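<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
  -  Official IDS rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- Number of IDS events inside the timeframe that turns a stream of
  -  single events into the "multiple events" correlation alerts
  -  (rules 20151 and 20152 below). Raise it to reduce noise from
  -  chatty sensors; lower it to alert earlier.
  -->
<var name="IDS_FREQ">8</var>

<group name="ids,">

  <!-- First occurrence of an IDS signature that has never been seen
     - before (first-time-seen). Tagged "fts" so it can be routed
     - separately from the steady-state IDS events.
     -->
  <rule id="20100" level="8">
    <category>ids</category>
    <if_fts></if_fts>
    <description>First time this IDS alert is generated.</description>
    <group>fts,</group>
  </rule>

  <!-- Generic IDS event. check_if_ignored drops the event when its
     - source ip and signature id have been placed on the ignore list
     - by the auto-silencer rules 20161/20162 further down. NOTE(review):
     - 20162 ignores by id alone while this check is keyed on srcip, id;
     - confirm with the engine that an id-only ignore entry is honoured
     - by a srcip, id check.
     -->
  <rule id="20101" level="6">
    <category>ids</category>
    <check_if_ignored>srcip, id</check_if_ignored>
    <description>IDS event.</description>
  </rule>

  <!-- Snort signatures that produce too many false positives.
     - Silenced (level 0) for both first-seen and regular IDS events.
     -   1:1852 -> robots.txt access
     -   1:368  -> ICMP ping
     -   1:384  -> ICMP ping
     -   1:366  -> ICMP ping
     -   1:399  -> ICMP host unreachable
     -   1:402  -> ICMP port unreachable
     -   1:408  -> ICMP reply
     -   1:480  -> ICMP ping speedera
     -   1:1365 -> RM command attempt (too many false positives)
     -   1:2925 -> web bug 0x0 gif attempt
     - The first <id_pcre2> deliberately ends in a trailing "|": the
     - pattern is split across two elements for readability and relies
     - on the rule loader concatenating consecutive <id_pcre2> elements
     - into one alternation (the usual OSSEC convention for long
     - patterns; confirm against the loader in use). If the elements
     - were ever evaluated independently, the empty alternative would
     - match every id and silence ALL Snort alerts. Keep the trailing
     - "|" only on the non-final element, and never on the last one.
     -->
  <rule id="20102" level="0">
    <if_sid>20100, 20101</if_sid>
    <decoded_as>snort</decoded_as>
    <id_pcre2>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id_pcre2>
    <id_pcre2>^1:480:|^1:399:|^1:2925:</id_pcre2>
    <description>Ignored snort ids.</description>
  </rule>

  <!-- Enterasys Dragon NIDS housekeeping events that carry no
     - security meaning and are silenced.
     -   EOL         -> end of line
     -   SOF         -> start of file
     -   HEARTBEAT   -> sensor heartbeat
     -   DYNAMIC-TCP -> meaning not documented here
     -   DYNAMIC-UDP -> meaning not documented here
     - Anchored with ^ and $ so only the exact tokens are ignored.
     -->
  <rule id="20103" level="0">
    <if_sid>20100, 20101</if_sid>
    <decoded_as>dragon-nids</decoded_as>
    <id_pcre2>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id_pcre2>
    <!-- Fixed: the description previously said "snort" (copy-paste
       - from 20102) although this rule matches Dragon events only.
       -->
    <description>Ignored Dragon ids.</description>
  </rule>

  <!-- Correlation: the same signature id fired IDS_FREQ times within
     - 120 s, from any source. ignore="90" suppresses a repeat of this
     - alert for 90 s. Skipped once the id is on the ignore list.
     -->
  <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
    <if_matched_sid>20101</if_matched_sid>
    <same_id />
    <check_if_ignored>id</check_if_ignored>
    <description>Multiple IDS alerts for same id.</description>
  </rule>

  <!-- Correlation: IDS_FREQ events from the same source ip within
     - 120 s, regardless of signature. ignore="90" suppresses a repeat
     - of this alert for 90 s. Skipped once the srcip, id pair is on the
     - ignore list.
     -->
  <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
    <if_matched_sid>20101</if_matched_sid>
    <same_source_ip />
    <check_if_ignored>srcip, id</check_if_ignored>
    <description>Multiple IDS events from same source ip.</description>
  </rule>

  <!-- Auto-silencer for a misconfigured IDS that keeps reporting the
     - same signature from the same source. After 20151 has fired 3
     - times within 3800 s for one srcip/id pair, that pair is added to
     - the ignore list and 20101/20151 stop processing it.
     - Security caveat: this is a deliberate blind spot. Any source that
     - trips one signature often enough is silenced, so a persistent or
     - noisy attacker suppresses its own subsequent alerts. The level 11
     - alert emitted here is the only record that suppression happened:
     - make sure it is forwarded and reviewed, and check how long ignore
     - entries persist in the engine (not defined in this file).
     -->
  <rule id="20161" level="11" frequency="3" timeframe="3800">
    <if_matched_sid>20151</if_matched_sid>
    <same_source_ip />
    <same_id />
    <ignore>srcip, id</ignore>
    <description>Multiple IDS events from same source ip </description>
    <description>(ignoring now this srcip and id).</description>
  </rule>

  <!-- Same idea keyed on the signature id alone: after 20152 has fired
     - 3 times within 3800 s for one id, that id is ignored for every
     - source. This is broader than 20161 - a single widely-triggered
     - signature goes quiet globally - so the level 11 alert should be
     - treated as a tuning prompt (add the id to 20102 or fix the
     - sensor) rather than left to expire silently.
     -->
  <rule id="20162" level="11" frequency="3" timeframe="3800">
    <if_matched_sid>20152</if_matched_sid>
    <same_id />
    <ignore>id</ignore>
    <description>Multiple IDS alerts for same id </description>
    <description>(ignoring now this id).</description>
  </rule>

</group>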