diff --git a/tools/rules-testing/tests/cisco_ios.ini b/tools/rules-testing/tests/cisco_ios.ini index e4a7a1e04..af7cb5332 100644 --- a/tools/rules-testing/tests/cisco_ios.ini +++ b/tools/rules-testing/tests/cisco_ios.ini @@ -3,7 +3,6 @@ log 1 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev: log 2 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80] log 3 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80] - rule = 20100 alert = 8 decoder = cisco-ios 
@@ -12,10 +11,56 @@ decoder = cisco-ios [cisco ios: acl ] log 1 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet log 2 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet - - rule = 4100 alert = 0 decoder = cisco-ios +[Cisco IOS error message - UPDOWN] +log 1 pass = 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up +rule = 4713 +alert = 4 +decoder = cisco-ios + + +[Cisco IOS: Router configuration changed I] +log 1 pass = 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 2 pass = *Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 3 pass = Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 4 pass = Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 5 pass = *Mar 1 18:48:50 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 6 pass = Mar 1 18:48:50 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 7 pass = *Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 8 pass = *Mar 1 18:46:11.444: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +log 9 pass = Mar 1 18:46:11.444: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36) +rule = 4721 +alert = 3 +decoder = cisco-ios + + +[Cisco IOS: Router configuration changed II] +log 1 pass = 1348: HOSTNAME: .Jun 12 18:22:22: %SYS-5-CONFIG_I: +log 2 pass = 1348: HOSTNAME: Jun 12 18:22:22: %SYS-5-CONFIG_I: +log 3 pass = 1348: HOSTNAME: .Jun 12 18:22:22.555: %SYS-5-CONFIG_I: +log 4 pass = 1348: HOSTNAME: Jun 12 18:22:22.555: %SYS-5-CONFIG_I: +log 5 pass = 1348: HOSTNAME: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: +log 6 pass = 1348: HOSTNAME: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: +log 7 pass = 1348: HOSTNAME: .Jun 12 18:22:22.555 UTC: 
%SYS-5-CONFIG_I: +log 8 pass = 1348: HOSTNAME: Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I: +rule = 4721 +alert = 3 +decoder = cisco-ios + + +[Cisco IOS: Router configuration changed III] +log 1 pass = 1348: .Jun 12 18:22:22: %SYS-5-CONFIG_I: +log 2 pass = 1348: Jun 12 18:22:22: %SYS-5-CONFIG_I: +log 3 pass = 1348: .Jun 12 18:22:22.555: %SYS-5-CONFIG_I: +log 4 pass = 1348: Jun 12 18:22:22.555: %SYS-5-CONFIG_I: +log 5 pass = 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: +log 6 pass = 1348: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I: +log 7 pass = 1348: .Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I: +log 8 pass = 1348: Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I: +rule = 4721 +alert = 3 +decoder = cisco-ios \ No newline at end of file diff --git a/tools/rules-testing/tests/nginx.ini b/tools/rules-testing/tests/nginx.ini index 364f245a9..e44aeb3b5 100644 --- a/tools/rules-testing/tests/nginx.ini +++ b/tools/rules-testing/tests/nginx.ini @@ -1,28 +1,24 @@ ; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda [Nginx messages grouped.] log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda - rule = 31300 alert = 0 decoder = nginx-errorlog [Nginx error message.] log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda - rule = 31301 alert = 3 decoder = nginx-errorlog [Nginx warning message.] log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda - rule = 31302 alert = 3 decoder = nginx-errorlog [Nginx critical message.] log 1 pass = 2014/12/30 06:07:37 [crit] 80:2 - rule = 31303 alert = 5 decoder = nginx-errorlog 
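Review bot: The `Router configuration changed II` and `III` fixtures stop at `%SYS-5-CONFIG_I:` with nothing after the mnemonic, so they prove only that the sequence-number, hostname and timestamp prefixes reach the cisco-ios decoder, not that the `Configured from console by vty2 (10.34.195.36)` body is still extracted in those layouts. Appending the real message body to at least one line in each section, e.g. `log 1 pass = 1348: HOSTNAME: .Jun 12 18:22:22: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)`, would cover the source-user/IP fields that make this alert actionable. The UPDOWN section exercises only `changed state to up`; if rule 4713 is meant to catch link loss as well, a `changed state to down` line belongs here too. The file is also left without a trailing newline (`\ No newline at end of file`).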
@@ -30,21 +26,18 @@ decoder = nginx-errorlog [Server returned 404 (reported in the access.log).] log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory) log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory) - rule = 31310 alert = 0 decoder = nginx-errorlog [Incomplete client request.] log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort) - rule = 31311 alert = 0 decoder = nginx-errorlog [Initial 401 authentication request.] log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication - rule = 31312 alert = 0 decoder = nginx-errorlog @@ -52,28 +45,30 @@ decoder = nginx-errorlog [Web authentication failed.] log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda - rule = 31315 alert = 5 decoder = nginx-errorlog # Can't yet test frequency ;[Multiple web authentication failures.] -; ;rule = 31316 ;alert = 10 ;decoder = nginx-errorlog [Common cache error when files were removed.] log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory - rule = 31317 alert = 0 decoder = nginx-errorlog [Invalid URI, file name too long.] log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long) - rule = 31320 alert = 10 decoder = nginx-errorlog + +[NAXSI warning] +log 1 pass = 2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X" +rule = 31334 +alert = 3 +decoder = nginx-errorlog 
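Review bot: The NAXSI fixture anonymises the client and server as `X.X.X.X`/`Y.Y.Y.Y` but leaves a real vhost name, `server: blog.memze.ro`; test data in the repository should use a reserved name such as `server: example.com` so it neither exposes a third-party host nor invites lookups. The line also carries `block=0` and `learning=0`, i.e. a request NAXSI scored (`score0=8`) but did not block, and that is the only case rule 31334 is pinned on here; if the rule is expected to fire on blocked requests too, a second line with `block=1` would confirm it. A `;` comment above the section noting that the sample is a non-blocked, scored request would save the next reader from re-deriving that from the query string.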
diff --git a/tools/rules-testing/tests/perdition.ini b/tools/rules-testing/tests/perdition.ini
new file mode 100644
index 000000000..46739fdea
--- /dev/null
+++ b/tools/rules-testing/tests/perdition.ini
@@ -0,0 +1,21 @@
+[Perdition custom app group]
+log 1 pass = Jun 10 08:40:26 agent perdition.pop3s[21154]: Fatal error establishing SSL context for listening
+log 2 pass = Jun 10 08:40:26 agent perdition.pop3[21150]: Starting perdition version=2.2 protocol=POP3
+rule = 100100
+alert = 0
+decoder = perdition
+
+[perdition; New connection]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+rule = 100101
+alert = 3
+decoder = perdition
+
+[perdition: Multiple connection attempts from same source.]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+rule = 100102
+alert = 10
+decoder = perdition
diff --git a/tools/rules-testing/tests/postfix.ini b/tools/rules-testing/tests/postfix.ini
index ca29a1e4a..80d3647ed 100644
--- a/tools/rules-testing/tests/postfix.ini
+++ b/tools/rules-testing/tests/postfix.ini
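Review bot: The `Multiple connection attempts from same source.` section repeats the key `log 1` four times instead of numbering `log 1` … `log 4`; whether the harness feeds all four lines or only the last one then depends on how its INI reader treats duplicate keys, so the frequency check for rule 100102 may silently collapse to a single event. Numbering the lines removes that dependency. Separately, `Fatal error establishing SSL context for listening` is asserted to land on the grouping rule 100100 at level 0, which means a POP3S/IMAPS listener failing to set up TLS produces no alert; if that is intentional it deserves a `;` comment in the section saying so. Rules 100100–100102 sit in the range conventionally reserved for local/custom rules, so it is worth confirming these tests are meant to ship alongside the default rule set.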
@@ -1,13 +1,211 @@ -[reject rcpt] +[Grouping of the postfix reject rules.] log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 9999 text ... - +log 2 pass = May 28 13:04:38 email2 postfix/smtpd[1433]: NOQUEUE: reject: RCPT from : 554 5.7.1 >: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'xxx'; from= to= proto=ESMTP helo= rule = 3300 alert = 0 decoder = postfix-reject -[reject rcpt2] +[Postfix: IP Address black-listed by anti-spam (blocked).] log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ - rule = 3306 alert = 6 decoder = postfix-reject + +[Postfix: Attempt to use mail server as relay ] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +rule = 3301 +alert = 6 +decoder = postfix-reject + +[Postfix: Rejected by access list (Requested action not taken).] +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... 
+log 2 pass = Apr 16 20:06:26 mail postfix/smtpd[1107]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 550 5.1.1 : Recipient address rejected: User unknown; from= to= proto=ESMTP helo= +rule = 3302 +alert = 6 +decoder = postfix-reject + +[Postfix: Sender domain is not found ] +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +rule = 3303 +alert = 5 +decoder = postfix-reject + +[Postfix: Improper use of SMTP command pipelining ] +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +rule = 3304 +alert = 5 +decoder = postfix-reject + +[Postfix: Recipient address must contain FQDN ] +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +rule = 3305 +alert = 5 +decoder = postfix-reject + +[Grouping of the postfix rules.] +log 1 pass = May 10 09:21:32 vm-debian10 postfix/smtp[5901]: connect to smtp.gmail.com[2a00:1450:400c:c00::6d]:587: Network is unreachable +log 2 pass = May 10 09:13:28 vm-debian10 postfix/master[5692]: reload -- version 3.4.5, configuration /etc/postfix +log 3 pass = May 10 09:13:28 vm-debian10 postfix/postfix-script[5851]: refreshing the Postfix mail system +log 4 pass = May 10 08:41:57 vm-debian10 postfix/postfix-script[5690]: starting the Postfix mail system +rule = 3320 +alert = 0 +decoder = postfix + +[Postfix process error.] +log 1 pass = May 13 09:20:38 vm-debian10 postfix/smtp[5901]: fatal: the Postfix mail system is not running +rule = 3330 +alert = 10 +decoder = postfix + +[Postfix SASL authentication failure.] 
+log 1 pass = May 10 09:14:24 vm-debian10 postfix/smtp[5866]: 54D813FAFE: to=, relay=smtp.gmail.com[X.X.X.X]:587, delay=0.61, delays=0.02/0.02/0.56/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[X.X.X.X] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://urg_google_bad_credentials.com a125vx8233297wmc.47 - gsmtp) +rule = 3332 +alert = 5 +decoder = postfix + +[Postfix insufficient disk space error.] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[27712]: NOQUEUE: reject: MAIL from localhost[127.0.0.1]: 452 Insufficient system storage +rule = 3331 +alert = 10 +decoder = postfix-reject + +[Postfix started.] +log 1 pass = May 10 10:33:55 vm-debian10 postfix/master[6284]: daemon started -- version 3.4.5, configuration /etc/postfix +rule = 3334 +alert = 3 +decoder = postfix + +[Postfix: too many errors after RCPT from unkown] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32655]: too many errors after RCPT from unknown[157.122.148.252] +log 2 pass = May 28 14:05:00 hostname postfix/smtpd[30818]: too many errors after RCPT from example.com[192.168.0.1] +rule = 3335 +alert = 6 +decoder = postfix + +[Postfix stopped.] +log 1 pass = May 13 09:37:36 vm-debian10 postfix/master[2291]: terminating on signal 15 +rule = 3333 +alert = 7 +decoder = postfix + +[Postfix: Multiple relaying attempts of spam.] 
+log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554 : Relay access denied; from= to= proto=SMTP helo= +rule = 3351 +alert = 6 +decoder = postfix-reject + +[Postfix: Multiple attempts to send e-mail from a ] +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... 
+log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable... +rule = 3352 +alert = 6 +decoder = postfix-reject + +[Postfix: Multiple attempts to send e-mail from] +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender 
address rejected: Domain not found; from= to= proto=ESMTP helo= +log 1 pass = May 14 15:33:19 mailserver postfix/smtpd[1688]: NOQUEUE: reject: RCPT from unknown[209.85.160.44]: 450 4.1.8 : Sender address rejected: Domain not found; from= to= proto=ESMTP helo= +rule = 3353 +alert = 10 +decoder = postfix-reject + +[Postfix: Multiple misuse of SMTP service ] +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 503 Bad sequence of commands 30 3 +rule = 3354 +alert = 12 +decoder = postfix-reject + +[Postfix: Multiple attempts to send e-mail to ] +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 
ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +log 1 pass = May 13 11:52:15 ubuntu1710 postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 504 Command parameter not implemented +rule = 3355 +alert = 10 +decoder = postfix-reject + +[Postfix: Multiple attempts to send e-mail from ] +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using 
bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +log 1 pass = May 8 08:26:55 mail postfix/postscreen[22055]: NOQUEUE: reject: RCPT from [157.122.148.242]:47407: 550 5.7.1 Service unavailable; client [157.122.148.242] blocked using bl.spamcop.net; f$ +rule = 3356 +alert = 10 +decoder = postfix-reject + +[Postfix: Multiple SASL authentication failures.] +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +log 1 pass = Mar 1 19:43:44 toxie 
postfix/smtpd[3658]: warning: ip-89-176-96-114.net.upcbroadband.cz[89.176.96.114]: SASL LOGIN authentication failed: authentication failure +rule = 3357 +alert = 10 +decoder = postfix + +[Grouping of the postfix warning rules.] +log 1 pass = May 8 08:26:55 mail postfix/master[1741]: warning: process /usr/libexec/postfix/cleanup pid 27541 exit status 1 +log 2 pass = May 10 09:22:21 vm-debian10 postfix/showq[5905]: warning: /etc/postfix/main.cf, line 51: overriding earlier entry: relayhost= +rule = 3395 +alert = 0 +decoder = postfix-warning + +[Postfix: hostname verification failed] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[5268]: warning: 89.248.162.178: hostname no-reverse-dns-configured.com verification failed: Name or service not known +rule = 3396 +alert = 6 +decoder = postfix-warning + +[Postfix: RBL lookup error: Host or domain name not found] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[472]: warning: 199.249.24.179.list.dsbl.org: RBL lookup error: Host or domain name not found. Name service error for name=199.249.24.179.list.dsbl.org type=A: Host not found, try again +rule = 3397 +alert = 6 +decoder = postfix-warning + +[Postfix: Illegal address from unknown sender] +log 1 pass = May 8 08:26:55 mail postfix/smtpd[32655]: warning: Illegal address syntax from unknown[157.122.148.252] in MAIL command: +rule = 3398 +alert = 6 +decoder = postfix-warning + +[Postfix: Ignore permission warning] +log 1 pass = Jan 21 00:00:01 host postfix/postdrop[12345]: warning: mail_queue_enter: create file maildrop/123456.12345: Read-only file system +rule = 3399 +alert = 0 +decoder = postfix-warning diff --git a/tools/rules-testing/tests/syslog.ini b/tools/rules-testing/tests/syslog.ini index 2646da30c..ba5c5203f 100644 --- a/tools/rules-testing/tests/syslog.ini +++ b/tools/rules-testing/tests/syslog.ini 
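Review bot: Most of the new reject fixtures have had the angle-bracketed addresses stripped, leaving fragments like `554 : Relay access denied; from= to= proto=SMTP helo=` and `550 5.1.1 : Recipient address rejected`; real Postfix output is `from=<user@example.com> to=<rcpt@example.com>`, so if this happened during anonymisation rather than in page rendering, the lines no longer resemble what the postfix-reject decoder sees in production and should be rewritten with reserved example-domain addresses. The seven frequency sections (rules 3351–3357) each repeat the key `log 1` eight times with an identical timestamp; numbering them `log 1` … `log 8` avoids relying on the harness tolerating duplicate INI keys. Three section titles are truncated to near-duplicates (`Multiple attempts to send e-mail from a `, `… from`, `… from `) and `from unkown` is a typo; each title should name the distinguishing condition (relay, blacklist, domain not found, pipelining, FQDN). `[Postfix: Ignore permission warning]` is exercised only with `Read-only file system`, which is not a permission error, so a `Permission denied` variant is needed if rule 3399 is meant to silence those.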
@@ -1,13 +1,11 @@ [Uninteresting nouveau error.] log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR BEGIN_END_ACTIVE - rule = 2944 alert = 1 decoder = [Uninteresting nouveau error.] log 1 fail = Jul 18 09:21:57 localhost kernel: nouveau E[ PGRAPH][0000:0f:00.0] DATA_ERROR - rule = 2944 alert = 1 decoder = 
@@ -15,28 +13,140 @@ decoder = [Incorrect chain/target/match.] log 3 fail = Jul 18 10:51:43 localhost NetworkManager[1366]: (enp1s0) firewall zone remove failed: (32) COMMAND_FAILED: '/sbin/iptables -D INPUT_ZONES -t filter -i enp1s0 -g IN_public' failed: ipta bles: No chain/target/match by that name. - rule = 2941 alert = 3 decoder = NetworkManager [rsyslog may be dropping messages due to rate-limiting.] log 1 fail = Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting - rule = 2945 alert = 4 decoder = [Non-standard syslog-ng format with year.] log 1 fail = 2015 Nov 13 13:40:01 ether rsyslogd-2177: imuxsock begins to drop messages from pid 17840 due to rate-limiting - rule = 2945 alert = 4 decoder = [useradd failed] log 1 fail = May 4 18:21:10 collectd useradd[15178]: failed adding user 'ansible', data deleted - rule = 5905 alert = 0 decoder = + +[Dpkg (Debian Package) half configured.] +log 1 pass = 2019-04-25 10:40:08 status half-configured tzdata:all 2018i-0ubuntu0.18.10 +log 2 pass = 2016-01-14 13:20:51 status half-configured gconf2:amd64 3.2.6-0ubuntu2 +rule = 2904 +alert = 7 +decoder = dpkg-decoder + +[New dpkg (Debian Package) installed.] +log 1 pass = 2019-04-25 10:40:08 status installed tzdata:all 2019a-0ubuntu0.18.10 +rule = 2902 +alert = 7 +decoder = dpkg-decoder + +[First time (su) is executed by user.] +log 1 pass = Apr 25 11:08:51 vm-ubuntu18 su[3261]: + /dev/pts/0 root:root +log 2 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1 +rule = 5305 +alert = 4 +decoder = su + +[First time user executed sudo.] 
+log 1 pass = Apr 25 10:39:59 vm-ubuntu18 sudo: vagrant : TTY=unknown ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash -l +log 2 pass = Jun 25 15:48:21 precise32 sudo: mike : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/su - +log 3 pass = Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash +rule = 5403 +alert = 4 +decoder = sudo + +[Unknown problem somewhere in the system.] +log 1 pass = Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0 +rule = 1002 +alert = 2 +decoder = telnetd + +[Connection to rshd from unprivileged port. Possible network scan.] +log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port +log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port +rule = 2551 +alert = 10 +decoder = rshd + +[User missed the password to change UID (user id).] +log 1 pass = Apr 27 15:22:23 niban su[234]: BAD SU ger to fwmaster on /dev/ttyp0 +rule = 5301 +alert = 5 +decoder = su + +[User missed the password to change UID to root.] +log 1 pass = Apr 27 15:22:23 niban su[2921936]: failed: ttyq4 changing from ldap to root +rule = 5302 +alert = 9 +decoder = su + +[User successfully changed UID to root.] +log 1 pass = Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1 +rule = 5305 +alert = 4 +decoder = su + +[Failed attempt to run sudo] +log 1 pass = Jun 25 15:51:13 precise32 sudo: mike : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls +rule = 5401 +alert = 5 +decoder = sudo + + +[Three failed attempts to run sudo] +log 1 pass = Jun 25 16:15:45 precise32 sudo: mike : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls +rule = 5404 +alert = 10 +decoder = sudo + +[Unauthorized user attempted to use sudo.] 
+log 1 pass = Apr 13 08:36:31 ix sudo: ddp2 : user NOT in sudoers ; TTY=ttypZ ; PWD=/home/ddp2 ; USER=root ; COMMAND=/bin/ls +rule = 5405 +alert = 5 +decoder = sudo + +[Dpkg (Debian Package) log.] +log 1 pass = 2015-10-08 17:21:56 remove libsmokebase3v5:amd64 4:4.14.3-1 +log 1 pass = 2016-01-14 13:20:51 trigproc gconf2:amd64 3.2.6-0ubuntu2 +rule = 2900 +alert = 0 +decoder = dpkg-decoder + +[Unsigned kernel module was loaded] +log 1 pass = Jun 4 08:18:01 lopezziur-S551LN kernel: [ 5.425160] mt7630e: module verification failed: signature and/or required key missing - tainting kernel +rule = 5132 +alert = 11 +decoder = kernel + +[Signed but untrusted kernel module was loaded.] +log 1 pass = Jun 4 08:18:01 lopezziur-S551LN kernel: [ +0.000002] PKCS#7 signature not signed with a trusted key +rule = 5133 +alert = 11 +decoder = kernel + +[RAID disk failure.] +log 1 pass = Oct 19 19:24:33 r5452 kernel: md/raid1:md2: Disk failure on sdb3, disabling device.#012md/raid1:md2: Operation continuing on 1 devices. +rule = 5135 +alert = 7 +decoder = kernel + +[General device failure] +log 1 pass = Jun 4 08:18:01 lopezziur-S551LN kernel: sd 0:0:1:0: Device not ready: <6>: Current: sense key: Not Ready +rule = 5139 +alert = 7 +decoder = kernel + +[General SATA disk failure] +log 1 pass = Sep 30 08:13:56 oak kernel: [ 123.559134] ata2.00: failed command: READ FPDMA QUEUED +log 2 pass = Jun 4 08:18:01 lopezziur-S551LN kernel: [ 3624.763777] ata1.00: failed command: WRITE FPDMA QUEUED +rule = 5138 +alert = 7 +decoder = kernel diff --git a/tools/rules-testing/tests/systemd.ini b/tools/rules-testing/tests/systemd.ini index 73b9f5052..a996bcf33 100644 --- a/tools/rules-testing/tests/systemd.ini +++ b/tools/rules-testing/tests/systemd.ini 
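Review bot: `[First time (su) is executed by user.]` and `[User successfully changed UID to root.]` both assert rule 5305 at level 4, and the second section's only line, `Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1`, is already `log 2` of the first, so one of the two titles describes a rule this fixture does not test; a first-time-su event is presumably a separate rule, and the section should point at it or be dropped. `[Dpkg (Debian Package) log.]` lists `log 1` twice where the second line should be `log 2`. The rshd section's deliberate `rhsd` misspelling as a `fail` case is a good negative test; the sudo sections (5401, 5404, 5405) would benefit from the same, e.g. a `fail` line with `2 incorrect password attempts` against rule 5404, to show whether the three-attempt threshold is matched exactly.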
@@ -1,7 +1,25 @@ [Stale file handle.] log 3 fail = Jul 19 07:28:02 localhost systemd: Failed to mark scope session-1024.scope as abandoned : Stale file handle - rule = 40701 alert = 0 decoder = +[First time user executed sudo.] +log 1 pass = 2017-12-28T10:37:47.968126+00:00 lognode-01.local sudo: vagrant : TTY=pts/0 \; PWD=/home/vagrant ; USER=ossec ; COMMAND=/bin/id +rule = 5403 +alert = 4 +decoder = sudo + +[Successful sudo executed] +log 1 pass = 2017-12-28T10:37:47.968126+00:00 lognode-01.local sudo: vagrant : TTY=pts/0 \; PWD=/home/vagrant ; USER=ossec ; COMMAND=/bin/id +log 1 pass = 2017-12-28T10:37:47.968126+00:00 lognode-01.local sudo: vagrant : TTY=pts/0 \; PWD=/home/vagrant ; USER=ossec ; COMMAND=/bin/id +rule = 5407 +alert = 3 +decoder = sudo + +[Successful sudo to ROOT executed] +log 1 pass = Jun 26 17:21:43 manager sudo: manager : TTY=pts/0 \; PWD=/home/manager ; USER=root ; COMMAND=/bin/su" +log 1 pass = Jun 26 17:21:43 manager sudo: manager : TTY=pts/0 \; PWD=/home/manager ; USER=root ; COMMAND=/bin/su" +rule = 5402 +alert = 3 +decoder = sudo diff --git a/tools/rules-testing/tests/web_rules.ini b/tools/rules-testing/tests/web_rules.ini index fe0de082b..66f33d6eb 100644 --- a/tools/rules-testing/tests/web_rules.ini +++ b/tools/rules-testing/tests/web_rules.ini 
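Review bot: All three sudo fixtures contain `TTY=pts/0 \; PWD=` — a literal backslash before the first separator — and the 5402 lines end in `COMMAND=/bin/su"` with a stray quote; sudo writes ` ; ` without a backslash, so these look like shell-escaping artefacts from the copy rather than real log text. If they pass, the sudo decoder is tolerating the extra characters and the test no longer demonstrates that separator-based field extraction works on genuine lines; the fixtures should read `TTY=pts/0 ; PWD=/home/vagrant ; USER=ossec ; COMMAND=/bin/id` and `COMMAND=/bin/su`. `[First time user executed sudo.]` and `[Successful sudo executed]` feed the identical line once and then twice, expecting 5403 and then 5407; that only holds if the harness replays the sections into one analysis session in file order, which deserves a `;` comment above the pair. These are sudo tests with RFC 3339 timestamps rather than systemd unit messages, so a one-line comment on why they live in systemd.ini (the timestamp format, presumably) would help the next person.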
@@ -26,4 +26,16 @@ decoder = web-accesslog-iis-default log 1 pass = 2015-03-11 22:01:59 1.2.3.4 GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=test&attributes.file=../../administrator/mail/download.cfm&filename=../lib/password.properties&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=test 443 - 31.3.3.7 - - 404 0 2 0 rule = 31104 alert = 6 -decoder = web-accesslog-iis-default \ No newline at end of file +decoder = web-accesslog-iis-default + +[Ignored URLs (simple queries)] +log 1 pass = 2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624 +rule = 31108 +alert = 0 +decoder = web-accesslog-iis-default + +[Shellshock attack attempt] +log 1 pass = 192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 404 292 "-" "() { :;};/usr/bin/perl ..." +rule = 31166 +alert = 15 +decoder = web-accesslog \ No newline at end of file
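Review bot: `[Ignored URLs (simple queries)]` pins a level-0 ignore rule (31108) with a single pass line, and an ignore rule is the one kind whose over-matching is invisible, since a level-0 match typically stops further evaluation; add a `fail` line (the keyword the rshd section in syslog.ini apparently uses for a non-match) for the same path with a hostile query, e.g. the `UISessionId` value replaced by `../../`, so a future regex loosening cannot silence real attacks. The Shellshock fixture places the `() { :;};` payload in the User-Agent only; a second line carrying it in the Referer field would cover the other header the access log records. The file still ends without a newline (`\ No newline at end of file`) even though this change touched the last line.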