/rules/50_imapd_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 51 lines · 30 code · 8 blank · 13 comment · 0 complexity · b66e4213e15cf1e6d5dfd160c36905fe MD5 · raw file

  1. <!-- @(#) $Id: imapd_rules.xml,v 1.8 2010/03/04 20:12:33 dcid Exp $
  2. - Official imapd rules for OSSEC.
  3. -
  4. - Copyright (C) 2009 Trend Micro Inc.
  5. - All rights reserved.
  6. -
  7. - This program is a free software; you can redistribute it
  8. - and/or modify it under the terms of the GNU General Public
  9. - License (version 2) as published by the FSF - Free Software
  10. - Foundation.
  11. -
  12. - License details: http://www.ossec.net/en/licensing.html
  13. -->
  14. <var name="IMAPD_FREQ">6</var>
  15. <group name="syslog,imapd,">
  16. <rule id="3600" level="0" noalert="1">
  17. <decoded_as>imapd</decoded_as>
  18. <description>Grouping of the imapd rules.</description>
  19. </rule>
  20. <rule id="3601" level="5">
  21. <if_sid>3600</if_sid>
  22. <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
  23. <description>Imapd user login failed.</description>
  24. <group>authentication_failed,</group>
  25. </rule>
  26. <rule id="3602" level="3">
  27. <if_sid>3600</if_sid>
  28. <match>Authenticated user=</match>
  29. <description>Imapd user login.</description>
  30. <group>authentication_success,</group>
  31. </rule>
  32. <rule id="3603" level="0">
  33. <if_sid>3600</if_sid>
  34. <match>Logout user=</match>
  35. <description>Imapd user logout.</description>
  36. </rule>
  37. <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
  38. <if_matched_sid>3601</if_matched_sid>
  39. <same_source_ip />
  40. <description>Multiple failed logins from same source ip.</description>
  41. <group>authentication_failures,</group>
  42. </rule>
  43. </group> <!-- SYSLOG,IMAPD -->