
Merge branch '3.0'

jesuslinares committed Oct 31, 2017
2 parents c6e54be + 90572cd commit 501755be32e47fd38a8e6ced7e172443fe5bd90b
Showing with 2,111,912 additions and 601,702 deletions.
  1. +1 −1 decoders/0200-ossec_decoders.xml
  2. +31 −31 rules/0015-ossec_rules.xml
  3. +44 −40 rules/0020-syslog_rules.xml
  4. +4 −4 rules/0040-imapd_rules.xml
  5. +1 −1 rules/0045-mailscanner_rules.xml
  6. +2 −2 rules/0050-ms-exchange_rules.xml
  7. +4 −4 rules/0055-courier_rules.xml
  8. +2 −2 rules/0060-firewall_rules.xml
  9. +22 −22 rules/0065-pix_rules.xml
  10. +6 −6 rules/0070-netscreenfw_rules.xml
  11. +7 −3 rules/0075-cisco-ios_rules.xml
  12. +6 −3 rules/0080-sonicwall_rules.xml
  13. +9 −9 rules/0085-pam_rules.xml
  14. +24 −24 rules/0095-sshd_rules.xml
  15. +4 −4 rules/0100-solaris_bsm_rules.xml
  16. +13 −10 rules/0105-asterisk_rules.xml
  17. +12 −12 rules/0110-ms_dhcp_rules.xml
  18. +1 −1 rules/0115-arpwatch_rules.xml
  19. +1 −1 rules/0120-symantec-av_rules.xml
  20. +3 −3 rules/0125-symantec-ws_rules.xml
  21. +2 −2 rules/0130-trend-osce_rules.xml
  22. +4 −4 rules/0135-hordeimp_rules.xml
  23. +2 −2 rules/0140-roundcube_rules.xml
  24. +3 −3 rules/0145-wordpress_rules.xml
  25. +2 −2 rules/0150-cimserver_rules.xml
  26. +9 −9 rules/0155-dovecot_rules.xml
  27. +2 −2 rules/0160-vmpop3d_rules.xml
  28. +7 −7 rules/0165-vpopmail_rules.xml
  29. +4 −4 rules/0170-ftpd_rules.xml
  30. +4 −4 rules/0175-proftpd_rules.xml
  31. +4 −4 rules/0180-pure-ftpd_rules.xml
  32. +3 −3 rules/0185-vsftpd_rules.xml
  33. +3 −3 rules/0190-ms_ftpd_rules.xml
  34. +9 −9 rules/0195-named_rules.xml
  35. +2 −2 rules/0205-racoon_rules.xml
  36. +4 −4 rules/0210-vpn_concentrator_rules.xml
  37. +2 −2 rules/0215-policy_rules.xml
  38. +95 −94 rules/0220-msauth_rules.xml
  39. +12 −10 rules/0225-mcafee_av_rules.xml
  40. +12 −12 rules/0230-ms-se_rules.xml
  41. +15 −10 rules/0235-vmware_rules.xml
  42. +9 −9 rules/0250-apache_rules.xml
  43. +6 −3 rules/0255-zeus_rules.xml
  44. +5 −5 rules/0260-nginx_rules.xml
  45. +8 −8 rules/0265-php_rules.xml
  46. +3 −3 rules/0275-squid_rules.xml
  47. +4 −4 rules/0280-attack_rules.xml
  48. +2 −0 rules/0285-systemd_rules.xml
  49. +8 −7 rules/0295-mysql_rules.xml
  50. +7 −7 rules/0300-postgresql_rules.xml
  51. +5 −5 rules/0305-dropbear_rules.xml
  52. +16 −10 rules/0310-openbsd_rules.xml
  53. +9 −9 rules/0320-clam_av_rules.xml
  54. +18 −0 rules/0340-puppet_rules.xml
  55. +15 −15 rules/0345-netscaler_rules.xml
  56. +13 −7 rules/0360-serv-u_rules.xml
  57. +22 −21 rules/0365-auditd_rules.xml
  58. +1 −0 rules/0375-usb_rules.xml
  59. +14 −14 rules/0390-fortigate_rules.xml
  60. +2 −2 rules/0395-hp_rules.xml
  61. +1 −1 rules/0400-openvpn_rules.xml
  62. +3 −3 rules/0405-rsa-auth-manager_rules.xml
  63. +1 −0 rules/0415-sophos_rules.xml
  64. +1 −1 rules/0420-freeipa_rules.xml
  65. +3 −3 rules/0425-cisco-estreamer_rules.xml
  66. +3 −3 rules/0435-ms_logs_rules.xml
  67. +4 −4 rules/0440-ms_sqlserver_rules.xml
  68. +3 −3 rules/0445-identity_guard_rules.xml
  69. +3 −3 rules/0450-mongodb_rules.xml
  70. +3 −0 rules/0470-vshell_rules.xml
  71. +48 −0 rules/0490-virustotal_rules.xml
  72. +555,600 −0 scap_content/cve-debian-8-oval.xml
  73. +494,048 −0 scap_content/cve-debian-9-oval.xml
  74. +0 −131,705 scap_content/cve-debian-oval.xml
  75. +49,793 −35,138 scap_content/cve-redhat-6-ds.xml
  76. +41,388 −15,813 scap_content/cve-redhat-7-ds.xml
  77. +354,181 −0 scap_content/cve-ubuntu-xenial-oval.xml
  78. +113,657 −86,932 scap_content/ssg-centos-6-ds.xml
  79. +180,567 −111,971 scap_content/ssg-centos-7-ds.xml
  80. +856 −770 scap_content/ssg-debian-8-ds.xml
  81. +36,320 −0 scap_content/ssg-fedora-24-ds.xml
  82. +0 −24,533 scap_content/ssg-fedora-ds.xml
  83. +100,743 −76,063 scap_content/ssg-rhel-6-ds.xml
  84. +175,333 −106,826 scap_content/ssg-rhel-7-ds.xml
  85. +801 −705 scap_content/ssg-ubuntu-1404-ds.xml
  86. +7,988 −10,721 scap_content/ssg-ubuntu-1604-ds.xml
@@ -24,7 +24,7 @@
<parent>ossec</parent>
<type>ossec</type>
<prematch offset="after_parent">^Agent started:</prematch>
<regex offset="after_prematch">^ '(\S+)'</regex>
<regex offset="after_prematch">^ '(\S+\S)'</regex>
<order>extra_data</order>
<fts>name, location, extra_data</fts>
</decoder>
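Review bot: The new pattern `^ '(\S+\S)'` on the regex line of this hunk no longer matches a one-character agent name, and nothing in the decoder records why the capture was tightened from `(\S+)`, so the extra `\S` reads like a stray edit to anyone seeing the decoder cold. A short comment above the regex would fix that, e.g. `<!-- agent name is quoted: \S+\S requires at least two non-space chars before the closing quote; keep the sample log line this was tuned on here -->`, with the actual motivating log line substituted for the placeholder wording. Presumably the extra `\S` changes how the greedy `\S+` interacts with the trailing quote under the OSSEC regex engine, but that is an inference from the pattern alone and should be confirmed against the sample before the comment asserts it. The `<decoder>` opening tag and its `name` attribute sit above the hunk, so the comment's placement should be checked against the full decoder.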
@@ -19,31 +19,31 @@
<options>alert_by_email</options>
<match>Agent started</match>
<description>New ossec agent connected.</description>
<group>pci_dss_10.6.1,</group>
<group>pci_dss_10.6.1,gpg13_10.1,</group>
</rule>
<rule id="502" level="3">
<if_sid>500</if_sid>
<options>alert_by_email</options>
<match>Ossec started</match>
<description>Ossec server started.</description>
<group>pci_dss_10.6.1,</group>
<group>pci_dss_10.6.1,gpg13_10.1,</group>
</rule>
<rule id="503" level="3">
<if_sid>500</if_sid>
<options>alert_by_email</options>
<match>Agent started</match>
<description>Ossec agent started.</description>
<group>pci_dss_10.6.1,pci_dss_10.2.6,</group>
<group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
</rule>
<rule id="504" level="3">
<if_sid>500</if_sid>
<options>alert_by_email</options>
<match>Agent disconnected</match>
<description>Ossec agent disconnected.</description>
<group>pci_dss_10.6.1,pci_dss_10.2.6,</group>
<group>pci_dss_10.6.1,pci_dss_10.2.6,gpg13_10.1,</group>
</rule>
<rule id="509" level="0">
@@ -80,7 +80,7 @@
<if_sid>510</if_sid>
<match>^Windows Malware</match>
<description>Windows malware detected.</description>
<group>rootcheck,</group>
<group>rootcheck,gpg13_4.2,</group>
</rule>
<rule id="514" level="2">
@@ -109,7 +109,7 @@
<if_sid>514</if_sid>
<match>Adware|Spyware</match>
<description>Windows Adware/Spyware application found.</description>
<group>rootcheck,</group>
<group>rootcheck,gpg13_4.2,</group>
</rule>
<rule id="519" level="7">
@@ -123,7 +123,7 @@
<if_sid>500</if_sid>
<match>Duplicated IP</match>
<description>Trying to add an agent with duplicated IP.</description>
<group>pci_dss_10.6.1,</group>
<group>pci_dss_10.6.1,gpg13_10.1,</group>
</rule>
@@ -140,7 +140,7 @@
<match>ossec: output: 'df -P': /dev/</match>
<regex>100%</regex>
<description>Partition usage reached 100% (disk space monitor).</description>
<group>low_diskspace,pci_dss_10.6.1,</group>
<group>low_diskspace,pci_dss_10.6.1,gpg13_10.1,</group>
</rule>
<rule id="532" level="0">
@@ -154,7 +154,7 @@
<match>ossec: output: 'netstat listening ports</match>
<check_diff />
<description>Listened ports status (netstat) changed (new port opened or closed).</description>
<group>pci_dss_10.2.7,pci_dss_10.6.1,</group>
<group>pci_dss_10.2.7,pci_dss_10.6.1,gpg13_10.1,</group>
</rule>
<rule id="534" level="1">
@@ -177,57 +177,57 @@
<category>ossec</category>
<decoded_as>syscheck_integrity_changed</decoded_as>
<description>Integrity checksum changed.</description>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
</rule>
<rule id="551" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed_2nd</decoded_as>
<description>Integrity checksum changed again (2nd time).</description>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
</rule>
<rule id="552" level="7">
<category>ossec</category>
<decoded_as>syscheck_integrity_changed_3rd</decoded_as>
<description>Integrity checksum changed again (3rd time).</description>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
</rule>
<rule id="553" level="7">
<category>ossec</category>
<decoded_as>syscheck_deleted</decoded_as>
<description>File deleted. Unable to retrieve checksum.</description>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
</rule>
<rule id="554" level="5">
<category>ossec</category>
<decoded_as>syscheck_new_entry</decoded_as>
<description>File added to the system.</description>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.11,</group>
</rule>
<rule id="555" level="7">
<if_sid>500</if_sid>
<match>^ossec: agentless: </match>
<description>Integrity checksum for agentless device changed.</description>
<group>syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,</group>
<group>syscheck,agentless,pci_dss_11.5,pci_dss_10.6.1,gpg13_4.11,</group>
</rule>
<!-- Hostinfo rules -->
<rule id="580" level="8">
<category>ossec</category>
<decoded_as>hostinfo_modified</decoded_as>
<description>Host information changed.</description>
<group>hostinfo,pci_dss_10.2.7,</group>
<group>hostinfo,pci_dss_10.2.7,gpg13_4.13,</group>
</rule>
<rule id="581" level="8">
<category>ossec</category>
<decoded_as>hostinfo_new</decoded_as>
<description>Host information added.</description>
<group>hostinfo,pci_dss_10.2.7,</group>
<group>hostinfo,pci_dss_10.2.7,gpg13_4.13,</group>
</rule>
@@ -236,60 +236,60 @@
<if_sid>500</if_sid>
<match>^ossec: File rotated </match>
<description>Log file rotated.</description>
<group>pci_dss_10.5.2,pci_dss_10.5.5,</group>
<group>pci_dss_10.5.2,pci_dss_10.5.5,gpg13_10.1,</group>
</rule>
<rule id="592" level="8">
<if_sid>500</if_sid>
<match>^ossec: File size reduced</match>
<description>Log file size reduced.</description>
<group>attacks,pci_dss_10.5.2,pci_dss_11.4,</group>
<group>attacks,pci_dss_10.5.2,pci_dss_11.4,gpg13_10.1,</group>
</rule>
<rule id="593" level="9">
<if_sid>500</if_sid>
<match>^ossec: Event log cleared</match>
<description>Microsoft Event log cleared.</description>
<group>logs_cleared,pci_dss_10.5.2,</group>
<group>logs_cleared,pci_dss_10.5.2,gpg13_10.1,</group>
</rule>
<rule id="594" level="5">
<category>ossec</category>
<if_sid>550</if_sid>
<hostname>syscheck-registry</hostname>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
<description>Registry Integrity Checksum Changed</description>
</rule>
<rule id="595" level="5">
<category>ossec</category>
<if_sid>551</if_sid>
<hostname>syscheck-registry</hostname>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
<description>Registry Integrity Checksum Changed Again (2nd time)</description>
</rule>
<rule id="596" level="5">
<category>ossec</category>
<if_sid>552</if_sid>
<hostname>syscheck-registry</hostname>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
<description>Registry Integrity Checksum Changed Again (3rd time)</description>
</rule>
<rule id="597" level="5">
<category>ossec</category>
<if_sid>553</if_sid>
<hostname>syscheck-registry</hostname>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
<description>Registry Entry Deleted. Unable to Retrieve Checksum</description>
</rule>
<rule id="598" level="5">
<category>ossec</category>
<if_sid>554</if_sid>
<hostname>syscheck-registry</hostname>
<group>syscheck,pci_dss_11.5,</group>
<group>syscheck,pci_dss_11.5,gpg13_4.13,</group>
<description>Registry Entry Added to the System</description>
</rule>
@@ -309,47 +309,47 @@
<field name="script">firewall-drop.sh</field>
<field name="type">add</field>
<description>Host Blocked by firewall-drop.sh Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="602" level="3">
<if_sid>600</if_sid>
<field name="script">firewall-drop.sh</field>
<field name="type">delete</field>
<description>Host Unblocked by firewall-drop.sh Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="603" level="3">
<if_sid>600</if_sid>
<field name="script">host-deny.sh</field>
<field name="type">add</field>
<description>Host Blocked by host-deny.sh Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="604" level="3">
<if_sid>600</if_sid>
<field name="script">host-deny.sh</field>
<field name="type">delete</field>
<description>Host Unblocked by host-deny.sh Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="605" level="3">
<if_sid>600</if_sid>
<field name="script">route-null</field>
<field name="type">add</field>
<description>Host Blocked by $(script) Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="606" level="3">
<if_sid>600</if_sid>
<field name="script">route-null</field>
<field name="type">delete</field>
<description>Host Unblocked by $(script) Active Response</description>
<group>active_response,pci_dss_11.4,</group>
<group>active_response,pci_dss_11.4,gpg13_4.13,</group>
</rule>
<rule id="607" level="3">