On Fri, Nov 2, 2012 at 12:36 PM, Andy <[email protected]> wrote:
> I know they work 0-15, but is there any advice when writing new rules?
>
> I'm just writing one or two with a view to submit some back to the community
> and wondered if there was any informal guide as to which level? I've
> skimmed the OSSEC book but can't find anything.
>
> I've always mentally worked on:
> 1-3 - don't really care, just want for an audit
> 4-6 - a little odd, but nothing to cause alarm
> 7-9 - no action needed, but permanent visibility advised
> 10-13 - this shouldn't be happening, lightly investigate then chose course
> of action
> 14-15 - investigate/remedy now
>
> Sound ok?
doc/rules.txt
**The rules will be read from the highest to the lowest level. **
00 - Ignored - No action taken. Used to avoid false positives. These rules
are scanned before all the others. They include events with no
security relevance.
01 - None -
02 - System low priority notification - System notification or
status messages. They have no security relevance.
03 - Successful/Authorized events - They include successful login attempts,
firewall allow events, etc.
04 - System low priority error - Errors related to bad configurations or
unused devices/applications. They have no security relevance and
are usually caused by default installations or software testing.
05 - User generated error - They include missed passwords, denied
actions, etc. By itself they have no security relevance.
06 - Low relevance attack - They indicate a worm or a virus that have
no affect to the system (like code red for apache servers, etc).
They also include frequently IDS events and frequently errors.
07 - "Bad word" matching. They include words like "bad", "error", etc.
These events are most of the time unclassified and may have
some security relevance.
08 - First time seen - Include first time seen events. First time
an IDS event is fired or the first time an user logged in.
If you just started using OSSEC HIDS these messages will
probably be frequently. After a while they should go away.
It also includes security relevant actions (like the starting
of a sniffer or something like that).
09 - Error from invalid source - Include attempts to login as
an unknown user or from an invalid source. May have security
relevance (specially if repeated). They also include errors
regarding the "admin" (root) account.
10 - Multiple user generated errors - They include multiple bad
passwords, multiple failed logins, etc. They may indicate an
attack or may just be that a user just forgot his credencials.
11 - Integrity checking warning - They include messages regarding
the modification of binaries or the presence of rootkits (by
rootcheck). If you just modified your system configuration
you should be fine regarding the "syscheck" messages. They
may indicate a successful attack. Also included IDS events
that will be ignored (high number of repetitions).
12 - High importancy event - They include error or warning messages
from the system, kernel, etc. They may indicate an attack against
a specific application.
13 - Unusual error (high importance) - Most of the times it matches a
common attack pattern.
14 - High importance security event. Most of the times done with
correlation and it indicates an attack.
15 - Severe attack - No chances of false positives. Immediate
attention is necessary.
