+++ /dev/null
-<!-- Authors: Alexandr Garaga
-- This program is a free software; you can redistribute it
-- and/or modify it under the terms of the GNU General Public
-- License (version 2) as published by the FSF - Free Software
-- Foundation.
--
-- License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
--->
-
-<group name="exim,">
- <rule id="13000" level="0">
- <decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP </regex>
- <description>Exim SMTP Messages Grouped.</description>
- </rule>
-
- <rule id="13001" level="0">
- <decoded_as>windows-date-format</decoded_as>
- <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot</regex>
- <description>dovecot messages grouped.</description>
- </rule>
-
- <rule id="13006" level="5">
- <if_sid>13001</if_sid>
- <match>authenticator failed</match>
- <description>Exim Auth failed</description>
- <group>invalid_login,authentication_failed,</group>
- </rule>
-
- <rule id="13007" level="10" frequency="6" timeframe="240">
- <if_matched_sid>13006</if_matched_sid>
- <same_source_ip />
- <description>Exim brute force attack (multiple auth failures).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="13008" level="0">
- <if_sid>13000</if_sid>
- <match>connection count =</match>
- <description>Exim connection</description>
- </rule>
-
- <rule id="13009" level="1">
- <if_sid>13000</if_sid>
- <match>lost$</match>
- <description>Exim connection lost</description>
- </rule>
-
- <rule id="13010" level="5">
- <if_sid>13000</if_sid>
- <match>dropped: too many syntax or protocol errors</match>
- <description>Exim syntax or protocol errors</description>
- </rule>
-
-</group>