/rules/50_sonicwall_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 92 lines · 63 code · 14 blank · 15 comment · 0 complexity · 377b89a9722f6f7a3925cc3adee24e13 MD5 · raw file

  1. <!-- @(#) $Id: sonicwall_rules.xml,v 1.4 2010/03/04 20:12:33 dcid Exp $
  2. - Official SonicWall rules for OSSEC.
  3. -
  4. - Copyright (C) 2009 Trend Micro Inc.
  5. - All rights reserved.
  6. -
  7. - This program is a free software; you can redistribute it
  8. - and/or modify it under the terms of the GNU General Public
  9. - License (version 2) as published by the FSF - Free Software
  10. - Foundation.
  11. -
  12. - License details: http://www.ossec.net/en/licensing.html
  13. -->
  14. <!-- SonicWall Log messages -->
  15. <group name="syslog,sonicwall,">
  16. <rule id="4800" level="0">
  17. <decoded_as>sonicwall</decoded_as>
  18. <description>SonicWall messages grouped.</description>
  19. </rule>
  20. <rule id="4801" level="8">
  21. <if_sid>4800</if_sid>
  22. <status>^1</status>
  23. <description>SonicWall critical message.</description>
  24. </rule>
  25. <rule id="4802" level="8">
  26. <if_sid>4800</if_sid>
  27. <status>^2</status>
  28. <description>SonicWall critical message.</description>
  29. </rule>
  30. <rule id="4803" level="4">
  31. <if_sid>4800</if_sid>
  32. <status>^3</status>
  33. <description>SonicWall error message.</description>
  34. </rule>
  35. <rule id="4804" level="3">
  36. <if_sid>4800</if_sid>
  37. <status>^4</status>
  38. <description>SonicWall warning message.</description>
  39. </rule>
  40. <rule id="4805" level="0">
  41. <if_sid>4800</if_sid>
  42. <status>^5</status>
  43. <description>SonicWall notice message.</description>
  44. </rule>
  45. <rule id="4806" level="0">
  46. <if_sid>4800</if_sid>
  47. <status>^6</status>
  48. <description>SonicWall informational message.</description>
  49. </rule>
  50. <rule id="4807" level="0">
  51. <if_sid>4800</if_sid>
  52. <status>^7</status>
  53. <description>SonicWall debug message.</description>
  54. </rule>
  55. <rule id="4810" level="3">
  56. <if_sid>4806</if_sid>
  57. <id>^236$</id>
  58. <description>Firewall administrator login.</description>
  59. <group>authentication_success,</group>
  60. </rule>
  61. <rule id="4811" level="9">
  62. <if_sid>4801</if_sid>
  63. <id>^30$|^32$</id>
  64. <description>Firewall authentication failure.</description>
  65. <group>authentication_failed,</group>
  66. </rule>
  67. <rule id="4850" level="10" frequency="6" timeframe="120" ignore="60">
  68. <if_matched_sid>4804</if_matched_sid>
  69. <description>Multiple firewall warning messages.</description>
  70. <group>service_availability,</group>
  71. </rule>
  72. <rule id="4851" level="10" frequency="6" timeframe="120" ignore="60">
  73. <if_matched_sid>4803</if_matched_sid>
  74. <description>Multiple firewall error messages.</description>
  75. <group>service_availability,</group>
  76. </rule>
  77. </group> <!-- SonicWall -->
  78. <!-- EOF -->