# # Rule format : # # For information about the fields and their meanings, please have a look at # the IDMEF Draft located at : # # http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt # # CREATING AND CONTRIBUTING RULES: # Rulesets that you contribute to the Prelude-LML maintainer should follow # these guidelines: # - Avoid using .+ or .* in regex entries unless actually neccessary. Doing so # will make your rule CPU-costly to implement. # - Avoid capturing variables which you don't use. This causes unneccessary # memory consumption. # - At a minimum, include regex, classification().text, # assessment.impact.severity, assessment.impact.type, # assessment.impact.description. # - If it's correct for this application, include last. # - Put only a single field on each line of your rules. # - Include a sample log entry with each rule. # - Gather as many pieces of data, and fill as many IDMEF fields as possible # from the log entry. # - If a similar rule exists in another ruleset (same function, different # software), use the classification().text from the other rule. # - Use only the actual log message, none of the syslog headers (this generally # includes timestamp, originating node, originating process, and pid). # - Submit new rulesets to the prelude-devel mailing list for consideration. # # See the existing rulesets for examples. # # LML-specific fields: # # - regex: # A perl regex instruction to the rule on the correct way to parse the log # entry concerned. # # - id: # A unique number identifying this rule in the Prelude-LML ruleset. Rulesets # are assigned IDs in blocks of 100, so if the first rule in a ruleset is # 2300, all of the rules in that ruleset will be 23xx. # # - revision: # The current revision of the rule. Higher numbers indicate more recent # versions. # # - last: # Indicates to LML that if this rule is triggered, stop checking for further # regex matches. # Prevent LML from matching its own output and creating a logging loop in case # of odd syslog configurations regex=no appropriate format defined for log entry; \ silent; \ last regex=EMU; include = apc-emu.rules; regex=(anomaly|since|firstSeen); include = arbor.rules; regex=arpwatch; include = arpwatch.rules; regex=chan_sip.c; include = asterisk.rules; regex=CactiTholdLog; include = cacti-thold.rules; regex=product:; include = checkpoint.rules; regex=%\S+-\d+-\S+; include = cisco-asa.rules; \ include = cisco-common.rules; \ include = cisco-router.rules; regex=(IPV4|SSHD|NETMAN)-\d+; include = cisco-css.rules; regex=snmptrapd; include = cisco-ips.rules; regex=SEV=; include = cisco-vpn.rules; # Using this regex rather than simpler clamd to handle events from clamav # logging format regex=(FOUND|virus); include = clamav.rules; regex=server administrator; include = dell-om.rules regex=(kernel|grsec); include = grsecurity.rules; regex=(bigconf|kernel); include = f5-bigip.rules; regex=(honeyd|icmp|tcp|udp); include = honeyd.rules; regex=\[([0-9-]+) ([0-9:]+)\]; include = honeytrap.rules regex=\[(SSHChannel|SSHService); include = kojoney.rules # Using this somewhat complex regex instead of the simpler httpd due to the # fact that we might be directly monitoring httpd logs instead of httpd syslog # entries (in which case we won't have the process name to match against) regex=(\[error\]|Pass|httpd); include = httpd.rules; \ include = modsecurity.rules; regex=kernel; include = ipchains.rules; \ include = netfilter.rules; \ include = bonding.rules; regex=ipfw; include = ipfw.rules; regex=[Ww]ireless; include = linksys-wap11.rules; regex=clussvc; include = ms-cluster.rules; regex=mssql; include = ms-sql.rules; regex=nagios; include = nagios.rules; regex=norton; include = navce.rules; regex=\[[^:]*:[^\]]*\]:; include = netapp-ontap.rules; regex=system-(emergency|alert)-; include = netscreen.rules; regex=security\[; include = ntsyslog.rules; regex=[Pp][Aa][Mm]_; include = pam.rules; regex=pcanywhere; include = pcanywhere.rules; regex=portsentry; include = portsentry.rules; regex=postfix/; include = postfix.rules; regex=proftpd; include = proftpd.rules; regex=popper; include = qpopper.rules; regex=INFO\s+srcIP; include = rishi.rules; regex=avc:; include = selinux.rules; regex=sendmail; include = sendmail.rules; regex=(user|group)(mod|add); include = shadow-utils.rules; regex=id=firewall; include = sonicwall.rules; regex=spamd; include = spamassassin.rules; # More complex regex to handle data coming directly from Squid log files regex=(Acceptin|Squid|Disabled|DENIED); include = squid.rules; regex=sshd; include = ssh.rules; regex=sudo; include = sudo.rules; regex=tripwire; include = tripwire.rules; regex=[wl]an @Group:; include = vigor.rules; regex=vpopmail; include = vpopmail.rules; regex=webmin; include = webmin.rules; regex=ftpd; include = wu-ftp.rules; # Openhostapd.rules doesn't have specific stuff we can match: regex=(removed node|\(rate:\s(\d+)\/(\d+)\ssec\)|sent ADD notification|attached Host AP interface); include = openhostapd.rules; # All rules that are standalone/not part of a ruleset go into single.rules include = single.rules;