1 <!-- Authors: Alexandr Garaga
2 - This program is a free software; you can redistribute it
3 - and/or modify it under the terms of the GNU General Public
4 - License (version 2) as published by the FSF - Free Software
7 - License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
<!-- Grouping rule for the Exim chain: applies to events decoded as
     windows-date-format whose text begins with a "YYYY-MM-DD HH:MM:SS"
     timestamp followed by "SMTP ". Level 0, so it only classifies the line;
     rules 13008, 13009 and 13010 build on it through if_sid. -->
11 <rule id="13000" level="0">
12 <decoded_as>windows-date-format</decoded_as>
13 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP </regex>
14 <description>Exim SMTP Messages Grouped.</description>
<!-- Second level 0 grouping rule: same timestamp prefix as 13000, followed by
     text that starts with "dovecot" (no trailing space, so any token with that
     prefix matches). Rule 13006 (Exim auth failure) is its child, so this rule
     belongs to the Exim chain despite its description.
     NOTE(review): presumably this targets Exim lines that name a dovecot_*
     authenticator; confirm against sample logs. -->
17 <rule id="13001" level="0">
18 <decoded_as>windows-date-format</decoded_as>
19 <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot</regex>
20 <description>dovecot messages grouped.</description>
<!-- Single authentication failure: level 5 alert when a line already matched
     by 13001 contains "authenticator failed". Tagged invalid_login and
     authentication_failed; 13007 counts repeats of this rule.
     NOTE(review): only lines that pass the "dovecot" prefix regex of 13001 can
     reach this rule. Failures logged under a different prefix would not be
     seen here; verify coverage against the authenticators configured on the
     mail server. -->
23 <rule id="13006" level="5">
24 <if_sid>13001</if_sid>
25 <match>authenticator failed</match>
26 <description>Exim Auth failed</description>
27 <group>invalid_login,authentication_failed,</group>
<!-- Composite rule: escalates to level 10 when rule 13006 keeps matching, as
     set by frequency="6" within timeframe="240" (seconds). Tagged
     authentication_failures.
     NOTE(review): this listing skips original line 32 (the gutter jumps from
     31 to 33), so any correlation constraint such as one on the source
     address is not visible here. Confirm one is present; without it, failures
     from unrelated clients would be counted together. -->
30 <rule id="13007" level="10" frequency="6" timeframe="240">
31 <if_matched_sid>13006</if_matched_sid>
33 <description>Exim brute force attack (multiple auth failures).</description>
34 <group>authentication_failures,</group>
<!-- Child of 13000 for lines containing "connection count =". Level 0, so
     these lines are classified but do not raise an alert. -->
37 <rule id="13008" level="0">
38 <if_sid>13000</if_sid>
39 <match>connection count =</match>
40 <description>Exim connection</description>
<!-- Child of 13000 at level 1, described as a lost connection.
     NOTE(review): no match or regex element is visible in this listing (the
     gutter jumps from 44 to 46). Confirm the pattern on the omitted line; as
     shown here, nothing narrows this rule beyond its parent 13000. -->
43 <rule id="13009" level="1">
44 <if_sid>13000</if_sid>
46 <description>Exim connection lost</description>
<!-- Child of 13000: level 5 alert for lines containing
     "dropped: too many syntax or protocol errors".
     NOTE(review): no frequency-based companion rule for repeated drops is
     visible in this listing; check whether repeats should escalate the way
     13007 escalates 13006. -->
49 <rule id="13010" level="5">
50 <if_sid>13000</if_sid>
51 <match>dropped: too many syntax or protocol errors</match>
52 <description>Exim syntax or protocol errors</description>