[ossec-hids.git] / debian / ossec-hids / var / ossec / rules / exim_rules.xml

<!-- Authors: Alexandr Garaga
-  This program is a free software; you can redistribute it
-  and/or modify it under the terms of the GNU General Public
-  License (version 2) as published by the FSF - Free Software
-  Foundation.
-
-  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-->

<group name="exim,">
    <rule id="13000" level="0">
      <decoded_as>windows-date-format</decoded_as>
      <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP </regex>
      <description>Exim SMTP Messages Grouped.</description>
    </rule>

    <rule id="13001" level="0">
      <decoded_as>windows-date-format</decoded_as>
      <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot</regex>
      <description>dovecot messages grouped.</description>
    </rule>

    <rule id="13006" level="5">
      <if_sid>13001</if_sid>
      <match>authenticator failed</match>
      <description>Exim Auth failed</description>
      <group>invalid_login,authentication_failed,</group>
    </rule>

    <rule id="13007" level="10" frequency="6" timeframe="240">
      <if_matched_sid>13006</if_matched_sid>
      <same_source_ip />
      <description>Exim brute force attack (multiple auth failures).</description>
      <group>authentication_failures,</group>
    </rule>

    <rule id="13008" level="0">
      <if_sid>13000</if_sid>
      <match>connection count =</match>
      <description>Exim connection</description>
    </rule>

    <rule id="13009" level="1">
      <if_sid>13000</if_sid>
      <match>lost$</match>
      <description>Exim connection lost</description>
    </rule>

    <rule id="13010" level="5">
      <if_sid>13000</if_sid>
      <match>dropped: too many syntax or protocol errors</match>
      <description>Exim syntax or protocol errors</description>
    </rule>

</group>