projects / ossec-hids.git / blob
? search:


2381f34bdd463dcd8a1c6c15326fda43dea67422
[ossec-hids.git] / etc / rules / ms_ftpd_rules.xml
1 <!-- @(#) $Id$
2   -  Example of Microsoft FTP rules for OSSEC.
3   -
4   -  Copyright (C) 2009 Trend Micro Inc.
5   -  All rights reserved.
6   -
7   -  This program is a free software; you can redistribute it
8   -  and/or modify it under the terms of the GNU General Public
9   -  License (version 2) as published by the FSF - Free Software
10   -  Foundation.
11   -
12   -  License details: http://www.ossec.net/en/licensing.html
13   -->
14
15
16 <group name="syslog,msftp,">
17   <rule id="11500" level="0">
18     <decoded_as>msftp</decoded_as>
19     <description>Grouping for the Microsoft ftp rules.</description>
20   </rule>
21   
22   <rule id="11501" level="3">
23     <if_sid>11500</if_sid>
24     <action>USER</action>
25     <description>New FTP connection.</description>
26     <group>connection_attempt,</group>
27   </rule>
28
29   <rule id="11502" level="5">
30     <if_sid>11500</if_sid>
31     <action>PASS</action>
32     <id>530</id>
33     <description>FTP Authentication failed.</description>
34     <group>authentication_failed,</group>
35   </rule>
36
37   <rule id="11503" level="3">
38     <if_sid>11500</if_sid>
39     <action>PASS</action>
40     <id>230</id>
41     <description>FTP Authentication success.</description>
42     <group>authentication_success,</group>
43   </rule>  
44
45   <rule id="11504" level="4">
46     <if_sid>11500</if_sid>
47     <id>^5</id>
48     <description>FTP client request failed.</description>
49   </rule>
50   
51   <rule id="11510" level="10" frequency="6" timeframe="120">
52     <if_matched_sid>11502</if_matched_sid>
53     <description>FTP brute force (multiple failed logins).</description>
54     <group>authentication_failures,</group>
55   </rule>
56
57   <rule id="11511" level="10" frequency="8" timeframe="30">
58     <if_matched_sid>11501</if_matched_sid>
59     <same_source_ip />
60     <description>Multiple connection attempts from same source.</description>
61     <group>recon,</group>
62   </rule>
63
64   <rule id="11512" level="10" frequency="6" timeframe="120">
65     <if_matched_sid>11504</if_matched_sid>
66     <same_source_ip />
67     <description>Multiple FTP errors from same source.</description>
68   </rule>
69 </group> <!-- SYSLOG,PURE-FTPD -->
70
71
72 <!-- EOF -->
ossec-hids