1 <!-- Copyright (C) 2009 Michael Starks
2   -  This program is free software; you can redistribute it
3   -  and/or modify it under the terms of the GNU General Public
4   -  License (version 3) as published by the FSF - Free Software
5   -  Foundation.
6  -->
7
8
9 <group name="dovecot,">
<!-- OSSEC rules for the Dovecot IMAP/POP3 server.
     Two decoder families are covered: events decoded as "dovecot" (base rule
     9700, children 9701 to 9707, composites 9750 and 9751) and events decoded
     as "dovecot-info" (base rule 9770, child 9771). Only the base rules use
     decoded_as; every other rule selects on its parent through if_sid.
     The match elements use OSSEC's simple string match: "|" separates
     alternatives and "^" / "$" anchor to the start / end of the message. -->

<!-- Base rule: every dovecot-decoded event lands here. Level 0 means it is
     never alerted on its own; it only exists so the child rules can chain. -->
10 <rule id="9700" level="0">
11   <decoded_as>dovecot</decoded_as>
12   <description>Dovecot Messages Grouped.</description>
13 </rule>
14
<!-- Successful login, tagged authentication_success for reporting. -->
15 <rule id="9701" level="3">
16   <if_sid>9700</if_sid>
17   <match>login: Login: </match>
18   <description>Dovecot Authentication Success.</description>
19   <group>authentication_success,</group>
20 </rule>
21
<!-- Wrong password. "$" anchors the match at the end of the message.
     Level 5 on its own; six of these from one source IP are escalated by
     composite rule 9750 below. -->
22 <rule id="9702" level="5">
23   <if_sid>9700</if_sid>
24   <match>Password mismatch$</match>
25   <description>Dovecot Authentication Failed.</description>
26   <group>authentication_failed,</group>
27 </rule>
28
<!-- Service start message; informational only. -->
29 <rule id="9703" level="3">
30   <if_sid>9700</if_sid>
31   <match>starting up</match>
32   <description>Dovecot is Starting Up.</description>
33 </rule>
34
<!-- Message beginning with "Fatal: ". The level is only 2, but alert_by_email
     is set so the event is still mailed.
     NOTE(review): level 2 is normally below the global email threshold; this
     rule relies entirely on alert_by_email to reach an operator. Confirm that
     behaviour against the email settings in ossec.conf. -->
35 <rule id="9704" level="2">
36   <if_sid>9700</if_sid>
37   <match>^Fatal: </match>
38   <options>alert_by_email</options>
39   <description>Dovecot Fatal Failure.</description>
40 </rule>
41
<!-- Unknown user or generic auth failure. Four alternative strings are
     matched. Level 5 on its own; six from one source IP are escalated by
     composite rule 9751 below. The same string list is repeated in 9771 for
     the dovecot-info decoder. -->
42 <rule id="9705" level="5">
43   <if_sid>9700</if_sid>
44   <match>user not found|User not known|unknown user|auth failed</match>
45   <description>Dovecot Invalid User Login Attempt.</description>
46   <group>invalid_login,authentication_failed,</group>
47 </rule>
48
<!-- Client session closed; informational only. -->
49 <rule id="9706" level="3">
50   <if_sid>9700</if_sid>
51   <match>: Disconnected: </match>
52   <description>Dovecot Session Disconnected.</description>
53 </rule>
54
<!-- Login aborted before completion. Grouped only as invalid_login (not
     authentication_failed) and not referenced by any composite rule in this
     file, so repeated aborted logins from one source never escalate here. -->
55 <rule id="9707" level="5">
56   <if_sid>9700</if_sid>
57   <match>: Aborted login</match>
58   <description>Dovecot Aborted Login.</description>
59   <group>invalid_login,</group>
60 </rule>
61
62
63 <!-- Composite rules: frequency-based escalation keyed on the source IP.
     Each fires when the referenced child rule has matched "frequency" times
     within "timeframe" seconds from the same source address. -->
<!-- Six password mismatches (9702) from one source IP within 120 s. -->
64 <rule id="9750" level="10" frequency="6" timeframe="120">
65   <if_matched_sid>9702</if_matched_sid>
66   <same_source_ip />
67   <description>Dovecot Multiple Authentication Failures.</description>
68   <group>authentication_failures,</group>
69 </rule>
70
<!-- Six invalid-user / auth-failed events (9705) from one source IP within
     240 s. Only 9705 is referenced: the equivalent dovecot-info rule 9771 has
     no composite counterpart in this file, so the same flood arriving through
     that decoder stays at level 5.
     NOTE(review): a parallel composite for 9771 would close that gap; pick the
     id according to the project's numbering scheme. -->
71 <rule id="9751" level="10" frequency="6" timeframe="240">
72   <if_matched_sid>9705</if_matched_sid>
73   <same_source_ip />
74   <description>Dovecot brute force attack (multiple auth failures).</description>
75   <group>authentication_failures,</group>
76 </rule>
77
<!-- Base rule for the dovecot-info decoder, level 0 (never alerted on its
     own). Only the invalid-user rule below chains from it; password mismatch,
     success, fatal and disconnect messages are not covered for this decoder. -->
78 <rule id="9770" level="0">
79   <decoded_as>dovecot-info</decoded_as>
80   <description>dovecot-info grouping.</description>
81 </rule>
82
<!-- Same strings, level and groups as 9705, for the dovecot-info decoder. -->
83 <rule id="9771" level="5">
84   <if_sid>9770</if_sid>
85   <match>user not found|User not known|unknown user|auth failed</match>
86   <description>Dovecot Invalid User Login Attempt.</description>
87   <group>invalid_login,authentication_failed,</group>
88 </rule>
89  
90
91 </group>