Problem solved (thanks dcid)!

I also rewrote my rules to use best practises outlined in
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

For anyone else interested, my rules look like this:


  <!-- Parent rule for every event that the "clamd" decoder (program_name ^clamd,
       defined further down) claims. level="0" together with noalert="1" means
       this rule never raises an alert by itself; it only exists so that the
       clamd-specific rules below can chain to it with <if_sid>100100</if_sid>. -->
  <rule id="100100" level="0" noalert="1">
    <decoded_as>clamd</decoded_as>
    <description>Grouping of the clamd rules.</description>
  </rule>

  <!-- Parent rule for events claimed by the "freshclam" decoder (program_name
       ^freshclam). Silent (level 0, noalert) like 100100; the freshclam rules
       100107 and 100108 chain to it with <if_sid>100101</if_sid>. -->
  <rule id="100101" level="0" noalert="1">
    <decoded_as>freshclam</decoded_as>
    <description>ClamAV database update</description>
  </rule>

  <!-- Malware detection: a clamd line containing the token FOUND. The pattern is
       not anchored with ^, so it matches wherever FOUND occurs in the line.
       Alerts are tagged with the "virus" group so they can be selected by group
       in alert filtering/active response.
       NOTE(review): level 8 here is lower than the level 10 given to generic
       clamd errors in 100103 - confirm that a confirmed detection is meant to
       rank below an error message. -->
  <rule id="100102" level="8">
    <if_sid>100100</if_sid>
    <match>FOUND</match>
    <description>Virus detected</description>
    <group>virus</group>
  </rule>
  
  <!-- clamd error: the log text must start with "ERROR: " (the ^ anchors the
       pattern to the beginning of the decoded log message). Highest level in
       this set (10); operationally a clamd error can mean scanning has stopped,
       which is why it is treated as more urgent than a warning (100104). -->
  <rule id="100103" level="10">
    <if_sid>100100</if_sid>
    <match>^ERROR: </match>
    <description>Clamd error</description>
    <group>virus</group>
  </rule>
  
  <!-- clamd warning: log text starting with "WARNING: " (anchored with ^).
       Level 7 - one step below the error rule 100103, same "virus" group. -->
  <rule id="100104" level="7">
    <if_sid>100100</if_sid>
    <match>^WARNING: </match>
    <description>Clamd warning</description>
    <group>virus</group>
  </rule>
  
  <!-- clamd (re)start: unanchored substring match on "clamd daemon", which the
       description treats as the daemon's start-up banner - verify against a
       real clamd start line on the monitored version. Informational (level 3);
       an unexpected restart is still worth seeing, since scanning is paused
       while the daemon is down. -->
  <rule id="100105" level="3">
    <if_sid>100100</if_sid>
    <match>clamd daemon</match>
    <description>Clamd restarted</description>
    <group>virus</group>
  </rule>

  <!-- clamd noticed a change to its signature database (unanchored substring
       match). Informational (level 3); pairs with the freshclam-side rule
       100108, which reports the download that typically precedes this. -->
  <rule id="100106" level="3">
    <if_sid>100100</if_sid>
    <match>Database modification detected</match>
    <description>Clamd database updated</description>
    <group>virus</group>
  </rule>

  <!-- freshclam began an update run. Informational (level 3).
       NOTE(review): the <match> text ends with a space, and that space is part of
       the pattern - the log line must have more text after "started" for this
       rule to fire; confirm against an actual freshclam line. -->
  <rule id="100107" level="3">
    <if_sid>100101</if_sid>
    <match>ClamAV update process started </match>
    <description>ClamAV database update</description>
    <group>virus</group>
  </rule>

  <!-- freshclam finished downloading a new database. Informational (level 3).
       NOTE(review): as in 100107, the trailing space inside <match> is part of
       the pattern, so a line ending exactly in "Database updated" would not
       match - confirm the monitored freshclam always prints something after it. -->
  <rule id="100108" level="3">
    <if_sid>100101</if_sid>
    <match>Database updated </match>
    <description>ClamAV database updated</description>
    <group>virus</group>
  </rule>


With the following decoders added:

<!-- Decoder referenced by rule 100100 via <decoded_as>clamd</decoded_as>.
     Claims any syslog event whose program name begins with "clamd" (the ^
     anchors the start only, so a program name such as "clamd-foo" would also
     be claimed - presumably harmless here, but worth knowing). -->
<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<!-- Decoder referenced by rule 100101 via <decoded_as>freshclam</decoded_as>.
     Claims syslog events whose program name begins with "freshclam" (start
     anchored with ^, prefix match otherwise). -->
<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>







