+++ /dev/null
-<!-- Copyright (C) 2009 Michael Starks
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -->
-
-
-<group name="dovecot,">
-<rule id="9700" level="0">
- <decoded_as>dovecot</decoded_as>
- <description>Dovecot Messages Grouped.</description>
-</rule>
-
-<rule id="9701" level="3">
- <if_sid>9700</if_sid>
- <match>login: Login: </match>
- <description>Dovecot Authentication Success.</description>
- <group>authentication_success,</group>
-</rule>
-
-<rule id="9702" level="5">
- <if_sid>9700</if_sid>
- <match>Password mismatch$</match>
- <description>Dovecot Authentication Failed.</description>
- <group>authentication_failed,</group>
-</rule>
-
-<rule id="9703" level="3">
- <if_sid>9700</if_sid>
- <match>starting up</match>
- <description>Dovecot is Starting Up.</description>
-</rule>
-
-<rule id="9704" level="2">
- <if_sid>9700</if_sid>
- <match>^Fatal: </match>
- <options>alert_by_email</options>
- <description>Dovecot Fatal Failure.</description>
-</rule>
-
-<rule id="9705" level="5">
- <if_sid>9700</if_sid>
- <match>user not found|User not known|unknown user|auth failed</match>
- <description>Dovecot Invalid User Login Attempt.</description>
- <group>invalid_login,authentication_failed,</group>
-</rule>
-
-<rule id="9706" level="3">
- <if_sid>9700</if_sid>
- <match>: Disconnected: </match>
- <description>Dovecot Session Disconnected.</description>
-</rule>
-
-<rule id="9707" level="5">
- <if_sid>9700</if_sid>
- <match>: Aborted login</match>
- <description>Dovecot Aborted Login.</description>
- <group>invalid_login,</group>
-</rule>
-
-
-<!-- Composite rules -->
-<rule id="9750" level="10" frequency="6" timeframe="120">
- <if_matched_sid>9702</if_matched_sid>
- <same_source_ip />
- <description>Dovecot Multiple Authentication Failures.</description>
- <group>authentication_failures,</group>
-</rule>
-
-<rule id="9751" level="10" frequency="6" timeframe="240">
- <if_matched_sid>9705</if_matched_sid>
- <same_source_ip />
- <description>Dovecot brute force attack (multiple auth failures).</description>
- <group>authentication_failures,</group>
-</rule>
-
-<rule id="9770" level="0">
- <decoded_as>dovecot-info</decoded_as>
- <description>dovecot-info grouping.</description>
-</rule>
-
-<rule id="9771" level="5">
- <if_sid>9770</if_sid>
- <match>user not found|User not known|unknown user|auth failed</match>
- <description>Dovecot Invalid User Login Attempt.</description>
- <group>invalid_login,authentication_failed,</group>
-</rule>
-
-
-</group>