/rules/50_vmware_rules.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 156 lines · 110 code · 28 blank · 18 comment · 0 complexity · 04a6ccd40af737fca5e0f9c96ab8fdf0 MD5 · raw file
- <!-- @(#) $Id: vmware_rules.xml,v 1.3 2010/03/04 20:12:33 dcid Exp $
- - Official VMWare ESX rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
- <!-- SonicWall Log messages -->
- <group name="vmware,">
- <rule id="19100" level="0">
- <decoded_as>vmware</decoded_as>
- <description>VMWare messages grouped.</description>
- </rule>
- <rule id="19101" level="0">
- <decoded_as>vmware-syslog</decoded_as>
- <description>VMWare ESX syslog messages grouped.</description>
- </rule>
- <rule id="19102" level="8">
- <if_sid>19100</if_sid>
- <status>^crit|^fatal</status>
- <description>VMware ESX critical message.</description>
- </rule>
-
- <rule id="19103" level="4">
- <if_sid>19100</if_sid>
- <status>^error</status>
- <description>VMware ESX error message.</description>
- </rule>
- <rule id="19104" level="3">
- <if_sid>19100</if_sid>
- <status>^warn</status>
- <description>VMware ESX warning message.</description>
- </rule>
- <rule id="19105" level="0">
- <if_sid>19100</if_sid>
- <status>^notice</status>
- <description>VMware ESX notice message.</description>
- </rule>
-
- <rule id="19106" level="0">
- <if_sid>19100</if_sid>
- <status>^info</status>
- <description>VMware ESX informational message.</description>
- </rule>
-
- <rule id="19107" level="0">
- <if_sid>19100</if_sid>
- <status>^verbose</status>
- <description>VMware ESX verbose message.</description>
- </rule>
- <!-- Authentication messages. -->
-
- <rule id="19110" level="3">
- <if_sid>19106</if_sid>
- <match>logged in$</match>
- <description>VMWare ESX authentication success.</description>
- <group>authentication_success,</group>
- </rule>
- <rule id="19111" level="5">
- <if_sid>19106</if_sid>
- <match>Failed login attempt for</match>
- <description>VMWare ESX authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
- <rule id="19112" level="3">
- <if_sid>19101</if_sid>
- <program_name>vmware-hostd|vmware-authd</program_name>
- <match>Accepted password for|login from</match>
- <description>VMWare ESX user login.</description>
- <group>authentication_success,</group>
- </rule>
- <rule id="19113" level="3">
- <if_sid>19101</if_sid>
- <program_name>vmware-hostd|vmware-authd</program_name>
- <match>Rejected password for</match>
- <description>VMWare ESX user authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
- <!-- Guest OS messages. -->
- <rule id="19120" level="8">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_OFF</match>
- <description>Virtual machine state changed to OFF.</description>
- <group>service_availability,</group>
- </rule>
- <rule id="19121" level="3">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_POWERING_ON</match>
- <description>Virtual machine being turned ON.</description>
- </rule>
- <rule id="19122" level="3">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_ON</match>
- <description>Virtual machine state changed to ON.</description>
- <options>alert_by_email</options>
- </rule>
- <rule id="19123" level="5">
- <if_sid>19106</if_sid>
- <match>-> VM_STATE_RECONFIGURING</match>
- <description>Virtual machine being reconfigured.</description>
- <group>config_changed,</group>
- <options>alert_by_email</options>
- </rule>
- <!-- Composite rules. -->
- <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>19104</if_matched_sid>
- <description>Multiple VMWare ESX warning messages.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>19103</if_matched_sid>
- <description>Multiple VMWare ESX error messages.</description>
- <group>service_availability,</group>
- </rule>
- <rule id="19152" level="10" frequency="6" timeframe="120">
- <if_matched_sid>19111</if_matched_sid>
- <description>Multiple VMWare ESX authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
- <rule id="19153" level="10" frequency="6" timeframe="120">
- <if_matched_sid>19113</if_matched_sid>
- <description>Multiple VMWare ESX user authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
- </group> <!-- VMware ESX -->
- <!-- EOF -->