/rules/translated/pure_ftpd/pure-ftpd_rules_sv.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 69 lines · 49 code · 13 blank · 7 comment · 0 complexity · 381e32a315dd93be504e14ee2b8893e6 MD5 · raw file 

    

  1. <!-- @(#) $Id: pure-ftpd_rules_sv.xml,v 1.1 2008/04/10 18:47:42 dcid Exp $
    2. 

  2.   -  Official pure-ftpd rules for OSSEC.
    3. 

  3.   -  Author: Peter Ahlert <peter@ifup.de>
    4. 

  4.   -  Author: Daniel B. Cid
    5. 

  5.   -  License: http://www.ossec.net/en/licensing.html
    6. 

  6.   -->
    7. 

  7.       
    8. 

  8. 

  9. <group name="syslog,pure-ftpd,">
    10. 

  10.   <rule id="11300" level="0">
    11. 

  11.     <decoded_as>pure-ftpd</decoded_as>
    12. 

  12.     <description>Grouping for the pure-ftpd rules.</description>
    13. 

  13.   </rule>
    14. 

  14.   
    15. 

  15.   <rule id="11301" level="3">
    16. 

  16.     <if_sid>11300</if_sid>
    17. 

  17.     <match>[INFO] Nyanslutning från</match>
    18. 

  18.     <description>New FTP connection.</description>
    19. 

  19.     <group>connection_attempt,</group>
    20. 

  20.   </rule>
    21. 

  21. 

  22.   <rule id="11302" level="5">
    23. 

  23.     <if_sid>11300</if_sid>
    24. 

  24.     <match>[WARNING] Behörighetskontroll misslyckas för användare</match>
    25. 

  25.     <description>FTP Authentication failed.</description>
    26. 

  26.     <group>authentication_failed,</group>
    27. 

  27.   </rule>
    28. 

  28. 

  29.   <rule id="11303" level="0">
    30. 

  30.     <if_sid>11300</if_sid>
    31. 

  31.     <match> [INFO] Logout| [INFO] Timeout</match>
    32. 

  32.     <description>FTP user logout/timeout</description>
    33. 

  33.   </rule>
    34. 

  34.   
    35. 

  35.   <rule id="11304" level="0">
    36. 

  36.     <if_sid>11300</if_sid>
    37. 

  37.     <match> [NOTICE] </match>
    38. 

  38.     <description>FTP notice messages</description>
    39. 

  39.   </rule>
    40. 

  40.   
    41. 

  41.   <rule id="11305" level="5">
    42. 

  42.     <if_sid>11300</if_sid>
    43. 

  43.     <match>[INFO] Kan ej ändra bibliotek till</match>
    44. 

  44.     <description>Attempt to access invalid directory</description>
    45. 

  45.   </rule>  
    46. 

  46. 

  47.   <rule id="11306" level="10" frequency="6" timeframe="3600">
    48. 

  48.     <if_matched_sid>11302</if_matched_sid>
    49. 

  49.     <description>FTP brute force (multiple failed logins).</description>
    50. 

  50.     <group>authentication_failures,</group>
    51. 

  51.   </rule>
    52. 

  52. 

  53.   <rule id="11307" level="10" frequency="6" timeframe="60">
    54. 

  54.     <if_matched_sid>11301</if_matched_sid>
    55. 

  55.     <same_source_ip />
    56. 

  56.     <description>Multiple connection attempts from same source.</description>
    57. 

  57.     <group>recon,</group>
    58. 

  58.   </rule>
    59. 

  59. 

  60.   <rule id="11309" level="3">
    61. 

  61.     <match>[INFO] \S+ har loggat in</match>
    62. 

  62.     <description>FTP Authentication success.</description>
    63. 

  63.     <group>authentication_success,</group>
    64. 

  64.   </rule>  
    65. 

  65. 

  66. </group> <!-- SYSLOG,PURE-FTPD -->
    67. 

  67. 

  68. 

  69. <!-- EOF -->
    70.