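<!-- @(#) $Id: vpopmail_rules.xml,v 1.4 2009/07/23 14:10:44 dcid Exp $
  -  Official rules for vpopmail.
  -  Author: Ceg Ryan <cegryan ( at ) gmail.com>
  -  License: http://www.ossec.net/en/licensing.html
  -->

<!-- Rule ids 9900-9953 form the vpopmail block. 9901-9904 classify single
     events at level 5 (failures) or level 1 (success); 9951-9953 are
     composite rules that escalate repeated failures to level 10. -->
<group name="syslog,vpopmail,">

  <!-- 9900: level 0 never alerts on its own; it ties the block to the
       vpopmail decoder.
       NOTE(review): the per-event rules below are expected to chain to it
       with <if_sid>9900</if_sid>. That line is not visible in this listing;
       confirm against the installed file, because without the chain each
       <match> below is tested against logs from every decoder. -->
  <rule id="9900" level="0">
    <decoded_as>vpopmail</decoded_as>
    <description>Grouping for the vpopmail rules.</description>
  </rule>

  <!-- 9901: one failed password check. The leading and trailing spaces are
       part of the pattern; <match> is a substring-style test, so they keep
       it from firing on longer tokens that merely contain the words. -->
  <rule id="9901" level="5">
    <match> password fail </match>
    <group>authentication_failed,</group>
    <description>Login failed for vpopmail.</description>
  </rule>

  <!-- 9902: attempt against a mailbox that does not exist. This is account
       enumeration rather than a wrong password, hence invalid_login instead
       of authentication_failed. -->
  <rule id="9902" level="5">
    <match> vpopmail user not found </match>
    <group>invalid_login,</group>
    <description>Attempt to login to vpopmail with invalid username.</description>
  </rule>

  <!-- 9903: the client supplied an empty password. -->
  <rule id="9903" level="5">
    <match> null password given </match>
    <group>authentication_failed,</group>
    <description>Attempt to login to vpopmail with empty password.</description>
  </rule>

  <!-- 9904: level 1 records successful logins without paging anyone; keep
       it enabled so a success can be correlated with the brute-force alerts
       below. -->
  <rule id="9904" level="1">
    <match> login success </match>
    <group>authentication_success,</group>
    <description>Vpopmail successful login.</description>
  </rule>

  <!-- Composite rules. Each fires at level 10 once its parent sid has
       matched frequency="8" times inside timeframe="240" seconds.
       NOTE(review): the OSSEC rule-syntax documentation states the actual
       trigger count is two more than the frequency value; verify on the
       running version before quoting "8 failures" in a runbook.
       No <same_source_ip> or <same_user> qualifier is visible, so the count
       is presumably global across all clients rather than per source or per
       account; confirm against the installed file. -->
  <rule id="9951" level="10" frequency="8" timeframe="240">
    <if_matched_sid>9901</if_matched_sid>
    <description>Vpopmail brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- 9952: repeated unknown-user attempts. Called harvesting because the
       activity maps valid mailboxes rather than guessing passwords. -->
  <rule id="9952" level="10" frequency="8" timeframe="240">
    <if_matched_sid>9902</if_matched_sid>
    <description>Vpopmail brute force (email harvesting).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- 9953: repeated empty-password attempts. The description spells the
       product "VPOPMAIL" while its siblings use "Vpopmail"; left unchanged
       because alert consumers may key on the exact text. -->
  <rule id="9953" level="10" frequency="8" timeframe="240">
    <if_matched_sid>9903</if_matched_sid>
    <description>VPOPMAIL brute force (empty password).</description>
    <group>authentication_failures,</group>
  </rule>

</group>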