Imported Upstream version 2.7

[ossec-hids.git] / etc / rules / asterisk_rules.xml

<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $

  -  Official Asterisk rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
  

<!-- Asterisk Log messages -->
<group name="syslog,asterisk,">
  <rule id="6200" level="0">
    <decoded_as>asterisk</decoded_as>
    <description>Asterisk messages grouped.</description>
  </rule>
  
  <rule id="6201" level="0">
    <if_sid>6200</if_sid>
    <match>^NOTICE</match>
    <description>Asterisk notice messages grouped.</description>
  </rule>

  <rule id="6202" level="3">
    <if_sid>6200</if_sid>
    <match>^WARN</match>
    <description>Asterisk warning message.</description>
  </rule>
  
  <rule id="6203" level="3">
    <if_sid>6200</if_sid>
    <match>^ERROR</match>
    <description>Asterisk error message.</description>
  </rule>

  <rule id="6210" level="5">
    <if_sid>6201</if_sid>
    <match>Wrong password</match>
    <description>Login session failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="6211" level="5">
    <if_sid>6201</if_sid>
    <match>Username/auth name mismatch</match>
    <description>Login session failed (invalid user).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <match>No matching peer found</match>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="6250" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6211</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins (user enumeration in process).</description>
  </rule>

  <rule id="6251" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6210</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>
  
  <rule id="6252" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6212</if_matched_sid>
    <same_source_ip />
    <description>Extension enumeration.</description>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
  <rule id="6253" level="5">
    <if_sid>6201</if_sid>
    <match>No registration for peer</match>
    <description>Login session failed (invalid iax user).</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <rule id="6254" level="10" frequency="3" timeframe="300">
    <if_matched_sid>6253</if_matched_sid>
    <same_source_ip />
    <description>Extension IAX Enumeration.</description>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <rule id="6255" level="5">
    <if_sid>6202</if_sid>
    <match>Don't know how to respond via</match>
    <description>Possible Registration Hijacking.</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <rule id="6256" level="5">
    <if_sid>6201</if_sid>
    <match>failed MD5 authentication</match>
    <description>IAX peer Wrong Password.</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <rule id="6257" level="10" frequency="3" timeframe="300">
    <if_matched_sid>6256</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

  
</group> <!-- ASTERISK -->

<!-- EOF -->