<!-- @(#) $Id: imapd_rules.xml,v 1.8 2010/03/04 20:12:33 dcid Exp $
  -  Official imapd rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<!-- Number of failed imapd logins (rule 3601) from one source IP that
     rule 3651 must see inside its timeframe before it fires. -->
<var name="IMAPD_FREQ">6</var>

<group name="syslog,imapd,">

  <!-- Parent rule: every event the imapd decoder claims lands here.
       Level 0 together with noalert="1" means it never alerts on its
       own; the child rules below chain to it through if_sid. -->
  <rule id="3600" level="0" noalert="1">
    <decoded_as>imapd</decoded_as>
    <description>Grouping of the imapd rules.</description>
  </rule>

  <!-- One failed authentication. match is a substring test with "|" as
       OR, so either alternative anywhere in the log line is enough. -->
  <rule id="3601" level="5">
    <if_sid>3600</if_sid>
    <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
    <description>Imapd user login failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Successful authentication, kept at a low level so it is recorded
       without becoming noise. -->
  <rule id="3602" level="3">
    <if_sid>3600</if_sid>
    <match>Authenticated user=</match>
    <description>Imapd user login.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Session end. Level 0 keeps it out of the alert stream. -->
  <rule id="3603" level="0">
    <if_sid>3600</if_sid>
    <match>Logout user=</match>
    <description>Imapd user logout.</description>
  </rule>

  <!-- Composite rule: fires once rule 3601 has matched $IMAPD_FREQ times
       within 120 seconds from the same source IP, the usual shape of a
       password guessing attempt. same_source_ip relies on the decoder
       having extracted srcip; events without it cannot be correlated. -->
  <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
    <if_matched_sid>3601</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins from same source ip.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- /group syslog,imapd -->