
/rules/50_vmware_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules
  1<!-- @(#) $Id: vmware_rules.xml,v 1.3 2010/03/04 20:12:33 dcid Exp $
  2  -  Official VMWare ESX rules for OSSEC.
  3  -
  4  -  Copyright (C) 2009 Trend Micro Inc.
  5  -  All rights reserved.
  6  -
  7  -  This program is a free software; you can redistribute it
  8  -  and/or modify it under the terms of the GNU General Public
  9  -  License (version 2) as published by the FSF - Free Software
 10  -  Foundation.
 11  -
 12  -  License details: http://www.ossec.net/en/licensing.html
 13  -->
 14  
 15
<!-- VMware ESX log messages.
  -
  -  Rule tree in this file:
  -    19100 (decoded_as vmware) and 19101 (decoded_as vmware-syslog) are
  -    level-0 grouping rules and never alert on their own.
  -    19102 to 19107 refine 19100 by the prefix of the decoded status field
  -    (crit/fatal, error, warn, notice, info, verbose) and set the base level.
  -    19110 to 19123 match on message text under one of those parents.
  -    19150 to 19153 are frequency-based composites over the rules above.
  -->
<group name="vmware,">
  <!-- Level 0: everything the "vmware" decoder produced; children refine it. -->
  <rule id="19100" level="0">
    <decoded_as>vmware</decoded_as>
    <description>VMWare messages grouped.</description>
  </rule>

  <!-- Level 0: output of the "vmware-syslog" decoder; parent of 19112/19113. -->
  <rule id="19101" level="0">
    <decoded_as>vmware-syslog</decoded_as>
    <description>VMWare ESX syslog messages grouped.</description>
  </rule>

  <!-- Status starting with "crit" or "fatal" ('|' separates alternatives in OSSEC regex). -->
  <rule id="19102" level="8">
    <if_sid>19100</if_sid>
    <status>^crit|^fatal</status>
    <description>VMware ESX critical message.</description>
  </rule>

  <!-- Status starting with "error"; feeds composite 19151. -->
  <rule id="19103" level="4">
    <if_sid>19100</if_sid>
    <status>^error</status>
    <description>VMware ESX error message.</description>
  </rule>

  <!-- Status starting with "warn"; feeds composite 19150. -->
  <rule id="19104" level="3">
    <if_sid>19100</if_sid>
    <status>^warn</status>
    <description>VMware ESX warning message.</description>
  </rule>

  <!-- Level 0: notices are grouped but not alerted. -->
  <rule id="19105" level="0">
    <if_sid>19100</if_sid>
    <status>^notice</status>
    <description>VMware ESX notice message.</description>
  </rule>

  <!-- Level 0 on its own, but this is the parent of every authentication
       and VM-state rule below (19110, 19111, 19120 to 19123), so only
       messages whose status starts with "info" ever reach them. -->
  <rule id="19106" level="0">
    <if_sid>19100</if_sid>
    <status>^info</status>
    <description>VMware ESX informational message.</description>
  </rule>

  <!-- Level 0: verbose output is grouped but not alerted. -->
  <rule id="19107" level="0">
    <if_sid>19100</if_sid>
    <status>^verbose</status>
    <description>VMware ESX verbose message.</description>
  </rule>


  <!-- Authentication messages. -->

  <!-- Successful login: message ending in "logged in" ('$' anchors the end). -->
  <rule id="19110" level="3">
    <if_sid>19106</if_sid>
    <match>logged in$</match>
    <description>VMWare ESX authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Failed login; tagged authentication_failed and counted by composite 19152.
       NOTE(review): reached only via 19106 (status "info"); a failure logged
       under another status would not match here. Confirm against decoder output. -->
  <rule id="19111" level="5">
    <if_sid>19106</if_sid>
    <match>Failed login attempt for</match>
    <description>VMWare ESX authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Syslog path: login reported by the hostd or authd daemon. -->
  <rule id="19112" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Accepted password for|login from</match>
    <description>VMWare ESX user login.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Syslog path: password rejected by hostd or authd; counted by composite 19153. -->
  <rule id="19113" level="3">
    <if_sid>19101</if_sid>
    <program_name>vmware-hostd|vmware-authd</program_name>
    <match>Rejected password for</match>
    <description>VMWare ESX user authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>


  <!-- Guest OS messages: VM state transitions, all under 19106 (status "info"). -->

  <!-- Level 8: a VM going OFF is treated as an availability event. -->
  <rule id="19120" level="8">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_OFF</match>
    <description>Virtual machine state changed to OFF.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19121" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_POWERING_ON</match>
    <description>Virtual machine being turned ON.</description>
  </rule>

  <!-- Level 3 but also e-mailed (alert_by_email). -->
  <rule id="19122" level="3">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_ON</match>
    <description>Virtual machine state changed to ON.</description>
    <options>alert_by_email</options>
  </rule>

  <!-- Reconfiguration is tagged config_changed and e-mailed. -->
  <rule id="19123" level="5">
    <if_sid>19106</if_sid>
    <match>-> VM_STATE_RECONFIGURING</match>
    <description>Virtual machine being reconfigured.</description>
    <group>config_changed,</group>
    <options>alert_by_email</options>
  </rule>


  <!-- Composite rules.
       frequency="6" timeframe="120": fire when the referenced rule matched
       six times within 120 seconds. ignore="60" on 19150/19151 suppresses
       a repeat of that alert for 60 seconds after it fires. -->

  <rule id="19150" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19104</if_matched_sid>
    <description>Multiple VMWare ESX warning messages.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="19151" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>19103</if_matched_sid>
    <description>Multiple VMWare ESX error messages.</description>
    <group>service_availability,</group>
  </rule>

  <!-- No ignore= here, unlike 19150/19151: a sustained burst of failures keeps
       re-alerting. Presumably intended for brute-force visibility; confirm. -->
  <rule id="19152" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19111</if_matched_sid>
    <description>Multiple VMWare ESX authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="19153" level="10" frequency="6" timeframe="120">
    <if_matched_sid>19113</if_matched_sid>
    <description>Multiple VMWare ESX user authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- VMware ESX -->
155
156<!-- EOF -->