File: ossec-mi.rules

##
## OSSEC SAGAN RULES (autogenerated)
##
## Sagan is:
## Copyright (c) 2009-2017, Quadrant Information Security
## All rights reserved.
##
## Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
##
##*************************************************************
##  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
##  following conditions are met:
##
##  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
##    disclaimer.
##  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
##    following disclaimer in the documentation and/or other materials provided with the distribution.
##  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
##    from this software without specific prior written permission.
##
##  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
##  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
##  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
##  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
##  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
##  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
##
##*************************************************************
##  These rules were autogenerated from the OSSEC rule set by the ossec-sagan.pl script; change the OSSEC rules (or the script) and regenerate rather than hand-editing this file, otherwise the next regeneration will silently discard the edit.
##  OSSEC and its supplied rules are:  
##
##  Copyright (C) 2009 Trend Micro Inc.
##  All rights reserved.
##
##  This program is a free software; you can redistribute it
##  and/or modify it under the terms of the GNU General Public
##  License (version 2) as published by the FSF - Free Software
##  Foundation.
##
##  License details: http://www.ossec.net/en/licensing.html
##


## Rule group: attack_rules.xml:syslog,attacks
##
## Every rule in this file keys on the OSSEC rule id as it appears in the
## forwarded alert text ("Rule: NNNNN "), scoped to syslog program "ossec".
## The trailing space inside each content string is load-bearing: it stops
## "Rule: 40101 " from also matching longer ids that merely begin with 40101.
## sid is 6000000 + the OSSEC rule id; keep that scheme for any hand-added
## rule so sids stay unique across the autogenerated set.
## classtype is derived from the OSSEC level, not from what the rule means:
## here, and throughout this file, level >= 10 becomes exploit-attempt, so
## an AV outbreak (40113) is tagged exploit-attempt purely because it is
## level 12. Do not let a downstream consumer read that as "exploit seen".
## NOTE(review): the header is $EXTERNAL_NET -> $HOME_NET, yet the syslog
## sender is the OSSEC server itself. How this Sagan version applies header
## addresses to syslog sources is not visible here -- confirm that a HOME_NET
## OSSEC server is not excluded when EXTERNAL_NET is defined as !$HOME_NET.
## NOTE(review): content matching is a substring test over the whole alert
## line; if the forwarded alert embeds the original log event, a log line an
## attacker can shape could carry a stray "Rule: NNNNN " token and fire the
## wrong sid. Confirm what the forwarder actually sends before wiring these
## sids to any automated response.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple authentication failures. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40111 "; classtype: exploit-attempt; program: ossec; sid: 6040111; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow attack on rpc.statd (attack_rules.xml:syslog,attacks)"; content: "Rule: 40102 "; classtype: exploit-attempt; program: ossec; sid: 6040102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System user successfully logged to the system. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40101 "; classtype: exploit-attempt; program: ossec; sid: 6040101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple viruses detected - Possible outbreak. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40113 "; classtype: exploit-attempt; program: ossec; sid: 6040113; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Stack overflow attempt or program exiting with SEGV (Solaris). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40109 "; classtype: exploit-attempt; program: ossec; sid: 6040109; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Possible buffer overflow attempt. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40104 "; classtype: exploit-attempt; program: ossec; sid: 6040104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple authentication failures followed by a success. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40112 "; classtype: exploit-attempt; program: ossec; sid: 6040112; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - "Null" user changed some information. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40105 "; classtype: exploit-attempt; program: ossec; sid: 6040105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Buffer overflow on WU-FTPD versions prior to 2.6 (attack_rules.xml:syslog,attacks)"; content: "Rule: 40103 "; classtype: exploit-attempt; program: ossec; sid: 6040103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Buffer overflow attempt (probably on yppasswd). (attack_rules.xml:syslog,attacks)"; content: "Rule: 40106 "; classtype: exploit-attempt; program: ossec; sid: 6040106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Heap overflow in the Solaris cachefsd service. (attack_rules.xml:syslog,attacks)"; content: "Rule: 40107 "; classtype: exploit-attempt; program: ossec; sid: 6040107; rev:1;)


## Rule group: apache_rules.xml:apache
##
## Lines prefixed "#(Level N)" are rules the generator commented out; across
## this file that is every rule below level 5. The OSSEC "grouping" rules
## (30100-30103, 30112) are among them and should stay off -- they exist to
## group events inside OSSEC, not to alert.
## 30104 (segfault) and 30120 (out of resources) are tagged exploit-attempt
## only because they are level 12; treat them as availability signals first,
## though a segfault right after a 30116/30117 hit from the same source is
## worth correlating by hand.
## 30108 and 30110 share the description "User authentication failed." and
## 30119/30202 both read "Multiple attempts blocked by Mod Security."; they
## are distinct OSSEC rules and are only told apart by id/sid here.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30110 "; classtype: system-event; program: ossec; sid: 6030110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity alert. (apache_rules.xml:apache)"; content: "Rule: 30200 "; classtype: system-event; program: ossec; sid: 6030200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login using a non-existent user. (apache_rules.xml:apache)"; content: "Rule: 30109 "; classtype: system-event; program: ossec; sid: 6030109; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30100 "; classtype: tcp-connection; program: ossec; sid: 6030100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30202 "; classtype: exploit-attempt; program: ossec; sid: 6030202; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache warn messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30102 "; classtype: tcp-connection; program: ossec; sid: 6030102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Invalid URI (bad client request). (apache_rules.xml:apache)"; content: "Rule: 30115 "; classtype: system-event; program: ossec; sid: 6030115; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache without resources to run. (apache_rules.xml:apache)"; content: "Rule: 30120 "; classtype: exploit-attempt; program: ossec; sid: 6030120; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Access attempt blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30118 "; classtype: system-event; program: ossec; sid: 6030118; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Apache segmentation fault. (apache_rules.xml:apache)"; content: "Rule: 30104 "; classtype: exploit-attempt; program: ossec; sid: 6030104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User authentication failed. (apache_rules.xml:apache)"; content: "Rule: 30108 "; classtype: system-event; program: ossec; sid: 6030108; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts blocked by Mod Security. (apache_rules.xml:apache)"; content: "Rule: 30119 "; classtype: exploit-attempt; program: ossec; sid: 6030119; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden file or directory. (apache_rules.xml:apache)"; content: "Rule: 30105 "; classtype: system-event; program: ossec; sid: 6030105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access forbidden directory index. (apache_rules.xml:apache)"; content: "Rule: 30106 "; classtype: system-event; program: ossec; sid: 6030106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Modsecurity access denied. (apache_rules.xml:apache)"; content: "Rule: 30201 "; classtype: system-event; program: ossec; sid: 6030201; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache notice messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30103 "; classtype: tcp-connection; program: ossec; sid: 6030103; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Attempt to access an non-existent file (those are reported on the access.log). (apache_rules.xml:apache)"; content: "Rule: 30112 "; classtype: tcp-connection; program: ossec; sid: 6030112; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Invalid URI requests from same source. (apache_rules.xml:apache)"; content: "Rule: 30116 "; classtype: exploit-attempt; program: ossec; sid: 6030116; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Code Red attack. (apache_rules.xml:apache)"; content: "Rule: 30107 "; classtype: system-event; program: ossec; sid: 6030107; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Apache error messages grouped. (apache_rules.xml:apache)"; content: "Rule: 30101 "; classtype: tcp-connection; program: ossec; sid: 6030101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. (apache_rules.xml:apache)"; content: "Rule: 30117 "; classtype: exploit-attempt; program: ossec; sid: 6030117; rev:1;)


## Rule group: rules_config.xml:squid
##
## Generic OSSEC template rule (level 0, disabled here). NOTE(review): the
## content string is zero-padded ("Rule: 05 ") while the sid arithmetic
## (6000005) treats the id as 5; whether OSSEC prints this id as "5" or "05"
## is not visible from this file, so confirm before ever enabling this line
## or it may never match anything.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web proxy rules. (rules_config.xml:squid)"; content: "Rule: 05 "; classtype: tcp-connection; program: ossec; sid: 6000005; rev:1;)


## Rule group: web_rules.xml:web,accesslog
##
## The "souce"/"Mutiple" misspellings in several msg strings come straight
## from the OSSEC rule descriptions; they are left as-is because this file
## is regenerated and a hand fix would be lost -- correct them upstream.
## Priority caveat: 31106 ("a web attack returned code 200") is level 6 and
## therefore system-event, while 31151 (repeated 400s from one source) is
## level 10 and exploit-attempt. If anything downstream ranks on classtype,
## the one rule that says an attack *succeeded* is outranked by noisy
## failures; 31106 is the higher-value signal and deserves a re-tag.
## 31107/31108/31140 are OSSEC ignore-lists (level 0). NOTE(review): level-0
## OSSEC rules are not expected to produce alerts at all, so enabling these
## lines would presumably be a no-op -- confirm against the OSSEC server's
## alert level before relying on them either way.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SQL injection attempts from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31152 "; classtype: exploit-attempt; program: ossec; sid: 6031152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31161 "; classtype: exploit-attempt; program: ossec; sid: 6031161; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SQL injection attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31103 "; classtype: system-event; program: ossec; sid: 6031103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (server error). (web_rules.xml:web,accesslog)"; content: "Rule: 31120 "; classtype: system-event; program: ossec; sid: 6031120; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs for the web attacks (web_rules.xml:web,accesslog)"; content: "Rule: 31107 "; classtype: tcp-connection; program: ossec; sid: 6031107; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - A web attack returned code 200 (success). (web_rules.xml:web,accesslog)"; content: "Rule: 31106 "; classtype: system-event; program: ossec; sid: 6031106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Mutiple web server 400 error codes from same source ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31151 "; classtype: exploit-attempt; program: ossec; sid: 6031151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31122 "; classtype: system-event; program: ossec; sid: 6031122; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - URL too long. Higher than allowed on most browsers. Possible attack. (web_rules.xml:web,accesslog)"; content: "Rule: 31115 "; classtype: exploit-attempt; program: ossec; sid: 6031115; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 500 error code (Internal Error). (web_rules.xml:web,accesslog)"; content: "Rule: 31162 "; classtype: exploit-attempt; program: ossec; sid: 6031162; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web server 400 error code. (web_rules.xml:web,accesslog)"; content: "Rule: 31101 "; classtype: system-event; program: ossec; sid: 6031101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple common web attacks from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31153 "; classtype: exploit-attempt; program: ossec; sid: 6031153; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored URLs (simple queries). (web_rules.xml:web,accesslog)"; content: "Rule: 31108 "; classtype: tcp-connection; program: ossec; sid: 6031108; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog)"; content: "Rule: 31123 "; classtype: not-suspicious; program: ossec; sid: 6031123; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - XSS (Cross Site Scripting) attempt. (web_rules.xml:web,accesslog)"; content: "Rule: 31105 "; classtype: system-event; program: ossec; sid: 6031105; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Access log messages grouped. (web_rules.xml:web,accesslog)"; content: "Rule: 31100 "; classtype: tcp-connection; program: ossec; sid: 6031100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple XSS (Cross Site Scripting) attempts from same souce ip. (web_rules.xml:web,accesslog)"; content: "Rule: 31154 "; classtype: exploit-attempt; program: ossec; sid: 6031154; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Common web attack. (web_rules.xml:web,accesslog)"; content: "Rule: 31104 "; classtype: system-event; program: ossec; sid: 6031104; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Web server 501 error code (Not Implemented). (web_rules.xml:web,accesslog)"; content: "Rule: 31121 "; classtype: not-suspicious; program: ossec; sid: 6031121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web server 503 error code (Service unavailable). (web_rules.xml:web,accesslog)"; content: "Rule: 31163 "; classtype: exploit-attempt; program: ossec; sid: 6031163; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring google/msn/yahoo bots. (web_rules.xml:web,accesslog)"; content: "Rule: 31140 "; classtype: tcp-connection; program: ossec; sid: 6031140; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored extensions on 400 error codes. (web_rules.xml:web,accesslog)"; content: "Rule: 31102 "; classtype: tcp-connection; program: ossec; sid: 6031102; rev:1;)


## Rule group: named_rules.xml:syslog,named
##
## 12102 (failed attempt to perform a zone transfer, level 9) and 12111
## (unable to perform zone transfer, level 8) are different OSSEC events;
## from the text alone the first reads like a refused AXFR request and the
## second like a secondary failing to pull a zone -- treat that reading as
## unconfirmed until checked against the OSSEC rule bodies.
## 12110 (master serial lower than stored) is the one to watch for a stale
## or rolled-back zone being pushed; it alerts, but only as system-event.
## 12107 (RFC 2136 dynamic update) is level 0 and disabled; on zones where
## dynamic updates are not expected that line is a candidate to enable.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Serial number from master is lower than stored. (named_rules.xml:syslog,named)"; content: "Rule: 12110 "; classtype: system-event; program: ossec; sid: 6012110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Invalid DNS packet. Possibility of attack. (named_rules.xml:syslog,named)"; content: "Rule: 12101 "; classtype: exploit-attempt; program: ossec; sid: 6012101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the named rules (named_rules.xml:syslog,named)"; content: "Rule: 12100 "; classtype: tcp-connection; program: ossec; sid: 6012100; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS update denied. Generally mis-configuration. (named_rules.xml:syslog,named)"; content: "Rule: 12103 "; classtype: not-suspicious; program: ossec; sid: 6012103; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Log permission misconfiguration in Named. (named_rules.xml:syslog,named)"; content: "Rule: 12104 "; classtype: not-suspicious; program: ossec; sid: 6012104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Unable to perform zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12111 "; classtype: system-event; program: ossec; sid: 6012111; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Named fatal error. DNS service going down. (named_rules.xml:syslog,named)"; content: "Rule: 12109 "; classtype: exploit-attempt; program: ossec; sid: 6012109; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Query cache denied (maybe config error). (named_rules.xml:syslog,named)"; content: "Rule: 12108 "; classtype: not-suspicious; program: ossec; sid: 6012108; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unexpected error while resolving domain. (named_rules.xml:syslog,named)"; content: "Rule: 12105 "; classtype: not-suspicious; program: ossec; sid: 6012105; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zone transfer error. (named_rules.xml:syslog,named)"; content: "Rule: 12112 "; classtype: not-suspicious; program: ossec; sid: 6012112; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update using RFC2136 Dynamic protocol. (named_rules.xml:syslog,named)"; content: "Rule: 12107 "; classtype: tcp-connection; program: ossec; sid: 6012107; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed attempt to perform a zone transfer. (named_rules.xml:syslog,named)"; content: "Rule: 12102 "; classtype: system-event; program: ossec; sid: 6012102; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - DNS configuration error. (named_rules.xml:syslog,named)"; content: "Rule: 12106 "; classtype: not-suspicious; program: ossec; sid: 6012106; rev:1;)


## Rule group: mailscanner_rules.xml:syslog,mailscanner
##
## Only spam-detected (3702, level 5) and repeated spam (3751, level 6) are
## active; 3700/3701 are the OSSEC grouping and "non spam, ignored" rules
## and stay disabled.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of mailscanner rules. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3700 "; classtype: tcp-connection; program: ossec; sid: 6003700; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Non spam message. Ignored. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3701 "; classtype: tcp-connection; program: ossec; sid: 6003701; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts of spam. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3751 "; classtype: system-event; program: ossec; sid: 6003751; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Mail Scanner spam detected. (mailscanner_rules.xml:syslog,mailscanner)"; content: "Rule: 3702 "; classtype: system-event; program: ossec; sid: 6003702; rev:1;)


## Rule group: syslog_rules.xml:syslog,squid
##
## Both rules are level 0 (grouping and debug) and are disabled; nothing in
## this group alerts.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid debug message (syslog_rules.xml:syslog,squid)"; content: "Rule: 9201 "; classtype: tcp-connection; program: ossec; sid: 6009201; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid syslog messages grouped (syslog_rules.xml:syslog,squid)"; content: "Rule: 9200 "; classtype: tcp-connection; program: ossec; sid: 6009200; rev:1;)


## Rule group: solaris_bsm_rules.xml:syslog,solaris_bsm
##
## Failures (6101, 6104, 6106) alert at level 5; the corresponding successes
## (6102, 6103, 6105) are level <= 3 and were disabled by the generator.
## 6105 (user successfully changed UID) is the one to consider re-enabling
## if you want a forwarded audit trail of privilege changes and not only of
## the failed attempts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6104 "; classtype: system-event; program: ossec; sid: 6006104; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Auditing session succeeded. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6102 "; classtype: tcp-connection; program: ossec; sid: 6006102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Auditing session failed. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6101 "; classtype: system-event; program: ossec; sid: 6006101; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6105 "; classtype: not-suspicious; program: ossec; sid: 6006105; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session succeeded. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6103 "; classtype: not-suspicious; program: ossec; sid: 6006103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User failed to change UID (user id). (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6106 "; classtype: system-event; program: ossec; sid: 6006106; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solaris BSM Auditing messages grouped. (solaris_bsm_rules.xml:syslog,solaris_bsm)"; content: "Rule: 6100 "; classtype: tcp-connection; program: ossec; sid: 6006100; rev:1;)


## Rule group: syslog_rules.xml:syslog,adduser
##
## Account additions (5901, 5902) and modifications (5904) alert at level 8;
## deletions (5903) are level 2 and therefore disabled here. That asymmetry
## is inherited from OSSEC's levels, but a deleted account or group is at
## least as audit-relevant as an added one (a removed service account, or
## clean-up after an intrusion), so 5903 is a candidate to uncomment.
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Group (or user) deleted from the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5903 "; classtype: not-suspicious; program: ossec; sid: 6005903; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New group added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5901 "; classtype: system-event; program: ossec; sid: 6005901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Information from the user was changed (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5904 "; classtype: system-event; program: ossec; sid: 6005904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - New user added to the system (syslog_rules.xml:syslog,adduser)"; content: "Rule: 5902 "; classtype: system-event; program: ossec; sid: 6005902; rev:1;)


## Rule group: nginx_rules.xml:apache
##
## The group label says "apache" because that is how the OSSEC source file
## tags its nginx rules; the 313xx ids are nginx-specific.
## 31315/31316 (web auth failure, repeated failures) alert; the initial 401
## challenge (31312) and 404s (31310) are level 0 and disabled, which keeps
## ordinary auth handshakes and scanner noise out of the alert stream.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Invalid URI, file name too long. (nginx_rules.xml:apache)"; content: "Rule: 31320 "; classtype: exploit-attempt; program: ossec; sid: 6031320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial 401 authentication request. (nginx_rules.xml:apache)"; content: "Rule: 31312 "; classtype: tcp-connection; program: ossec; sid: 6031312; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx error message. (nginx_rules.xml:apache)"; content: "Rule: 31301 "; classtype: not-suspicious; program: ossec; sid: 6031301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple web authentication failures. (nginx_rules.xml:apache)"; content: "Rule: 31316 "; classtype: exploit-attempt; program: ossec; sid: 6031316; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Nginx messages grouped. (nginx_rules.xml:apache)"; content: "Rule: 31300 "; classtype: tcp-connection; program: ossec; sid: 6031300; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Incomplete client request. (nginx_rules.xml:apache)"; content: "Rule: 31311 "; classtype: tcp-connection; program: ossec; sid: 6031311; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Nginx critical message. (nginx_rules.xml:apache)"; content: "Rule: 31303 "; classtype: system-event; program: ossec; sid: 6031303; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Server returned 404 (reported in the access.log). (nginx_rules.xml:apache)"; content: "Rule: 31310 "; classtype: tcp-connection; program: ossec; sid: 6031310; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Nginx warning message. (nginx_rules.xml:apache)"; content: "Rule: 31302 "; classtype: not-suspicious; program: ossec; sid: 6031302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Web authentication failed. (nginx_rules.xml:apache)"; content: "Rule: 31315 "; classtype: system-event; program: ossec; sid: 6031315; rev:1;)


## Rule group: postgresql_rules.xml:postgresql_log
##
## 50520/50521 both carry the description "Database shutdown messge." (the
## misspelling is OSSEC's) and 50580/50581 both read "Multiple database
## errors."; they are distinct OSSEC rules, distinguishable here only by id.
## A shutdown is tagged exploit-attempt purely because it is level 12; on
## its own it is an availability event, not evidence of exploitation.
## 50510 ("Database query", level 0) is disabled and should stay that way
## unless you intend every logged query -- and whatever data it carries --
## to be forwarded as an alert.
## 50512 (auth failure, level 9) alerts; 50511 (auth success) is level 3
## and disabled, so successful logins are not forwarded by this file.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50521 "; classtype: exploit-attempt; program: ossec; sid: 6050521; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL informational message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50502 "; classtype: tcp-connection; program: ossec; sid: 6050502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50512 "; classtype: system-event; program: ossec; sid: 6050512; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL debug message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50505 "; classtype: tcp-connection; program: ossec; sid: 6050505; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50520 "; classtype: exploit-attempt; program: ossec; sid: 6050520; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL log message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50501 "; classtype: tcp-connection; program: ossec; sid: 6050501; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PostgreSQL messages grouped. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50500 "; classtype: tcp-connection; program: ossec; sid: 6050500; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50503 "; classtype: not-suspicious; program: ossec; sid: 6050503; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50581 "; classtype: exploit-attempt; program: ossec; sid: 6050581; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50511 "; classtype: not-suspicious; program: ossec; sid: 6050511; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PostgreSQL error message. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50504 "; classtype: system-event; program: ossec; sid: 6050504; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50510 "; classtype: tcp-connection; program: ossec; sid: 6050510; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (postgresql_rules.xml:postgresql_log)"; content: "Rule: 50580 "; classtype: exploit-attempt; program: ossec; sid: 6050580; rev:1;)


## Rule group: rules_config.xml:windows
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all windows rules. (rules_config.xml:windows)"; content: "Rule: 06 "; classtype: tcp-connection; program: ossec; sid: 6000006; rev:1;)


## Rule group: symantec-av_rules.xml:symantec
##
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan updated, started or stopped. (symantec-av_rules.xml:symantec)"; content: "Rule: 7320 "; classtype: not-suspicious; program: ossec; sid: 6007320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules from eventlog. (symantec-av_rules.xml:symantec)"; content: "Rule: 7301 "; classtype: tcp-connection; program: ossec; sid: 6007301; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec AV rules. (symantec-av_rules.xml:symantec)"; content: "Rule: 7300 "; classtype: tcp-connection; program: ossec; sid: 6007300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected. (symantec-av_rules.xml:symantec)"; content: "Rule: 7310 "; classtype: system-event; program: ossec; sid: 6007310; rev:1;)


## Rule group: syslog_rules.xml:syslog, su
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User missed the password to change UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5302 "; classtype: system-event; program: ossec; sid: 6005302; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID to root. (syslog_rules.xml:syslog, su)"; content: "Rule: 5303 "; classtype: not-suspicious; program: ossec; sid: 6005303; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time (su) is executed by user. (syslog_rules.xml:syslog, su)"; content: "Rule: 5305 "; classtype: not-suspicious; program: ossec; sid: 6005305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial grouping for su messages. (syslog_rules.xml:syslog, su)"; content: "Rule: 5300 "; classtype: tcp-connection; program: ossec; sid: 6005300; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User successfully changed UID. (syslog_rules.xml:syslog, su)"; content: "Rule: 5304 "; classtype: not-suspicious; program: ossec; sid: 6005304; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User missed the password to change UID (user id). (syslog_rules.xml:syslog, su)"; content: "Rule: 5301 "; classtype: system-event; program: ossec; sid: 6005301; rev:1;)


## Rule group: syslog_rules.xml:syslog,smartd
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Device configured but not available to Smartd (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2803 "; classtype: tcp-connection; program: ossec; sid: 6002803; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd Started but not configured (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2801 "; classtype: tcp-connection; program: ossec; sid: 6002801; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for smartd. (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2800 "; classtype: tcp-connection; program: ossec; sid: 6002800; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Smartd configuration problem (syslog_rules.xml:syslog,smartd)"; content: "Rule: 2802 "; classtype: tcp-connection; program: ossec; sid: 6002802; rev:1;)


## Rule group: msauth_rules.xml:windows
## Note: membership changes to built-in privileged groups (Administrators, Domain/Enterprise/Schema Admins, Backup Operators, Domain Controllers) are Level 12 here; the Level 0-4 rules (audit success, logon success, logoff, first login) are shipped disabled, so successful-logon visibility requires uncommenting them (e.g. 18107, 18119).
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Changed (msauth_rules.xml:windows)"; content: "Rule: 18114 "; classtype: system-event; program: ossec; sid: 6018114; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Print Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18238 "; classtype: system-event; program: ossec; sid: 6018238; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Event Log Readers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18255 "; classtype: exploit-attempt; program: ossec; sid: 6018255; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18106 "; classtype: system-event; program: ossec; sid: 6018106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18250 "; classtype: exploit-attempt; program: ossec; sid: 6018250; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Authorization Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18247 "; classtype: system-event; program: ossec; sid: 6018247; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18233 "; classtype: system-event; program: ossec; sid: 6018233; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Group account added/changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18128 "; classtype: system-event; program: ossec; sid: 6018128; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Denied RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18254 "; classtype: exploit-attempt; program: ossec; sid: 6018254; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Group of windows rules. (msauth_rules.xml:windows)"; content: "Rule: 18100 "; classtype: tcp-connection; program: ossec; sid: 6018100; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows User Logoff. (msauth_rules.xml:windows)"; content: "Rule: 18149 "; classtype: not-suspicious; program: ossec; sid: 6018149; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18219 "; classtype: exploit-attempt; program: ossec; sid: 6018219; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - MS SQL Server Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18181 "; classtype: not-suspicious; program: ossec; sid: 6018181; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18225 "; classtype: exploit-attempt; program: ossec; sid: 6018225; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18223 "; classtype: system-event; program: ossec; sid: 6018223; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18204 "; classtype: system-event; program: ossec; sid: 6018204; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - RAS and IAS Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18232 "; classtype: exploit-attempt; program: ossec; sid: 6018232; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Incoming Forest Trust Builders Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18244 "; classtype: exploit-attempt; program: ossec; sid: 6018244; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows error event. (msauth_rules.xml:windows)"; content: "Rule: 18103 "; classtype: system-event; program: ossec; sid: 6018103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account's password expired. (msauth_rules.xml:windows)"; content: "Rule: 18136 "; classtype: system-event; program: ossec; sid: 6018136; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Group Policy Creator Owners Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18231 "; classtype: exploit-attempt; program: ossec; sid: 6018231; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18203 "; classtype: system-event; program: ossec; sid: 6018203; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows DC - Clock skew too great. (msauth_rules.xml:windows)"; content: "Rule: 18172 "; classtype: system-event; program: ossec; sid: 6018172; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Computer account changed/deleted. (msauth_rules.xml:windows)"; content: "Rule: 18127 "; classtype: system-event; program: ossec; sid: 6018127; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Administrators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18217 "; classtype: exploit-attempt; program: ossec; sid: 6018217; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18210 "; classtype: system-event; program: ossec; sid: 6018210; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Uninstalled. (msauth_rules.xml:windows)"; content: "Rule: 18146 "; classtype: system-event; program: ossec; sid: 6018146; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - General account database changed. (msauth_rules.xml:windows)"; content: "Rule: 18115 "; classtype: system-event; program: ossec; sid: 6018115; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Distributed COM Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18249 "; classtype: system-event; program: ossec; sid: 6018249; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows audit success event. (msauth_rules.xml:windows)"; content: "Rule: 18104 "; classtype: tcp-connection; program: ossec; sid: 6018104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - User not granted logon type. (msauth_rules.xml:windows)"; content: "Rule: 18135 "; classtype: system-event; program: ossec; sid: 6018135; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account enabled or created. (msauth_rules.xml:windows)"; content: "Rule: 18110 "; classtype: system-event; program: ossec; sid: 6018110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Read-only Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18251 "; classtype: exploit-attempt; program: ossec; sid: 6018251; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - User account locked out (multiple login errors). (msauth_rules.xml:windows)"; content: "Rule: 18116 "; classtype: system-event; program: ossec; sid: 6018116; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Monitor Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18245 "; classtype: system-event; program: ossec; sid: 6018245; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote access login failure. (msauth_rules.xml:windows)"; content: "Rule: 18125 "; classtype: system-event; program: ossec; sid: 6018125; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Remote Desktop Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18242 "; classtype: exploit-attempt; program: ossec; sid: 6018242; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Windows audit failure event. (msauth_rules.xml:windows)"; content: "Rule: 18105 "; classtype: not-suspicious; program: ossec; sid: 6018105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Windows DC Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18139 "; classtype: system-event; program: ossec; sid: 6018139; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Logon Success. (msauth_rules.xml:windows)"; content: "Rule: 18107 "; classtype: not-suspicious; program: ossec; sid: 6018107; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service startup type was changed. (msauth_rules.xml:windows)"; content: "Rule: 18145 "; classtype: not-suspicious; program: ossec; sid: 6018145; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Domain Computers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18226 "; classtype: system-event; program: ossec; sid: 6018226; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote access login success. (msauth_rules.xml:windows)"; content: "Rule: 18126 "; classtype: not-suspicious; program: ossec; sid: 6018126; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Pre-Windows 2000 Compatible Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18241 "; classtype: system-event; program: ossec; sid: 6018241; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - Account locked out. (msauth_rules.xml:windows)"; content: "Rule: 18138 "; classtype: system-event; program: ossec; sid: 6018138; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network Configuration Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18243 "; classtype: exploit-attempt; program: ossec; sid: 6018243; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Replicators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18240 "; classtype: exploit-attempt; program: ossec; sid: 6018240; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Logon Failure - User not allowed to login at this computer. (msauth_rules.xml:windows)"; content: "Rule: 18134 "; classtype: system-event; program: ossec; sid: 6018134; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Power Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18235 "; classtype: exploit-attempt; program: ossec; sid: 6018235; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18222 "; classtype: exploit-attempt; program: ossec; sid: 6018222; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows file system full. (msauth_rules.xml:windows)"; content: "Rule: 18129 "; classtype: system-event; program: ossec; sid: 6018129; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - First time this user logged in this system. (msauth_rules.xml:windows)"; content: "Rule: 18119 "; classtype: not-suspicious; program: ossec; sid: 6018119; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows warning event. (msauth_rules.xml:windows)"; content: "Rule: 18102 "; classtype: tcp-connection; program: ossec; sid: 6018102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Backup Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18239 "; classtype: exploit-attempt; program: ossec; sid: 6018239; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows is starting up. (msauth_rules.xml:windows)"; content: "Rule: 18148 "; classtype: not-suspicious; program: ossec; sid: 6018148; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Windows is shutting down. (msauth_rules.xml:windows)"; content: "Rule: 18117 "; classtype: system-event; program: ossec; sid: 6018117; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC - Possible replay attack. (msauth_rules.xml:windows)"; content: "Rule: 18171 "; classtype: exploit-attempt; program: ossec; sid: 6018171; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Terminal Server Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18221 "; classtype: system-event; program: ossec; sid: 6018221; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Created (msauth_rules.xml:windows)"; content: "Rule: 18206 "; classtype: system-event; program: ossec; sid: 6018206; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Failed attempt to perform a privileged operation. (msauth_rules.xml:windows)"; content: "Rule: 18108 "; classtype: not-suspicious; program: ossec; sid: 6018108; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows audit failure events. (msauth_rules.xml:windows)"; content: "Rule: 18153 "; classtype: exploit-attempt; program: ossec; sid: 6018153; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group deleted. (msauth_rules.xml:windows)"; content: "Rule: 18144 "; classtype: system-event; program: ossec; sid: 6018144; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Cryptographic Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18252 "; classtype: exploit-attempt; program: ossec; sid: 6018252; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Terminal Server License Servers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18248 "; classtype: system-event; program: ossec; sid: 6018248; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User account unlocked. (msauth_rules.xml:windows)"; content: "Rule: 18142 "; classtype: system-event; program: ossec; sid: 6018142; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Schema Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18229 "; classtype: exploit-attempt; program: ossec; sid: 6018229; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Windows Audit Policy changed. (msauth_rules.xml:windows)"; content: "Rule: 18113 "; classtype: system-event; program: ossec; sid: 6018113; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18216 "; classtype: system-event; program: ossec; sid: 6018216; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - MS SQL Server Logon Failure. (msauth_rules.xml:windows)"; content: "Rule: 18180 "; classtype: system-event; program: ossec; sid: 6018180; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Deleted (msauth_rules.xml:windows)"; content: "Rule: 18201 "; classtype: system-event; program: ossec; sid: 6018201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows Logon Failures. (msauth_rules.xml:windows)"; content: "Rule: 18152 "; classtype: exploit-attempt; program: ossec; sid: 6018152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows audit log was cleared. (msauth_rules.xml:windows)"; content: "Rule: 18118 "; classtype: system-event; program: ossec; sid: 6018118; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Guests Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18234 "; classtype: exploit-attempt; program: ossec; sid: 6018234; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Specified account expired. (msauth_rules.xml:windows)"; content: "Rule: 18133 "; classtype: system-event; program: ossec; sid: 6018133; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18211 "; classtype: system-event; program: ossec; sid: 6018211; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account disabled or deleted. (msauth_rules.xml:windows)"; content: "Rule: 18112 "; classtype: system-event; program: ossec; sid: 6018112; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Authenticated Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18220 "; classtype: system-event; program: ossec; sid: 6018220; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Certificate Service DCOM Access Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18256 "; classtype: exploit-attempt; program: ossec; sid: 6018256; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Allowed RODC Password Replication Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18253 "; classtype: exploit-attempt; program: ossec; sid: 6018253; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User account changed. (msauth_rules.xml:windows)"; content: "Rule: 18111 "; classtype: system-event; program: ossec; sid: 6018111; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Session reconnected/disconnected to winstation. (msauth_rules.xml:windows)"; content: "Rule: 18109 "; classtype: not-suspicious; program: ossec; sid: 6018109; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18208 "; classtype: system-event; program: ossec; sid: 6018208; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed attempts to perform a privileged operation by the same user. (msauth_rules.xml:windows)"; content: "Rule: 18151 "; classtype: exploit-attempt; program: ossec; sid: 6018151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System time changed. (msauth_rules.xml:windows)"; content: "Rule: 18140 "; classtype: system-event; program: ossec; sid: 6018140; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Removed (msauth_rules.xml:windows)"; content: "Rule: 18215 "; classtype: system-event; program: ossec; sid: 6018215; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows error events. (msauth_rules.xml:windows)"; content: "Rule: 18154 "; classtype: exploit-attempt; program: ossec; sid: 6018154; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Domain Controllers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18227 "; classtype: exploit-attempt; program: ossec; sid: 6018227; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Created (msauth_rules.xml:windows)"; content: "Rule: 18212 "; classtype: system-event; program: ossec; sid: 6018212; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18207 "; classtype: system-event; program: ossec; sid: 6018207; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows informational event. (msauth_rules.xml:windows)"; content: "Rule: 18101 "; classtype: tcp-connection; program: ossec; sid: 6018101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Internal error. (msauth_rules.xml:windows)"; content: "Rule: 18137 "; classtype: system-event; program: ossec; sid: 6018137; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Performance Log Users Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18246 "; classtype: system-event; program: ossec; sid: 6018246; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Windows warning events. (msauth_rules.xml:windows)"; content: "Rule: 18155 "; classtype: exploit-attempt; program: ossec; sid: 6018155; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Group Account Created (msauth_rules.xml:windows)"; content: "Rule: 18200 "; classtype: system-event; program: ossec; sid: 6018200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Local Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18209 "; classtype: system-event; program: ossec; sid: 6018209; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Windows DC integrity check on decrypted field failed. (msauth_rules.xml:windows)"; content: "Rule: 18170 "; classtype: exploit-attempt; program: ossec; sid: 6018170; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account currently disabled. (msauth_rules.xml:windows)"; content: "Rule: 18132 "; classtype: system-event; program: ossec; sid: 6018132; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Enterprise Admins Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18230 "; classtype: exploit-attempt; program: ossec; sid: 6018230; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Account Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18236 "; classtype: exploit-attempt; program: ossec; sid: 6018236; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Security enabled group created. (msauth_rules.xml:windows)"; content: "Rule: 18143 "; classtype: system-event; program: ossec; sid: 6018143; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows login attempt (ignored). Duplicated. (msauth_rules.xml:windows)"; content: "Rule: 18120 "; classtype: tcp-connection; program: ossec; sid: 6018120; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Everyone Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18218 "; classtype: system-event; program: ossec; sid: 6018218; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Application Installed. (msauth_rules.xml:windows)"; content: "Rule: 18147 "; classtype: system-event; program: ossec; sid: 6018147; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Account logon time restriction violation. (msauth_rules.xml:windows)"; content: "Rule: 18131 "; classtype: system-event; program: ossec; sid: 6018131; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Created (msauth_rules.xml:windows)"; content: "Rule: 18202 "; classtype: system-event; program: ossec; sid: 6018202; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Global Group Deleted (msauth_rules.xml:windows)"; content: "Rule: 18205 "; classtype: system-event; program: ossec; sid: 6018205; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Member Added (msauth_rules.xml:windows)"; content: "Rule: 18214 "; classtype: system-event; program: ossec; sid: 6018214; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple remote access login failures. (msauth_rules.xml:windows)"; content: "Rule: 18156 "; classtype: exploit-attempt; program: ossec; sid: 6018156; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Cert Publishers Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18228 "; classtype: exploit-attempt; program: ossec; sid: 6018228; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Unexpected Windows shutdown. (msauth_rules.xml:windows)"; content: "Rule: 18141 "; classtype: system-event; program: ossec; sid: 6018141; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Server Operators Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18237 "; classtype: exploit-attempt; program: ossec; sid: 6018237; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Logon Failure - Unknown user or bad password. (msauth_rules.xml:windows)"; content: "Rule: 18130 "; classtype: system-event; program: ossec; sid: 6018130; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Security Enabled Universal Group Changed (msauth_rules.xml:windows)"; content: "Rule: 18213 "; classtype: system-event; program: ossec; sid: 6018213; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Local User Group NONE (msauth_rules.xml:windows)"; content: "Rule: 18224 "; classtype: tcp-connection; program: ossec; sid: 6018224; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Windows Logon Success (ignored). (msauth_rules.xml:windows)"; content: "Rule: 18121 "; classtype: tcp-connection; program: ossec; sid: 6018121; rev:1;)


## Rule group: rules_config.xml:ids
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ids rules. (rules_config.xml:ids)"; content: "Rule: 03 "; classtype: tcp-connection; program: ossec; sid: 6000003; rev:1;)


## Rule group: vpn_concentrator_rules.xml:syslog,cisco_vpn
##
# Enabled: 14202 (single VPN auth failure, level 5) and 14251 (repeated
# failures, level 10).  Disabled: the grouping rule and both success events.
# NOTE(review): 14203 (VPN *admin* authentication successful) is disabled
# because its level is 4; successful administrative logins to a VPN
# concentrator are usually worth keeping for audit and for pairing with the
# failure rules below -- consider enabling it.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco VPN concentrator rules (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14200 "; classtype: tcp-connection; program: ossec; sid: 6014200; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VPN Admin authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14203 "; classtype: not-suspicious; program: ossec; sid: 6014203; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VPN authentication failures. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14251 "; classtype: exploit-attempt; program: ossec; sid: 6014251; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN authentication successful. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14201 "; classtype: not-suspicious; program: ossec; sid: 6014201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (vpn_concentrator_rules.xml:syslog,cisco_vpn)"; content: "Rule: 14202 "; classtype: system-event; program: ossec; sid: 6014202; rev:1;)


## Rule group: spamd_rules.xml:syslog,spamd
##
# All three spamd rules are level 0 and shipped disabled; nothing in this group
# produces an alert unless the "#(Level 0)" prefix is removed.
# The msg text (including its spelling) appears to be copied verbatim from the
# OSSEC rule description -- leave it as-is so alerts stay aligned with the source.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Spamd debug event (reading message). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3502 "; classtype: tcp-connection; program: ossec; sid: 6003502; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SPAMD result message (not very usefull here). (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3501 "; classtype: tcp-connection; program: ossec; sid: 6003501; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the spamd rules (spamd_rules.xml:syslog,spamd)"; content: "Rule: 3500 "; classtype: tcp-connection; program: ossec; sid: 6003500; rev:1;)


## Rule group: proftpd_rules.xml:syslog,proftpd
##
# Enabled rules cover: access-control denials (11206, 11207), authentication
# failures (11203, 11204, level 5) and their brute-force aggregates
# (11210, 11251, 11252, 11253, level 10), daemon health (11218 crash, 11219
# buffer-overflow attempt, level 12), the FTP state-bypass attempt (11209,
# level 14) and reverse-lookup errors (11212).
# Disabled rules are the level 0-4 informational events: session open/close,
# time-outs, stalled transfers, config warnings and the auth-success event.
# NOTE(review): classtype follows level only, so 11218 ("FTP process crashed")
# is tagged exploit-attempt purely because it is level 12 -- a crash may be
# an exploit side effect, but the tag itself is not evidence of one.
# NOTE(review): 11205 (FTP Authentication success, level 3) is disabled; without
# it the brute-force rules above cannot be paired with a subsequent success.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11207 "; classtype: system-event; program: ossec; sid: 6011207; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11252 "; classtype: exploit-attempt; program: ossec; sid: 6011252; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to bind to adress. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11220 "; classtype: not-suspicious; program: ossec; sid: 6011220; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP session closed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11202 "; classtype: tcp-connection; program: ossec; sid: 6011202; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple timed out logins from same source. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11253 "; classtype: exploit-attempt; program: ossec; sid: 6011253; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11213 "; classtype: not-suspicious; program: ossec; sid: 6011213; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Mismatch in server's hostname. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11211 "; classtype: not-suspicious; program: ossec; sid: 6011211; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP process crashed. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11218 "; classtype: exploit-attempt; program: ossec; sid: 6011218; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Data transfer stalled. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11217 "; classtype: not-suspicious; program: ossec; sid: 6011217; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to inactivity. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11214 "; classtype: not-suspicious; program: ossec; sid: 6011214; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - Attempt to bypass firewall that can't adequately keep state of FTP traffic. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11209 "; classtype: exploit-attempt; program: ossec; sid: 6011209; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11212 "; classtype: system-event; program: ossec; sid: 6011212; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Small PassivePorts range in config file. Server misconfiguration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11208 "; classtype: not-suspicious; program: ossec; sid: 6011208; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed login attempts. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11210 "; classtype: exploit-attempt; program: ossec; sid: 6011210; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - FTP server Buffer overflow attempt. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11219 "; classtype: exploit-attempt; program: ossec; sid: 6011219; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection denied by ProFTPD configuration. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11206 "; classtype: system-event; program: ossec; sid: 6011206; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11201 "; classtype: not-suspicious; program: ossec; sid: 6011201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11203 "; classtype: system-event; program: ossec; sid: 6011203; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - IPv6 error and mod-delay info (ignored). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11221 "; classtype: tcp-connection; program: ossec; sid: 6011221; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11251 "; classtype: exploit-attempt; program: ossec; sid: 6011251; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11204 "; classtype: system-event; program: ossec; sid: 6011204; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the proftpd rules. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11200 "; classtype: tcp-connection; program: ossec; sid: 6011200; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11205 "; classtype: not-suspicious; program: ossec; sid: 6011205; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to login time out. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11215 "; classtype: not-suspicious; program: ossec; sid: 6011215; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host disconnected due to time out. (proftpd_rules.xml:syslog,proftpd)"; content: "Rule: 11216 "; classtype: not-suspicious; program: ossec; sid: 6011216; rev:1;)


## Rule group: courier_rules.xml:syslog,courier
##
# Enabled: 3902 (single IMAP/POP3 auth failure, level 5), 3910 (brute force)
# and 3911 (repeated connections from one source), both level 10.
# Disabled: grouping rule, new-connection, logout/timeout and auth-success (3904).
# NOTE(review): with 3904 disabled there is no success event to close the loop
# on a 3910 brute-force alert; enable it if that correlation is wanted.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Courier brute force (multiple failed logins). (courier_rules.xml:syslog,courier)"; content: "Rule: 3910 "; classtype: exploit-attempt; program: ossec; sid: 6003910; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Courier (imap/pop3) authentication success. (courier_rules.xml:syslog,courier)"; content: "Rule: 3904 "; classtype: not-suspicious; program: ossec; sid: 6003904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Courier (imap/pop3) authentication failed. (courier_rules.xml:syslog,courier)"; content: "Rule: 3902 "; classtype: system-event; program: ossec; sid: 6003902; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Courier logout/timeout. (courier_rules.xml:syslog,courier)"; content: "Rule: 3903 "; classtype: tcp-connection; program: ossec; sid: 6003903; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (courier_rules.xml:syslog,courier)"; content: "Rule: 3911 "; classtype: exploit-attempt; program: ossec; sid: 6003911; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New courier (imap/pop3) connection. (courier_rules.xml:syslog,courier)"; content: "Rule: 3901 "; classtype: not-suspicious; program: ossec; sid: 6003901; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the courier rules. (courier_rules.xml:syslog,courier)"; content: "Rule: 3900 "; classtype: tcp-connection; program: ossec; sid: 6003900; rev:1;)


## Rule group: mysql_rules.xml:mysql_log
##
# Enabled: 50106 (auth failure, level 9), 50125 (error, 5), 50180 (repeated
# errors, 10), 50126 (fatal error, 12) and 50120 (shutdown, 12).
# Disabled: 50107 (every query, level 0 -- keeping this off also avoids
# forwarding query text into the alert stream), startup (50121), auth success
# (50105), disconnect (50108) and the grouping rule.
# NOTE(review): 50120 "Database shutdown" carries classtype exploit-attempt
# only because its level is 12; a planned shutdown will raise it too.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Database authentication failure. (mysql_rules.xml:mysql_log)"; content: "Rule: 50106 "; classtype: system-event; program: ossec; sid: 6050106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Database error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50125 "; classtype: system-event; program: ossec; sid: 6050125; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Database query. (mysql_rules.xml:mysql_log)"; content: "Rule: 50107 "; classtype: tcp-connection; program: ossec; sid: 6050107; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database startup message. (mysql_rules.xml:mysql_log)"; content: "Rule: 50121 "; classtype: not-suspicious; program: ossec; sid: 6050121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple database errors. (mysql_rules.xml:mysql_log)"; content: "Rule: 50180 "; classtype: exploit-attempt; program: ossec; sid: 6050180; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database fatal error. (mysql_rules.xml:mysql_log)"; content: "Rule: 50126 "; classtype: exploit-attempt; program: ossec; sid: 6050126; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - MySQL messages grouped. (mysql_rules.xml:mysql_log)"; content: "Rule: 50100 "; classtype: tcp-connection; program: ossec; sid: 6050100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Database shutdown messge. (mysql_rules.xml:mysql_log)"; content: "Rule: 50120 "; classtype: exploit-attempt; program: ossec; sid: 6050120; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Database authentication success. (mysql_rules.xml:mysql_log)"; content: "Rule: 50105 "; classtype: not-suspicious; program: ossec; sid: 6050105; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected from database. (mysql_rules.xml:mysql_log)"; content: "Rule: 50108 "; classtype: not-suspicious; program: ossec; sid: 6050108; rev:1;)


## Rule group: ossec_rules.xml:ossec
##
# OSSEC's own self-monitoring, integrity-checking and rootcheck events.
# Enabled (level 7-9): anti-forensics indicators 593 (event log cleared) and
# 592 (log file shrank); syscheck changes 550/551/552 (checksum changed 1st,
# 2nd, 3rd time), 553 (file deleted) and 555 (agentless device changed);
# rootcheck/anomaly 510, 513 (malware), 518 (adware/spyware); host inventory
# 580/581; disk-full 531.
# Disabled (level 0-3): agent/server lifecycle (501-504), audit and application
# monitor events (512, 514, 516), the ignore/grouping rules (500, 509, 511,
# 515, 530, 532), log rotation (591) and 554 (file added).
# NOTE(review): 554 "File added to the system" is off, so new files appearing in
# syscheck-monitored directories never reach this ruleset -- only later
# modifications (550-552) do.  Likewise 504 "agent disconnected" is off; an
# agent going silent is itself a monitoring gap worth an alert.  Consider
# enabling both.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - System Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 516 "; classtype: not-suspicious; program: ossec; sid: 6000516; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent started. (ossec_rules.xml:ossec)"; content: "Rule: 503 "; classtype: not-suspicious; program: ossec; sid: 6000503; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File added to the system. (ossec_rules.xml:ossec)"; content: "Rule: 554 "; classtype: tcp-connection; program: ossec; sid: 6000554; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Microsoft Event log cleared. (ossec_rules.xml:ossec)"; content: "Rule: 593 "; classtype: system-event; program: ossec; sid: 6000593; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec server started. (ossec_rules.xml:ossec)"; content: "Rule: 502 "; classtype: not-suspicious; program: ossec; sid: 6000502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (3rd time). (ossec_rules.xml:ossec)"; content: "Rule: 552 "; classtype: system-event; program: ossec; sid: 6000552; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored common NTFS ADS entries. (ossec_rules.xml:ossec)"; content: "Rule: 511 "; classtype: tcp-connection; program: ossec; sid: 6000511; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Windows application monitor event. (ossec_rules.xml:ossec)"; content: "Rule: 514 "; classtype: not-suspicious; program: ossec; sid: 6000514; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information changed. (ossec_rules.xml:ossec)"; content: "Rule: 580 "; classtype: system-event; program: ossec; sid: 6000580; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring external medias. (ossec_rules.xml:ossec)"; content: "Rule: 532 "; classtype: tcp-connection; program: ossec; sid: 6000532; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of ossec rules. (ossec_rules.xml:ossec)"; content: "Rule: 500 "; classtype: tcp-connection; program: ossec; sid: 6000500; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring rootcheck/syscheck scan messages. (ossec_rules.xml:ossec)"; content: "Rule: 515 "; classtype: tcp-connection; program: ossec; sid: 6000515; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows malware detected. (ossec_rules.xml:ossec)"; content: "Rule: 513 "; classtype: system-event; program: ossec; sid: 6000513; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Log file size reduced. (ossec_rules.xml:ossec)"; content: "Rule: 592 "; classtype: system-event; program: ossec; sid: 6000592; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File deleted. Unable to retrieve checksum. (ossec_rules.xml:ossec)"; content: "Rule: 553 "; classtype: system-event; program: ossec; sid: 6000553; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Windows Audit event. (ossec_rules.xml:ossec)"; content: "Rule: 512 "; classtype: not-suspicious; program: ossec; sid: 6000512; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Windows Adware/Spyware application found. (ossec_rules.xml:ossec)"; content: "Rule: 518 "; classtype: system-event; program: ossec; sid: 6000518; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rootcheck event. (ossec_rules.xml:ossec)"; content: "Rule: 509 "; classtype: tcp-connection; program: ossec; sid: 6000509; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum for agentless device changed. (ossec_rules.xml:ossec)"; content: "Rule: 555 "; classtype: system-event; program: ossec; sid: 6000555; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Partition usage reached 100% (disk space monitor). (ossec_rules.xml:ossec)"; content: "Rule: 531 "; classtype: system-event; program: ossec; sid: 6000531; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Host information added. (ossec_rules.xml:ossec)"; content: "Rule: 581 "; classtype: system-event; program: ossec; sid: 6000581; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Log file rotated. (ossec_rules.xml:ossec)"; content: "Rule: 591 "; classtype: not-suspicious; program: ossec; sid: 6000591; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New ossec agent connected. (ossec_rules.xml:ossec)"; content: "Rule: 501 "; classtype: not-suspicious; program: ossec; sid: 6000501; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Host-based anomaly detection event (rootcheck). (ossec_rules.xml:ossec)"; content: "Rule: 510 "; classtype: system-event; program: ossec; sid: 6000510; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed again (2nd time). (ossec_rules.xml:ossec)"; content: "Rule: 551 "; classtype: system-event; program: ossec; sid: 6000551; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - OSSEC process monitoring rules. (ossec_rules.xml:ossec)"; content: "Rule: 530 "; classtype: tcp-connection; program: ossec; sid: 6000530; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Integrity checksum changed. (ossec_rules.xml:ossec)"; content: "Rule: 550 "; classtype: system-event; program: ossec; sid: 6000550; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Ossec agent disconnected. (ossec_rules.xml:ossec)"; content: "Rule: 504 "; classtype: not-suspicious; program: ossec; sid: 6000504; rev:1;)


## Rule group: racoon_rules.xml:syslog,racoon
##
# IPsec/IKE daemon (racoon).  Enabled: 14101 (VPN auth failed, level 5) and
# 14151 (repeated failed VPN logins, level 9).  Everything else -- error and
# warning messages, the "ignored" config errors, VPN established (14120) and
# the grouping rule -- is disabled.
# NOTE(review): 14151 here is level 9 (system-event) while the equivalent
# "Multiple VPN authentication failures" in the Cisco concentrator group
# (14251) is level 10 (exploit-attempt).  The same kind of event therefore
# lands in different classtypes depending on the source; filter on sid or
# level, not on classtype, when building dashboards across VPN types.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14121 "; classtype: tcp-connection; program: ossec; sid: 6014121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VPN authentication failed. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14101 "; classtype: system-event; program: ossec; sid: 6014101; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon error message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14111 "; classtype: not-suspicious; program: ossec; sid: 6014111; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Racoon informational message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14110 "; classtype: tcp-connection; program: ossec; sid: 6014110; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of racoon rules. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14100 "; classtype: tcp-connection; program: ossec; sid: 6014100; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Racoon warning message. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14112 "; classtype: not-suspicious; program: ossec; sid: 6014112; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid configuration settings (ignored error). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14123 "; classtype: tcp-connection; program: ossec; sid: 6014123; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VPN established. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14120 "; classtype: not-suspicious; program: ossec; sid: 6014120; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roadwarrior configuration (ignored warning). (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14122 "; classtype: tcp-connection; program: ossec; sid: 6014122; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple failed VPN logins. (racoon_rules.xml:syslog,racoon)"; content: "Rule: 14151 "; classtype: system-event; program: ossec; sid: 6014151; rev:1;)


## Rule group: arpwatch_rules.xml:syslog,arpwatch
##
# Enabled (level 9): 7204 (IP moved to a different interface) and 7202
# ("flip flop": IP/MAC pairing changing repeatedly).  Both are the classic
# on-the-wire symptoms of ARP spoofing or a duplicate address, so they are
# the two rules in this group worth routing to an analyst.
# Disabled: 7201 (new host seen, level 4), exit/startup and the
# bad-address-length event.
# NOTE(review): the msg of 7202 below contains unescaped double quotes around
# flip flop inside an already double-quoted string.  TODO confirm the Sagan
# rule parser accepts this; if it does not, the rule may fail to load or the
# msg may be truncated at the inner quote, which would silence an important
# signal.
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Arpwatch exiting. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7203 "; classtype: not-suspicious; program: ossec; sid: 6007203; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the arpwatch rules. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7200 "; classtype: tcp-connection; program: ossec; sid: 6007200; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch detected bad address len (ignored). (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7206 "; classtype: tcp-connection; program: ossec; sid: 6007206; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Arpwatch startup/exiting messages. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7205 "; classtype: tcp-connection; program: ossec; sid: 6007205; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Arpwatch new host detected. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7201 "; classtype: not-suspicious; program: ossec; sid: 6007201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Changed network interface for ip address. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7204 "; classtype: system-event; program: ossec; sid: 6007204; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Arpwatch "flip flop" message. IP address/MAC relation changing too often. (arpwatch_rules.xml:syslog,arpwatch)"; content: "Rule: 7202 "; classtype: system-event; program: ossec; sid: 6007202; rev:1;)


## Rule group: ftpd_rules.xml:syslog,ftpd
##
# Generic ftpd.  Enabled: 11111 (login with a disabled account, level 9),
# 11112/11113 (auth failure, level 5), 11109 (repeated failures, level 10),
# 11101 (connection refused), 11107 (blocked by TCP Wrappers) and 11108
# (reverse-lookup error).
# Disabled: file transfer events 11102/11103/11104/11105 (create, delete,
# upload, download), connect/time-out and the grouping rule.
# NOTE(review): 11112 and 11113 carry the identical msg "FTP authentication
# failure." and differ only by sid, so alerts from the two are not
# distinguishable by message text -- key any suppression or counting on sid.
# NOTE(review): with 11102/11104 off there is no record here of files written
# through FTP; if the server accepts uploads, consider enabling those two.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File created via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11102 "; classtype: tcp-connection; program: ossec; sid: 6011102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Attempt to login with disabled account. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11111 "; classtype: system-event; program: ossec; sid: 6011111; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User uploaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11104 "; classtype: tcp-connection; program: ossec; sid: 6011104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11113 "; classtype: system-event; program: ossec; sid: 6011113; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP config). (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11108 "; classtype: system-event; program: ossec; sid: 6011108; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection blocked by Tcp Wrappers. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11107 "; classtype: system-event; program: ossec; sid: 6011107; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP connection refused. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11101 "; classtype: system-event; program: ossec; sid: 6011101; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host connected to FTP server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11106 "; classtype: not-suspicious; program: ossec; sid: 6011106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP failed login attempts. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11109 "; classtype: exploit-attempt; program: ossec; sid: 6011109; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the ftpd rules. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11100 "; classtype: tcp-connection; program: ossec; sid: 6011100; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - User downloaded a file to server. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11105 "; classtype: tcp-connection; program: ossec; sid: 6011105; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - User disconnected due to time out. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11110 "; classtype: not-suspicious; program: ossec; sid: 6011110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP authentication failure. (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11112 "; classtype: system-event; program: ossec; sid: 6011112; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - File deleted via FTP (ftpd_rules.xml:syslog,ftpd)"; content: "Rule: 11103 "; classtype: tcp-connection; program: ossec; sid: 6011103; rev:1;)


## Rule group: cisco-ios_rules.xml:syslog,cisco_ios
##
# Enabled: the IOS severity buckets emergency (4710, level 9), alert (4711,
# level 5) and critical (4712, level 5), plus 4724 (failed router login,
# level 9).  Disabled: error/warning/notification/informational/debug
# (4713-4717), the grouping rule, 4722 (successful login) and 4721 (router
# configuration changed).
# NOTE(review): 4721 "router configuration changed" is a change-control event
# on network infrastructure and is arguably the highest-value line in this
# group; it is off only because its level is 3.  Consider enabling it, and
# 4722 alongside it so a config change can be tied to the login that made it.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS debug message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4717 "; classtype: tcp-connection; program: ossec; sid: 6004717; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS critical message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4712 "; classtype: system-event; program: ossec; sid: 6004712; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Cisco IOS router configuration changed. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4721 "; classtype: not-suspicious; program: ossec; sid: 6004721; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Cisco IOS emergency message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4710 "; classtype: system-event; program: ossec; sid: 6004710; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS warning message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4714 "; classtype: not-suspicious; program: ossec; sid: 6004714; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Cisco IOS alert message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4711 "; classtype: system-event; program: ossec; sid: 6004711; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4722 "; classtype: not-suspicious; program: ossec; sid: 6004722; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS notification message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4715 "; classtype: tcp-connection; program: ossec; sid: 6004715; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Cisco IOS rules. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4700 "; classtype: tcp-connection; program: ossec; sid: 6004700; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Cisco IOS error message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4713 "; classtype: not-suspicious; program: ossec; sid: 6004713; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Cisco IOS informational message. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4716 "; classtype: tcp-connection; program: ossec; sid: 6004716; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login to the router. (cisco-ios_rules.xml:syslog,cisco_ios)"; content: "Rule: 4724 "; classtype: system-event; program: ossec; sid: 6004724; rev:1;)


## Rule group: asterisk_rules.xml:syslog,asterisk
##
# Asterisk PBX.  Enabled: the single login failures 6210/6211/6212 (generic,
# invalid user, invalid extension; level 5) and their aggregates 6250 (user
# enumeration), 6251 (repeated failures) and 6252 (extension enumeration),
# all level 10.  Disabled: warning/error messages and the two grouping rules.
# The enumeration rules are the ones that usually precede toll-fraud attempts,
# so keep them enabled even where the level-5 singles are tuned down.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Extension enumeration. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6252 "; classtype: exploit-attempt; program: ossec; sid: 6006252; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk warning message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6202 "; classtype: not-suspicious; program: ossec; sid: 6006202; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6210 "; classtype: system-event; program: ossec; sid: 6006210; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk notice messages grouped. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6201 "; classtype: tcp-connection; program: ossec; sid: 6006201; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid extension). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6212 "; classtype: system-event; program: ossec; sid: 6006212; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Asterisk messages grouped. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6200 "; classtype: tcp-connection; program: ossec; sid: 6006200; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6251 "; classtype: exploit-attempt; program: ossec; sid: 6006251; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login session failed (invalid user). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6211 "; classtype: system-event; program: ossec; sid: 6006211; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Asterisk error message. (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6203 "; classtype: not-suspicious; program: ossec; sid: 6006203; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins (user enumeration in process). (asterisk_rules.xml:syslog,asterisk)"; content: "Rule: 6250 "; classtype: exploit-attempt; program: ossec; sid: 6006250; rev:1;)


## Rule group: syslog_rules.xml:syslog,yum
##
# Package-management audit trail.  Enabled (level 7): 2932 install, 2933
# update, 2934 delete -- together these give a full record of package churn
# on the host, which is useful both for change tracking and for spotting
# unexpected software installs.  2930 and 2931 (both "Yum logs.", level 0)
# are the raw/grouping rules and stay disabled.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New Yum package installed. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2932 "; classtype: system-event; program: ossec; sid: 6002932; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package deleted. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2934 "; classtype: system-event; program: ossec; sid: 6002934; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2931 "; classtype: tcp-connection; program: ossec; sid: 6002931; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Yum logs. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2930 "; classtype: tcp-connection; program: ossec; sid: 6002930; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Yum package updated. (syslog_rules.xml:syslog,yum)"; content: "Rule: 2933 "; classtype: system-event; program: ossec; sid: 6002933; rev:1;)


## Rule group: local_rules.xml:local,syslog
## Mirrors the three sample rules OSSEC ships in local_rules.xml (ids 100001,
## 100020, 100030); "XYZABC" and "1.1.1.1" are the placeholders from that sample
## file, not real values. All are level 0 and stay disabled. NOTE(review): a site
## that customises local_rules.xml on the OSSEC side will have ids/levels these
## entries do not reflect -- regenerate rather than hand-edit; confirm.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins for user XYZABC. (local_rules.xml:local,syslog)"; content: "Rule: 100020 "; classtype: tcp-connection; program: ossec; sid: 6100020; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Example of rule that will ignore sshd failed logins from IP 1.1.1.1. (local_rules.xml:local,syslog)"; content: "Rule: 100001 "; classtype: tcp-connection; program: ossec; sid: 6100001; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - List of rules to be ignored. (local_rules.xml:local,syslog)"; content: "Rule: 100030 "; classtype: tcp-connection; program: ossec; sid: 6100030; rev:1;)


## Rule group: trend-osce_rules.xml:trend_micro,ocse
## Trend Micro OfficeScan (OSCE) events. 7611 (level 9, virus detected but NOT
## cleaned) is the actionable one; 7610 (cleaned/quarantined) and 7613 (scan
## passed but a potential risk was found) are level 5. 7600 is the grouping rule
## and 7612 (clean scan) is informational; both stay disabled.
## The msg text reproduces the OSSEC description verbatim, typos included
## ("remved", "ocse"); it is alert output, so keep it in sync with the OSSEC
## side rather than editing it here.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus detected and cleaned/quarantined/remved (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7610 "; classtype: system-event; program: ossec; sid: 6007610; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Trend OSCE rules. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7600 "; classtype: tcp-connection; program: ossec; sid: 6007600; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Virus detected and unable to clean up. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7611 "; classtype: system-event; program: ossec; sid: 6007611; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virus scan completed with no errors detected. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7612 "; classtype: not-suspicious; program: ossec; sid: 6007612; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virus scan passed by found potential security risk. (trend-osce_rules.xml:trend_micro,ocse)"; content: "Rule: 7613 "; classtype: system-event; program: ossec; sid: 6007613; rev:1;)


## Rule group: telnetd_rules.xml:syslog,telnetd
## 5631 (level 10) is the composite "multiple connection attempts from one
## source" rule; 5601/5603/5604 (level 5) cover TCP-wrapper refusals, invalid
## connections and reverse-lookup failures. 5602 (a telnet session was
## established, level 3) ships disabled; since telnet carries credentials in
## clear text, enabling it is a cheap way to inventory where telnet is still
## in use. 5600 is the grouping rule.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Remote host invalid connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5603 "; classtype: system-event; program: ossec; sid: 6005603; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the telnetd rules (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5600 "; classtype: tcp-connection; program: ossec; sid: 6005600; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Remote host established a telnet connection. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5602 "; classtype: not-suspicious; program: ossec; sid: 6005602; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source (possible scan). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5631 "; classtype: exploit-attempt; program: ossec; sid: 6005631; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Connection refused by TCP Wrappers. (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5601 "; classtype: system-event; program: ossec; sid: 6005601; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad hostname config). (telnetd_rules.xml:syslog,telnetd)"; content: "Rule: 5604 "; classtype: system-event; program: ossec; sid: 6005604; rev:1;)


## Rule group: syslog_rules.xml:syslog,nfs
## All NFS entries are OSSEC level 0-4 and therefore ship disabled; nothing in
## this group fires until an entry's "#(Level N)" prefix is removed.
## 2101/2102/2103 (mount failures, level 4) are availability signals that an
## operations team may want enabled; 2100 is the grouping rule, 2104 automount
## chatter.
##
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2103 "; classtype: not-suspicious; program: ossec; sid: 6002103; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS share. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2101 "; classtype: not-suspicious; program: ossec; sid: 6002101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS rules grouped. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2100 "; classtype: tcp-connection; program: ossec; sid: 6002100; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Automount informative message (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2104 "; classtype: not-suspicious; program: ossec; sid: 6002104; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Unable to mount the NFS directory. (syslog_rules.xml:syslog,nfs)"; content: "Rule: 2102 "; classtype: not-suspicious; program: ossec; sid: 6002102; rev:1;)


## Rule group: syslog_rules.xml:syslog,pptp
## All three PPTPD entries are OSSEC level 0 (grouping rule plus two
## communication-error rules) and ship disabled. Even 9101/9102 carry level 0
## on the OSSEC side, so enabling them here only yields low-severity noise.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD messages grouped (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9100 "; classtype: tcp-connection; program: ossec; sid: 6009100; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD communication error (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9102 "; classtype: tcp-connection; program: ossec; sid: 6009102; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PPTPD failed message (communication error) (syslog_rules.xml:syslog,pptp)"; content: "Rule: 9101 "; classtype: tcp-connection; program: ossec; sid: 6009101; rev:1;)


## Rule group: attack_rules.xml:syslog,elevation_of_privilege
## Single composite rule 40501: OSSEC correlates an attack alert followed by a
## user being added, hence level 15 -- the highest level in this part of the
## file. Treat a hit as an incident-response trigger, not a tuning candidate.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 15 - Attacks followed by the addition of an user. (attack_rules.xml:syslog,elevation_of_privilege)"; content: "Rule: 40501 "; classtype: exploit-attempt; program: ossec; sid: 6040501; rev:1;)


## Rule group: ms-exchange_rules.xml:ms,exchange
## The enabled entries are the two composite rules (3851 repeated delivery to
## invalid accounts, 3852 repeated 500 errors; level 9). The single-event
## rules 3801/3802 (level 4) feed them on the OSSEC side and ship disabled
## here; 3800 is the grouping rule.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Exchange rules. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3800 "; classtype: tcp-connection; program: ossec; sid: 6003800; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail 500 error code (spam). (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3852 "; classtype: system-event; program: ossec; sid: 6003852; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail rcpt is not valid (invalid account). (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3801 "; classtype: not-suspicious; program: ossec; sid: 6003801; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Multiple e-mail attempts to an invalid account. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3851 "; classtype: system-event; program: ossec; sid: 6003851; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - E-mail 500 error code. (ms-exchange_rules.xml:ms,exchange)"; content: "Rule: 3802 "; classtype: not-suspicious; program: ossec; sid: 6003802; rev:1;)


## Rule group: attack_rules.xml:syslog,recon
## Single composite rule 40601 (level 10): OSSEC saw repeated events from one
## source IP and classed it as a network scan. The source address is in the
## OSSEC alert body, not in this rule -- pivot on it from the matched log line.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Network scan from same source ip. (attack_rules.xml:syslog,recon)"; content: "Rule: 40601 "; classtype: exploit-attempt; program: ossec; sid: 6040601; rev:1;)


## Rule group: rules_config.xml:ossec
## OSSEC's generic template rule; level 0, disabled, sid 6000007.
## NOTE(review): the content match is the zero-padded "Rule: 07 ". If the
## OSSEC alert text actually reads "Rule: 7", this entry can never match even
## when enabled -- confirm against a real alert before relying on it.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all ossec rules. (rules_config.xml:ossec)"; content: "Rule: 07 "; classtype: tcp-connection; program: ossec; sid: 6000007; rev:1;)


## Rule group: syslog_rules.xml:syslog,linuxkernel
## Detection-relevant enabled entries: 5104 (level 8) interface put into
## promiscuous mode -- a classic sniffer/sensor indicator, correlate with
## whether the host is a legitimate capture point; 5103 (level 9) kernel
## ping-of-death message; 5113 (level 7) shutdown; 5130 (level 7) ADSL down.
## 5108 "System running out of memory" (level 12) is tagged exploit-attempt
## only because classtype is derived from the OSSEC level -- it is an
## availability event, not an attack, so do not triage it on classtype.
## 5101/5102 and 5106/5107 are pairs with identical msg text but different
## OSSEC ids; all level 0 entries (incl. 5100 pre-match, 5111 device error,
## 5112 usbhid, 5200 hpiod) ship disabled.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel usbhid probe error (ignored). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5112 "; classtype: tcp-connection; program: ossec; sid: 6005112; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Monitor ADSL line is up. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5131 "; classtype: not-suspicious; program: ossec; sid: 6005131; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Kernel Input/Output error (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5109 "; classtype: not-suspicious; program: ossec; sid: 6005109; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - IRC misconfiguration (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5110 "; classtype: not-suspicious; program: ossec; sid: 6005110; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring hpiod for producing useless logs. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5200 "; classtype: tcp-connection; program: ossec; sid: 6005200; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5102 "; classtype: tcp-connection; program: ossec; sid: 6005102; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompability between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5107 "; classtype: tcp-connection; program: ossec; sid: 6005107; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Interface entered in promiscuous(sniffing) mode. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5104 "; classtype: system-event; program: ossec; sid: 6005104; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Pre-match rule for kernel messages (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5100 "; classtype: tcp-connection; program: ossec; sid: 6005100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - System running out of memory. Availability of the system is in risk. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5108 "; classtype: exploit-attempt; program: ossec; sid: 6005108; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Kernel device error. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5111 "; classtype: tcp-connection; program: ossec; sid: 6005111; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Invalid request to /dev/fd0 (bug on the kernel). (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5105 "; classtype: tcp-connection; program: ossec; sid: 6005105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Error message from the kernel. Ping of death attack. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5103 "; classtype: system-event; program: ossec; sid: 6005103; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - NFS incompability between Linux and Solaris. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5106 "; classtype: tcp-connection; program: ossec; sid: 6005106; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Informative message from the kernel. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5101 "; classtype: tcp-connection; program: ossec; sid: 6005101; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Monitor ADSL line is down. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5130 "; classtype: system-event; program: ossec; sid: 6005130; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - System is shutting down. (syslog_rules.xml:syslog,linuxkernel)"; content: "Rule: 5113 "; classtype: system-event; program: ossec; sid: 6005113; rev:1;)


## Rule group: dovecot_rules.xml:dovecot
## Authentication telemetry for the Dovecot IMAP/POP server. Single-event
## rules 9702 (auth failed), 9705 (invalid user) and 9707 (aborted login) are
## level 5; the composite brute-force rules 9750/9751 are level 10.
## 9704 "Fatal Failure" is only level 2 on the OSSEC side and therefore ships
## disabled -- a mail operator may still want it on for availability.
## 9701 (auth success, level 3) is disabled; enabling it gives the successful
## logins needed to spot a brute force that eventually succeeded.
## 9700 grouping, 9703 start-up and 9706 disconnect are informational.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Authentication Failed. (dovecot_rules.xml:dovecot)"; content: "Rule: 9702 "; classtype: system-event; program: ossec; sid: 6009702; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot Multiple Authentication Failures. (dovecot_rules.xml:dovecot)"; content: "Rule: 9750 "; classtype: exploit-attempt; program: ossec; sid: 6009750; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot is Starting Up. (dovecot_rules.xml:dovecot)"; content: "Rule: 9703 "; classtype: not-suspicious; program: ossec; sid: 6009703; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Dovecot Fatal Failure. (dovecot_rules.xml:dovecot)"; content: "Rule: 9704 "; classtype: not-suspicious; program: ossec; sid: 6009704; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Invalid User Login Attempt. (dovecot_rules.xml:dovecot)"; content: "Rule: 9705 "; classtype: system-event; program: ossec; sid: 6009705; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Dovecot Aborted Login. (dovecot_rules.xml:dovecot)"; content: "Rule: 9707 "; classtype: system-event; program: ossec; sid: 6009707; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Authentication Success. (dovecot_rules.xml:dovecot)"; content: "Rule: 9701 "; classtype: not-suspicious; program: ossec; sid: 6009701; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dovecot Messages Grouped. (dovecot_rules.xml:dovecot)"; content: "Rule: 9700 "; classtype: tcp-connection; program: ossec; sid: 6009700; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Dovecot Session Disconnected. (dovecot_rules.xml:dovecot)"; content: "Rule: 9706 "; classtype: not-suspicious; program: ossec; sid: 6009706; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Dovecot brute force attack (multiple auth failures). (dovecot_rules.xml:dovecot)"; content: "Rule: 9751 "; classtype: exploit-attempt; program: ossec; sid: 6009751; rev:1;)


## Rule group: symantec-ws_rules.xml:symantec
## Only 7410 (proxy login failed, level 5) is enabled. The success-side rules
## 7415 (user login) and 7420 (admin login to the proxy console) are level 3
## and ship disabled; without 7420 a successful admin login after a run of
## 7410 failures is invisible here, so consider enabling it.
## 7425 is per-request web access logging (high volume); 7400 grouping.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Symantec Web Security rules. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7400 "; classtype: tcp-connection; program: ossec; sid: 6007400; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Web access message. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7425 "; classtype: not-suspicious; program: ossec; sid: 6007425; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Admin Login success to the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7420 "; classtype: not-suspicious; program: ossec; sid: 6007420; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login success accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7415 "; classtype: not-suspicious; program: ossec; sid: 6007415; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the web proxy. (symantec-ws_rules.xml:symantec)"; content: "Rule: 7410 "; classtype: system-event; program: ossec; sid: 6007410; rev:1;)


## Rule group: php_rules.xml:apache
## PHP messages from the Apache error log. 31411 "PHP web attack" (level 6) is
## the only attack-oriented entry; note it lands in classtype system-event
## because classtype follows the OSSEC level, not the rule semantics.
## 31412/31421 (missing file or function, level 5) are common side effects of
## path probing and are worth keeping enabled alongside 31411.
## 31401-31406 (level 0) repeat the warning/fatal/parse msg texts of
## 31410/31420/31430; presumably OSSEC's pre-match rules for the same
## messages (disabled here) -- confirm in php_rules.xml before tuning.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Parse error. (php_rules.xml:apache)"; content: "Rule: 31430 "; classtype: system-event; program: ossec; sid: 6031430; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31410 "; classtype: not-suspicious; program: ossec; sid: 6031410; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31404 "; classtype: tcp-connection; program: ossec; sid: 6031404; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file or function). (php_rules.xml:apache)"; content: "Rule: 31421 "; classtype: system-event; program: ossec; sid: 6031421; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. (php_rules.xml:apache)"; content: "Rule: 31403 "; classtype: tcp-connection; program: ossec; sid: 6031403; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - PHP web attack. (php_rules.xml:apache)"; content: "Rule: 31411 "; classtype: system-event; program: ossec; sid: 6031411; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP internal error (missing file). (php_rules.xml:apache)"; content: "Rule: 31412 "; classtype: system-event; program: ossec; sid: 6031412; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31420 "; classtype: system-event; program: ossec; sid: 6031420; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31405 "; classtype: tcp-connection; program: ossec; sid: 6031405; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Parse error. (php_rules.xml:apache)"; content: "Rule: 31406 "; classtype: tcp-connection; program: ossec; sid: 6031406; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Warning message. (php_rules.xml:apache)"; content: "Rule: 31401 "; classtype: tcp-connection; program: ossec; sid: 6031401; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PHP Fatal error. (php_rules.xml:apache)"; content: "Rule: 31402 "; classtype: tcp-connection; program: ossec; sid: 6031402; rev:1;)


## Rule group: postfix_rules.xml:syslog,postfix
## Credential-attack signal: 3332 (SASL auth failure, level 5) and its
## composite 3357 (multiple SASL failures, level 10) -- the SMTP-AUTH
## brute-force pair. Relay/spam signal: 3301 (relay attempt, level 6), 3306
## (blacklisted IP, level 6) and the composites 3351-3356 (levels 6-12).
## 3330 (process error) and 3331 (insufficient disk space) are level 10 and
## thus tagged exploit-attempt purely because classtype tracks the OSSEC
## level; both are availability events and should be routed to operations,
## not treated as attacks.
## 3300/3320/3390 are OSSEC grouping rules and 3334 (started, level 3) is
## informational; all ship disabled. 3333 (stopped, level 7) stays enabled.
## msg text mirrors the OSSEC description verbatim ("Receipent" in 3305).
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3351 "; classtype: system-event; program: ossec; sid: 6003351; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple misuse of SMTP service (bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3354 "; classtype: exploit-attempt; program: ossec; sid: 6003354; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Postfix SASL authentication failure. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3332 "; classtype: system-event; program: ossec; sid: 6003332; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix reject rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3300 "; classtype: tcp-connection; program: ossec; sid: 6003300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3353 "; classtype: exploit-attempt; program: ossec; sid: 6003353; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to use mail server as relay (client host rejected). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3301 "; classtype: system-event; program: ossec; sid: 6003301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail to invalid recipient or from unknown sender domain. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3355 "; classtype: exploit-attempt; program: ossec; sid: 6003355; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found (450: Requested mail action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3303 "; classtype: system-event; program: ossec; sid: 6003303; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Postfix stopped. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3333 "; classtype: system-event; program: ossec; sid: 6003333; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Postfix started. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3334 "; classtype: not-suspicious; program: ossec; sid: 6003334; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (Requested action not taken). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3302 "; classtype: system-event; program: ossec; sid: 6003302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a rejected sender IP (access). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3352 "; classtype: system-event; program: ossec; sid: 6003352; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix insufficient disk space error. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3331 "; classtype: exploit-attempt; program: ossec; sid: 6003331; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Improper use of SMTP command pipelining (503: Bad sequence of commands). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3304 "; classtype: system-event; program: ossec; sid: 6003304; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Receipent address must contain FQDN (504: Command parameter not implemented). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3305 "; classtype: system-event; program: ossec; sid: 6003305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the clamsmtpd rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3390 "; classtype: tcp-connection; program: ossec; sid: 6003390; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SASL authentication failures. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3357 "; classtype: exploit-attempt; program: ossec; sid: 6003357; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the postfix rules. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3320 "; classtype: tcp-connection; program: ossec; sid: 6003320; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from black-listed IP address (blocked). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3356 "; classtype: exploit-attempt; program: ossec; sid: 6003356; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IP Address black-listed by anti-spam (blocked). (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3306 "; classtype: system-event; program: ossec; sid: 6003306; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Postfix process error. (postfix_rules.xml:syslog,postfix)"; content: "Rule: 3330 "; classtype: exploit-attempt; program: ossec; sid: 6003330; rev:1;)


## Rule group: ms_ftpd_rules.xml:syslog,msftp
## Microsoft FTP service. 11502 (auth failed, level 5) is the single event;
## 11510 (brute force), 11511 (connection flood) and 11512 (repeated errors)
## are the level-10 composites. 11503 (auth success, level 3) ships disabled,
## so a brute force that succeeds leaves no success record here unless it is
## enabled. 11500 grouping, 11501 new connection, 11504 failed client
## request are low level and disabled.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP errors from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11512 "; classtype: exploit-attempt; program: ossec; sid: 6011512; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11510 "; classtype: exploit-attempt; program: ossec; sid: 6011510; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11501 "; classtype: not-suspicious; program: ossec; sid: 6011501; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11503 "; classtype: not-suspicious; program: ossec; sid: 6011503; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Microsoft ftp rules. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11500 "; classtype: tcp-connection; program: ossec; sid: 6011500; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11511 "; classtype: exploit-attempt; program: ossec; sid: 6011511; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11502 "; classtype: system-event; program: ossec; sid: 6011502; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - FTP client request failed. (ms_ftpd_rules.xml:syslog,msftp)"; content: "Rule: 11504 "; classtype: not-suspicious; program: ossec; sid: 6011504; rev:1;)


## Rule group: imapd_rules.xml:syslog,imapd
## 3601 (login failed, level 5) plus its composite 3651 (multiple failures
## from one source IP, level 10) are the enabled brute-force pair. 3602
## (successful login, level 3) ships disabled; turn it on if you need the
## success side to confirm whether a 3651 burst ended in a valid login.
## 3600 grouping and 3603 logout are level 0.
##
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Imapd user login. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3602 "; classtype: not-suspicious; program: ossec; sid: 6003602; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Imapd user logout. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3603 "; classtype: tcp-connection; program: ossec; sid: 6003603; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins from same source ip. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3651 "; classtype: exploit-attempt; program: ossec; sid: 6003651; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Imapd user login failed. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3601 "; classtype: system-event; program: ossec; sid: 6003601; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the imapd rules. (imapd_rules.xml:syslog,imapd)"; content: "Rule: 3600 "; classtype: tcp-connection; program: ossec; sid: 6003600; rev:1;)


## Rule group: ids_rules.xml:ids
## OSSEC's wrapper around third-party IDS (e.g. Snort) alerts it ingests.
## 20101 (level 6) is every IDS event; 20100 (level 8) the first occurrence of
## a given signature; 20151/20152 (level 10) repeats per source IP / per
## signature id. 20161/20162 (level 11) are the "ignoring now" rules: OSSEC
## suppresses further alerts for that srcip/id after firing them, so the last
## alert you see for a noisy source will be one of these -- do not read the
## silence that follows as the activity stopping. 20102/20103 (level 0) are
## OSSEC's own ignore list and ship disabled.
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. (ids_rules.xml:ids)"; content: "Rule: 20103 "; classtype: tcp-connection; program: ossec; sid: 6020103; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored snort ids. (ids_rules.xml:ids)"; content: "Rule: 20102 "; classtype: tcp-connection; program: ossec; sid: 6020102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS events from same source ip. (ids_rules.xml:ids)"; content: "Rule: 20151 "; classtype: exploit-attempt; program: ossec; sid: 6020151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - First time this IDS alert is generated. (ids_rules.xml:ids)"; content: "Rule: 20100 "; classtype: system-event; program: ossec; sid: 6020100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS alerts for same id (ignoring now this id). (ids_rules.xml:ids)"; content: "Rule: 20162 "; classtype: exploit-attempt; program: ossec; sid: 6020162; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple IDS alerts for same id. (ids_rules.xml:ids)"; content: "Rule: 20152 "; classtype: exploit-attempt; program: ossec; sid: 6020152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Multiple IDS events from same source ip (ignoring now this srcip and id). (ids_rules.xml:ids)"; content: "Rule: 20161 "; classtype: exploit-attempt; program: ossec; sid: 6020161; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - IDS event. (ids_rules.xml:ids)"; content: "Rule: 20101 "; classtype: system-event; program: ossec; sid: 6020101; rev:1;)


## Rule group: policy_rules.xml:policy_violation
## 17101/17102 (level 9): a successful login outside business hours or on a
## weekend. The time windows and which logins count are decided by the OSSEC
## rule, not here -- a false-positive rate driven by on-call staff or batch
## accounts has to be tuned on the OSSEC side, and the OSSEC server's clock
## and timezone determine what "non-business hours" means.
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during weekend. (policy_rules.xml:policy_violation)"; content: "Rule: 17102 "; classtype: system-event; program: ossec; sid: 6017102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Successful login during non-business hours. (policy_rules.xml:policy_violation)"; content: "Rule: 17101 "; classtype: system-event; program: ossec; sid: 6017101; rev:1;)


## Rule group: ms_dhcp_rules.xml:windows,dhcp
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Packet dropped due to NAP policy. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6323 "; classtype: exploit-attempt; program: ossec; sid: 6006323; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - The log was started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6301 "; classtype: not-suspicious; program: ossec; sid: 6006301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Scope Full. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6360 "; classtype: exploit-attempt; program: ossec; sid: 6006360; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS record not deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6368 "; classtype: tcp-connection; program: ossec; sid: 6006368; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Audit log paused. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6363 "; classtype: exploit-attempt; program: ossec; sid: 6006363; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service has not determined if it is authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6376 "; classtype: exploit-attempt; program: ossec; sid: 6006376; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP IP address was deleted after checking to see it was not in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6315 "; classtype: tcp-connection; program: ossec; sid: 6006315; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A BOOTP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6312 "; classtype: tcp-connection; program: ossec; sid: 6006312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DNS update failed. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6319 "; classtype: system-event; program: ossec; sid: 6006319; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Started. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6361 "; classtype: not-suspicious; program: ossec; sid: 6006361; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6350 "; classtype: tcp-connection; program: ossec; sid: 6006350; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Advertise. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6352 "; classtype: tcp-connection; program: ossec; sid: 6006352; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was renewed by a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6305 "; classtype: tcp-connection; program: ossec; sid: 6006305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A new IP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6304 "; classtype: tcp-connection; program: ossec; sid: 6006304; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records were deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6322 "; classtype: tcp-connection; program: ossec; sid: 6006322; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6369 "; classtype: tcp-connection; program: ossec; sid: 6006369; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - An IP address was found to be in use on the network. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6307 "; classtype: tcp-connection; program: ossec; sid: 6006307; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Renew. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6355 "; classtype: tcp-connection; program: ossec; sid: 6006355; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was expired and DNS records for an expired lease have not been deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6311 "; classtype: tcp-connection; program: ossec; sid: 6006311; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Solicit. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6351 "; classtype: tcp-connection; program: ossec; sid: 6006351; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - IP address cleanup operation has begun. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6316 "; classtype: not-suspicious; program: ossec; sid: 6006316; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Client deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6367 "; classtype: tcp-connection; program: ossec; sid: 6006367; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Address is already in use. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6366 "; classtype: not-suspicious; program: ossec; sid: 6006366; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup begin. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6371 "; classtype: not-suspicious; program: ossec; sid: 6006371; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - A lease request could not be satisfied because the scope's address pool was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6308 "; classtype: exploit-attempt; program: ossec; sid: 6006308; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - A lease was denied. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6309 "; classtype: system-event; program: ossec; sid: 6006309; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Confirm. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6354 "; classtype: tcp-connection; program: ossec; sid: 6006354; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - IP address cleanup statistics. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6317 "; classtype: not-suspicious; program: ossec; sid: 6006317; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update successful. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6320 "; classtype: tcp-connection; program: ossec; sid: 6006320; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Information Request. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6359 "; classtype: tcp-connection; program: ossec; sid: 6006359; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Log File. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6364 "; classtype: system-event; program: ossec; sid: 6006364; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was released by a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6306 "; classtype: tcp-connection; program: ossec; sid: 6006306; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - The log was stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6302 "; classtype: not-suspicious; program: ossec; sid: 6006302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - The log was temporarily paused due to low disk space. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6303 "; classtype: exploit-attempt; program: ossec; sid: 6006303; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Database cleanup end. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6372 "; classtype: not-suspicious; program: ossec; sid: 6006372; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A lease was deleted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6310 "; classtype: tcp-connection; program: ossec; sid: 6006310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Codes above 50 are used for Rogue Server Detection information. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6321 "; classtype: exploit-attempt; program: ossec; sid: 6006321; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - DNS update request to the named DNS server. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6318 "; classtype: tcp-connection; program: ossec; sid: 6006318; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - A dynamic BOOTP address was leased to a client. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6313 "; classtype: tcp-connection; program: ossec; sid: 6006313; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Service authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6374 "; classtype: not-suspicious; program: ossec; sid: 6006374; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6314 "; classtype: exploit-attempt; program: ossec; sid: 6006314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Service not authorized in AD. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6373 "; classtype: exploit-attempt; program: ossec; sid: 6006373; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Release. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6358 "; classtype: tcp-connection; program: ossec; sid: 6006358; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - DHCP Decline. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6357 "; classtype: system-event; program: ossec; sid: 6006357; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Bad Address. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6365 "; classtype: system-event; program: ossec; sid: 6006365; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Stopped. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6362 "; classtype: system-event; program: ossec; sid: 6006362; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Rebind. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6356 "; classtype: tcp-connection; program: ossec; sid: 6006356; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Expired and Deleted count. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6370 "; classtype: tcp-connection; program: ossec; sid: 6006370; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the MS-DHCP rules. (ms_dhcp_rules.xml:windows,dhcp)"; content: "Rule: 6300 "; classtype: tcp-connection; program: ossec; sid: 6006300; rev:1;)


## Rule group: syslog_rules.xml:syslog,tripwire
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Problems with the tripwire checking (syslog_rules.xml:syslog,tripwire)"; content: "Rule: 7101 "; classtype: system-event; program: ossec; sid: 6007101; rev:1;)


## Rule group: roundcube_rules.xml:syslog,roundcube
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Roundcube authentication failed. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9401 "; classtype: system-event; program: ossec; sid: 6009401; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Roundcube messages grouped. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9400 "; classtype: tcp-connection; program: ossec; sid: 6009400; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Roundcube authentication succeeded. (roundcube_rules.xml:syslog,roundcube)"; content: "Rule: 9402 "; classtype: not-suspicious; program: ossec; sid: 6009402; rev:1;)


## Rule group: vmware_rules.xml:vmware
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19152 "; classtype: exploit-attempt; program: ossec; sid: 6019152; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - VMware ESX error message. (vmware_rules.xml:vmware)"; content: "Rule: 19103 "; classtype: not-suspicious; program: ossec; sid: 6019103; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX verbose message. (vmware_rules.xml:vmware)"; content: "Rule: 19107 "; classtype: tcp-connection; program: ossec; sid: 6019107; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine being turned ON. (vmware_rules.xml:vmware)"; content: "Rule: 19121 "; classtype: not-suspicious; program: ossec; sid: 6019121; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - VMware ESX critical message. (vmware_rules.xml:vmware)"; content: "Rule: 19102 "; classtype: system-event; program: ossec; sid: 6019102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX warning messages. (vmware_rules.xml:vmware)"; content: "Rule: 19150 "; classtype: exploit-attempt; program: ossec; sid: 6019150; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMware ESX warning message. (vmware_rules.xml:vmware)"; content: "Rule: 19104 "; classtype: not-suspicious; program: ossec; sid: 6019104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - VMWare ESX authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19111 "; classtype: system-event; program: ossec; sid: 6019111; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Virtual machine being reconfigured. (vmware_rules.xml:vmware)"; content: "Rule: 19123 "; classtype: system-event; program: ossec; sid: 6019123; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX notice message. (vmware_rules.xml:vmware)"; content: "Rule: 19105 "; classtype: tcp-connection; program: ossec; sid: 6019105; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19100 "; classtype: tcp-connection; program: ossec; sid: 6019100; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX authentication success. (vmware_rules.xml:vmware)"; content: "Rule: 19110 "; classtype: not-suspicious; program: ossec; sid: 6019110; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX error messages. (vmware_rules.xml:vmware)"; content: "Rule: 19151 "; classtype: exploit-attempt; program: ossec; sid: 6019151; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user authentication failure. (vmware_rules.xml:vmware)"; content: "Rule: 19113 "; classtype: not-suspicious; program: ossec; sid: 6019113; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMware ESX informational message. (vmware_rules.xml:vmware)"; content: "Rule: 19106 "; classtype: tcp-connection; program: ossec; sid: 6019106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple VMWare ESX user authentication failures. (vmware_rules.xml:vmware)"; content: "Rule: 19153 "; classtype: exploit-attempt; program: ossec; sid: 6019153; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - VMWare ESX user login. (vmware_rules.xml:vmware)"; content: "Rule: 19112 "; classtype: not-suspicious; program: ossec; sid: 6019112; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Virtual machine state changed to ON. (vmware_rules.xml:vmware)"; content: "Rule: 19122 "; classtype: not-suspicious; program: ossec; sid: 6019122; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Virtual machine state changed to OFF. (vmware_rules.xml:vmware)"; content: "Rule: 19120 "; classtype: system-event; program: ossec; sid: 6019120; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - VMWare ESX syslog messages grouped. (vmware_rules.xml:vmware)"; content: "Rule: 19101 "; classtype: tcp-connection; program: ossec; sid: 6019101; rev:1;)


## Rule group: rules_config.xml:web-log
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all web rules. (rules_config.xml:web-log)"; content: "Rule: 04 "; classtype: tcp-connection; program: ossec; sid: 6000004; rev:1;)


## Rule group: syslog_rules.xml:syslog,fts
##
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user logged in. (syslog_rules.xml:syslog,fts)"; content: "Rule: 10100 "; classtype: not-suspicious; program: ossec; sid: 6010100; rev:1;)


## Rule group: rules_config.xml:firewall
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all firewall rules. (rules_config.xml:firewall)"; content: "Rule: 02 "; classtype: tcp-connection; program: ossec; sid: 6000002; rev:1;)


## Rule group: sshd_rules.xml:syslog,sshd
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - SSHD brute force trying to get access to the system. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5712 "; classtype: exploit-attempt; program: ossec; sid: 6005712; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible breakin attempt (high number of reverse lookup errors). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5703 "; classtype: exploit-attempt; program: ossec; sid: 6005703; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Reverse lookup error (bad ISP or attack). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5702 "; classtype: system-event; program: ossec; sid: 6005702; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Corrupted bytes on SSHD. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5713 "; classtype: system-event; program: ossec; sid: 6005713; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - SSHD authentication failed. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5716 "; classtype: system-event; program: ossec; sid: 6005716; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple SSHD authentication failures. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5720 "; classtype: exploit-attempt; program: ossec; sid: 6005720; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a non-existent user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5710 "; classtype: system-event; program: ossec; sid: 6005710; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SSHD authentication success. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5715 "; classtype: not-suspicious; program: ossec; sid: 6005715; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Timeout while logging in (sshd). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5704 "; classtype: not-suspicious; program: ossec; sid: 6005704; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - OpenSSH challenge-response exploit. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5707 "; classtype: exploit-attempt; program: ossec; sid: 6005707; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple access attempts using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5719 "; classtype: exploit-attempt; program: ossec; sid: 6005719; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SSH insecure connection attempt (scan). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5706 "; classtype: system-event; program: ossec; sid: 6005706; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless SSHD message without a user/ip and context. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5709 "; classtype: tcp-connection; program: ossec; sid: 6005709; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 14 - SSH CRC-32 Compensation attack (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5714 "; classtype: exploit-attempt; program: ossec; sid: 6005714; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Possible attack on the ssh server (or version gathering). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5701 "; classtype: system-event; program: ossec; sid: 6005701; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SSHD configuration error (moduli). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5717 "; classtype: not-suspicious; program: ossec; sid: 6005717; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Possible scan or breakin attempt (high number of login timeouts). (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5705 "; classtype: exploit-attempt; program: ossec; sid: 6005705; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SSHD messages grouped. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5700 "; classtype: tcp-connection; program: ossec; sid: 6005700; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Useless/Duplicated SSHD message without a user/ip. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5711 "; classtype: tcp-connection; program: ossec; sid: 6005711; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login using a denied user. (sshd_rules.xml:syslog,sshd)"; content: "Rule: 5718 "; classtype: system-event; program: ossec; sid: 6005718; rev:1;)


## Rule group: netscreenfw_rules.xml:netscreenfw
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall policy changed. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4508 "; classtype: system-event; program: ossec; sid: 6004508; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Netscreen warning message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4502 "; classtype: not-suspicious; program: ossec; sid: 6004502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4513 "; classtype: system-event; program: ossec; sid: 6004513; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 11 - Netscreen Erase sequence started. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4505 "; classtype: exploit-attempt; program: ossec; sid: 6004505; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Netscreen Firewall rules (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4500 "; classtype: tcp-connection; program: ossec; sid: 6004500; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4509 "; classtype: system-event; program: ossec; sid: 6004509; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4550 "; classtype: exploit-attempt; program: ossec; sid: 6004550; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen critical/alert message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4503 "; classtype: system-event; program: ossec; sid: 6004503; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4553 "; classtype: exploit-attempt; program: ossec; sid: 6004553; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Netscreen notification message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4501 "; classtype: not-suspicious; program: ossec; sid: 6004501; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Netscreen informational message. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4504 "; classtype: system-event; program: ossec; sid: 6004504; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen critical messages. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4551 "; classtype: exploit-attempt; program: ossec; sid: 6004551; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successful admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4506 "; classtype: system-event; program: ossec; sid: 6004506; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Successful admin login to the Netscreen firewall (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4507 "; classtype: system-event; program: ossec; sid: 6004507; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Netscreen alert messages from same source IP. (netscreenfw_rules.xml:netscreenfw)"; content: "Rule: 4552 "; classtype: exploit-attempt; program: ossec; sid: 6004552; rev:1;)


## Rule group: pix_rules.xml:syslog,pix
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4330 "; classtype: system-event; program: ossec; sid: 6004330; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Failed login attempt at the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4321 "; classtype: system-event; program: ossec; sid: 6004321; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - User created or modified on the Firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4342 "; classtype: system-event; program: ossec; sid: 6004342; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - AAA (VPN) authentication successful. (pix_rules.xml:syslog,pix)"; content: "Rule: 4335 "; classtype: not-suspicious; program: ossec; sid: 6004335; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall command executed (for accounting only). (pix_rules.xml:syslog,pix)"; content: "Rule: 4341 "; classtype: not-suspicious; program: ossec; sid: 6004341; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX critical messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4381 "; classtype: exploit-attempt; program: ossec; sid: 6004381; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX alert message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4310 "; classtype: system-event; program: ossec; sid: 6004310; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration changed. (pix_rules.xml:syslog,pix)"; content: "Rule: 4340 "; classtype: system-event; program: ossec; sid: 6004340; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX alert messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4380 "; classtype: exploit-attempt; program: ossec; sid: 6004380; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Connection limit exceeded. (pix_rules.xml:syslog,pix)"; content: "Rule: 4327 "; classtype: system-event; program: ossec; sid: 6004327; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX error message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4312 "; classtype: not-suspicious; program: ossec; sid: 6004312; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attack in progress messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4385 "; classtype: exploit-attempt; program: ossec; sid: 6004385; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX warning messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4383 "; classtype: exploit-attempt; program: ossec; sid: 6004383; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall configuration deleted. (pix_rules.xml:syslog,pix)"; content: "Rule: 4339 "; classtype: system-event; program: ossec; sid: 6004339; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Firewall failover pair communication problem. (pix_rules.xml:syslog,pix)"; content: "Rule: 4338 "; classtype: system-event; program: ossec; sid: 6004338; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - The PIX is disallowing new connections. (pix_rules.xml:syslog,pix)"; content: "Rule: 4337 "; classtype: system-event; program: ossec; sid: 6004337; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4332 "; classtype: system-event; program: ossec; sid: 6004332; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple PIX error messages. (pix_rules.xml:syslog,pix)"; content: "Rule: 4382 "; classtype: exploit-attempt; program: ossec; sid: 6004382; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX debug message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4315 "; classtype: tcp-connection; program: ossec; sid: 6004315; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Password mismatch while running 'enable' on the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4324 "; classtype: system-event; program: ossec; sid: 6004324; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4331 "; classtype: system-event; program: ossec; sid: 6004331; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - PIX notification/informational message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4314 "; classtype: tcp-connection; program: ossec; sid: 6004314; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attempt to connect from a blocked (shunned) IP. (pix_rules.xml:syslog,pix)"; content: "Rule: 4326 "; classtype: system-event; program: ossec; sid: 6004326; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - AAA (VPN) user locked out. (pix_rules.xml:syslog,pix)"; content: "Rule: 4336 "; classtype: system-event; program: ossec; sid: 6004336; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - PIX warning message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4313 "; classtype: not-suspicious; program: ossec; sid: 6004313; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Attack in progress detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4333 "; classtype: system-event; program: ossec; sid: 6004333; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful login to the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4323 "; classtype: not-suspicious; program: ossec; sid: 6004323; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple AAA (VPN) authentication failures. (pix_rules.xml:syslog,pix)"; content: "Rule: 4386 "; classtype: exploit-attempt; program: ossec; sid: 6004386; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Privilege changed in the PIX firewall. (pix_rules.xml:syslog,pix)"; content: "Rule: 4322 "; classtype: not-suspicious; program: ossec; sid: 6004322; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - AAA (VPN) authentication failed. (pix_rules.xml:syslog,pix)"; content: "Rule: 4334 "; classtype: system-event; program: ossec; sid: 6004334; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of PIX rules (pix_rules.xml:syslog,pix)"; content: "Rule: 4300 "; classtype: tcp-connection; program: ossec; sid: 6004300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - ARP collision detected by the PIX. (pix_rules.xml:syslog,pix)"; content: "Rule: 4325 "; classtype: system-event; program: ossec; sid: 6004325; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - PIX critical message. (pix_rules.xml:syslog,pix)"; content: "Rule: 4311 "; classtype: system-event; program: ossec; sid: 6004311; rev:1;)


## Rule group: syslog_rules.xml:syslog,mail
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring procmail messages. (syslog_rules.xml:syslog,mail)"; content: "Rule: 2701 "; classtype: tcp-connection; program: ossec; sid: 6002701; rev:1;)


## Rule group: syslog_rules.xml:syslog,xinetd
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Excessive number of connections to a service. (syslog_rules.xml:syslog,xinetd)"; content: "Rule: 2301 "; classtype: exploit-attempt; program: ossec; sid: 6002301; rev:1;)


## Rule group: syslog_rules.xml:syslog,access_control
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Connection to rshd from unprivileged port. Possible network scan. (syslog_rules.xml:syslog,access_control)"; content: "Rule: 2551 "; classtype: exploit-attempt; program: ossec; sid: 6002551; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - rshd messages grouped. (syslog_rules.xml:syslog,access_control)"; content: "Rule: 2550 "; classtype: tcp-connection; program: ossec; sid: 6002550; rev:1;)


## Rule group: syslog_rules.xml:syslog,dpkg
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Dpkg (Debian Package) log. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2900 "; classtype: tcp-connection; program: ossec; sid: 6002900; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New dpkg (Debian Package) requested to install. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2901 "; classtype: not-suspicious; program: ossec; sid: 6002901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Dpkg (Debian Package) removed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2903 "; classtype: system-event; program: ossec; sid: 6002903; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - New dpkg (Debian Package) installed. (syslog_rules.xml:syslog,dpkg)"; content: "Rule: 2902 "; classtype: system-event; program: ossec; sid: 6002902; rev:1;)


## Rule group: sonicwall_rules.xml:syslog,sonicwall
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall error messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4851 "; classtype: exploit-attempt; program: ossec; sid: 6004851; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Firewall authentication failure. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4811 "; classtype: system-event; program: ossec; sid: 6004811; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall messages grouped. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4800 "; classtype: tcp-connection; program: ossec; sid: 6004800; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall notice message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4805 "; classtype: tcp-connection; program: ossec; sid: 6004805; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall informational message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4806 "; classtype: tcp-connection; program: ossec; sid: 6004806; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Firewall administrator login. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4810 "; classtype: not-suspicious; program: ossec; sid: 6004810; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4802 "; classtype: system-event; program: ossec; sid: 6004802; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple firewall warning messages. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4850 "; classtype: exploit-attempt; program: ossec; sid: 6004850; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - SonicWall error message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4803 "; classtype: not-suspicious; program: ossec; sid: 6004803; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - SonicWall warning message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4804 "; classtype: not-suspicious; program: ossec; sid: 6004804; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - SonicWall critical message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4801 "; classtype: system-event; program: ossec; sid: 6004801; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - SonicWall debug message. (sonicwall_rules.xml:syslog,sonicwall)"; content: "Rule: 4807 "; classtype: tcp-connection; program: ossec; sid: 6004807; rev:1;)


## Rule group: syslog_rules.xml:syslog,cron
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2832 "; classtype: system-event; program: ossec; sid: 6002832; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Root's crontab entry changed. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2833 "; classtype: system-event; program: ossec; sid: 6002833; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Crontab rule group. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2830 "; classtype: tcp-connection; program: ossec; sid: 6002830; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Crontab opened for editing. (syslog_rules.xml:syslog,cron)"; content: "Rule: 2834 "; classtype: system-event; program: ossec; sid: 6002834; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wrong crond configuration (syslog_rules.xml:syslog,cron)"; content: "Rule: 2831 "; classtype: tcp-connection; program: ossec; sid: 6002831; rev:1;)


## Rule group: squid_rules.xml:squid
##
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid generic error codes. (squid_rules.xml:squid)"; content: "Rule: 35002 "; classtype: not-suspicious; program: ossec; sid: 6035002; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a worm/trojan related site. (squid_rules.xml:squid)"; content: "Rule: 35022 "; classtype: system-event; program: ossec; sid: 6035022; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring multiple attempts from same source ip (alert only once). (squid_rules.xml:squid)"; content: "Rule: 35095 "; classtype: tcp-connection; program: ossec; sid: 6035095; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple unauthorized attempts to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35052 "; classtype: exploit-attempt; program: ossec; sid: 6035052; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to access a Beagle worm (or variant) file. (squid_rules.xml:squid)"; content: "Rule: 35021 "; classtype: system-event; program: ossec; sid: 6035021; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Bad request/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35003 "; classtype: system-event; program: ossec; sid: 6035003; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Forbidden: Attempt to access forbidden file or directory. (squid_rules.xml:squid)"; content: "Rule: 35005 "; classtype: system-event; program: ossec; sid: 6035005; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Not Found: Attempt to access non-existent file or directory. (squid_rules.xml:squid)"; content: "Rule: 35006 "; classtype: system-event; program: ossec; sid: 6035006; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignored files on a 40x error. (squid_rules.xml:squid)"; content: "Rule: 35023 "; classtype: tcp-connection; program: ossec; sid: 6035023; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Squid 503 error code (server unavailable). (squid_rules.xml:squid)"; content: "Rule: 35010 "; classtype: not-suspicious; program: ossec; sid: 6035010; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access forbidden file or directory from same source ip. (squid_rules.xml:squid)"; content: "Rule: 35051 "; classtype: exploit-attempt; program: ossec; sid: 6035051; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 500/600 error code (server error). (squid_rules.xml:squid)"; content: "Rule: 35009 "; classtype: system-event; program: ossec; sid: 6035009; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 500/600 error codes (server error). (squid_rules.xml:squid)"; content: "Rule: 35058 "; classtype: exploit-attempt; program: ossec; sid: 6035058; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Squid 400 error code (request failed). (squid_rules.xml:squid)"; content: "Rule: 35008 "; classtype: system-event; program: ossec; sid: 6035008; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Bad requests/Invalid syntax. (squid_rules.xml:squid)"; content: "Rule: 35053 "; classtype: exploit-attempt; program: ossec; sid: 6035053; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Squid messages grouped. (squid_rules.xml:squid)"; content: "Rule: 35000 "; classtype: tcp-connection; program: ossec; sid: 6035000; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Proxy Authentication Required: User is not authorized to use proxy. (squid_rules.xml:squid)"; content: "Rule: 35007 "; classtype: system-event; program: ossec; sid: 6035007; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Multiple attempts to access a worm/trojan/virus related web site. System probably infected. (squid_rules.xml:squid)"; content: "Rule: 35056 "; classtype: exploit-attempt; program: ossec; sid: 6035056; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple 400 error codes (requests failed). (squid_rules.xml:squid)"; content: "Rule: 35057 "; classtype: exploit-attempt; program: ossec; sid: 6035057; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Unauthorized: Failed attempt to access authorization-required file or directory. (squid_rules.xml:squid)"; content: "Rule: 35004 "; classtype: system-event; program: ossec; sid: 6035004; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Infected machine with W32.Beagle.DP. (squid_rules.xml:squid)"; content: "Rule: 35054 "; classtype: exploit-attempt; program: ossec; sid: 6035054; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to access a non-existent file. (squid_rules.xml:squid)"; content: "Rule: 35055 "; classtype: exploit-attempt; program: ossec; sid: 6035055; rev:1;)


## Rule group: vsftpd_rules.xml:syslog,vsftpd
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11451 "; classtype: exploit-attempt; program: ossec; sid: 6011451; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple FTP connection attempts from same source IP. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11452 "; classtype: exploit-attempt; program: ossec; sid: 6011452; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the FTP server. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11403 "; classtype: system-event; program: ossec; sid: 6011403; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP session opened. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11401 "; classtype: not-suspicious; program: ossec; sid: 6011401; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP server file upload. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11404 "; classtype: tcp-connection; program: ossec; sid: 6011404; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11402 "; classtype: not-suspicious; program: ossec; sid: 6011402; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vsftpd rules. (vsftpd_rules.xml:syslog,vsftpd)"; content: "Rule: 11400 "; classtype: tcp-connection; program: ossec; sid: 6011400; rev:1;)


## Rule group: vmpop3d_rules.xml:syslog,vm-pop3d
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - POP3 brute force (multiple failed logins). (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9820 "; classtype: exploit-attempt; program: ossec; sid: 6009820; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vm-pop3d rules. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9800 "; classtype: tcp-connection; program: ossec; sid: 6009800; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed accessing the pop3 server. (vmpop3d_rules.xml:syslog,vm-pop3d)"; content: "Rule: 9801 "; classtype: system-event; program: ossec; sid: 6009801; rev:1;)


## Rule group: zeus_rules.xml:zeus
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Zeus fatal log. (zeus_rules.xml:zeus)"; content: "Rule: 31204 "; classtype: exploit-attempt; program: ossec; sid: 6031204; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Zeus serious log. (zeus_rules.xml:zeus)"; content: "Rule: 31203 "; classtype: system-event; program: ossec; sid: 6031203; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus rules. (zeus_rules.xml:zeus)"; content: "Rule: 31200 "; classtype: tcp-connection; program: ossec; sid: 6031200; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Zeus informational logs. (zeus_rules.xml:zeus)"; content: "Rule: 31201 "; classtype: tcp-connection; program: ossec; sid: 6031201; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Zeus warning log. (zeus_rules.xml:zeus)"; content: "Rule: 31202 "; classtype: not-suspicious; program: ossec; sid: 6031202; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Zeus warnings. (zeus_rules.xml:zeus)"; content: "Rule: 31251 "; classtype: exploit-attempt; program: ossec; sid: 6031251; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Configuration warning (ignored). (zeus_rules.xml:zeus)"; content: "Rule: 31206 "; classtype: tcp-connection; program: ossec; sid: 6031206; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Admin authentication failed. (zeus_rules.xml:zeus)"; content: "Rule: 31205 "; classtype: system-event; program: ossec; sid: 6031205; rev:1;)


## Rule group: pure-ftpd_rules.xml:syslog,pure-ftpd
##
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - FTP Authentication success. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11309 "; classtype: not-suspicious; program: ossec; sid: 6011309; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP user logout/timeout (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11303 "; classtype: tcp-connection; program: ossec; sid: 6011303; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the pure-ftpd rules. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11300 "; classtype: tcp-connection; program: ossec; sid: 6011300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to access invalid directory (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11305 "; classtype: system-event; program: ossec; sid: 6011305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - FTP notice messages (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11304 "; classtype: tcp-connection; program: ossec; sid: 6011304; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - New FTP connection. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11301 "; classtype: not-suspicious; program: ossec; sid: 6011301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - FTP Authentication failed. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11302 "; classtype: system-event; program: ossec; sid: 6011302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - FTP brute force (multiple failed logins). (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11306 "; classtype: exploit-attempt; program: ossec; sid: 6011306; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple connection attempts from same source. (pure-ftpd_rules.xml:syslog,pure-ftpd)"; content: "Rule: 11307 "; classtype: exploit-attempt; program: ossec; sid: 6011307; rev:1;)


## Rule group: smbd_rules.xml:syslog,smbd
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13101 "; classtype: tcp-connection; program: ossec; sid: 6013101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Samba network problems. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13103 "; classtype: tcp-connection; program: ossec; sid: 6013103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User action denied by configuration. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13104 "; classtype: system-event; program: ossec; sid: 6013104; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Samba connection denied. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13102 "; classtype: system-event; program: ossec; sid: 6013102; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the smbd rules. (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13100 "; classtype: tcp-connection; program: ossec; sid: 6013100; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Samba network problems (unable to connect). (smbd_rules.xml:syslog,smbd)"; content: "Rule: 13105 "; classtype: not-suspicious; program: ossec; sid: 6013105; rev:1;)


## Rule group: syslog_rules.xml:syslog,errors
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - File system full. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1007 "; classtype: system-event; program: ossec; sid: 6001007; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - Unknown problem somewhere in the system. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1002 "; classtype: not-suspicious; program: ossec; sid: 6001002; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - File missing. Root access unrestricted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1001 "; classtype: not-suspicious; program: ossec; sid: 6001001; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1005 "; classtype: system-event; program: ossec; sid: 6001005; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd exiting (logging stopped). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1004 "; classtype: system-event; program: ossec; sid: 6001004; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Syslogd restarted. (syslog_rules.xml:syslog,errors)"; content: "Rule: 1006 "; classtype: system-event; program: ossec; sid: 6001006; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 13 - Non standard syslog message (size too large). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1003 "; classtype: exploit-attempt; program: ossec; sid: 6001003; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Process exiting (killed). (syslog_rules.xml:syslog,errors)"; content: "Rule: 1008 "; classtype: system-event; program: ossec; sid: 6001008; rev:1;)


## Rule group: syslog_rules.xml:syslog,sudo
##
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - First time user executed sudo. (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5403 "; classtype: not-suspicious; program: ossec; sid: 6005403; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Initial group for sudo messages (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5400 "; classtype: tcp-connection; program: ossec; sid: 6005400; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Three failed attempts to run sudo (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5401 "; classtype: exploit-attempt; program: ossec; sid: 6005401; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Successful sudo to ROOT executed (syslog_rules.xml:syslog,sudo)"; content: "Rule: 5402 "; classtype: not-suspicious; program: ossec; sid: 6005402; rev:1;)


## Rule group: vpopmail_rules.xml:syslog,vpopmail
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (multiple failed logins). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9951 "; classtype: exploit-attempt; program: ossec; sid: 6009951; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with invalid username. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9902 "; classtype: system-event; program: ossec; sid: 6009902; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login to vpopmail with empty password. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9903 "; classtype: system-event; program: ossec; sid: 6009903; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the vpopmail rules. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9900 "; classtype: tcp-connection; program: ossec; sid: 6009900; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - VPOPMAIL brute force (empty password). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9953 "; classtype: exploit-attempt; program: ossec; sid: 6009953; rev:1;)
#(Level 1) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 1 - Vpopmail successful login. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9904 "; classtype: not-suspicious; program: ossec; sid: 6009904; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Login failed for vpopmail. (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9901 "; classtype: system-event; program: ossec; sid: 6009901; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Vpopmail brute force (email harvesting). (vpopmail_rules.xml:syslog,vpopmail)"; content: "Rule: 9952 "; classtype: exploit-attempt; program: ossec; sid: 6009952; rev:1;)


## Rule group: mcafee_av_rules.xml:mcafee
##
# NOTE(review): this rule's content string is "Rule: 07512 " (zero-padded) while its sid is 6007512 and every other rule in this file matches the un-padded OSSEC rule id (e.g. "Rule: 7506 " below). If the OSSEC alert text carries the id as "Rule: 7512 ", this content will never match and the "DAT update failed" event is silently missed; verify against the source mcafee_av_rules.xml and a live alert before relying on it. The disabled rule 01/6000001 further down shows the same zero-padding pattern.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update failed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 07512 "; classtype: system-event; program: ossec; sid: 6007512; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and file will be deleted. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7506 "; classtype: system-event; program: ossec; sid: 6007506; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan completed with no viruses found. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7508 "; classtype: not-suspicious; program: ossec; sid: 6007508; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple McAfee AV warning events. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7550 "; classtype: exploit-attempt; program: ossec; sid: 6007550; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus program or DAT update cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7513 "; classtype: system-event; program: ossec; sid: 6007513; rev:1;)
#(Level 2) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 2 - McAfee Windows AV informational event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7501 "; classtype: not-suspicious; program: ossec; sid: 6007501; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - McAfee Windows AV - Virus detected and not removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7504 "; classtype: exploit-attempt; program: ossec; sid: 6007504; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV warning event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7502 "; classtype: not-suspicious; program: ossec; sid: 6007502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus scan cancelled. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7509 "; classtype: system-event; program: ossec; sid: 6007509; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - EICAR test file detected. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7514 "; classtype: system-event; program: ossec; sid: 6007514; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - McAfee Windows AV error event. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7503 "; classtype: not-suspicious; program: ossec; sid: 6007503; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Scan started or stopped. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7507 "; classtype: not-suspicious; program: ossec; sid: 6007507; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of McAfee Windows AV rules. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7500 "; classtype: tcp-connection; program: ossec; sid: 6007500; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - McAfee Windows AV - Virus program or DAT update succeeded. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7511 "; classtype: not-suspicious; program: ossec; sid: 6007511; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - McAfee Windows AV - Virus detected and properly removed. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7505 "; classtype: system-event; program: ossec; sid: 6007505; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - McAfee Windows AV - Virus scan cancelled due to shutdown. (mcafee_av_rules.xml:mcafee)"; content: "Rule: 7510 "; classtype: system-event; program: ossec; sid: 6007510; rev:1;)


## Rule group: firewall_rules.xml:firewall
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Firewall drop events from same source. (firewall_rules.xml:firewall)"; content: "Rule: 4151 "; classtype: exploit-attempt; program: ossec; sid: 6004151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Firewall drop event. (firewall_rules.xml:firewall)"; content: "Rule: 4101 "; classtype: system-event; program: ossec; sid: 6004101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Firewall rules grouped. (firewall_rules.xml:firewall)"; content: "Rule: 4100 "; classtype: tcp-connection; program: ossec; sid: 6004100; rev:1;)


## Rule group: hordeimp_rules.xml:syslog,hordeimp
##
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Horde emergency messages. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9352 "; classtype: exploit-attempt; program: ossec; sid: 6009352; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP successful login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9305 "; classtype: not-suspicious; program: ossec; sid: 6009305; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping for the Horde imp rules. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9300 "; classtype: tcp-connection; program: ossec; sid: 6009300; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 9 - Horde IMP emergency message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9304 "; classtype: system-event; program: ossec; sid: 6009304; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Horde IMP informational message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9301 "; classtype: tcp-connection; program: ossec; sid: 6009301; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP Failed login. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9306 "; classtype: system-event; program: ossec; sid: 6009306; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Horde IMP notice message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9302 "; classtype: not-suspicious; program: ossec; sid: 6009302; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Horde IMP error message. (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9303 "; classtype: system-event; program: ossec; sid: 6009303; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Horde brute force (multiple failed logins). (hordeimp_rules.xml:syslog,hordeimp)"; content: "Rule: 9351 "; classtype: exploit-attempt; program: ossec; sid: 6009351; rev:1;)


## Rule group: rules_config.xml:syslog
##
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Generic template for all syslog rules. (rules_config.xml:syslog)"; content: "Rule: 01 "; classtype: tcp-connection; program: ossec; sid: 6000001; rev:1;)


## Rule group: pam_rules.xml:pam,syslog
##
# Each rule keys on the OSSEC rule number as it appears in the forwarded
# alert.  The trailing space inside the content match is load-bearing:
# "Rule: 5503 " does not also match 55030-55039.  Keep it if you edit these.
# Only the level>=5 rules are active.  The level-0 grouping rules (5500,
# 5521, 5522) and the level-3 session open/close rules (5501/5502) are
# shipped commented out, so a single failed login (5503) or a login attempt
# with an unknown user name (5504) is visible, but ordinary session activity
# is not.  Enable 5501/5502 only if you want the session baseline; on busy
# hosts they are likely the highest-volume PAM events.
# Classtype follows the OSSEC level, not the event semantics: level 5 ->
# system-event, level 10 -> exploit-attempt.  5551 is OSSEC's own
# "multiple failures" aggregation -- the threshold and window are applied on
# the manager before the alert is forwarded; Sagan only matches the
# resulting rule number, so there is nothing to tune here for it.
# 5504 is the one worth watching next to 5551: repeated invalid-user
# failures usually mean user-name guessing rather than a mistyped password.
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the pam_unix rules. (pam_rules.xml:pam,syslog)"; content: "Rule: 5500 "; classtype: tcp-connection; program: ossec; sid: 6005500; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5521 "; classtype: tcp-connection; program: ossec; sid: 6005521; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - User login failed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5503 "; classtype: system-event; program: ossec; sid: 6005503; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Ignoring Annoying Ubuntu/debian cron login events. (pam_rules.xml:pam,syslog)"; content: "Rule: 5522 "; classtype: tcp-connection; program: ossec; sid: 6005522; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Attempt to login with an invalid user. (pam_rules.xml:pam,syslog)"; content: "Rule: 5504 "; classtype: system-event; program: ossec; sid: 6005504; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple failed logins in a small period of time. (pam_rules.xml:pam,syslog)"; content: "Rule: 5551 "; classtype: exploit-attempt; program: ossec; sid: 6005551; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session opened. (pam_rules.xml:pam,syslog)"; content: "Rule: 5501 "; classtype: not-suspicious; program: ossec; sid: 6005501; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Login session closed. (pam_rules.xml:pam,syslog)"; content: "Rule: 5502 "; classtype: not-suspicious; program: ossec; sid: 6005502; rev:1;)


## Rule group: ms-se_rules.xml:windows,mse
##
# Severity follows the OSSEC level: 7731 (EICAR test file) is level 5,
# 7711/7712 (detected and removed / detected) are level 7, and 7710
# (detected but NOT removed) is level 12.  7710 is the one that needs a
# human -- the AV reported something it could not clean, so the host
# should be treated as still infected until checked.
# 7750 and 7751 carry identical msg text and are told apart only by sid and
# by the "Rule: 775x " token in the content match.  If downstream routing
# keys on msg rather than sid, give them distinct messages; what actually
# separates them is defined in ms-se_rules.xml and is not visible here.
# 7720 (configuration changed) is shipped disabled.  It is likely the only
# rule in this group that would surface the AV being switched off or
# exclusions being added, so enabling it is cheap and worthwhile on
# monitored endpoints.  The level-0 grouping rule 7701 stays disabled.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7712 "; classtype: system-event; program: ossec; sid: 6007712; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Microsoft Security Essentials - Virus detected and properly removed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7711 "; classtype: system-event; program: ossec; sid: 6007711; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Microsoft Security Essentials - Configuration changed. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7720 "; classtype: not-suspicious; program: ossec; sid: 6007720; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Microsoft Security Essentials - Virus detected, but unable to remove. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7710 "; classtype: exploit-attempt; program: ossec; sid: 6007710; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of Microsoft Security Essentials rules. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7701 "; classtype: tcp-connection; program: ossec; sid: 6007701; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Microsoft Security Essentials - EICAR test file detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7731 "; classtype: system-event; program: ossec; sid: 6007731; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7750 "; classtype: exploit-attempt; program: ossec; sid: 6007750; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple Microsoft Security Essentials AV warnings detected. (ms-se_rules.xml:windows,mse)"; content: "Rule: 7751 "; classtype: exploit-attempt; program: ossec; sid: 6007751; rev:1;)


## Rule group: cimserver_rules.xml:syslog,cimserver
##
# 9611 "Compaq Insight Manager stopped" is level 12 and therefore lands in
# classtype exploit-attempt.  The classtype is derived from the level, not
# from what happened: a management-agent stop is an availability / tamper
# signal, not an exploit.  Keep the rule, but expect it during planned
# maintenance and route it accordingly.
# 9610 is a single authentication failure (level 5).  There is no
# "multiple failures" rule in this group, so brute-force detection against
# the CIM server does not come from this file.  9600 is the disabled
# level-0 grouping rule.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 12 - Compaq Insight Manager stopped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9611 "; classtype: exploit-attempt; program: ossec; sid: 6009611; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - cimserver messages grouped. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9600 "; classtype: tcp-connection; program: ossec; sid: 6009600; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Compaq Insight Manager authentication failure. (cimserver_rules.xml:syslog,cimserver)"; content: "Rule: 9610 "; classtype: system-event; program: ossec; sid: 6009610; rev:1;)


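## Rule group: sendmail_rules.xml:syslog,sendmail
##
# Single-event rejects (310x, 3191) are level 5/6 -> system-event.  The
# "Multiple ..." rules (315x) are OSSEC's own aggregations and arrive at
# level 10 -> exploit-attempt; the count and time window are applied on the
# manager before the alert is forwarded, Sagan only keys on the resulting
# rule number.  Likewise 3151 (bogus MX) is level 10 as a single event.
# 3107 (generic rejected message) and the 3100/3101/3190 grouping rules are
# shipped disabled; enabling 3107 on a busy MX is noisy, prefer the
# specific 310x rules already active here.
# 3104: msg corrected from the upstream typo "Attepmt" and rev bumped to 2.
# These lines look generated from the OSSEC rule XML named in each msg; if
# the file is regenerated, the fix has to be carried to that source too.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Attempt to use mail server as relay (550: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3104 "; classtype: system-event; program: ossec; sid: 6003104; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple relaying attempts of spam. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3153 "; classtype: system-event; program: ossec; sid: 6003153; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Rejected by access list (55x: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3103 "; classtype: system-event; program: ossec; sid: 6003103; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain does not have any valid MX record (Requested action aborted). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3102 "; classtype: system-event; program: ossec; sid: 6003102; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple pre-greetings rejects. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3158 "; classtype: exploit-attempt; program: ossec; sid: 6003158; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 8 - Sendmail save mail panic. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3109 "; classtype: system-event; program: ossec; sid: 6003109; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Multiple attempts to send e-mail from a previously rejected sender (access). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3152 "; classtype: system-event; program: ossec; sid: 6003152; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender domain is not found  (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3105 "; classtype: system-event; program: ossec; sid: 6003105; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Sender domain has bogus MX record. It should not be sending e-mail. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3151 "; classtype: exploit-attempt; program: ossec; sid: 6003151; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - Sendmail rejected due to pre-greeting. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3108 "; classtype: system-event; program: ossec; sid: 6003108; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Sender address does not have domain (553: Requested action not taken). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3106 "; classtype: system-event; program: ossec; sid: 6003106; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender domain. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3154 "; classtype: exploit-attempt; program: ossec; sid: 6003154; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the smf-sav sendmail milter rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3190 "; classtype: tcp-connection; program: ossec; sid: 6003190; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 6 - SMF-SAV sendmail milter unable to verify address (REJECTED). (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3191 "; classtype: system-event; program: ossec; sid: 6003191; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple attempts to send e-mail from invalid/unknown sender. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3155 "; classtype: exploit-attempt; program: ossec; sid: 6003155; rev:1;)
#(Level 4) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 4 - Sendmail rejected message. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3107 "; classtype: not-suspicious; program: ossec; sid: 6003107; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail reject rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3101 "; classtype: tcp-connection; program: ossec; sid: 6003101; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Grouping of the sendmail rules. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3100 "; classtype: tcp-connection; program: ossec; sid: 6003100; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple rejected e-mails from same source ip. (sendmail_rules.xml:syslog,sendmail)"; content: "Rule: 3156 "; classtype: exploit-attempt; program: ossec; sid: 6003156; rev:1;)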


## Rule group: wordpress_rules.xml:syslog,wordpress
##
# 9501 (single authentication failure, level 5) and 9551 (multiple
# failures, level 10) are the brute-force pair; as elsewhere in this file
# the counting is done by OSSEC before forwarding, Sagan only matches the
# rule number.  9505 (comment flood) and 9510 (attack detected) are level 7.
# 9502 (auth success), 9503 (WPsyslog initialised) and 9504 (plugin
# deactivated) are shipped disabled.  9504 is worth enabling: a plugin
# being deactivated -- in particular the logging/security plugin itself --
# is a common precursor to the events 9510 reports, and once the logging
# plugin is off nothing else in this group can fire.
# Judging by 9503's message, this whole group presumably depends on the
# WPsyslog plugin writing to syslog and OSSEC decoding it; without that
# plugin none of these rules will ever match -- confirm on the web hosts.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Wordpress Comment Flood Attempt. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9505 "; classtype: system-event; program: ossec; sid: 6009505; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 5 - Wordpress authentication failed. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9501 "; classtype: system-event; program: ossec; sid: 6009501; rev:1;)
#(Level 0) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 0 - Wordpress messages grouped. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9500 "; classtype: tcp-connection; program: ossec; sid: 6009500; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress authentication succeeded. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9502 "; classtype: not-suspicious; program: ossec; sid: 6009502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 7 - Attack against Wordpress detected. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9510 "; classtype: system-event; program: ossec; sid: 6009510; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - WPsyslog was successfully initialized. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9503 "; classtype: not-suspicious; program: ossec; sid: 6009503; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 10 - Multiple wordpress authentication failures. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9551 "; classtype: exploit-attempt; program: ossec; sid: 6009551; rev:1;)
#(Level 3) alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[OSSEC] Level 3 - Wordpress plugin deactivated. (wordpress_rules.xml:syslog,wordpress)"; content: "Rule: 9504 "; classtype: not-suspicious; program: ossec; sid: 6009504; rev:1;)