<!-- @(#) $Id: ./etc/rules/zeus_rules.xml, 2011/09/08 dcid Exp $
  -
  -  Official Zeus rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -
  -  Contributed by: Chris Buckley <chris at cjbuckley.net>
  -->


<!-- For more info:
  - http://www.ossec.net/wiki/index.php/Log_Samples_Zeus
  -->

<!-- Rule layout (all ids live in the 312xx range reserved for Zeus):
  -
  -  31200            base rule; every event the "zeus" decoder recognised
  -                   passes through here (level 0, never alerts on its own)
  -  31201 .. 31204   severity mapping keyed on the "[date time] LEVEL:" prefix
  -                   of each log line: INFO/SSL -> 0, WARN -> 4, SERIOUS -> 9,
  -                   FATAL -> 12
  -  31205 .. 31206   children of the WARN rule that re-classify two specific
  -                   warning messages (admin login failure, unknown directive)
  -  31251            composite rule: repeated WARN events in a short window
  -
  -  Every <pcre2> below that inspects the log prefix anchors on
  -  "^\[\S+ \S+\] ", i.e. it assumes the decoded line still begins with the
  -  bracketed "[date time]" stamp. If the zeus decoder is ever changed to
  -  strip that prefix, rules 31201 .. 31204 stop matching silently and all
  -  events fall back to 31200 (level 0, no alert).
  -->


<group name="zeus,">
  <!-- Base rule: anything decoded as "zeus". Level 0 -> no alert on its own;
     - it only exists so the rules below can chain off it with if_sid. -->
  <rule id="31200" level="0">
    <decoded_as>zeus</decoded_as>
    <description>Grouping of Zeus rules.</description>
  </rule>

  <!-- INFO: and SSL: lines are routine traffic; level 0 keeps them out of the
     - alert stream while still letting them be grouped/archived under Zeus. -->
  <rule id="31201" level="0">
    <if_sid>31200</if_sid>
    <pcre2>^\[\S+ \S+\] INFO:|^\[\S+ \S+\] SSL:</pcre2>
    <description>Grouping of Zeus informational logs.</description>
  </rule>

  <!-- WARN: -> level 4. Parent of 31205 and 31206, and the event source
     - counted by the composite rule 31251. -->
  <rule id="31202" level="4">
    <if_sid>31200</if_sid>
    <pcre2>^\[\S+ \S+\] WARN:</pcre2>
    <description>Zeus warning log.</description>
  </rule>

  <!-- SERIOUS: -> level 9. -->
  <rule id="31203" level="9">
    <if_sid>31200</if_sid>
    <pcre2>^\[\S+ \S+\] SERIOUS:</pcre2>
    <description>Zeus serious log.</description>
  </rule>

  <!-- FATAL: -> level 12. -->
  <rule id="31204" level="12">
    <if_sid>31200</if_sid>
    <pcre2>^\[\S+ \S+\] FATAL:</pcre2>
    <description>Zeus fatal log.</description>
  </rule>

  <!-- A WARN line reporting a failed login to the admin interface; raised
     - from 4 to level 8. The pattern is unanchored, so it matches anywhere in
     - the message body after the WARN: prefix.
     - The event is tagged with the "authentication_failed" group, presumably
     - so that generic group-based composite rules elsewhere in the ruleset
     - can count it alongside other services' login failures - verify that
     - the deployed ruleset actually keys on this group.
     - NOTE(review): there is no Zeus-specific frequency rule on this sid;
     - repeated admin login failures only escalate through those generic
     - rules, if at all. -->
  <rule id="31205" level="8">
    <if_sid>31202</if_sid>
    <pcre2>admin:Authentication failure</pcre2>
    <description>Admin authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- "Unknown directive" is a configuration warning emitted as a WARN line.
     - As a level-0 child of 31202 it overrides the level-4 alert for these
     - lines, so they are deliberately silenced. -->
  <rule id="31206" level="0">
    <if_sid>31202</if_sid>
    <pcre2>Unknown directive</pcre2>
    <description>Configuration warning (ignored).</description>
  </rule>

  <!-- Composite: 6 events matching 31202 within 120 seconds -> level 10.
     - Whether WARN lines that went on to match a child rule (31205 or 31206)
     - are counted here depends on how if_matched_sid treats child matches in
     - the OSSEC version in use - confirm before relying on this threshold. -->
  <rule id="31251" level="10" frequency="6" timeframe="120">
    <if_matched_sid>31202</if_matched_sid>
    <description>Multiple Zeus warnings.</description>
  </rule>
</group> <!-- zeus, -->


<!-- EOF -->