified</decoded_as> <description>Host information changed.</description> <group>hostinfo,</group> </rule> <rule id="581" level="8"> <category>ossec</category> <decoded_as>hostinfo_new</decoded_as> <description>Host information added.</description> <group>hostinfo,</group> </rule>  <rule id="591" level="3"> <if_sid>500</if_sid> <match>^ossec: File rotated </match> <description>Log file rotated.</description> </rule>

<rule id="593" level="9"> <if_sid>500</if_sid> <match>^ossec: Event log cleared</match> <description>Microsoft Event log cleared.</description> <group>logs_cleared,</group> </rule>

<rule id="596" level="5"> <category>ossec</category>

<if_sid>552</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Integrity Checksum Changed Again (3rd time)</descripti on> </rule> <rule id="597" level="5"> <category>ossec</category> <if_sid>553</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Entry Deleted. Unable to Retrieve Checksum</descriptio n> </rule> <rule id="598" level="5"> <category>ossec</category> <if_sid>554</if_sid> <hostname>syscheck-registry</hostname> <group>syscheck,</group> <description>Registry Entry Added to the System</description> </rule>

<rule id="600" level="0"> <decoded_as>ar_log</decoded_as> <description>Active Response Messages Grouped</description> <group>active_response,</group> </rule> <rule id="601" level="3"> <if_sid>600</if_sid> <action>firewall-drop.sh</action> <status>add</status> <description>Host Blocked by firewall-drop.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="603" level="3"> <if_sid>600</if_sid> <action>host-deny.sh</action> <status>add</status> <description>Host Blocked by host-deny.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="605" level="3"> <if_sid>600</if_sid> <action>route-null.sh</action> <status>add</status> <description>Host Blocked by route-null.sh Active Response</description> <group>active_response,</group> </rule>

<rule id="12119" level="3"> <if_sid>12100</if_sid> <match>starting BIND</match> <description>BIND has been started</description> </rule> <rule id="12120" level="1"> <if_sid>12100</if_sid> <match>has no address records</match> <description>Missing A or AAAA record</description> </rule> <rule id="12121" level="1"> <if_sid>12100</if_sid> <regex>zone \S+: $master$ removed</regex> <description>Zone has been removed from a master server</description> </rule> <rule id="12122" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description > </rule> <rule id="12123" level="0"> <if_sid>12100</if_sid> <match>already exists previous definition</match> <description>Zone has been duplicated</description> </rule> <rule id="12125" level="3"> <if_sid>12100</if_sid> <match>reloading configuration failed: unexpected end of input</match> <description>BIND Configuration error.</description> </rule> <rule id="12126" level="0"> <if_sid>12100</if_sid> <regex>zone \S+: $master$ removed</regex> <description>Zone has been removed from a master server</description> </rule> <rule id="12127" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description > </rule> <rule id="12128" level="1"> <if_sid>12100</if_sid> <match>^transfer of|</match> <match>AXFR started$</match> <description>Zone transfer.</description> </rule> <rule id="12129" level="4"> <if_sid>12128</if_sid>

<match>failed to connect: connection refused</match> <description>Zone transfer failed, unable to connect to master.</description > </rule> <rule id="12130" level="2"> <if_sid>12100</if_sid> <match>IPv6 interfaces failed</match> <description>Could not listen on IPv6 interface.</description> </rule> <rule id="12131" level="2"> <if_sid>12100</if_sid> <match>failed; interface ignored</match> <description>Could not bind to an interface.</description> </rule> <rule id="12132" level="0"> <if_sid>12128</if_sid> <match>failed while receiving responses: not authoritative</match> <description>Master is not authoritative for zone.</description> </rule> <rule id="12133" level="4"> <if_sid>12100</if_sid> <regex>open: \S+: permission denied$</regex> <description>Could not open configuration file, permission denied.</descript ion> </rule> <rule id="12134" level="4"> <if_sid>12100</if_sid> <match>loading configuration: permission denied</match> <description>Could not open configuration file, permission denied.</descript ion> </rule> <rule id="12135" level="0"> <if_sid>12100</if_sid> <match>IN SOA -E</match> <description>Domain in SOA -E.</description> </rule> <rule id="12136" level="4"> <if_sid>12128</if_sid> <match>failed to connect: host unreachable</match> <description>Master appears to be down.</description> </rule> <rule id="12137" level="0"> <if_sid>12100</if_sid> <match>IN AXFR -</match> <description>Domain is queried for a zone transferred.</description> </rule> <rule id="12138" level="0"> <if_sid>12100</if_sid> <match> IN A +</match> <description>Domain A record found.</description> </rule>

<rule id="12139" level="3"> <if_sid>12100</if_sid> <regex>client \S+: bad zone transfer request: \S+: non-authoritative zone $ NOTAUTH$</regex> <description>Bad zone transfer request.</description> </rule> <rule id="12140" level="2"> <if_sid>12100</if_sid> <match>refresh: failure trying master</match> <description>Cannot refresh a domain from the master server.</description> </rule> <rule id="12141" level="1"> <if_sid>12100</if_sid> <match>SOA record not at top of zone</match> <description>Origin of zone and owner name of SOA do not match.</description > </rule> <rule id="12142" level="0"> <if_sid>12100</if_sid> <match>command channel listening on</match> <description>named command channel is listening.</description> </rule> <rule id="12143" level="0"> <if_sid>12100</if_sid> <match>automatic empty zone</match> <description>named has created an automatic empty zone.</description> </rule> <rule id="12144" level="9"> <if_sid>12100</if_sid> <match>reloading configuration failed: out of memory</match> <description>Server does not have enough memory to reload the configuration. </description> </rule> <rule id="12145" level="1"> <if_sid>12100</if_sid> <regex>zone transfer \S+ denied</regex> <description>zone transfer denied</description> </rule> <rule id="12146" level="0"> <if_sid>12100</if_sid> <match>error sending response: host unreachable$</match> <description>Cannot send a DNS response.</description> </rule> <rule id="12147" level="0"> <if_sid>12100</if_sid> <regex>update forwarding \.+ denied$</regex> <description>Cannot update forwarding domain.</description> </rule> <rule id="12148" level="0"> <if_sid>12100</if_sid>

<match>: parsing failed$</match> <description>Parsing of a configuration file has failed.</description> </rule> </group>  [root@localhost rules]# cat named_rules.xml  <group name="syslog,named,"> <rule id="12100" level="0"> <decoded_as>named</decoded_as> <description>Grouping of the named rules</description> </rule> <rule id="12101" level="12"> <if_sid>12100</if_sid> <match>dropping source port zero packet from</match> <description>Invalid DNS packet. Possibility of attack.</description> <group>invalid_access,</group> </rule> <rule id="12102" level="9"> <if_sid>12100</if_sid> <match>denied AXFR from</match> <description>Failed attempt to perform a zone transfer.</description> <group>access_denied,</group> </rule> <rule id="12103" level="4"> <if_sid>12100</if_sid> <match>denied update from|unapproved update from</match> <description>DNS update denied. </description> <description>Generally mis-configuration.</description> <info type="link">http://seclists.org/incidents/2000/May/217</info> <group>client_misconfig,</group> </rule> <rule id="12104" level="4"> <if_sid>12100</if_sid> <match>unable to rename log file</match> <description>Log permission misconfiguration in Named.</description> <group>system_error,</group> </rule> <rule id="12105" level="4"> <if_sid>12100</if_sid>

<match>unexpected RCODE </match> <description>Unexpected error while resolving domain.</description> </rule> <rule id="12106" level="4"> <if_sid>12100</if_sid> <match>refused notify from non-master</match> <description>DNS configuration error.</description> </rule> <rule id="12107" level="0"> <if_sid>12100</if_sid> <regex>update \S+ denied</regex> <description>DNS update using RFC2136 Dynamic protocol.</description> </rule>

<rule id="12113" level="0"> <if_sid>12100</if_sid> <match>zone transfer deferred due to quota</match> <description>Zone transfer deferred.</description> </rule>

<rule id="12117" level="1"> <if_sid>12100</if_sid> <regex>refresh: retry limit for master \S+ exceeded</regex> <description>Zone transfer rety limit exceeded</description> </rule> <rule id="12118" level="1"> <if_sid>12100</if_sid> <match>already exists previous definition</match> <description>Zone has been duplicated.</description> </rule>

<rule id="12122" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description > </rule>

<rule id="12127" level="1"> <if_sid>12100</if_sid> <regex>loading from master file \S+ failed: not at top of zone$</regex> <description>Origin of zone and owner name of SOA do not match.</description > </rule> <rule id="12128" level="1"> <if_sid>12100</if_sid> <match>^transfer of|</match> <match>AXFR started$</match> <description>Zone transfer.</description> </rule>

<rule id="12133" level="4"> <if_sid>12100</if_sid> <regex>open: \S+: permission denied$</regex> <description>Could not open configuration file, permission denied.</descript ion> </rule> <rule id="12134" level="4"> <if_sid>12100</if_sid> <match>loading configuration: permission denied</match> <description>Could not open configuration file, permission denied.</descript ion> </rule>

<rule id="12143" level="0"> <if_sid>12100</if_sid> <match>automatic empty zone</match> <description>named has created an automatic empty zone.</description> </rule>

<rule id="12145" level="1"> <if_sid>12100</if_sid> <regex>zone transfer \S+ denied</regex> <description>zone transfer denied</description> </rule>

<rule id="12147" level="0"> <if_sid>12100</if_sid> <regex>update forwarding \.+ denied$</regex> <description>Cannot update forwarding domain.</description> </rule> <group name="syslog,msftp,"> <rule id="11500" level="0"> <decoded_as>msftp</decoded_as> <description>Grouping for the Microsoft ftp rules.</description> </rule> <rule id="11501" level="3"> <if_sid>11500</if_sid> <action>USER</action> <description>New FTP connection.</description> <group>connection_attempt,</group> </rule> <rule id="11502" level="5"> <if_sid>11500</if_sid> <action>PASS</action> <id>530</id> <description>FTP Authentication failed.</description> <group>authentication_failed,</group> </rule> <rule id="11503" level="3"> <if_sid>11500</if_sid> <action>PASS</action> <id>230</id> <description>FTP Authentication success.</description> <group>authentication_success,</group> </rule> <rule id="11504" level="4"> <if_sid>11500</if_sid> <id>^5</id> <description>FTP client request failed.</description> </rule> <rule id="11510" level="10" frequency="6" timeframe="120"> <if_matched_sid>11502</if_matched_sid> <description>FTP brute force (multiple failed logins).</description> <group>authentication_failures,</group> </rule> <rule id="11511" level="10" frequency="8" timeframe="30"> <if_matched_sid>11501</if_matched_sid> <same_source_ip /> <description>Multiple connection attempts from same source.</description> <group>recon,</group> </rule> <rule id="11512" level="10" frequency="6" timeframe="120"> <if_matched_sid>11504</if_matched_sid> <same_source_ip /> <description>Multiple FTP errors from same source.</description> </rule>

</group>  <group>group_changed,win_group_changed,</group> <info>http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event. aspx?eventid=633</info> </rule>  <rule id="18170" level="10"> <if_sid>18139</if_sid> <match>Failure Code: 0x1F</match> <description>Windows DC integrity check on decrypted </description> <description>field failed.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</in fo> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18171" level="10"> <if_sid>18139</if_sid> <match>Failure Code: 0x22</match> <description>Windows DC - Possible replay attack.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</in fo> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18172" level="7"> <if_sid>18139</if_sid> <match>Failure Code: 0x25</match> <description>Windows DC - Clock skew too great.</description> <info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</in fo> <group>win_authentication_failed,attacks,</group> </rule> <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240"> <if_matched_sid>18125</if_matched_sid> <description>Multiple remote access login failures.</description> <group>authentication_failures,</group> </rule> </group> <rule id="31501" level="6"> <if_sid>31100</if_sid> <match>POST /</match> <url>/wp-comments-post.php</url> <regex>Googlebot|MSNBot|BingBot</regex> <description>WordPress Comment Spam (coming from a fake search engine UA).</ description> </rule>  <rule id="31502" level="6"> <if_sid>31100</if_sid> <url>thumb.php|timthumb.php</url> <regex> "GET \S+thumb.php?src=\S+.php</regex> <description>TimThumb vulnerability exploit attempt.</description> </rule>

<rule id="31503" level="6"> <if_sid>31100</if_sid> <url>login.php</url> <regex> "POST /\S+.php/login.php?cPath=</regex> <description>osCommerce login.php bypass attempt.</description> </rule>  <rule id="31504" level="6"> <if_sid>31100</if_sid> <url>login.php</url> <regex> "GET /\S+/admin/file_manager.php/login.php</regex> <description>osCommerce file manager login.php bypass attempt.</description> </rule>  <rule id="31505" level="6"> <if_sid>31100</if_sid> <url>/cache/external</url> <regex> "GET /\S+/cache/external\S+.php</regex> <description>TimThumb backdoor access attempt.</description> </rule>  <rule id="31506" level="6"> <if_sid>31100</if_sid> <url>cart.php</url> <regex> "GET /\S+cart.php?\S+templatefile=../</regex> <description>Cart.php directory transversal attempt.</description> </rule>  <rule id="31507" level="6"> <if_sid>31100</if_sid> <url>DECLARE%20@S%20CHAR|%20AS%20CHAR</url> <description>MSSQL Injection attempt (ur.php, urchin.js).</description> </rule>  <rule id="31508" level="6"> <if_sid>31100</if_sid> <match> "ZmEu"| "libwww-perl/</match> <description>Blacklisted user agent (known malicious user agent).</descripti on> </rule>  <rule id="31509" level="3"> <if_sid>31108</if_sid> <url>wp-login.php</url> <regex>] "POST \S+wp-login.php</regex> <description>WordPress login attempt.</description> </rule>

<rule id="31510" level="6" frequency="4" timeframe="120" ignore="30"> <if_matched_sid>31509</if_matched_sid> <same_source_ip /> <description>WordPress wp-login.php brute force attempt.</description> </rule>  <rule id="31511" level="6"> <if_sid>31100</if_sid> <match>" "Wget/</match> <description>Blacklisted user agent (wget).</description> </rule>  <rule id="31512" level="6"> <if_sid>31100</if_sid> <url>uploadify.php</url> <regex> "GET /\S+/uploadify.php?src=http://\S+.php</regex> <description>TimThumb vulnerability exploit attempt.</description> </rule>  <rule id="31513" level="6"> <if_sid>31100</if_sid> <url>delete.php</url> <regex> "GET \S+/delete.php?board_skin_path=http://\S+.php</regex> <description>BBS delete.php exploit attempt.</description> </rule>  <rule id="31550" level="6"> <if_sid>31100</if_sid> <url>%00</url> <regex> "GET /\S+.php?\S+%00</regex> <description>Anomaly URL query (attempting to pass null termination).</descr iption> </rule> <group name="web,accesslog,"> <rule id="31100" level="0"> <category>web-log</category> <description>Access log messages grouped.</description> </rule> <rule id="31108" level="0"> <if_sid>31100</if_sid> <id>^2|^3</id> <compiled_rule>is_simple_http_request</compiled_rule> <description>Ignored URLs (simple queries).</description> </rule> <rule id="31101" level="5"> <if_sid>31100</if_sid> <id>^4</id> <description>Web server 400 error code.</description> </rule>

<rule id="31107" level="0"> <if_sid>31103, 31104, 31105</if_sid> <url>^/search.php?search=|^/index.php?searchword=</url> <description>Ignored URLs for the web attacks</description> </rule> <rule id="31115" level="13" maxsize="5900"> <if_sid>31100</if_sid> <description>URL too long. Higher than allowed on most </description> <description>browsers. Possible attack.</description> <group>invalid_access,</group> </rule>

OSCP - 2022 - Standalones - October - 19 Machines
No ratings yet
OSCP - 2022 - Standalones - October - 19 Machines
32 pages
eJPT Solution
No ratings yet
eJPT Solution
23 pages
FCPS Part 1 Surgery Allied 20 Feb 2024
No ratings yet
FCPS Part 1 Surgery Allied 20 Feb 2024
206 pages
Challenge 5
100% (1)
Challenge 5
22 pages
Vulnerability Scan Report - Sample
No ratings yet
Vulnerability Scan Report - Sample
102 pages
RedHat Hardening Exam
100% (2)
RedHat Hardening Exam
14 pages
Curs Numerologie
13% (8)
Curs Numerologie
98 pages
Checkpoint Troubleshooting
100% (1)
Checkpoint Troubleshooting
33 pages
Nouveau Document Texte
No ratings yet
Nouveau Document Texte
9 pages
Checkpoint Firewall Presentation
100% (1)
Checkpoint Firewall Presentation
42 pages
Platform Events
No ratings yet
Platform Events
584 pages
A Nice OSCP Cheat Sheet
50% (2)
A Nice OSCP Cheat Sheet
12 pages
CCOA ISACA Certified Cybersecurity Operations Analyst Exam Dumps
No ratings yet
CCOA ISACA Certified Cybersecurity Operations Analyst Exam Dumps
15 pages
Privilege Escalation Cheatsheet PDF
100% (1)
Privilege Escalation Cheatsheet PDF
1 page
SIEM Use Cases - Comprehensive List
100% (1)
SIEM Use Cases - Comprehensive List
20 pages
20198488733
No ratings yet
20198488733
3 pages
Scan Report Metaspolite
No ratings yet
Scan Report Metaspolite
37 pages
Important Questions For Class 12 Computer Science (Python) - Review of Python
100% (1)
Important Questions For Class 12 Computer Science (Python) - Review of Python
31 pages
Handout 10613 AS10613 More Practical Dynamo Marcello Sgambelluri HANDOUT
100% (1)
Handout 10613 AS10613 More Practical Dynamo Marcello Sgambelluri HANDOUT
42 pages
VxRail 8.0.XXX Concepts
No ratings yet
VxRail 8.0.XXX Concepts
2 pages
The Flexible Body Move Better Anywhere Anytime
No ratings yet
The Flexible Body Move Better Anywhere Anytime
1 page
Project Report Final Defence
No ratings yet
Project Report Final Defence
42 pages
Log
No ratings yet
Log
359 pages
Traffic
No ratings yet
Traffic
192 pages
Log
No ratings yet
Log
255 pages
GSM and WCDMA Single Site Verification SSV
No ratings yet
GSM and WCDMA Single Site Verification SSV
10 pages
Unix Administration II
100% (1)
Unix Administration II
6 pages
CCTE Material ApostilaPPT
No ratings yet
CCTE Material ApostilaPPT
128 pages
Command Conversion CISCO ACE - A10
No ratings yet
Command Conversion CISCO ACE - A10
18 pages
Kioptrix 1
No ratings yet
Kioptrix 1
14 pages
Hack Sheet
100% (2)
Hack Sheet
3 pages
389 Directory Server
No ratings yet
389 Directory Server
24 pages
Document 4 (2) - Merged
No ratings yet
Document 4 (2) - Merged
72 pages
ISC Config Production
No ratings yet
ISC Config Production
83 pages
KB
No ratings yet
KB
69 pages
Project Report - Stock
No ratings yet
Project Report - Stock
56 pages
Student Resource Portal: Meghan Patil, Mihir Prajapati, Ankit Patel
No ratings yet
Student Resource Portal: Meghan Patil, Mihir Prajapati, Ankit Patel
18 pages
SIEM Usecase
No ratings yet
SIEM Usecase
23 pages
Message
No ratings yet
Message
11 pages
Proyek Akhir
No ratings yet
Proyek Akhir
13 pages
Putty
No ratings yet
Putty
74 pages
Course Noteh
No ratings yet
Course Noteh
22 pages
Report 1
No ratings yet
Report 1
33 pages
Commands Used in Server
No ratings yet
Commands Used in Server
98 pages
Lab 13
No ratings yet
Lab 13
9 pages
Ffuf
No ratings yet
Ffuf
2 pages
Re - (Packetfence-Users) Packetfence & Nessus Configuration - PacketFence
No ratings yet
Re - (Packetfence-Users) Packetfence & Nessus Configuration - PacketFence
17 pages
Lab Security Onion
No ratings yet
Lab Security Onion
15 pages
Network Errors Linux
No ratings yet
Network Errors Linux
10 pages
PGW Post
No ratings yet
PGW Post
9 pages
Scan Report
No ratings yet
Scan Report
35 pages
Network - Diagnostics - 2023 01 09.14 09 29
No ratings yet
Network - Diagnostics - 2023 01 09.14 09 29
23 pages
Peas
No ratings yet
Peas
8 pages
Eaheart CurrentInternetThreats
No ratings yet
Eaheart CurrentInternetThreats
32 pages
Mazak Programming
No ratings yet
Mazak Programming
4 pages
NNT PCI DSS Compliance Report 2012R2 MemberServer
No ratings yet
NNT PCI DSS Compliance Report 2012R2 MemberServer
15 pages
REQUEST 901 INITIALIZATION - Conf
No ratings yet
REQUEST 901 INITIALIZATION - Conf
8 pages
KB 192.100.100.66
No ratings yet
KB 192.100.100.66
5 pages
Solidworks Enterprise PDM 2012 Pro/E Connector Best Practices Guide
No ratings yet
Solidworks Enterprise PDM 2012 Pro/E Connector Best Practices Guide
27 pages
PIT - SNMP - File Upload: Enumeration Code Execution Initial Access Privilege Escalation
No ratings yet
PIT - SNMP - File Upload: Enumeration Code Execution Initial Access Privilege Escalation
23 pages
Result A
No ratings yet
Result A
3 pages
Umer Ziyad Resume QualityEngineer
No ratings yet
Umer Ziyad Resume QualityEngineer
3 pages
CBE Online Form
No ratings yet
CBE Online Form
20 pages
Windows Penetration Testing Command
No ratings yet
Windows Penetration Testing Command
16 pages
Chee T Sheet
No ratings yet
Chee T Sheet
2 pages
Jebemtimutavce
No ratings yet
Jebemtimutavce
5 pages
Assignment in Automata Theory and Compiler Design
No ratings yet
Assignment in Automata Theory and Compiler Design
18 pages
TypeScript - Training Contents-1 Days
No ratings yet
TypeScript - Training Contents-1 Days
1 page
Interoperability Between BIM Models and 4.0 Approach: Theoretical Models and Practical Cases
No ratings yet
Interoperability Between BIM Models and 4.0 Approach: Theoretical Models and Practical Cases
11 pages
Checkpoint FW Commands
No ratings yet
Checkpoint FW Commands
6 pages
Random Idea
No ratings yet
Random Idea
4 pages
Ilomilo PC Game
No ratings yet
Ilomilo PC Game
2 pages
Palo Alto - Filtering Security Policy Rules
No ratings yet
Palo Alto - Filtering Security Policy Rules
2 pages
Policy Filter Cheat Sheet
No ratings yet
Policy Filter Cheat Sheet
1 page
Config Ejemplo Huawei
No ratings yet
Config Ejemplo Huawei
7 pages
Auditing Checkpoint FW1: The Combat Overview: Welcome!
No ratings yet
Auditing Checkpoint FW1: The Combat Overview: Welcome!
42 pages
Lesson 2: Written Communication
No ratings yet
Lesson 2: Written Communication
3 pages
Beep Machine: Escaneo Y Enumeracion
No ratings yet
Beep Machine: Escaneo Y Enumeracion
8 pages
Introduction To Database Programming: Record
No ratings yet
Introduction To Database Programming: Record
19 pages
Z3k0sec's Blog Z3k0sec's Blog: Hacker - Penetration Tester - Security Researcher
No ratings yet
Z3k0sec's Blog Z3k0sec's Blog: Hacker - Penetration Tester - Security Researcher
1 page
Data Conversion Plan
No ratings yet
Data Conversion Plan
22 pages
Cubes - Models and Schemas
No ratings yet
Cubes - Models and Schemas
6 pages
UNix and Puppet Commands
No ratings yet
UNix and Puppet Commands
10 pages
Active and Passive Filter Synthesis Using MATLAB
No ratings yet
Active and Passive Filter Synthesis Using MATLAB
11 pages
Sobre Los Log en Los Server 98 99
No ratings yet
Sobre Los Log en Los Server 98 99
6 pages
Unix Script Audit
No ratings yet
Unix Script Audit
10 pages
Vulnhub - Kioptrix - Level 1 (#1) - Guillermo Cura
No ratings yet
Vulnhub - Kioptrix - Level 1 (#1) - Guillermo Cura
1 page
GV500 Quick Start V100.160124534
No ratings yet
GV500 Quick Start V100.160124534
2 pages
Django Admin Cookbook
From Everand
Django Admin Cookbook
Shabda Raaj
No ratings yet
Basic DBA Query v.1: Oracle Database
From Everand
Basic DBA Query v.1: Oracle Database
Oraclesql-plsql
5/5 (1)

Ossec

Uploaded by

Ossec

Uploaded by

<rule id="30101" level="0"> <if_sid>30100</if_sid> <match>^[error] </match> <description>Apache error messages grouped.

<rule id="596" level="5"> <category>ossec</category>

You might also like