
/rules/50_imapd_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules
<!-- @(#) $Id: imapd_rules.xml,v 1.8 2010/03/04 20:12:33 dcid Exp $
  -  Official imapd rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->


<!-- Threshold for the brute-force correlation rule 3651 below: the number of
     rule 3601 (failed login) matches from one source IP, inside the 3651
     timeframe, that escalate to a level 10 alert. Referenced as $IMAPD_FREQ.
     Exact counting (whether the hit that reaches the threshold is included)
     is up to the OSSEC analysis engine, so tune by observation. -->
<var name="IMAPD_FREQ">6</var>

<group name="syslog,imapd,">
  <!-- Parent rule: every event the imapd decoder produces lands here.
       Level 0 with noalert, so it never alerts by itself; its only job is
       to be the if_sid anchor for the rules below. -->
  <rule id="3600" level="0" noalert="1">
    <decoded_as>imapd</decoded_as>
    <description>Grouping of the imapd rules.</description>
  </rule>

  <!-- Single failed login. "|" is an OR in an OSSEC match, so either
       message form fires this rule. Tagged authentication_failed; this is
       the event that rule 3651 counts. -->
  <rule id="3601" level="5">
    <if_sid>3600</if_sid>
    <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
    <description>Imapd user login failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Successful login, recorded at low severity (level 3) and tagged
       authentication_success. -->
  <rule id="3602" level="3">
    <if_sid>3600</if_sid>
    <match>Authenticated user=</match>
    <description>Imapd user login.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Logout. Level 0 (below OSSEC's default alert level), so the event is
       classified but not alerted on. -->
  <rule id="3603" level="0">
    <if_sid>3600</if_sid>
    <match>Logout user=</match>
    <description>Imapd user logout.</description>
  </rule>

  <!-- Brute-force correlation: $IMAPD_FREQ hits of rule 3601 from the same
       source IP within 120 seconds escalate to level 10, tagged
       authentication_failures. NOTE(review): same_source_ip assumes the
       imapd decoder extracts a source IP field; if it does not, this rule
       can never fire - confirm against the decoder definition. -->
  <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
    <if_matched_sid>3601</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins from same source ip.</description>
    <group>authentication_failures,</group>
  </rule>

</group> <!-- SYSLOG,IMAPD -->