/rules/50_sonicwall_rules.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 92 lines · 63 code · 14 blank · 15 comment · 0 complexity · 377b89a9722f6f7a3925cc3adee24e13 MD5 · raw file
- <!-- @(#) $Id: sonicwall_rules.xml,v 1.4 2010/03/04 20:12:33 dcid Exp $
- - Official SonicWall rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
- <!-- SonicWall Log messages -->
- <group name="syslog,sonicwall,">
- <rule id="4800" level="0">
- <decoded_as>sonicwall</decoded_as>
- <description>SonicWall messages grouped.</description>
- </rule>
- <rule id="4801" level="8">
- <if_sid>4800</if_sid>
- <status>^1</status>
- <description>SonicWall critical message.</description>
- </rule>
-
- <rule id="4802" level="8">
- <if_sid>4800</if_sid>
- <status>^2</status>
- <description>SonicWall critical message.</description>
- </rule>
-
- <rule id="4803" level="4">
- <if_sid>4800</if_sid>
- <status>^3</status>
- <description>SonicWall error message.</description>
- </rule>
- <rule id="4804" level="3">
- <if_sid>4800</if_sid>
- <status>^4</status>
- <description>SonicWall warning message.</description>
- </rule>
- <rule id="4805" level="0">
- <if_sid>4800</if_sid>
- <status>^5</status>
- <description>SonicWall notice message.</description>
- </rule>
-
- <rule id="4806" level="0">
- <if_sid>4800</if_sid>
- <status>^6</status>
- <description>SonicWall informational message.</description>
- </rule>
-
- <rule id="4807" level="0">
- <if_sid>4800</if_sid>
- <status>^7</status>
- <description>SonicWall debug message.</description>
- </rule>
-
- <rule id="4810" level="3">
- <if_sid>4806</if_sid>
- <id>^236$</id>
- <description>Firewall administrator login.</description>
- <group>authentication_success,</group>
- </rule>
- <rule id="4811" level="9">
- <if_sid>4801</if_sid>
- <id>^30$|^32$</id>
- <description>Firewall authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
- <rule id="4850" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>4804</if_matched_sid>
- <description>Multiple firewall warning messages.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="4851" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>4803</if_matched_sid>
- <description>Multiple firewall error messages.</description>
- <group>service_availability,</group>
- </rule>
- </group> <!-- SonicWall -->
- <!-- EOF -->