/rules/50_sonicwall_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 92 lines · 63 code · 14 blank · 15 comment · 0 complexity · 377b89a9722f6f7a3925cc3adee24e13 MD5 · raw file 

    

  1. <!-- @(#) $Id: sonicwall_rules.xml,v 1.4 2010/03/04 20:12:33 dcid Exp $
    2. 

  2.   -  Official SonicWall rules for OSSEC.
    3. 

  3.   -
    4. 

  4.   -  Copyright (C) 2009 Trend Micro Inc.
    5. 

  5.   -  All rights reserved.
    6. 

  6.   -
    7. 

  7.   -  This program is a free software; you can redistribute it
    8. 

  8.   -  and/or modify it under the terms of the GNU General Public
    9. 

  9.   -  License (version 2) as published by the FSF - Free Software
    10. 

  10.   -  Foundation.
    11. 

  11.   -
    12. 

  12.   -  License details: http://www.ossec.net/en/licensing.html
    13. 

  13.   -->
    14. 

  14.   
    15. 

  15. 

  16. <!-- SonicWall Log messages -->
    17. 

  17. <group name="syslog,sonicwall,">
    18. 

  18.   <rule id="4800" level="0">
    19. 

  19.     <decoded_as>sonicwall</decoded_as>
    20. 

  20.     <description>SonicWall messages grouped.</description>
    21. 

  21.   </rule>
    22. 

  22. 

  23.   <rule id="4801" level="8">
    24. 

  24.     <if_sid>4800</if_sid>
    25. 

  25.     <status>^1</status>
    26. 

  26.     <description>SonicWall critical message.</description>
    27. 

  27.   </rule>
    28. 

  28.   
    29. 

  29.   <rule id="4802" level="8">
    30. 

  30.     <if_sid>4800</if_sid>
    31. 

  31.     <status>^2</status>
    32. 

  32.     <description>SonicWall critical message.</description>
    33. 

  33.   </rule>
    34. 

  34.   
    35. 

  35.  <rule id="4803" level="4">
    36. 

  36.     <if_sid>4800</if_sid>
    37. 

  37.     <status>^3</status>
    38. 

  38.     <description>SonicWall error message.</description>
    39. 

  39.   </rule>
    40. 

  40. 

  41.   <rule id="4804" level="3">
    42. 

  42.     <if_sid>4800</if_sid>
    43. 

  43.     <status>^4</status>
    44. 

  44.     <description>SonicWall warning message.</description>
    45. 

  45.   </rule>
    46. 

  46. 

  47.   <rule id="4805" level="0">
    48. 

  48.     <if_sid>4800</if_sid>
    49. 

  49.     <status>^5</status>
    50. 

  50.     <description>SonicWall notice message.</description>
    51. 

  51.   </rule>
    52. 

  52.   
    53. 

  53.   <rule id="4806" level="0">
    54. 

  54.     <if_sid>4800</if_sid>
    55. 

  55.     <status>^6</status>
    56. 

  56.     <description>SonicWall informational message.</description>
    57. 

  57.   </rule>
    58. 

  58.   
    59. 

  59.   <rule id="4807" level="0">
    60. 

  60.     <if_sid>4800</if_sid>
    61. 

  61.     <status>^7</status>
    62. 

  62.     <description>SonicWall debug message.</description>
    63. 

  63.   </rule>
    64. 

  64.   
    65. 

  65.   <rule id="4810" level="3">
    66. 

  66.     <if_sid>4806</if_sid>
    67. 

  67.     <id>^236$</id>
    68. 

  68.     <description>Firewall administrator login.</description>
    69. 

  69.     <group>authentication_success,</group>
    70. 

  70.   </rule>
    71. 

  71. 

  72.   <rule id="4811" level="9">
    73. 

  73.     <if_sid>4801</if_sid>
    74. 

  74.     <id>^30$|^32$</id>
    75. 

  75.     <description>Firewall authentication failure.</description>
    76. 

  76.     <group>authentication_failed,</group>
    77. 

  77.   </rule>
    78. 

  78. 

  79.   <rule id="4850" level="10" frequency="6" timeframe="120" ignore="60">
    80. 

  80.     <if_matched_sid>4804</if_matched_sid>
    81. 

  81.     <description>Multiple firewall warning messages.</description>
    82. 

  82.     <group>service_availability,</group>
    83. 

  83.   </rule>
    84. 

  84.   
    85. 

  85.   <rule id="4851" level="10" frequency="6" timeframe="120" ignore="60">
    86. 

  86.     <if_matched_sid>4803</if_matched_sid>
    87. 

  87.     <description>Multiple firewall error messages.</description>
    88. 

  88.     <group>service_availability,</group>
    89. 

  89.   </rule>
    90. 

  90. </group> <!-- SonicWall -->
    91. 

  91. 

  92. <!-- EOF -->
    93.