Michael,
Thank you from a lurker on this group. These look like they will work
well.
-David
Michael Caplan wrote:
> Problem solved (thanks dcid)!
>
> I also rewrote my rules to use best practises outlined in
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
>
> For anyone else interested, my rules look like this:
>
>
> <rule id="100100" level="0" noalert="1">
> <decoded_as>clamd</decoded_as>
> <description>Grouping of the clamd rules.</description>
> </rule>
>
> <rule id="100101" level="0" noalert="1">
> <decoded_as>freshclam</decoded_as>
> <description>ClamAV database update</description>
> </rule>
>
> <rule id="100102" level="8">
> <if_sid>100100</if_sid>
> <match>FOUND</match>
> <description>Virus detected</description>
> <group>virus</group>
> </rule>
>
> <rule id="100103" level="10">
> <if_sid>100100</if_sid>
> <match>^ERROR: </match>
> <description>Clamd error</description>
> <group>virus</group>
> </rule>
>
> <rule id="100104" level="7">
> <if_sid>100100</if_sid>
> <match>^WARNING: </match>
> <description>Clamd warning</description>
> <group>virus</group>
> </rule>
>
> <rule id="100105" level="3">
> <if_sid>100100</if_sid>
> <match>clamd daemon</match>
> <description>Clamd restarted</description>
> <group>virus</group>
> </rule>
>
> <rule id="100106" level="3">
> <if_sid>100100</if_sid>
> <match>Database modification detected</match>
> <description>Clamd database updated</description>
> <group>virus</group>
> </rule>
>
> <rule id="100107" level="3">
> <if_sid>100101</if_sid>
> <match>ClamAV update process started </match>
> <description>ClamAV database update</description>
> <group>virus</group>
> </rule>
>
> <rule id="100108" level="3">
> <if_sid>100101</if_sid>
> <match>Database updated </match>
> <description>ClamAV database updated</description>
> <group>virus</group>
> </rule>
>
>
> With the following decoders added:
>
> <decoder name="clamd">
> <program_name>^clamd</program_name>
> </decoder>
>
> <decoder name="freshclam">
> <program_name>^freshclam</program_name>
> </decoder>
--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
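As an added illustration (not code from the thread, and not OSSEC's own engine), here is a small Python model of how the rules above chain: a decoder claims a log line by its program name, the level-0 `noalert` rule groups it, and the `if_sid` children fire on the message text. The syslog line format, the simplified `<match>` semantics (leading `^` anchors, otherwise substring) and the sample log lines are assumptions constructed for the example; the rule ids, levels and patterns are transcribed from the thread. It also shows what the grouping buys: a `FOUND` string logged by some other program never reaches rule 100102.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Decoders from the thread: decoder name -> program_name pattern.
DECODERS = {"clamd": "^clamd", "freshclam": "^freshclam"}


@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # parent rules key on the decoder name
    if_sid: Optional[int] = None      # child rules key on their parent's id
    match: Optional[str] = None
    noalert: bool = False


# The rules from the thread, transcribed in order.
RULES = [
    Rule(100100, 0, "Grouping of the clamd rules.", decoded_as="clamd", noalert=True),
    Rule(100101, 0, "ClamAV database update", decoded_as="freshclam", noalert=True),
    Rule(100102, 8, "Virus detected", if_sid=100100, match="FOUND"),
    Rule(100103, 10, "Clamd error", if_sid=100100, match="^ERROR: "),
    Rule(100104, 7, "Clamd warning", if_sid=100100, match="^WARNING: "),
    Rule(100105, 3, "Clamd restarted", if_sid=100100, match="clamd daemon"),
    Rule(100106, 3, "Clamd database updated", if_sid=100100, match="Database modification detected"),
    Rule(100107, 3, "ClamAV database update", if_sid=100101, match="ClamAV update process started "),
    Rule(100108, 3, "ClamAV database updated", if_sid=100101, match="Database updated "),
]

# Assumed classic syslog layout: "Mar 18 10:00:01 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[^\[\s:]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)


def ossec_match(pattern: str, text: str) -> bool:
    """Simplified <match>/<program_name> semantics (an assumption of this model):
    a leading ^ anchors at the start of the field, anything else is a substring test."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text


def decode(line: str) -> Optional[Tuple[str, str]]:
    """Return (decoder name, message) when a decoder claims the line's program name."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for name, pattern in DECODERS.items():
        if ossec_match(pattern, m.group("prog")):
            return name, m.group("msg")
    return None


def fired(line: str) -> Optional[Tuple[int, int]]:
    """Return (rule id, level) of the alert a line raises, or None for no alert."""
    decoded = decode(line)
    if decoded is None:
        return None  # no decoder claimed it, so these rules never see the line
    decoder_name, msg = decoded
    for parent in (r for r in RULES if r.decoded_as == decoder_name):
        # First matching child wins, as in OSSEC's rule tree.
        for child in (r for r in RULES if r.if_sid == parent.id):
            if child.match is None or ossec_match(child.match, msg):
                return child.id, child.level
        # Only the level-0 noalert grouping rule matched: stays silent.
        return None if (parent.noalert or parent.level == 0) else (parent.id, parent.level)
    return None


# Constructed sample log lines (not from the thread).
SAMPLE_LOGS = [
    "Mar 18 10:00:01 av1 clamd[1234]: /home/user/eicar.com: Eicar-Test-Signature FOUND",
    "Mar 18 10:00:02 av1 clamd[1234]: ERROR: Can't open file or directory",
    "Mar 18 10:00:03 av1 clamd[1234]: WARNING: Can't access file /proc/1/exe",
    "Mar 18 10:00:04 av1 clamd[1234]: clamd daemon 0.95 (OS: linux-gnu, ARCH: x86_64)",
    "Mar 18 10:00:05 av1 freshclam[1235]: ClamAV update process started at Wed Mar 18 10:00:05 2009",
    "Mar 18 10:00:06 av1 freshclam[1235]: Database updated (525000 signatures) from db.local.clamav.net",
    "Mar 18 10:00:07 av1 sshd[999]: FOUND in a message from another program",
    "Mar 18 10:00:08 av1 clamd[1234]: SelfCheck: Database status OK.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{str(fired(line)):>14}  {line}")
```

Running the block prints one line per sample: the six clamd/freshclam events resolve to their child rules (100102 through 100108 with the levels from the thread), while the sshd line and the routine clamd SelfCheck line produce no alert, because the first is never decoded as clamd and the second only reaches the silent level-0 grouping rule.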