1 <!-- @(#) $Id: proftpd_rules.xml,v 1.17 2009/06/24 17:06:19 dcid Exp $
2 - Official Proftpd rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
17 <group name="syslog,proftpd,">
18 <rule id="11200" level="0" noalert="1">
19 <decoded_as>proftpd</decoded_as>
20 <description>Grouping for the proftpd rules.</description>
23 <rule id="11201" level="3">
24 <if_sid>11200</if_sid>
25 <match>FTP session opened.$</match>
26 <description>FTP session opened.</description>
27 <group>connection_attempt,</group>
30 <rule id="11202" level="0">
31 <if_sid>11200</if_sid>
32 <match>FTP session closed.$</match>
33 <description>FTP session closed.</description>
36 <rule id="11203" level="5">
37 <if_sid>11200</if_sid>
38 <match> no such user </match>
39 <description>Attempt to login using a non-existent user.</description>
40 <group>invalid_login,</group>
43 <rule id="11204" level="5">
44 <if_sid>11200</if_sid>
45 <match>Incorrect password.$|Login failed</match>
46 <description>Login failed accessing the FTP server</description>
47 <group>authentication_failed,</group>
50 <rule id="11205" level="3">
51 <if_sid>11200</if_sid>
52 <match>Login successful</match>
53 <description>FTP Authentication success.</description>
54 <group>authentication_success,</group>
57 <rule id="11206" level="5">
58 <if_sid>11200</if_sid>
59 <regex>Connection from \S+ [\S+] denied</regex>
60 <description>Connection denied by ProFTPD configuration.</description>
61 <group>access_denied,</group>
64 <rule id="11207" level="5">
65 <if_sid>11200</if_sid>
66 <match>refused connect from</match>
67 <description>Connection refused by TCP Wrappers.</description>
68 <group>access_denied,</group>
71 <rule id="11208" level="4">
72 <if_sid>11200</if_sid>
73 <match>unable to find open port in PassivePorts range</match>
74 <description>Small PassivePorts range in config file. </description>
75 <description>Server misconfiguration.</description>
78 <rule id="11209" level="14">
79 <if_sid>11200</if_sid>
80 <match>Refused PORT </match>
81 <description>Attempt to bypass firewall that can't adequately</description>
82 <description> keep state of FTP traffic.</description>
83 <info>http://www.kb.cert.org/vuls/id/328867</info>
86 <rule id="11210" level="10">
87 <if_sid>11200</if_sid>
88 <match>Maximum login attempts </match>
89 <description>Multiple failed login attempts.</description>
90 <group>authentication_failures,</group>
93 <rule id="11211" level="4">
94 <if_sid>11200</if_sid>
95 <match>host name/name mismatch|host name/address mismatch</match>
96 <description>Mismatch in server's hostname.</description>
99 <rule id="11212" level="5">
100 <if_sid>11200</if_sid>
101 <match>warning: can't verify hostname: </match>
102 <description>Reverse lookup error (bad ISP config).</description>
105 <rule id="11213" level="3">
106 <if_sid>11200</if_sid>
107 <match>connect from </match>
108 <description>Remote host connected to FTP server.</description>
109 <group>connection_attempt,</group>
112 <rule id="11214" level="3">
113 <if_sid>11200</if_sid>
114 <match>FTP no transfer timeout, disconnected</match>
115 <description>Remote host disconnected due to inactivity.</description>
118 <rule id="11215" level="3">
119 <if_sid>11200</if_sid>
120 <match>FTP login timed out, disconnected</match>
121 <description>Remote host disconnected due to login timeout.</description>
124 <rule id="11216" level="3">
125 <if_sid>11200</if_sid>
126 <match>FTP session idle timeout, disconnected</match>
127 <description>Remote host disconnected due to idle timeout.</description>
130 <rule id="11217" level="3">
131 <if_sid>11200</if_sid>
132 <match>Data transfer stall timeout:</match>
133 <description>Data transfer stalled.</description>
136 <rule id="11218" level="12">
137 <if_sid>11200</if_sid>
138 <match>ProFTPD terminating (signal 11)</match>
139 <description>FTP process crashed.</description>
140 <group>service_availability,</group>
143 <rule id="11219" level="12">
144 <if_sid>11200</if_sid>
145 <match>Reallocating sreaddir buffer</match>
146 <description>FTP server buffer overflow attempt.</description>
149 <rule id="11220" level="4">
150 <if_sid>11200</if_sid>
151 <match>listen() failed in</match>
152 <description>Unable to bind to address.</description>
155 <rule id="11221" level="0">
156 <if_sid>11200</if_sid>
157 <match>error setting IPV6_V6ONLY: Protocol not available|</match>
158 <match> - mod_delay/|PAM(setcred): System error|</match>
159 <match>PAM(close_session): System error</match>
160 <description>IPv6 error and mod_delay info (ignored).</description>
163 <rule id="11251" level="10" frequency="6" timeframe="120">
164 <if_matched_sid>11204</if_matched_sid>
166 <description>FTP brute force (multiple failed logins).</description>
167 <group>authentication_failures,</group>
170 <rule id="11252" level="10" frequency="10" timeframe="60">
171 <if_matched_sid>11201</if_matched_sid>
173 <description>Multiple connection attempts from same source.</description>
174 <group>recon,</group>
177 <rule id="11253" level="10" frequency="10" timeframe="120">
178 <if_matched_sid>11215</if_matched_sid>
180 <description>Multiple timed out logins from same source.</description>
183 </group> <!-- SYSLOG,PROFTPD -->