1<!-- @(#) $Id: syslog_rules.xml,v 1.22 2010/11/25 17:06:17 ddp Exp $
2  -  Official Generic Syslog rules for OSSEC.
3  -
4  -  Copyright (C) 2009 Trend Micro Inc.
5  -  All rights reserved.
6  -
7  -  This program is a free software; you can redistribute it
8  -  and/or modify it under the terms of the GNU General Public
9  -  License (version 2) as published by the FSF - Free Software
10  -  Foundation.
11  -
12  -  License details: http://www.ossec.net/en/licensing.html
13  -->
14
15
16<!-- Default variables for the SYSLOG rules. -->
17
<!-- Bad words matching. Any log line containing one of these strings
  -  anywhere in the message (unanchored substring, not a whole word)
  -  triggers rule 1002 below, unless a level-0 child of 1002 (1009 here,
  -  2942 at the end of this file) claims the line first. The entries
  -  " bad " and "illegal " keep their surrounding spaces on purpose to
  -  avoid matching inside longer words.
  -  NOTE(review): a pcre2 pattern is case-sensitive unless it carries
  -  (?i). The mixed casing in this list ("error", "Segmentation Fault",
  -  "Corrupted") looks inherited from a case-insensitive match list, so
  -  a message saying "Error:" or "FAILED" is not caught by 1002 today.
  -  Confirm which behaviour is intended before tuning on top of this.
  -->
<var name="BAD_WORDS">core_dumped|failure|error|attack| bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
22
23
24<!-- Syslog errors. -->
<group name="syslog,errors,">
  <!-- /etc/securetty is what limits where root may log in directly; with
    -  the file missing that limit is gone (see the description). Level 2
    -  is arguably low for a hardened host: treat as a hardening
    -  regression, not as a cosmetic error. -->
  <rule id="1001" level="2">
    <pcre2>^Couldn't open /etc/securetty</pcre2>
    <description>File missing. Root access unrestricted.</description>
  </rule>

  <!-- Catch-all on $BAD_WORDS. alert_by_email forces a mail for every
    -  hit regardless of the global e-mail threshold, so this rule is
    -  noisy by design. Known false positives are silenced by level-0
    -  children (1009 below, 2942 at the end of the file) rather than by
    -  editing the variable. -->
  <rule id="1002" level="2">
    <pcre2>$BAD_WORDS</pcre2>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>

  <!-- Fires on message length alone (no pattern). An oversized syslog
    -  line is abnormal and may be log injection or an attempt to trip
    -  up a downstream log consumer, hence the high level. -->
  <rule id="1003" level="13" maxsize="1025">
    <description>Non standard syslog message (size too large).</description>
  </rule>

  <!-- 1004, 1005 and 1006: the logging daemon itself stopping or
    -  restarting. Anything that happens between a stop and the next
    -  restart is unlogged, so a stop with no matching restart deserves
    -  follow-up; an attacker silencing syslog looks exactly like this. -->
  <rule id="1004" level="5">
    <pcre2>^exiting on signal</pcre2>
    <description>Syslogd exiting (logging stopped).</description>
  </rule>

  <rule id="1005" level="5">
    <program_name_pcre2>syslogd</program_name_pcre2>
    <pcre2>^restart</pcre2>
    <description>Syslogd restarted.</description>
  </rule>

  <rule id="1006" level="5">
    <pcre2>^syslogd \S+ restart</pcre2>
    <description>Syslogd restarted.</description>
  </rule>

  <!-- A full filesystem is also a logging failure: once the log volume
    -  fills, local log files stop growing without any further notice. -->
  <rule id="1007" level="7">
    <pcre2>file system full|No space left on device</pcre2>
    <description>File system full.</description>
    <group>low_diskspace,</group>
  </rule>

  <rule id="1008" level="5">
    <pcre2>killed by SIGTERM</pcre2>
    <description>Process exiting (killed).</description>
    <group>service_availability,</group>
  </rule>

  <!-- Level-0 child of 1002: suppresses only these three messages. The
    -  trailing "|" on the first pcre2 line is how this file continues an
    -  alternation on the next pcre2 line (same convention as 2501). -->
  <rule id="1009" level="0">
    <if_sid>1002</if_sid>
    <pcre2>terminated without error|can't verify hostname: getaddrinfo|</pcre2>
    <pcre2>PPM exceeds tolerance</pcre2>
    <description>Ignoring known false positives on rule 1002..</description>
  </rule>

  <!-- A segfault in a set-uid or network-facing daemon can be a failed
    -  exploitation attempt; worth correlating with the 5100-series
    -  kernel rules and with whatever the crashing program is. -->
  <rule id="1010" level="5">
    <pcre2>segfault at </pcre2>
    <description>Process segfaulted.</description>
    <group>service_availability,</group>
  </rule>
</group> <!-- SYSLOG,ERRORS -->
82
83
84
85<!-- NFS messages -->
<group name="syslog,nfs,">
  <!-- XXX All These NFS rules need to be fixed. -->
  <!-- 2100..2102 and 2104 are the client-side view (mount/automount
    -  failing). They are availability signals, not intrusion signals. -->
  <rule id="2100" level="0" noalert="1">
    <program_name_pcre2>^automount|^mount</program_name_pcre2>
    <description>NFS rules grouped.</description>
  </rule>

  <rule id="2101" level="4">
    <if_sid>2100</if_sid>
    <pcre2>nfs: mount failure</pcre2>
    <description>Unable to mount the NFS share.</description>
  </rule>

  <rule id="2102" level="4">
    <if_sid>2100</if_sid>
    <pcre2>reason given by server: Permission denied</pcre2>
    <description>Unable to mount the NFS directory.</description>
  </rule>

  <!-- Server-side view: rpc.mountd refusing a client. Not chained to
    -  2100 because the program name is rpc.mountd, so the prefix is
    -  matched on the message itself. A client refused here is presumably
    -  not in the export list, which makes this closer to an
    -  access-control event than the description suggests; look at the
    -  source host if it is not one you expect. -->
  <rule id="2103" level="4">
    <pcre2>^rpc\.mountd: refused mount request from</pcre2>
    <description>Unable to mount the NFS directory.</description>
  </rule>

  <rule id="2104" level="2">
    <if_sid>2100</if_sid>
    <pcre2>lookup for \S+ failed</pcre2>
    <description>Automount informative message</description>
  </rule>
</group> <!-- SYSLOG,NFS -->
116
117
118
119<!-- xinetd messages -->
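<group name="syslog,xinetd,">
  <!-- xinetd logs "Deactivating service" when it switches a service off
    -  because its connection limits were exceeded (per the description).
    -  Seen from the network that is what a connection flood against the
    -  service looks like, hence level 10; it is also an availability
    -  event, since the service is no longer being served. -->
  <rule id="2301" level="10">
    <pcre2>^Deactivating service </pcre2>
    <description>Excessive number of connections to a service.</description>
  </rule>
</group> <!-- SYSLOG,XINETD -->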
126
127
128
129<!-- Access control messages -->
<group name="syslog,access_control,">
  <!-- Generic, program-independent authentication failure strings. None
    -  of the alternatives is anchored, so any program emitting one of
    -  these substrings lands here. The authentication_failed tag is what
    -  frequency-based rules in other rule files key on (assumed, not
    -  visible here), so keep the tag when adding alternatives. -->
  <rule id="2501" level="5">
    <pcre2>FAILED LOGIN |authentication failure|</pcre2>
    <pcre2>Authentication failed for|invalid password for|</pcre2>
    <pcre2>LOGIN FAILURE|auth failure: |authentication error|</pcre2>
    <pcre2>authinternal failed|Failed to authorize|</pcre2>
    <pcre2>Wrong password given for|login failed|Auth: Login incorrect|</pcre2>
    <pcre2>Failed to authenticate user</pcre2>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>

  <!-- The logging program already summarised several failures into one
    -  line, so a single match is worth level 10 on its own. -->
  <rule id="2502" level="10">
    <pcre2>more authentication failures;|REPEATED login failures</pcre2>
    <description>User missed the password more than one time</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- TCP wrappers (hosts.allow / hosts.deny) rejecting a client: the
    -  host-based ACL worked, but the source is still worth a look. -->
  <rule id="2503" level="5">
    <pcre2>^refused connect from|</pcre2>
    <pcre2>^libwrap refused connection|</pcre2>
    <pcre2>Connection from \S+ denied</pcre2>
    <description>Connection blocked by Tcp Wrappers.</description>
    <group>access_denied,</group>
  </rule>

  <rule id="2504" level="9">
    <pcre2>ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED</pcre2>
    <description>Illegal root login. </description>
    <group>invalid_login,</group>
  </rule>

  <!-- Successful root login on a console. The two spaces in the pattern
    -  mirror the logged message; do not collapse them. Note this rule
    -  does not carry the authentication_success tag, so it is not seen
    -  by the first-time-login rule 10100; on hardened hosts consider a
    -  higher level than 3, since direct root logins should be rare. -->
  <rule id="2505" level="3">
    <pcre2>^ROOT LOGIN  on</pcre2>
    <description>Physical root login.</description>
  </rule>

  <!-- Also untagged as authentication_success, so excluded from 10100. -->
  <rule id="2506" level="3">
    <pcre2>^Authentication passed</pcre2>
    <description>Pop3 Authentication passed.</description>
  </rule>

  <rule id="2507" level="0">
    <decoded_as>openldap</decoded_as>
    <description>OpenLDAP group.</description>
  </rule>

  <!-- Every accepted LDAP connection alerts at level 3; on a busy
    -  directory this is mostly useful as the anchor for 2509. -->
  <rule id="2508" level="3">
    <if_sid>2507</if_sid>
    <pcre2>ACCEPT from</pcre2>
    <description>OpenLDAP connection open.</description>
  </rule>

  <!-- Composite rule: a bind result with err=49 (a failed bind, per the
    -  description) on the same connection id as a 2508 ACCEPT seen
    -  within the last 10 seconds. same_id relies on the openldap decoder
    -  extracting the connection id. frequency="0" is kept as upstream
    -  wrote it; confirm with ossec-logtest that the engine accepts 0
    -  here, because no ordinary frequency check applies. -->
  <rule id="2509" level="5" timeframe="10" frequency="0">
    <if_sid>2507</if_sid>
    <if_matched_sid>2508</if_matched_sid>
    <same_id />
    <pcre2>RESULT tag=97 err=49</pcre2>
    <description>OpenLDAP authentication failed.</description>
  </rule>

</group> <!-- SYSLOG,ACCESS_CONTROL -->
192
193
194
195<!-- rshd -->
<group name="syslog,access_control,">
  <!-- rsh/rlogin are legacy cleartext services. If rshd is listening at
    -  all, anything it logs is worth attention; the usual fix is to
    -  disable the service rather than tune these rules. -->
  <rule id="2550" level="0" noalert="1">
    <decoded_as>rshd</decoded_as>
    <description>rshd messages grouped.</description>
  </rule>

  <!-- rshd expects clients to connect from a privileged source port; a
    -  connection from any other port is not a real rsh client and is
    -  typically a scanner or a hand-crafted probe (see description). -->
  <rule id="2551" level="10">
    <if_sid>2550</if_sid>
    <pcre2>^Connection from \S+ on illegal port$</pcre2>
    <description>Connection to rshd from unprivileged port. Possible network scan.</description>
    <group>connection_attempt,</group>
  </rule>
</group>
209
210
211
212<!-- Mail/Procmail messages -->
<group name="syslog,mail,">
  <!-- Level 0 with no children: every procmail line is discarded,
    -  including delivery failures. Add children under 2701 if any
    -  procmail output (e.g. recipe errors) should surface. -->
  <rule id="2701" level="0">
    <program_name_pcre2>^procmail</program_name_pcre2>
    <description>Ignoring procmail messages.</description>
  </rule>
</group> <!-- SYSLOG,MAIL -->
219
220
221
222<!-- Smartd messages -->
<group name="syslog,smartd,">
  <!-- Matches any program whose name starts with "smart", not only
    -  smartd. The three children below silence configuration complaints;
    -  actual SMART health warnings are not matched by any rule in this
    -  group, so they only surface if their wording happens to hit
    -  $BAD_WORDS in rule 1002. -->
  <rule id="2800" level="0" noalert="1">
    <program_name_pcre2>^smart</program_name_pcre2>
    <description>Pre-match rule for smartd.</description>
  </rule>

  <rule id="2801" level="0">
    <if_sid>2800</if_sid>
    <pcre2>No configuration file /etc/smartd\.conf found</pcre2>
    <description>Smartd Started but not configured</description>
  </rule>

  <rule id="2802" level="0">
    <if_sid>2800</if_sid>
    <pcre2>Unable to register ATA device</pcre2>
    <description>Smartd configuration problem</description>
  </rule>

  <!-- A configured device that has vanished can also mean a dead disk;
    -  level 0 is a deliberate noise trade-off, revisit on storage hosts. -->
  <rule id="2803" level="0">
    <if_sid>2800</if_sid>
    <pcre2>No such device or address</pcre2>
    <description>Device configured but not available to Smartd</description>
  </rule>
</group> <!-- SYSLOG,SMARTD -->
247
248
249
250<!-- Linux Kernel messages -->
<group name="syslog,linuxkernel,">
  <!-- Parent for everything logged with program name "kernel". Rules
    -  2935..2939 near the end of this file also chain to 5100. -->
  <rule id="5100" level="0" noalert="1">
    <program_name_pcre2>^kernel</program_name_pcre2>
    <description>Pre-match rule for kernel messages</description>
  </rule>

  <rule id="5101" level="0">
    <if_sid>5100</if_sid>
    <pcre2>PCI: if you experience problems, try using option</pcre2>
    <description>Informative message from the kernel.</description>
  </rule>

  <rule id="5102" level="0">
    <if_sid>5100</if_sid>
    <pcre2>modprobe: Can't locate module sound</pcre2>
    <description>Informative message from the kernel</description>
  </rule>

  <rule id="5103" level="9">
    <if_sid>5100</if_sid>
    <pcre2>Oversized packet received from</pcre2>
    <description>Error message from the kernel. </description>
    <description>Ping of death attack.</description>
  </rule>

  <!-- Classic sniffer indicator. Legitimate on hosts that run packet
    -  capture, bridges or IDS sensors; tune per host rather than
    -  lowering the level globally. -->
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <pcre2>Promiscuous mode enabled|</pcre2>
    <pcre2>device \S+ entered promiscuous mode</pcre2>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>

  <!-- Floppy-probe noise. This overlaps with 5109 ("end_request: I/O
    -  error, dev"); keeping it quiet assumes the engine tries this
    -  level-0 sibling before 5109. Confirm with ossec-logtest. -->
  <rule id="5105" level="0">
    <if_sid>5100</if_sid>
    <pcre2>end_request: I/O error, dev fd0, sector 0|</pcre2>
    <pcre2>Buffer I/O error on device fd0, logical block 0</pcre2>
    <description>Invalid request to /dev/fd0 (bug on the kernel).</description>
  </rule>

  <rule id="5106" level="0">
    <if_sid>5100</if_sid>
    <pcre2>svc: unknown program 100227 \(me 100003\)</pcre2>
    <description>NFS incompatibility between Linux and Solaris.</description>
  </rule>

  <rule id="5107" level="0">
    <if_sid>5100</if_sid>
    <pcre2>svc: bad direction </pcre2>
    <description>NFS incompatibility between Linux and Solaris.</description>
  </rule>

  <!-- The OOM killer may terminate security-relevant daemons (including
    -  the logger and the agent itself), so treat this as a possible
    -  loss-of-visibility event as well as an availability one. -->
  <rule id="5108" level="12">
    <if_sid>5100</if_sid>
    <pcre2>Out of Memory: </pcre2>
    <description>System running out of memory. </description>
    <description>Availability of the system is in risk.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="5109" level="4">
    <if_sid>5100</if_sid>
    <pcre2>I/O error: dev |end_request: I/O error, dev</pcre2>
    <description>Kernel Input/Output error</description>
  </rule>

  <rule id="5110" level="4">
    <if_sid>5100</if_sid>
    <pcre2>Forged DCC command from</pcre2>
    <description>IRC misconfiguration</description>
  </rule>

  <rule id="5111" level="0">
    <if_sid>5100</if_sid>
    <pcre2>ipw2200: Firmware error detected\.| ACPI Error</pcre2>
    <description>Kernel device error.</description>
  </rule>

  <rule id="5112" level="0">
    <if_sid>5100</if_sid>
    <pcre2>usbhid: probe of</pcre2>
    <description>Kernel usbhid probe error (ignored).</description>
  </rule>

  <!-- Once the kernel log daemon stops, kernel messages are no longer
    -  written. Expected during a real shutdown; if no shutdown follows,
    -  this is a logging blind spot worth investigating. -->
  <rule id="5113" level="7">
    <if_sid>5100</if_sid>
    <pcre2>Kernel log daemon terminating</pcre2>
    <group>system_shutdown,</group>
    <description>System is shutting down.</description>
  </rule>

  <rule id="5130" level="7">
    <if_sid>5100</if_sid>
    <pcre2>ADSL line is down</pcre2>
    <description>Monitor ADSL line is down.</description>
  </rule>

  <rule id="5131" level="3">
    <if_sid>5100</if_sid>
    <pcre2>ADSL line is up</pcre2>
    <description>Monitor ADSL line is up.</description>
  </rule>

  <!-- Not chained to 5100: hpiod logs under its own program name, so the
    -  prefix is matched on the message. -->
  <rule id="5200" level="0">
    <pcre2>^hpiod: unable to ParDevice</pcre2>
    <description>Ignoring hpiod for producing useless logs.</description>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
359
360
361
362<!-- Cron messages -->
<group name="syslog,cron,">
  <!-- Crontab changes are a common persistence technique; 2833 (root's
    -  crontab) is the one to watch. Rule ids are out of sequence on
    -  purpose in this file (2834 before 2832); order here does not
    -  change what they match, only which is tried first. -->
  <rule id="2830" level="0">
    <program_name_pcre2>crond|crontab</program_name_pcre2>
    <description>Crontab rule group.</description>
  </rule>

  <!-- Silenced. A job whose command cannot be executed can also mean the
    -  binary was removed or replaced; raise the level if cron jobs are
    -  part of your security tooling. -->
  <rule id="2831" level="0">
    <if_sid>2830</if_sid>
    <pcre2>^unable to exec</pcre2>
    <description>Wrong crond configuration</description>
  </rule>

  <rule id="2834" level="5">
    <if_sid>2830</if_sid>
    <pcre2>BEGIN EDIT</pcre2>
    <description>Crontab opened for editing.</description>
  </rule>

  <rule id="2832" level="5">
    <if_sid>2830</if_sid>
    <pcre2>REPLACE</pcre2>
    <description>Crontab entry changed.</description>
  </rule>

  <!-- Matches only when the REPLACE line starts with "(root)". Check your
    -  cron implementation's log format to be sure whether that is the
    -  invoking user or the crontab owner before relying on it. -->
  <rule id="2833" level="8">
    <if_sid>2832</if_sid>
    <pcre2>^\(root\)</pcre2>
    <description>Root's crontab entry changed.</description>
  </rule>

</group> <!-- SYSLOG,CRON -->
394
395
396
397<!-- Su messages -->
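<!-- Group name fixed from "syslog, su," (stray space). The group string
  -  is carried verbatim into alerts and into if_group matching, so the
  -  space produced a " su" tag instead of "su"; every other group in this
  -  file uses the comma-separated, no-space form. -->
<group name="syslog,su,">
  <rule id="5300" level="0" noalert="1">
    <decoded_as>su</decoded_as>
    <description>Initial grouping for su messages.</description>
  </rule>

  <!-- "failed" and "^-" are broad on purpose: different su
    -  implementations word their failure line differently. "^-" in
    -  particular matches any su line that starts with a dash; verify it
    -  against the su log format on your platforms. -->
  <rule id="5301" level="5">
   <if_sid>5300</if_sid>
   <pcre2>authentication failure; |failed|BAD su|^-</pcre2>
   <description>User missed the password to change UID (user id).</description>
   <group>authentication_failed,</group>
  </rule>

  <!-- Depends on the su decoder filling the user field with the target
    -  user; if it does not, this never fires and failures to root stay
    -  at level 5 via 5301. -->
  <rule id="5302" level="9">
    <if_sid>5301</if_sid>
    <user_pcre2>^root</user_pcre2>
    <description>User missed the password to change UID to root.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- The second pattern contains a literal "\<" and "&". Standard XML
    -  tooling (xmllint) rejects that; it works only because the OSSEC
    -  XML reader treats "\<" as an escaped bracket. Keep this in mind if
    -  the rules are ever processed by another parser. 5303 is listed
    -  before 5304 deliberately: its patterns are a subset of 5304's. -->
  <rule id="5303" level="3">
    <if_sid>5300</if_sid>
    <pcre2>session opened for user root|^'su root'|</pcre2>
    <pcre2>^\+ \S+ \S+[()*+,.:;\<=>?\[\]!"'#%&$|{}-]root$|^\S+ to root on|^SU \S+ \S+ \+ \S+ \S+-root$</pcre2>
    <description>User successfully changed UID to root.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="5304" level="3">
    <if_sid>5300</if_sid>
    <pcre2>session opened for user|succeeded for|</pcre2>
    <pcre2>^\+|^\S+ to |^SU \S+ \S+ \+ </pcre2>
    <description>User successfully changed UID.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- First-time-seen (FTS) on successful su. The if_sid list is written
    -  without spaces, like the other lists in this file (see 2932). -->
  <rule id="5305" level="4">
    <if_sid>5303,5304</if_sid>
    <if_fts></if_fts>
    <options>alert_by_email</options>
    <description>First time (su) is executed by user.</description>
  </rule>

  <rule id="5306" level="0">
    <if_sid>5300</if_sid>
    <pcre2>unknown class</pcre2>
    <info>OpenBSD uses login classes, and an inappropriate login class was used.</info>
    <description>A user has attempted to su to an unknown class.</description>
  </rule>

</group> <!-- SYSLOG,SU -->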
449
450
451
452<!-- Tripwire messages -->
<group name="syslog,tripwire,">
  <!-- The integrity checker could not read a file it is supposed to
    -  verify. That is a gap in file-integrity coverage, which is why a
    -  "could not" message rates level 8 rather than being informative. -->
  <rule id="7101" level="8">
    <pcre2>Integrity Check failed: File could not</pcre2>
    <description>Problems with the tripwire checking</description>
  </rule>
</group> <!-- SYSLOG,TRIPWIRE -->
459
460
461
462<!-- Adduser messages -->
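<!-- Trailing comma added to the group name for consistency with the rest
  -  of this file: rule-level group text appears to be appended verbatim
  -  to this string, so without the comma a future
  -  "<group>foo,</group>" inside a rule would produce "adduserfoo,". -->
<group name="syslog,adduser,">
  <!-- 5901..5904 are matched on message prefix only, with no program
    -  name restriction: any program logging "new user ..." lands here. -->
  <rule id="5901" level="8">
    <pcre2>^new group</pcre2>
    <description>New group added to the system</description>
  </rule>

  <rule id="5902" level="8">
    <pcre2>^new user|^new account added</pcre2>
    <description>New user added to the system</description>
  </rule>

  <!-- Level 2 is much lower than the level-8 creation rules above.
    -  Account and group removal is also how an intruder cleans up a
    -  temporary account; consider aligning the level. -->
  <rule id="5903" level="2">
    <pcre2>^delete user|^account deleted|^remove group</pcre2>
    <description>Group (or user) deleted from the system</description>
  </rule>

  <rule id="5904" level="8">
    <pcre2>^changed user</pcre2>
    <description>Information from the user was changed</description>
  </rule>

  <!-- Silenced. A failed useradd can be a benign duplicate, but it is
    -  also the trace left by a script trying to create an account. -->
  <rule id="5905" level="0">
    <program_name_pcre2>useradd</program_name_pcre2>
    <pcre2>failed adding user </pcre2>
    <description>useradd failed.</description>
  </rule>

</group> <!-- SYSLOG,ADDUSER -->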
491
492
493
494<!-- Sudo messages -->
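<!-- Trailing comma added to the group name for consistency with the rest
  -  of this file (see the note on the adduser group): rule-level group
  -  text appears to be appended verbatim to this string. -->
<group name="syslog,sudo,">
  <rule id="5400" level="0" noalert="1">
    <decoded_as>sudo</decoded_as>
    <description>Initial group for sudo messages</description>
  </rule>

  <!-- NOTE(review): unlike the su rules (5301), sudo failures carry no
    -  authentication_failed tag, so frequency rules keyed on that tag
    -  (assumed to live in other rule files) do not count them. Add the
    -  tag here and on 5405 if brute-force counting should include sudo. -->
  <rule id="5401" level="5">
    <if_sid>5400</if_sid>
    <pcre2>incorrect password attempt</pcre2>
    <description>Failed attempt to run sudo</description>
  </rule>

  <!-- Matches the "USER=root ; COMMAND=" part of the sudo log line, with
    -  or without a TSID (session recording id). Carries no
    -  authentication_success tag, so 10100 does not see it; first use of
    -  sudo is handled by 5403 instead. -->
  <rule id="5402" level="3">
    <if_sid>5400</if_sid>
    <pcre2> ; USER=root ; COMMAND=| ; USER=root ; TSID=\S+ ; COMMAND=</pcre2>
    <description>Successful sudo to ROOT executed</description>
  </rule>

  <rule id="5403" level="4">
    <if_sid>5400</if_sid>
    <options>alert_by_email</options>
    <if_fts></if_fts>
    <description>First time user executed sudo.</description>
  </rule>

  <!-- Child of 5401. The literal "3" follows sudo's default number of
    -  password tries; hosts configured with a different passwd_tries
    -  value will log a different count and never reach this rule. -->
  <rule id="5404" level="10">
    <if_sid>5401</if_sid>
    <pcre2>3 incorrect password attempts</pcre2>
    <description>Three failed attempts to run sudo</description>
  </rule>

  <!-- A user outside sudoers trying sudo is a privilege-escalation
    -  attempt by definition; level 5 is conservative. -->
  <rule id="5405" level="5">
    <if_sid>5400</if_sid>
    <pcre2>user NOT in sudoers</pcre2>
    <description>Unauthorized user attempted to use sudo.</description>
  </rule>

</group> <!-- SYSLOG,SUDO -->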
533
534
535<!-- PPTP messages -->
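<!-- Trailing comma added to the group name for consistency with the rest
  -  of this file (see the note on the adduser group). -->
<group name="syslog,pptp,">
  <!-- Everything under 9100 is level 0: PPTP transport errors are
    -  silenced, nothing here alerts. PPTP itself is a weak VPN protocol;
    -  the useful control is not running it, not tuning these rules. -->
  <rule id="9100" level="0" noalert="1">
    <program_name_pcre2>^pptpd</program_name_pcre2>
    <description>PPTPD messages grouped</description>
  </rule>

  <rule id="9101" level="0">
    <if_sid>9100</if_sid>
    <pcre2>^GRE: \S+ from \S+ failed: status = -1 </pcre2>
    <description>PPTPD failed message (communication error)</description>
    <info type="link">http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml</info>
  </rule>

  <rule id="9102" level="0">
    <if_sid>9100</if_sid>
    <pcre2>^tcflush failed: Bad file descriptor</pcre2>
    <description>PPTPD communication error</description>
  </rule>
</group> <!-- SYSLOG,PPTP -->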
555
556
557
558<!-- Syslog FTS -->
<group name="syslog,fts,">
  <!-- First-time-seen on any rule tagged authentication_success (in this
    -  file: 5303 and 5304; rules 2505 and 2506 are not tagged and so are
    -  not covered). Which fields make up the "first time" key is decided
    -  by the decoders' fts configuration, not here. The rule re-applies
    -  the authentication_success tag to itself so that consumers
    -  filtering on that tag also see the first-login alert. -->
  <rule id="10100" level="4">
    <if_group>authentication_success</if_group>
    <options>alert_by_email</options>
    <if_fts></if_fts>
    <group>authentication_success</group>
    <description>First time user logged in.</description>
  </rule>
</group>
568
569
<group name="syslog,squid,">
  <rule id="9200" level="0" noalert="1">
    <program_name_pcre2>^squid</program_name_pcre2>
    <description>Squid syslog messages grouped</description>
  </rule>

  <!-- Debug noise silenced. "urlParse: Illegal" also covers clients
    -  sending malformed URLs, which can be probing; if that matters on
    -  your proxy, split it out of this rule at a non-zero level. -->
  <rule id="9201" level="0">
    <if_sid>9200</if_sid>
    <pcre2>^ctx: enter level|^sslRead|^urlParse: Illegal |</pcre2>
    <pcre2>^httpReadReply: Request not yet |^httpReadReply: Excess data</pcre2>
    <description>Squid debug message</description>
  </rule>
</group>
583
584
<group name="syslog,dpkg,">
  <!-- dpkg.log lines start with "YYYY-MM-DD HH:MM:SS", which is why the
    -  parent matches on the windows-date-format decoder rather than on a
    -  program name. Package changes are the software-supply-chain audit
    -  trail of a host: the config_changed tag on 2902/2903 is what a
    -  change-control or unauthorized-software rule would key on. Note
    -  that "upgrade" lines are grouped by 2900 but have no child rule,
    -  so upgrades are not alerted at all. -->
  <rule id="2900" level="0">
    <decoded_as>windows-date-format</decoded_as>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} startup |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} remove |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} configure |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} install |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} purge |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} trigproc |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} conffile |</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} upgrade </pcre2>
    <description>Dpkg (Debian Package) log.</description>
  </rule>

  <!-- The install request (level 3) and the completed install (2902,
    -  level 7) are separate events; only the latter is config_changed. -->
  <rule id="2901" level="3">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} install</pcre2>
    <description>New dpkg (Debian Package) requested to install.</description>
  </rule>

 <rule id="2902" level="7">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} status installed</pcre2>
    <description>New dpkg (Debian Package) installed.</description>
    <group>config_changed,</group>
  </rule>

  <rule id="2903" level="7">
    <if_sid>2900</if_sid>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} remove|</pcre2>
    <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} purge</pcre2>
    <description>Dpkg (Debian Package) removed.</description>
    <group>config_changed,</group>
  </rule>
</group>
621
622
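<group name="syslog,yum,">
  <!-- Two ways yum activity arrives: via syslog with program name yum
    -  (2930), or read straight from a file whose location ends in
    -  yum.log, which the hostname field reflects (2931, presumably set
    -  by the file-location tagging; verify against the decoder). -->
  <rule id="2930" level="0">
    <program_name_pcre2>^yum</program_name_pcre2>
    <description>Yum logs.</description>
  </rule>

  <rule id="2931" level="0">
    <hostname_pcre2>yum\.log$</hostname_pcre2>
    <pcre2>^Installed|^Updated|^Erased</pcre2>
    <description>Yum logs.</description>
  </rule>

  <!-- Package installs, updates and removals are the host's
    -  software-supply-chain audit trail; config_changed is the tag a
    -  change-control or unauthorized-software rule would key on. -->
  <rule id="2932" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Installed</pcre2>
    <group>config_changed,</group>
    <description>New Yum package installed.</description>
  </rule>

  <rule id="2933" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Updated</pcre2>
    <group>config_changed,</group>
    <description>Yum package updated.</description>
  </rule>

  <rule id="2934" level="7">
    <if_sid>2930,2931</if_sid>
    <pcre2>^Erased</pcre2>
    <group>config_changed,</group>
    <description>Yum package deleted.</description>
  </rule>
</group> <!-- SYSLOG,YUM -->


<!-- The rules below used to sit inside the yum group and therefore
  -  carried a "yum" tag in every alert (a SCSI disk failure reported as
  -  "syslog,yum,"). They are now grouped by what they actually match. -->

<!-- SCSI CONTROLLER (mptscsih / mptbase kernel messages; chained to the
  -  kernel parent 5100, so they belong with the linuxkernel group). The
  -  id, status and action fields depend on the kernel decoder extracting
  -  them; confirm with ossec-logtest on a real message. -->
<group name="syslog,linuxkernel,">
  <rule id="2935" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id_pcre2>mptscsih</id_pcre2>
    <description>Grouping for the mptscsih rules.</description>
  </rule>

  <rule id="2936" level="0" noalert="1">
    <if_sid>5100</if_sid>
    <id_pcre2>mptbase</id_pcre2>
    <description>Grouping for the mptbase rules.</description>
  </rule>

  <rule id="2937" level="12">
    <if_sid>2935</if_sid>
    <status_pcre2>FAILED</status_pcre2>
    <description>Possible Disk failure. SCSI controller error.</description>
  </rule>

  <rule id="2938" level="12">
    <if_sid>2936</if_sid>
    <action>failed</action>
    <description>SCSI RAID ARRAY ERROR, drive failed.</description>
  </rule>

  <rule id="2939" level="12">
    <if_sid>2936</if_sid>
    <action>degraded</action>
    <description>SCSI RAID is now in a degraded status.</description>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL (SCSI) -->


<group name="syslog,networkmanager,">
  <rule id="2940" level="0">
    <program_name_pcre2>^NetworkManager</program_name_pcre2>
    <description>NetworkManager grouping.</description>
  </rule>

  <!-- A firewall rule NetworkManager tried to manage does not exist;
    -  usually a misconfiguration, but it means the intended packet
    -  filtering is not in place, hence not level 0. -->
  <rule id="2941" level="3">
    <if_sid>2940</if_sid>
    <pcre2> No chain/target/match by that name\.$</pcre2>
    <description>Incorrect chain/target/match.</description>
  </rule>
</group> <!-- SYSLOG,NETWORKMANAGER -->


<!-- Child of the $BAD_WORDS catch-all 1002, so it belongs with the
  -  errors group: it only silences this one GLib assertion message. -->
<group name="syslog,errors,">
  <rule id="2942" level="0">
    <if_sid>1002</if_sid>
    <pcre2>g_slice_set_config: assertion `sys_page_size == 0' failed</pcre2>
    <description>Uninteresting gnome error.</description>
  </rule>
</group> <!-- SYSLOG,ERRORS (gnome false positive) -->


<group name="syslog,nouveau,">
  <rule id="2943" level="0">
    <pcre2>^nouveau </pcre2>
    <description>nouveau driver grouping</description>
  </rule>

  <rule id="2944" level="1">
    <if_sid>2943</if_sid>
    <pcre2> DATA_ERROR BEGIN_END_ACTIVE$| DATA_ERROR$</pcre2>
    <description>Uninteresting nouveau error.</description>
  </rule>
</group> <!-- SYSLOG,NOUVEAU -->


<!-- Log loss. When rsyslog's imuxsock input starts rate-limiting, the
  -  dropped messages may include the security events this rule set is
  -  supposed to see; the linked diary explains how to confirm and tune
  -  it. Level 4 is conservative for a visibility gap. -->
<group name="syslog,rsyslog,">
  <rule id="2945" level="4">
    <program_name_pcre2>^rsyslogd</program_name_pcre2>
    <pcre2>^imuxsock begins to drop messages </pcre2>
    <info>https://isc.sans.edu/diary/Are+you+losing+system+logging+information+%28and+don%27t+know+it%29%3F/15106</info>
    <description>rsyslog may be dropping messages due to rate-limiting.</description>
  </rule>
</group> <!-- SYSLOG,RSYSLOG -->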
723
724
725<!-- EOF -->
726