You can make up your own. Give your rules a <group>whatever</group> entry.
i.e.:
  <rule id="100500" level="4">
    <decoded_as>named</decoded_as>
    <description>bad zone transfer request</description>
    <match>bad zone transfer request</match>
    <group>sysadmin,</group>
  </rule>

Here's a quick list of groups (probably incomplete/wrong in some cases):
access_denied
account_changed
adduser
agentless
attack
attacks
authentication_failed
authentication_failures
authentication_success
automatic_attack
client_misconfig
config_changed
connection_attempt
dhcp_dns_maintenance
dhcp_ipv6
dhcp_lease_action
dhcp_maintenance
dhcp_rogue_server
exploit_attempt
firewall_drop
fts
hostinfo
ids
invalid_access
invalid_login
invalid_request
ip_spoof
login_day
login_denied
login_time
logs_cleared
low_diskspace
multiple_drops
multiple_spam
new_host
policy_changed
process_monitor
promisc
recon
rootcheck
service_availability
service_start
smf-sav
spam
sql_injection
syscheck
system_error
system_shutdown
time_changed
unknown_resource
virus
web_scan
win_authentication_failed


On Mon, Mar 1, 2010 at 11:02 AM, Derek J. Morris
<[email protected]> wrote:
> I am excited to check out the Reporting feature just added. I need a list of
> categories or groups so I can set it up with what I want to report on. Can you
> make up your own groups or categories too? Where would I add such entries to
> declare them and then edit my rules appropriately?
>
> -Derek Morris
>
>
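
Added example, not part of the original message or of OSSEC: a small Python script that lists the group names actually used in a set of rules files, so report filters can be built from the live ruleset rather than a hand-kept list. It assumes the usual OSSEC rules layout (a `<group name="...">` wrapper plus optional `<group>` entries inside rules); the sample rules are constructed, with rule 100501 made up to sit beside the 100500 rule from the message.

```python
import re
import sys
from collections import Counter

# Constructed sample in OSSEC rules-file layout (rule 100501 is hypothetical).
SAMPLE_RULES = """
<!-- <group>commented_out,</group> -->
<group name="syslog,named,">
  <rule id="100500" level="4">
    <decoded_as>named</decoded_as>
    <description>bad zone transfer request</description>
    <match>bad zone transfer request</match>
    <group>sysadmin,</group>
  </rule>
  <rule id="100501" level="5">
    <if_sid>100500</if_sid>
    <match>denied</match>
    <description>zone transfer denied</description>
    <group>access_denied,sysadmin,</group>
  </rule>
</group>
"""

# Regexes are used instead of an XML parser because rules files have
# several top-level elements and are not single-rooted XML documents.
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
WRAPPER = re.compile(r'<group\s+name="([^"]*)"\s*>')
INLINE = re.compile(r"<group>([^<]*)</group>")

def split_groups(value):
    """Split 'a,b,' into ['a', 'b'], ignoring the trailing comma."""
    return [g.strip() for g in value.split(",") if g.strip()]

def groups_in_rules(text):
    """Count how often each group name appears in rules text."""
    text = COMMENT.sub("", text)  # skip groups that are commented out
    counts = Counter()
    for pattern in (WRAPPER, INLINE):
        for m in pattern.finditer(text):
            counts.update(split_groups(m.group(1)))
    return counts

if __name__ == "__main__":
    total = Counter()
    if len(sys.argv) > 1:  # paths to rules files given on the command line
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                total += groups_in_rules(fh.read())
    else:
        total = groups_in_rules(SAMPLE_RULES)
    for name, n in sorted(total.items()):
        print(f"{n:5d}  {name}")
```

Run it with the paths of your rules files as arguments; with no arguments it prints the counts for the constructed sample.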
