1 <!-- Copyright (C) 2009 Michael Starks
2 - This program is a free software; you can redistribute it
3 - and/or modify it under the terms of the GNU General Public
4 - License (version 3) as published by the FSF - Free Software
9 <group name="dovecot,">
<!-- Parent rule: selects every event the decoder labelled "dovecot" and gives it
     level 0, so this rule raises no alert by itself. The child rules below
     presumably attach to it through if_sid lines that this listing does not
     show (gutter numbers skip); confirm against the full file. -->
10 <rule id="9700" level="0">
11 <decoded_as>dovecot</decoded_as>
12 <description>Dovecot Messages Grouped.</description>
<!-- Successful login, level 3, tagged authentication_success. The match is a
     plain substring. NOTE(review): no rule visible in this listing correlates a
     success that follows a burst of 9702/9705 failures; that sequence is worth a
     dedicated composite rule if account compromise detection matters here. -->
15 <rule id="9701" level="3">
17 <match>login: Login: </match>
18 <description>Dovecot Authentication Success.</description>
19 <group>authentication_success,</group>
<!-- Failed password check, level 5, tagged authentication_failed; counted by
     composite rule 9750. The trailing $ anchors the phrase to the end of the log
     line, so a message carrying any text after "Password mismatch" is not matched.
     NOTE(review): Dovecot is understood to log this reason only when verbose
     authentication logging (auth_verbose) is enabled; confirm on the monitored
     hosts, otherwise 9702 and 9750 stay silent. -->
22 <rule id="9702" level="5">
24 <match>Password mismatch$</match>
25 <description>Dovecot Authentication Failed.</description>
26 <group>authentication_failed,</group>
<!-- Service start, level 3. The match is an unanchored substring, so any
     dovecot-decoded message containing "starting up" is classified here.
     An unexpected start shortly after a 9704 fatal event is worth reviewing
     together with it. -->
29 <rule id="9703" level="3">
31 <match>starting up</match>
32 <description>Dovecot is Starting Up.</description>
<!-- Fatal error, matched only when the message starts with "Fatal: ".
     The level is 2, which is low, and the alert_by_email option requests an
     e-mail for this rule regardless of the level-based e-mail threshold.
     NOTE(review): if alerts are consumed by level (dashboards, SIEM filters)
     rather than by e-mail, a level 2 fatal failure is easy to miss; confirm the
     level reflects how availability events are triaged. -->
35 <rule id="9704" level="2">
37 <match>^Fatal: </match>
38 <options>alert_by_email</options>
39 <description>Dovecot Fatal Failure.</description>
<!-- Login attempt for an account that does not exist, level 5, tagged
     invalid_login and authentication_failed; counted by composite rule 9751.
     The three alternatives are unanchored substrings separated by "|", so they
     match anywhere in a dovecot-decoded message. Repeated hits from one source
     usually indicate account-name guessing rather than password guessing. -->
42 <rule id="9705" level="5">
44 <match>user not found|User not known|unknown user</match>
45 <description>Dovecot Invalid User Login Attempt.</description>
46 <group>invalid_login,authentication_failed,</group>
<!-- Session end, level 3, no group tag. This is routine, high-volume traffic;
     it is classified for completeness and is not referenced by the composite
     rules visible in this listing. -->
49 <rule id="9706" level="3">
51 <match>: Disconnected: </match>
52 <description>Dovecot Session Disconnected.</description>
<!-- Login aborted before completion, level 5, tagged invalid_login only.
     NOTE(review): no composite rule visible here counts 9707, so a source that
     repeatedly opens and abandons logins never escalates above level 5; consider
     whether it should feed a frequency rule like 9750/9751. -->
55 <rule id="9707" level="5">
57 <match>: Aborted login</match>
58 <description>Dovecot Aborted Login.</description>
59 <group>invalid_login,</group>
63 <!-- Composite rules -->
<!-- Composite rule: escalates to level 10 when rule 9702 (password mismatch)
     repeats, with frequency 6 inside a 120 second timeframe.
     NOTE(review): gutter line 66 is missing from this listing; it presumably
     holds a correlation constraint such as same_source_ip. Confirm it is present.
     Without one the count is global and a busy server can trip it with unrelated
     users; with one, failures spread over many source addresses are not counted
     together. OSSEC documentation also states the rule fires at frequency + 2
     matches; verify for the engine version in use. -->
64 <rule id="9750" level="10" frequency="6" timeframe="120">
65 <if_matched_sid>9702</if_matched_sid>
67 <description>Dovecot Multiple Authentication Failures.</description>
68 <group>authentication_failures,</group>
<!-- Composite rule: escalates to level 10 when rule 9705 (unknown user) repeats,
     with frequency 6 inside a 240 second timeframe, twice the window of 9750.
     The description says "multiple auth failures", but the trigger is
     invalid-account events only, so an alert from this rule points to user-name
     guessing or enumeration; password failures against valid accounts are
     covered by 9750 instead.
     NOTE(review): gutter line 73 is missing from this listing; presumably a
     source correlation constraint such as same_source_ip. Confirm against the
     full file. -->
71 <rule id="9751" level="10" frequency="6" timeframe="240">
72 <if_matched_sid>9705</if_matched_sid>
74 <description>Dovecot brute force attack (multiple auth failures).</description>
75 <group>authentication_failures,</group>