Add some openbsd dhcpd rules

contrib/ossec-testing/tests/openbsd-dhcpd.ini

@@ -0,0 +1,25 @@
+[lease release]
+log 1 pass = Jan 26 18:12:55 junction dhcpd[4842]: IP address 192.168.1.16 answers a ping after sending a release
+log 2 pass = Jan 26 18:12:40 junction dhcpd[4842]: Possible release spoof - Not releasing address 192.168.17.160
+
+rule = 53003
+alert = 5
+decoder = dhcpd
+
+[no free leases]
+log 1 pass = Jan 26 17:42:32 junction dhcpd[4842]: no free leases on subnet 192.168.17.0
+
+rule = 53011
+alert = 7
+decoder = dhcpd
+
+[normal dhcp stuff]
+log 1 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPREQUEST for 192.168.17.164 from f4:8c:50:9d:eb:35 via em1
+log 2 pass = Jan 27 09:25:36 junction dhcpd[71391]: DHCPDISCOVER from f4:8c:50:9d:eb:35 via em1
+log 3 pass = Jan 27 09:25:31 junction dhcpd[71391]: DHCPOFFER on 192.168.17.164 to f4:8c:50:9d:eb:35 via em1
+
+rule = 53001
+alert = 1
+decoder = dhcpd
+
+

etc/decoder.xml

@@ -3195,4 +3195,28 @@ s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFE
   <order>user</order>
 </decoder>
 
+<decoder name="dhcpd">
+  <program_name>^dhcpd$</program_name>
+</decoder>
+
+<decoder name="dhcpd-data">
+  <parent>dhcpd</parent>
+  <regex offset="after_parent">^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$</regex>
+  <order>action, srcip, extra_data, extra_data</order>
+</decoder>
+
+<decoder name="dhcpd-ack">
+  <parent>dhcpd</parent>
+  <prematch> acking </prematch>
+  <regex offset="after_parent">already acking lease (\S+)</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="dhcpd-release">
+  <parent>dhcpd</parent>
+  <prematch>^IP address</prematch>
+  <regex offset="after_parent">^IP address (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
 <!-- EOF -->

etc/ossec-local.conf

@@ -74,6 +74,7 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>exim_rules.xml</include>
+    <include>openbsd-dhcpd_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>
 

etc/ossec-server.conf

@@ -72,6 +72,7 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>exim_rules.xml</include>
+    <include>openbsd-dhcpd_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>
 

etc/ossec.conf

@@ -31,6 +31,7 @@
     <include>dropbear_rules.xml</include>
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
+    <include>openbsd-dhcpd_rules.xml</include>
   </rules>  
 
   <syscheck>

etc/rules/openbsd-dhcpd_rules.xml

@@ -0,0 +1,84 @@
+<!-- OpenBSD dhcpd -->
+<!--
+Aug 10 09:45:28 junction dhcpd[2042]: DHCPREQUEST for 192.168.17.154 from b4:b5:2f:15:4c:ec via sk0
+Aug 10 09:45:28 junction dhcpd[2042]: DHCPACK on 192.168.17.154 to b4:b5:2f:15:4c:ec via sk0
+-->
+
+<group name="syslog,dhcpd,">
+  <rule id="53000" level="0">
+    <decoded_as>dhcpd</decoded_as>
+    <description>dhcpd grouping.</description>
+  </rule>
+
+  <rule id="53001" level="1">
+    <if_sid>53000</if_sid>
+    <match>^DHCPREQUEST|^DHCPOFFER |^DHCPDISCOVER|^DHCPACK</match>
+    <description>Normal dhcp.</description>
+  </rule>
+
+  <rule id="53003" level="5">
+    <if_sid>53000</if_sid>
+    <match>answers a ping after sending a release|Possible release spoof</match>
+    <description>A host issued a release but is responding to pings.</description>
+  </rule>
+
+  <rule id="53004" level="1">
+    <if_sid>53000</if_sid>
+    <match>expecting left brace.$|</match>
+    <match>fixed-address parameter not allowed here.$|</match>
+    <match>parameters not allowed after first declaration.$|</match>
+    <match>Configuration file errors encountered</match>
+    <description>Configuration errors.</description>
+  </rule>
+
+  <rule id="53005" level="3">
+    <if_sid>53000</if_sid>
+    <match>exiting.$</match>
+    <description>dhcpd is exiting.</description>
+  </rule>
+
+  <rule id="53006" level="1">
+    <if_sid>53000</if_sid>
+    <match>Can't listen on </match>
+    <description>dhcpd cannot listen to an interface.</description>
+  </rule>
+
+  <rule id="53007" level="1">
+    <if_sid>53006</if_sid>
+    <match>has no subnet declaration for</match>
+    <description>dhcpd is not configured to listen to an interface.</description>
+  </rule>
+
+  <rule id="53008" level="1">
+    <if_sid>53000</if_sid>
+    <match>Listening on </match>
+    <description>dhcpd has been started.</description>
+  </rule>
+
+  <rule id="53009" level="0">
+    <if_sid>53000</if_sid>
+    <match>^Address range </match>
+    <description>Message with address range.</description>
+  </rule>
+
+  <rule id="53010" level="2">
+    <if_sid>53009</if_sid>
+    <match> not on net </match>
+    <description>Defined address range is not on the configured network.</description>
+  </rule>
+
+  <rule id="53011" level="7">
+    <if_sid>53000</if_sid>
+    <match>^no free leases</match>
+    <description>DHCP server has run out of leases.</description>
+  </rule>
+
+  <rule id="53013" level="2">
+    <if_sid>53000</if_sid>
+    <match>^already acking lease </match>
+    <description>Multiple acks.</description>
+  </rule>
+
+
+</group>
+

etc/templates/config/rules.template

@@ -63,5 +63,6 @@
     <include>sysmon_rules.xml</include>
     <include>opensmtpd_rules.xml</include>
     <include>exim_rules.xml</include>
+    <include>openbsd-dhcpd_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>