/rules/50_vmware_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 156 lines · 110 code · 28 blank · 18 comment · 0 complexity · 04a6ccd40af737fca5e0f9c96ab8fdf0 MD5 · raw file

  1. <!-- @(#) $Id: vmware_rules.xml,v 1.3 2010/03/04 20:12:33 dcid Exp $
  2. - Official VMWare ESX rules for OSSEC.
  3. -
  4. - Copyright (C) 2009 Trend Micro Inc.
  5. - All rights reserved.
  6. -
  7. - This program is a free software; you can redistribute it
  8. - and/or modify it under the terms of the GNU General Public
  9. - License (version 2) as published by the FSF - Free Software
  10. - Foundation.
  11. -
  12. - License details: http://www.ossec.net/en/licensing.html
  13. -->
  14. <!-- SonicWall Log messages -->
  15. <group name="vmware,">
  16. <rule id="19100" level="0">
  17. <decoded_as>vmware</decoded_as>
  18. <description>VMWare messages grouped.</description>
  19. </rule>
  20. <rule id="19101" level="0">
  21. <decoded_as>vmware-syslog</decoded_as>
  22. <description>VMWare ESX syslog messages grouped.</description>
  23. </rule>
  24. <rule id="19102" level="8">
  25. <if_sid>19100</if_sid>
  26. <status>^crit|^fatal</status>
  27. <description>VMware ESX critical message.</description>
  28. </rule>
  29. <rule id="19103" level="4">
  30. <if_sid>19100</if_sid>
  31. <status>^error</status>
  32. <description>VMware ESX error message.</description>
  33. </rule>
  34. <rule id="19104" level="3">
  35. <if_sid>19100</if_sid>
  36. <status>^warn</status>
  37. <description>VMware ESX warning message.</description>
  38. </rule>
  39. <rule id="19105" level="0">
  40. <if_sid>19100</if_sid>
  41. <status>^notice</status>
  42. <description>VMware ESX notice message.</description>
  43. </rule>
  44. <rule id="19106" level="0">
  45. <if_sid>19100</if_sid>
  46. <status>^info</status>
  47. <description>VMware ESX informational message.</description>
  48. </rule>
  49. <rule id="19107" level="0">
  50. <if_sid>19100</if_sid>
  51. <status>^verbose</status>
  52. <description>VMware ESX verbose message.</description>
  53. </rule>
  54. <!-- Authentication messages. -->
  55. <rule id="19110" level="3">
  56. <if_sid>19106</if_sid>
  57. <match>logged in$</match>
  58. <description>VMWare ESX authentication success.</description>
  59. <group>authentication_success,</group>
  60. </rule>
  61. <rule id="19111" level="5">
  62. <if_sid>19106</if_sid>
  63. <match>Failed login attempt for</match>
  64. <description>VMWare ESX authentication failure.</description>
  65. <group>authentication_failed,</group>
  66. </rule>
  67. <rule id="19112" level="3">
  68. <if_sid>19101</if_sid>
  69. <program_name>vmware-hostd|vmware-authd</program_name>
  70. <match>Accepted password for|login from</match>
  71. <description>VMWare ESX user login.</description>
  72. <group>authentication_success,</group>
  73. </rule>
  74. <rule id="19113" level="3">
  75. <if_sid>19101</if_sid>
  76. <program_name>vmware-hostd|vmware-authd</program_name>
  77. <match>Rejected password for</match>
  78. <description>VMWare ESX user authentication failure.</description>
  79. <group>authentication_failed,</group>
  80. </rule>
  81. <!-- Guest OS messages. -->
  82. <rule id="19120" level="8">
  83. <if_sid>19106</if_sid>
  84. <match>-> VM_STATE_OFF</match>
  85. <description>Virtual machine state changed to OFF.</description>
  86. <group>service_availability,</group>
  87. </rule>
  88. <rule id="19121" level="3">
  89. <if_sid>19106</if_sid>
  90. <match>-> VM_STATE_POWERING_ON</match>
  91. <description>Virtual machine being turned ON.</description>
  92. </rule>
  93. <rule id="19122" level="3">
  94. <if_sid>19106</if_sid>
  95. <match>-> VM_STATE_ON</match>
  96. <description>Virtual machine state changed to ON.</description>
  97. <options>alert_by_email</options>
  98. </rule>
  99. <rule id="19123" level="5">
  100. <if_sid>19106</if_sid>
  101. <match>-> VM_STATE_RECONFIGURING</match>
  102. <description>Virtual machine being reconfigured.</description>
  103. <group>config_changed,</group>
  104. <options>alert_by_email</options>
  105. </rule>
  106. <!-- Composite rules. -->
  107. <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
  108. <if_matched_sid>19104</if_matched_sid>
  109. <description>Multiple VMWare ESX warning messages.</description>
  110. <group>service_availability,</group>
  111. </rule>
  112. <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
  113. <if_matched_sid>19103</if_matched_sid>
  114. <description>Multiple VMWare ESX error messages.</description>
  115. <group>service_availability,</group>
  116. </rule>
  117. <rule id="19152" level="10" frequency="6" timeframe="120">
  118. <if_matched_sid>19111</if_matched_sid>
  119. <description>Multiple VMWare ESX authentication failures.</description>
  120. <group>authentication_failures,</group>
  121. </rule>
  122. <rule id="19153" level="10" frequency="6" timeframe="120">
  123. <if_matched_sid>19113</if_matched_sid>
  124. <description>Multiple VMWare ESX user authentication failures.</description>
  125. <group>authentication_failures,</group>
  126. </rule>
  127. </group> <!-- VMware ESX -->
  128. <!-- EOF -->