/rules/50_vmware_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 156 lines · 110 code · 28 blank · 18 comment · 0 complexity · 04a6ccd40af737fca5e0f9c96ab8fdf0 MD5 · raw file 

    

  1. <!-- @(#) $Id: vmware_rules.xml,v 1.3 2010/03/04 20:12:33 dcid Exp $
    2. 

  2.   -  Official VMWare ESX rules for OSSEC.
    3. 

  3.   -
    4. 

  4.   -  Copyright (C) 2009 Trend Micro Inc.
    5. 

  5.   -  All rights reserved.
    6. 

  6.   -
    7. 

  7.   -  This program is a free software; you can redistribute it
    8. 

  8.   -  and/or modify it under the terms of the GNU General Public
    9. 

  9.   -  License (version 2) as published by the FSF - Free Software
    10. 

  10.   -  Foundation.
    11. 

  11.   -
    12. 

  12.   -  License details: http://www.ossec.net/en/licensing.html
    13. 

  13.   -->
    14. 

  14.   
    15. 

  15. 

  16. <!-- SonicWall Log messages -->
    17. 

  17. <group name="vmware,">
    18. 

  18.   <rule id="19100" level="0">
    19. 

  19.     <decoded_as>vmware</decoded_as>
    20. 

  20.     <description>VMWare messages grouped.</description>
    21. 

  21.   </rule>
    22. 

  22. 

  23.   <rule id="19101" level="0">
    24. 

  24.     <decoded_as>vmware-syslog</decoded_as>
    25. 

  25.     <description>VMWare ESX syslog messages grouped.</description>
    26. 

  26.   </rule>
    27. 

  27. 

  28.   <rule id="19102" level="8">
    29. 

  29.     <if_sid>19100</if_sid>
    30. 

  30.     <status>^crit|^fatal</status>
    31. 

  31.     <description>VMware ESX critical message.</description>
    32. 

  32.   </rule>
    33. 

  33.   
    34. 

  34.  <rule id="19103" level="4">
    35. 

  35.     <if_sid>19100</if_sid>
    36. 

  36.     <status>^error</status>
    37. 

  37.     <description>VMware ESX error message.</description>
    38. 

  38.   </rule>
    39. 

  39. 

  40.   <rule id="19104" level="3">
    41. 

  41.     <if_sid>19100</if_sid>
    42. 

  42.     <status>^warn</status>
    43. 

  43.     <description>VMware ESX warning message.</description>
    44. 

  44.   </rule>
    45. 

  45. 

  46.   <rule id="19105" level="0">
    47. 

  47.     <if_sid>19100</if_sid>
    48. 

  48.     <status>^notice</status>
    49. 

  49.     <description>VMware ESX notice message.</description>
    50. 

  50.   </rule>
    51. 

  51.   
    52. 

  52.   <rule id="19106" level="0">
    53. 

  53.     <if_sid>19100</if_sid>
    54. 

  54.     <status>^info</status>
    55. 

  55.     <description>VMware ESX informational message.</description>
    56. 

  56.   </rule>
    57. 

  57.   
    58. 

  58.   <rule id="19107" level="0">
    59. 

  59.     <if_sid>19100</if_sid>
    60. 

  60.     <status>^verbose</status>
    61. 

  61.     <description>VMware ESX verbose message.</description>
    62. 

  62.   </rule>
    63. 

  63. 

  64. 

  65.   <!-- Authentication messages. -->
    66. 

  66.   
    67. 

  67.   <rule id="19110" level="3">
    68. 

  68.     <if_sid>19106</if_sid>
    69. 

  69.     <match>logged in$</match>
    70. 

  70.     <description>VMWare ESX authentication success.</description>
    71. 

  71.     <group>authentication_success,</group>
    72. 

  72.   </rule>
    73. 

  73. 

  74.   <rule id="19111" level="5">
    75. 

  75.     <if_sid>19106</if_sid>
    76. 

  76.     <match>Failed login attempt for</match>
    77. 

  77.     <description>VMWare ESX authentication failure.</description>
    78. 

  78.     <group>authentication_failed,</group>
    79. 

  79.   </rule>
    80. 

  80. 

  81.   <rule id="19112" level="3">
    82. 

  82.     <if_sid>19101</if_sid>
    83. 

  83.     <program_name>vmware-hostd|vmware-authd</program_name>
    84. 

  84.     <match>Accepted password for|login from</match>
    85. 

  85.     <description>VMWare ESX user login.</description>
    86. 

  86.     <group>authentication_success,</group>
    87. 

  87.   </rule>
    88. 

  88. 

  89.   <rule id="19113" level="3">
    90. 

  90.     <if_sid>19101</if_sid>
    91. 

  91.     <program_name>vmware-hostd|vmware-authd</program_name>
    92. 

  92.     <match>Rejected password for</match>
    93. 

  93.     <description>VMWare ESX user authentication failure.</description>
    94. 

  94.     <group>authentication_failed,</group>
    95. 

  95.   </rule>
    96. 

  96. 

  97. 

  98.   <!-- Guest OS messages. -->
    99. 

  99.   <rule id="19120" level="8">
    100. 

  100.     <if_sid>19106</if_sid>
    101. 

  101.     <match>-> VM_STATE_OFF</match>
    102. 

  102.     <description>Virtual machine state changed to OFF.</description>
    103. 

  103.     <group>service_availability,</group>
    104. 

  104.   </rule>
    105. 

  105. 

  106.   <rule id="19121" level="3">
    107. 

  107.     <if_sid>19106</if_sid>
    108. 

  108.     <match>-> VM_STATE_POWERING_ON</match>
    109. 

  109.     <description>Virtual machine being turned ON.</description>
    110. 

  110.   </rule>
    111. 

  111. 

  112.   <rule id="19122" level="3">
    113. 

  113.     <if_sid>19106</if_sid>
    114. 

  114.     <match>-> VM_STATE_ON</match>
    115. 

  115.     <description>Virtual machine state changed to ON.</description>
    116. 

  116.     <options>alert_by_email</options>
    117. 

  117.   </rule>
    118. 

  118. 

  119.   <rule id="19123" level="5">
    120. 

  120.     <if_sid>19106</if_sid>
    121. 

  121.     <match>-> VM_STATE_RECONFIGURING</match>
    122. 

  122.     <description>Virtual machine being reconfigured.</description>
    123. 

  123.     <group>config_changed,</group>
    124. 

  124.     <options>alert_by_email</options>
    125. 

  125.   </rule>
    126. 

  126. 

  127. 

  128.   <!-- Composite rules. -->
    129. 

  129. 

  130.   <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
    131. 

  131.     <if_matched_sid>19104</if_matched_sid>
    132. 

  132.     <description>Multiple VMWare ESX warning messages.</description>
    133. 

  133.     <group>service_availability,</group>
    134. 

  134.   </rule>
    135. 

  135.   
    136. 

  136.   <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
    137. 

  137.     <if_matched_sid>19103</if_matched_sid>
    138. 

  138.     <description>Multiple VMWare ESX error messages.</description>
    139. 

  139.     <group>service_availability,</group>
    140. 

  140.   </rule>
    141. 

  141. 

  142.   <rule id="19152" level="10" frequency="6" timeframe="120">
    143. 

  143.     <if_matched_sid>19111</if_matched_sid>
    144. 

  144.     <description>Multiple VMWare ESX authentication failures.</description>
    145. 

  145.     <group>authentication_failures,</group>
    146. 

  146.   </rule>
    147. 

  147. 

  148.   <rule id="19153" level="10" frequency="6" timeframe="120">
    149. 

  149.     <if_matched_sid>19113</if_matched_sid>
    150. 

  150.     <description>Multiple VMWare ESX user authentication failures.</description>
    151. 

  151.     <group>authentication_failures,</group>
    152. 

  152.   </rule>
    153. 

  153. 

  154. </group> <!-- VMware ESX -->
    155. 

  155. 

  156. <!-- EOF -->
    157.