1<!-- @(#) $Id: ./etc/rules/ids_rules.xml, 2011/09/08 dcid Exp $
2
3  -  Official IDS rules for OSSEC.
4  -
5  -  Copyright (C) 2009 Trend Micro Inc.
6  -  All rights reserved.
7  -
  -  This program is free software; you can redistribute it
9  -  and/or modify it under the terms of the GNU General Public
10  -  License (version 2) as published by the FSF - Free Software
11  -  Foundation.
12  -
13  -  License details: http://www.ossec.net/en/licensing.html
14  -->
15
16
<!-- Event count that trips the per-id (rule 20152) and per-source-ip (rule 20151)
     frequency rules below; both reference it as frequency="$IDS_FREQ". -->
<var name="IDS_FREQ">8</var>
18
19<group name="ids,">
20  <rule id="20100" level="8">
21    <category>ids</category>
22    <if_fts></if_fts>
23    <description>First time this IDS alert is generated.</description>
24    <group>fts,</group>
25  </rule>
26
27  <rule id="20101" level="6">
28    <category>ids</category>
29    <check_if_ignored>srcip, id</check_if_ignored>
30    <description>IDS event.</description>
31  </rule>
32
33  <!-- This rule ignores some Ids that cause too much
34    -  false positives. Snort specific.
35    -->
36  <rule id="20102" level="0">
37    <if_sid>20100, 20101</if_sid>
38    <decoded_as>snort</decoded_as>
39    <!-- 1:1852 -> robots.txt access
40       - 1:368 - ICMP ping.
41       - 1:384 - ICMP ping.
42       - 1:366 - ICMP ping.
43       - 1:399 - ICMP host unreachable
44       - 1:402 - ICMP port unreachable
45       - 1:408 - ICMP reply
46       - 1:480 - ICMP ping speedera.
47       - 1:1365 - RM commant attempt (too many false positives)
48       - 1:2925 - web bug 0x0 gif attempt
49       -->
50    <id_pcre2>^1:1852:|^1:368:|^1:384:|^1:366:|^1:402:|^1:408:|^1:1365:|</id_pcre2>
51    <id_pcre2>^1:480:|^1:399:|^1:2925:</id_pcre2>
52    <description>Ignored snort ids.</description>
53  </rule>
54
55  <!-- Ignored Dragon ids -->
56  <rule id="20103" level="0">
57    <if_sid>20100, 20101</if_sid>
58    <decoded_as>dragon-nids</decoded_as>
59    <!-- EOL -> end of line
60       - SOF -> start of file
61       - HEARTBEAT -> Heartbeat
62       - DYNAMIC-TCP -> ?
63       - DYNAMIC-UDP -> ?
64       -->
65    <id_pcre2>^EOL$|^SOF$|^HEARTBEAT$|^DYNAMIC-TCP$|^DYNAMIC-UDP$</id_pcre2>
66    <description>Ignored snort ids.</description>
67  </rule>
68
69  <rule id="20152" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
70    <if_matched_sid>20101</if_matched_sid>
71    <same_id />
72    <check_if_ignored>id</check_if_ignored>
73    <description>Multiple IDS alerts for same id.</description>
74  </rule>
75
76  <rule id="20151" level="10" frequency="$IDS_FREQ" timeframe="120" ignore="90">
77    <if_matched_sid>20101</if_matched_sid>
78    <same_source_ip />
79    <check_if_ignored>srcip, id</check_if_ignored>
80    <description>Multiple IDS events from same source ip.</description>
81  </rule>
82
83
84  <!-- This rule is to detect bad configured IDSs alerting on
85     - the same thing all the time. We will skip those events
86     - since they became just noise.
87     -->
88  <rule id="20161" level="11" frequency="3" timeframe="3800">
89    <if_matched_sid>20151</if_matched_sid>
90    <same_source_ip />
91    <same_id />
92    <ignore>srcip, id</ignore>
93    <description>Multiple IDS events from same source ip </description>
94    <description>(ignoring now this srcip and id).</description>
95  </rule>
96
97  <rule id="20162" level="11" frequency="3" timeframe="3800">
98    <if_matched_sid>20152</if_matched_sid>
99    <same_id />
100    <ignore>id</ignore>
101    <description>Multiple IDS alerts for same id </description>
102    <description>(ignoring now this id).</description>
103  </rule>
104</group>
105