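<!-- @(#) $Id: vmware_rules.xml,v 1.3 2010/03/04 20:12:33 dcid Exp $
  -  Official VMWare ESX rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
-->


<!-- VMware ESX log messages (rule IDs 19100 to 19153).
  -  Layout of this group:
  -    19100/19101  base rules bound to the "vmware" and "vmware-syslog"
  -                 decoders (level 0, never alert on their own);
  -    19102-19107  classify the decoded "status" field (crit/fatal, error,
  -                 warn, notice, info, verbose);
  -    19110-19113  authentication success / failure;
  -    19120-19123  virtual machine power and configuration state changes;
  -    19150-19153  composite (frequency) rules built on the above.
  -  Every child rule is reached only through if_sid / if_matched_sid, so a
  -  message the decoders do not produce never reaches these rules.
-->
<group name="vmware,">
  <!-- Base rule: every event the "vmware" decoder parsed. Level 0 = no alert. -->
  <rule id="19100" level="0">
    <decoded_as>vmware</decoded_as>
    <description>VMWare messages grouped.</description>
  </rule>

  <!-- Base rule: every event the "vmware-syslog" decoder parsed. -->
  <rule id="19101" level="0">
    <decoded_as>vmware-syslog</decoded_as>
    <description>VMWare ESX syslog messages grouped.</description>
  </rule>

  <!-- Status classification. The status pattern is anchored at the start
    -  of the decoded status field; all six rules are mutually exclusive
    -  siblings under 19100. -->
  <rule id="19102" level="8">
    <if_sid>19100</if_sid>
    <status>^crit|^fatal</status>
    <description>VMware ESX critical message.</description>
  </rule>

  <rule id="19103" level="4">
    <if_sid>19100</if_sid>
    <status>^error</status>
    <description>VMware ESX error message.</description>
  </rule>

  <rule id="19104" level="3">
    <if_sid>19100</if_sid>
    <status>^warn</status>
    <description>VMware ESX warning message.</description>
  </rule>

  <rule id="19105" level="0">
    <if_sid>19100</if_sid>
    <status>^notice</status>
    <description>VMware ESX notice message.</description>
  </rule>

  <!-- "info" is the parent of the authentication and guest-OS rules below. -->
  <rule id="19106" level="0">
    <if_sid>19100</if_sid>
    <status>^info</status>
    <description>VMware ESX informational message.</description>
  </rule>

  <rule id="19107" level="0">
    <if_sid>19100</if_sid>
    <status>^verbose</status>
    <description>VMware ESX verbose message.</description>
  </rule>


  <!-- Authentication messages.
    -  19110/19111 hang off the "info" status rule (19106): a login message
    -  the decoder reports under any other status does not reach them.
    -  19112/19113 work on the syslog feed (19101) instead and additionally
    -  key on program_name (vmware-hostd / vmware-authd).
    -  NOTE(review): the two failure rules carry different levels (19111 is
    -  level 5, 19113 is level 3) although both describe a rejected login;
    -  confirm this is intended before relying on level-based alerting.
  -->
  <rule id="19110" level="3">
    <if_sid>19106</if_sid>
    <match>logged in$</match>
    <description>VMWare ESX authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="19111" level="5">
    <if_sid>19106</if_sid>
    <match>Failed login attempt for</match>
    <description>VMWare ESX authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="19112" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Accepted password for|login from</match>
    <description>VMWare ESX user login.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="19113" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Rejected password for</match>
    <description>VMWare ESX user authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>


  <!-- Guest OS (virtual machine power / configuration state) messages.
    -  All four match the state-transition arrow in "info" messages (19106).
    -  19120 alerts at level 8 on any transition to VM_STATE_OFF, which
    -  presumably includes deliberate shutdowns; tune it in local_rules.xml
    -  if that is too noisy. 19122 and 19123 also request an e-mail alert.
  -->
  <rule id="19120" level="8">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_OFF</match>
    <description>Virtual machine state changed to OFF.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19121" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_POWERING_ON</match>
    <description>Virtual machine being turned ON.</description>
  </rule>

  <rule id="19122" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_ON</match>
    <description>Virtual machine state changed to ON.</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="19123" level="5">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_RECONFIGURING</match>
    <description>Virtual machine being reconfigured.</description>
    <group>config_changed,</group>
    <options>alert_by_email</options>
  </rule>


  <!-- Composite rules.
    -  Each fires when the referenced rule matched "frequency" times within
    -  "timeframe" seconds; 19150/19151 additionally suppress repeats for
    -  "ignore" seconds after firing.
    -  NOTE(review): OSSEC's documentation describes frequency as firing at
    -  frequency+2 matches, so "6" would mean 8 matches in 120s; confirm
    -  against the OSSEC version in use.
    -  19152/19153 count failures host-wide: there is no same_source_ip
    -  clause, so one brute-forcing client and many users mistyping look the
    -  same. Add same_source_ip only if the vmware decoders extract srcip,
    -  otherwise the rule would never fire.
  -->
  <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19104</if_matched_sid>
    <description>Multiple VMWare ESX warning messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19103</if_matched_sid>
    <description>Multiple VMWare ESX error messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19111</if_matched_sid>
    <description>Multiple VMWare ESX authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="19153" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19113</if_matched_sid>
    <description>Multiple VMWare ESX user authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- VMware ESX -->

<!-- EOF -->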