Merge branch 'master' of https://github.com/ossec/ossec-hids into rul…

…e_ids_update
JPWKU · Jul 15, 2014 · 994b97a · 994b97a
2 parents 21c1cb7 + 6dea529
commit 994b97a
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 0 deletions.
diff --git a/contrib/ossec-testing/tests/pam.ini b/contrib/ossec-testing/tests/pam.ini
@@ -0,0 +1,35 @@
+[User login failed.]
+log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost=  user=osaudit
+
+rule = 5503
+alert = 5
+decoder = pam
+
+[Attempt to login with an invalid user.]
+log 1 pass = Nov 11 22:46:29 localhost vsftpd(pam_unix)[25073]: check pass; user unknown
+
+rule = 5504
+alert = 5
+decoder = pam
+
+[Login session opened.]
+log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session opened for user news by (uid=0)
+
+rule = 5501
+alert = 3
+decoder = pam
+
+[Login session closed.]
+log 1 pass = Nov 11 22:46:29 localhost su(pam_unix)[14592]: session closed for user news
+
+rule = 5502
+alert = 3
+decoder = pam
+
+[User missed the password more than one time]
+log 1 pass = Nov 11 22:46:29 localhost sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1  user=root
+
+rule = 2502
+alert = 10
+decoder = pam
+
diff --git a/etc/decoder.xml b/etc/decoder.xml
@@ -76,6 +76,19 @@
   <order>srcip, user</order>
 </decoder>
 
+<decoder name="pam-ruser">
+  <parent>pam</parent>
+  <prematch> ruser</prematch>
+  <regex offset="after_prematch">^=(\S+) </regex>
+  <order>user</order>
+</decoder>
+
+<decoder name="pam-ruser">
+  <parent>pam</parent>
+  <regex> rhost=(\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
 <decoder name="pam-host">
   <parent>pam</parent>
   <prematch> rhost</prematch>

diff --git a/etc/rules/openbsd_rules.xml b/etc/rules/openbsd_rules.xml
@@ -210,6 +210,33 @@
     <description>Bad ntp peer.</description>
   </rule>
 
+  <rule id="51533" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>receive_packet failed on </match>
+    <description>dhclient receive_packet failed.</description>
+  </rule>
+
+  <rule id="51534" level="1">
+    <if_sid>51533</if_sid>
+    <match>Input/output error$</match>
+    <description>dhclient receive_packet failed due to I/O error.</description>
+  </rule>
+
+  <rule id="51535" level="1">
+    <program_name>^dhclient$</program_name>
+    <if_sid>1002</if_sid>
+    <match>SIOCDIFADDR failed </match>
+    <description>SIOCDIFADDR failed</description>
+  </rule>
+
+  <rule id="51536" level="1">
+    <if_sid>51535</if_sid>
+    <match> Device not configured$</match>
+    <description>dhclient: device not configured.</description>
+  </rule>
+
+
 
 </group> <!-- SYSLOG,LOCAL -->