
/etc/prelude-lml/ruleset/pcre.rules is in prelude-lml-rules 4.1.0-1.

This file is owned by root:root, with mode 0o644.


#
# Rule format :
#
# For information about the fields and their meanings, please have a look at
#  the IDMEF Draft located at :
#
# http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt
#
# CREATING AND CONTRIBUTING RULES:
# Rulesets that you contribute to the Prelude-LML maintainer should follow
# these guidelines:
# - Avoid using .+ or .* in regex entries unless actually necessary.  Doing so
#   will make your rule CPU-costly to evaluate.
# - Avoid capturing variables which you don't use.  This causes unnecessary
#   memory consumption.
# - At a minimum, include regex, classification().text,
#   assessment.impact.severity, assessment.impact.type,
#   assessment.impact.description.
# - If it's correct for this application, include last.
# - Put only a single field on each line of your rules.
# - Include a sample log entry with each rule.
# - Gather as many pieces of data, and fill as many IDMEF fields as possible
#   from the log entry.
# - If a similar rule exists in another ruleset (same function, different
#   software), use the classification().text from the other rule.
# - Use only the actual log message, none of the syslog headers (this generally
#   includes timestamp, originating node, originating process, and pid).
# - Submit new rulesets to the prelude-devel mailing list for consideration.
#
# See the existing rulesets for examples.
#
# LML-specific fields:
#
# - regex:
#   A Perl-compatible regex telling the rule how to parse the log entry
#   concerned.
#
# - id:
#   A unique number identifying this rule in the Prelude-LML ruleset.  Rulesets
#   are assigned IDs in blocks of 100, so if the first rule in a ruleset is
#   2300, all of the rules in that ruleset will be 23xx.
#
# - revision:
#   The current revision of the rule.  Higher numbers indicate more recent
#   versions.
#
# - last:
#   Indicates to LML that if this rule is triggered, stop checking for further
#   regex matches.

# Prevent LML from matching its own output and creating a logging loop in case
# of odd syslog configurations
#
# "no appropriate format defined for log entry" is the message LML itself emits
# when an entry matched nothing. This rule swallows it (silent) and, per the
# description of "last" above, stops any further regex evaluation for it.
# NOTE(review): "silent" is not described in the field list above; presumably
# it suppresses alert generation for the match — confirm against the LML docs.

regex=no appropriate format defined for log entry; \
  silent; \
  last

# Ruleset dispatch table.
#
# Each line pairs a cheap "gate" regex with one or more rulesets to include.
# Judging by the httpd and squid comments further down, the gate decides
# whether a log entry is handed to the included ruleset at all, so it should be
# as specific as the application's log format allows. Gates are unanchored
# substring matches: "sudo" matches any message containing that string
# anywhere, not only a sudo process name. The rules inside the included files
# are what must validate the structure of the message itself.
#
# Reviewer notes on this table (rule lines left unchanged):
# - Several gates use capturing groups, e.g. "(snmptrapd)", "(FOUND|virus)",
#   "(kernel|grsec)". Per the guideline above ("Avoid capturing variables
#   which you don't use") a non-capturing group, e.g. "(?:FOUND|virus)",
#   would do the same job without retaining a capture.
# - Some gates are very broad: "-\S+:" (cisco-asa) matches any message
#   containing a hyphen followed by non-space characters and a colon, "EMU"
#   matches any message containing those three uppercase letters, and
#   "(honeyd|icmp|tcp|udp)" will match a large share of network/firewall
#   logs. Every such match costs a full pass through the included ruleset,
#   which is the CPU cost the header warns about.
# - Overlapping gates route one entry into several rulesets: anything that
#   matches "%ACE-\d+-\S+:" also matches "%\S+-\d+-\S+" (cisco-common and
#   cisco-router), "snmptrapd" appears in two gates (cisco-ips-2 and
#   symantec-scsp), and "kernel" appears in the grsecurity, f5-bigip and
#   netfilter gates. That is presumably intentional, but it multiplies the
#   evaluation cost for those entries.

regex=EMU;                              include = apc-emu.rules;
regex=(anomaly|since|firstSeen);        include = arbor.rules;
regex=arpwatch;                         include = arpwatch.rules;
regex=chan_sip.c;                       include = asterisk.rules;
regex=CactiTholdLog;                    include = cacti-thold.rules;
regex=product:;                         include = checkpoint.rules;
# NOTE(review): the disabled cisco-asa line below ends in a "\" continuation
# marker. Confirm the parser discards continuation markers inside comments;
# otherwise the cisco-ace line that follows could be glued onto the comment.
#regex=%\S+-\d+-\S+;                     include = cisco-asa.rules; \
regex=%ACE-\d+-\S+:;                    include = cisco-ace.rules;
regex=-\S+:;                            include = cisco-asa.rules;
regex=%\S+-\d+-\S+;                     include = cisco-common.rules; \
                                        include = cisco-router.rules;
regex=(IPV4|SSHD|NETMAN)-\d+;           include = cisco-css.rules;
# snmptrapd events go to cisco-ips-2.rules; the cisco-ips.rules entry below is
# commented out and appears to be superseded by it.
regex=(snmptrapd);                      include = cisco-ips-2.rules;
#regex=snmptrapd;                        include = cisco-ips.rules;
regex=SEV=;                             include = cisco-vpn.rules;
# The clamav entry further down uses (FOUND|virus) rather than the simpler
# "clamd" so that events written in clamav's own logging format are caught.
regex=radiusd\[(\d+)\];                 include = radiusd.rules;
regex=Juniper:;                         include = juniper-vpn.rules;
regex=SymantecServer \S+:;              include = symantec-epm.rules;
regex=snmptrapd;                        include = symantec-scsp.rules;
regex=(FOUND|virus);                    include = clamav.rules;
regex=server administrator;             include = dell-om.rules;
regex=(kernel|grsec);                   include = grsecurity.rules;
regex=(bigconf|kernel);                 include = f5-bigip.rules;
regex=devname=;                         include = fortigate.rules;
regex=(honeyd|icmp|tcp|udp);            include = honeyd.rules;
regex=\[([0-9-]+) ([0-9:]+)\];          include = honeytrap.rules;
regex=\[(SSHChannel|SSHService);        include = kojoney.rules;
# Using this somewhat complex regex instead of the simpler httpd due to the
# fact that we might be directly monitoring httpd logs instead of httpd syslog
# entries (in which case we won't have the process name to match against)
regex=(\[error\]|Pass|httpd);           include = httpd.rules; \
                                        include = modsecurity.rules;
# "kernel" also gates grsecurity.rules and f5-bigip.rules above; kernel
# messages therefore pass through all five of these rulesets.
regex=(kernel|ulogd);                   include = ipchains.rules; \
                                        include = netfilter.rules; \
                                        include = bonding.rules;
regex=ipfw;                             include = ipfw.rules;
regex=[Ww]ireless;                      include = linksys-wap11.rules;
regex=clussvc;                          include = ms-cluster.rules;
regex=mssql;                            include = ms-sql.rules;
regex=nagios;                           include = nagios.rules;
regex=norton;                           include = navce.rules;
regex=\[[^:]*:[^\]]*\]:;                include = netapp-ontap.rules;
regex=system-(emergency|alert)-;        include = netscreen.rules;
regex=security\[;                       include = ntsyslog.rules;
regex=[Pp][Aa][Mm]_;                    include = pam.rules;
regex=[Ss][Uu]:;                        include = su.rules;
regex=pcanywhere;                       include = pcanywhere.rules;
regex=portsentry;                       include = portsentry.rules;
regex=postfix/;                         include = postfix.rules;
regex=proftpd;                          include = proftpd.rules;
regex=popper;                           include = qpopper.rules;
regex=(ppp|pptpd);                      include = ppp.rules;
regex=INFO\s+srcIP;                     include = rishi.rules;
regex=avc:;                             include = selinux.rules;
regex=sendmail;                         include = sendmail.rules;
regex=(user|group)(mod|add|del);            include = shadow-utils.rules;
regex=id=firewall;                      include = sonicwall.rules;
regex=spamd;                            include = spamassassin.rules;
# More complex regex to handle data coming directly from Squid log files
regex=(Acceptin|Squid|Disabled|DENIED); include = squid.rules;
regex=sshd;                             include = ssh.rules;
regex=sudo;                             include = sudo.rules;
regex=suhosin;                          include = suhosin.rules;
regex=tripwire;                         include = tripwire.rules;
regex=[wl]an @Group:;                   include = vigor.rules;
regex=vpopmail;                         include = vpopmail.rules;
regex=webmin;                           include = webmin.rules;
regex=ftpd;                             include = wu-ftp.rules;
# Both Windows event-log forwarders share the MSWinEventLog marker, so one gate
# feeds both rulesets.
regex=MSWinEventLog;                    include = snare_windows.rules; \
                                        include = nxlog_windows.rules;


# openhostapd logs carry no single distinctive token, so this gate lists
# several message fragments instead (an unanchored alternation):
regex=(removed node|\(rate:\s(\d+)\/(\d+)\ssec\)|sent ADD notification|attached Host AP interface);    include = openhostapd.rules;

# All rules that are standalone/not part of a ruleset go into single.rules.
# No gate regex here: single.rules is consulted for every entry.
include = single.rules;