debian/ossec-hids/var/ossec/rules/proxmox-ve_rules.xml

   1 <group name="syslog,proxmox-ve,">
   2   <rule id="53400" level="0">
   3     <decoded_as>pvedaemon</decoded_as>
   4     <description>pvedaemon messages grouped.</description>
   5   </rule>
   6
   7   <rule id="53401" level="6">
   8     <if_sid>53400</if_sid>
   9     <match>authentication failure; </match>
  10     <description>Proxmox VE authentication failed.</description>
  11     <group>authentication_failed,</group>
  12   </rule>
  13
  14   <rule id="53402" level="10" frequency="6" timeframe="120">
  15     <if_matched_sid>53401</if_matched_sid>
  16     <same_source_ip />
  17     <description>Proxmox VE brute force (multiple failed logins).</description>
  18     <group>authentication_failures,</group>
  19   </rule>
  20
  21   <rule id="53403" level="3">
  22     <if_sid>53400</if_sid>
  23     <match> successful auth for user </match>
  24     <description>Proxmox VE authentication succeeded.</description>
  25     <group>authentication_success,</group>
  26   </rule>
  27
  28 </group>