-<!-- @(#) $Id: courier_rules.xml,v 1.4 2009/06/24 17:06:19 dcid Exp $
+<!-- @(#) $Id: ./etc/rules/courier_rules.xml, 2011/09/08 dcid Exp $
+
- Official Courier rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
+ - License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
<rule id="3902" level="5">
<if_sid>3900</if_sid>
- <match>^LOGIN FAILED,</match>
+ <match>^LOGIN FAILED,| FAILED:</match>
<description>Courier (imap/pop3) authentication failed.</description>
<group>authentication_failed,</group>
</rule>
<group>authentication_success,</group>
</rule>
- <rule id="3910" level="10" frequency="6" timeframe="240">
+ <rule id="3910" level="10" frequency="10" timeframe="30">
<if_matched_sid>3902</if_matched_sid>
<description>Courier brute force (multiple failed logins).</description>
<group>authentication_failures,</group>
<same_source_ip />
</rule>
- <rule id="3911" level="10" frequency="10" timeframe="60">
+ <rule id="3911" level="10" frequency="15" timeframe="30">
<if_matched_sid>3901</if_matched_sid>
<same_source_ip />
<description>Multiple connection attempts from same source.</description>