/etc/prelude-lml/ruleset/pcre.rules is in prelude-lml 1.0.0-2build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#
# Rule format :
#
# For information about the fields and their meanings, please have a look at
# the IDMEF Draft located at :
#
# http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt
#
# CREATING AND CONTRIBUTING RULES:
# Rulesets that you contribute to the Prelude-LML maintainer should follow
# these guidelines:
# - Avoid using .+ or .* in regex entries unless actually necessary. Doing so
# makes the rule CPU-costly to evaluate, since it is tried against every log entry.
# - Avoid capturing variables which you don't use. Unused captures cause
# unnecessary memory consumption.
# - At a minimum, include regex, classification().text,
# assessment.impact.severity, assessment.impact.type,
# assessment.impact.description.
# - If it's correct for this application, include last.
# - Put only a single field on each line of your rules.
# - Include a sample log entry with each rule.
# - Gather as many pieces of data, and fill as many IDMEF fields as possible
# from the log entry.
# - If a similar rule exists in another ruleset (same function, different
# software), use the classification().text from the other rule.
# - Use only the actual log message, none of the syslog headers (this generally
# includes timestamp, originating node, originating process, and pid).
# - Submit new rulesets to the prelude-devel mailing list for consideration.
#
# See the existing rulesets for examples.
#
# LML-specific fields:
#
# - regex:
# A Perl-compatible regular expression telling LML how to recognise, and
# parse, the log entry this rule is concerned with.
#
# - id:
# A unique number identifying this rule in the Prelude-LML ruleset. Rulesets
# are assigned IDs in blocks of 100, so if the first rule in a ruleset is
# 2300, all of the rules in that ruleset will be 23xx.
#
# - revision:
# The current revision of the rule. Higher numbers indicate more recent
# versions.
#
# - last:
# Indicates to LML that, if this rule is triggered, it should stop checking
# the current log entry against any further regex rules.
# ---------------------------------------------------------------------------
# Dispatch table.  Each "regex=" entry below acts as a cheap pre-filter: the
# ruleset files named by its "include =" fields are only tried against a log
# entry when that regex matches it (see the clamav/httpd/squid notes below for
# why some pre-filters are deliberately broader than a process name).
# Every regex here is unanchored, so a bare substring such as "kernel" or
# "ftpd" fires on any line that contains it anywhere.
# ---------------------------------------------------------------------------
# Prevent LML from matching its own output and creating a logging loop in case
# of odd syslog configurations.
#
# NOTE(review): this regex is unanchored and "last" (see header) stops all
# further matching, so ANY log entry containing this substring is dropped
# without ever reaching the rulesets below.  A sender who controls part of a
# logged field (a login name, a URL, a mail subject, ...) could embed this text
# to slip a line past every other rule.  Accepted here to avoid the loop, but
# keep it in mind when auditing missed detections.  "silent" is not described
# in the header; presumably it suppresses the alert for the match -- confirm.
regex=no appropriate format defined for log entry; \
silent; \
last
# One pre-filter per product/daemon.  Several products share a pre-filter
# where their log lines cannot be told apart by name alone (e.g. "kernel").
regex=EMU; include = apc-emu.rules;
# NOTE(review): "since" is an ordinary English word, so this pre-filter will
# admit many unrelated lines to arbor.rules; keep that ruleset's regexes tight.
regex=(anomaly|since|firstSeen); include = arbor.rules;
regex=arpwatch; include = arpwatch.rules;
regex=chan_sip.c; include = asterisk.rules;
regex=CactiTholdLog; include = cacti-thold.rules;
regex=product:; include = checkpoint.rules;
# Cisco-style "%XXX-n-YYY" message tags; the one pre-filter gates all three
# Cisco rulesets.
regex=%\S+-\d+-\S+; include = cisco-asa.rules; \
include = cisco-common.rules; \
include = cisco-router.rules;
regex=(IPV4|SSHD|NETMAN)-\d+; include = cisco-css.rules;
regex=snmptrapd; include = cisco-ips.rules;
regex=SEV=; include = cisco-vpn.rules;
# Using this regex rather than simpler clamd to handle events from clamav
# logging format
regex=(FOUND|virus); include = clamav.rules;
# NOTE(review): the dell-om, honeytrap and kojoney entries below have no
# trailing ';', unlike the rest of the file.  Harmless if ';' is only a field
# separator (the first rule also ends without one), but worth normalising.
regex=server administrator; include = dell-om.rules
# "kernel" lines are shared by grsecurity, f5-bigip and the netfilter group
# further down: each of those rulesets is tried for every kernel message.
regex=(kernel|grsec); include = grsecurity.rules;
regex=(bigconf|kernel); include = f5-bigip.rules;
# Very broad pre-filter: any line containing "tcp", "udp" or "icmp" reaches
# honeyd.rules (see the CPU-cost guideline in the header).
regex=(honeyd|icmp|tcp|udp); include = honeyd.rules;
# Matches a bracketed "[digits-and-dashes digits-and-colons]" token, i.e. a
# date/time stamp that honeytrap presumably writes into the message body.
regex=\[([0-9-]+) ([0-9:]+)\]; include = honeytrap.rules
regex=\[(SSHChannel|SSHService); include = kojoney.rules
# Using this somewhat complex regex instead of the simpler httpd due to the
# fact that we might be directly monitoring httpd logs instead of httpd syslog
# entries (in which case we won't have the process name to match against)
regex=(\[error\]|Pass|httpd); include = httpd.rules; \
include = modsecurity.rules;
# Packet-filter logging: kernel (ipchains/netfilter) and ulogd output, plus
# the bonding driver which also logs via "kernel".
regex=(kernel|ulogd); include = ipchains.rules; \
include = netfilter.rules; \
include = bonding.rules;
regex=ipfw; include = ipfw.rules;
regex=[Ww]ireless; include = linksys-wap11.rules;
regex=clussvc; include = ms-cluster.rules;
regex=mssql; include = ms-sql.rules;
regex=nagios; include = nagios.rules;
regex=norton; include = navce.rules;
# NetApp ONTAP messages carry a bracketed "[something:something]:" tag.
regex=\[[^:]*:[^\]]*\]:; include = netapp-ontap.rules;
regex=system-(emergency|alert)-; include = netscreen.rules;
regex=security\[; include = ntsyslog.rules;
# Case-insensitive matches spelled out with character classes.
regex=[Pp][Aa][Mm]_; include = pam.rules;
regex=[Ss][Uu]:; include = su.rules;
regex=pcanywhere; include = pcanywhere.rules;
regex=portsentry; include = portsentry.rules;
regex=postfix/; include = postfix.rules;
regex=proftpd; include = proftpd.rules;
regex=popper; include = qpopper.rules;
regex=(ppp|pptpd); include = ppp.rules;
regex=INFO\s+srcIP; include = rishi.rules;
# SELinux AVC records ("avc:").
regex=avc:; include = selinux.rules;
regex=sendmail; include = sendmail.rules;
# Only the add/mod variants pass this pre-filter (useradd, usermod, groupadd,
# groupmod); userdel/groupdel lines do not match it and so are never offered
# to shadow-utils.rules.
regex=(user|group)(mod|add); include = shadow-utils.rules;
regex=id=firewall; include = sonicwall.rules;
regex=spamd; include = spamassassin.rules;
# More complex regex to handle data coming directly from Squid log files
regex=(Acceptin|Squid|Disabled|DENIED); include = squid.rules;
regex=sshd; include = ssh.rules;
regex=sudo; include = sudo.rules;
regex=suhosin; include = suhosin.rules;
regex=tripwire; include = tripwire.rules;
regex=[wl]an @Group:; include = vigor.rules;
regex=vpopmail; include = vpopmail.rules;
regex=webmin; include = webmin.rules;
# "ftpd" is also a substring of "proftpd", so proftpd lines are offered to
# wu-ftp.rules as well as to proftpd.rules above.
regex=ftpd; include = wu-ftp.rules;
regex=MSWinEventLog; include = snare_windows.rules;
# Openhostapd.rules doesn't have specific stuff we can match:
regex=(removed node|\(rate:\s(\d+)\/(\d+)\ssec\)|sent ADD notification|attached Host AP interface); include = openhostapd.rules;
# All rules that are standalone/not part of a ruleset go into single.rules
# (no gating regex on this include, so it is presumably tried for every entry).
include = single.rules;