1 <!-- @(#) $Id: ./etc/rules/postfix_rules.xml, 2011/09/08 dcid Exp $
2
3   -  Official postfix rules for OSSEC.
4   -  Author: Ahmet Ozturk
5   -  Author: Daniel B. Cid
6   -  License: http://www.ossec.net/en/licensing.html
7   -->
8
<!-- Number of matching events a composite rule (3351-3356) needs from the
     same source IP inside its timeframe before it fires. Referenced below as
     $POSTFIX_FREQ; raise it on busy relays to cut noise, lower it to catch
     slower probing. -->
<var name="POSTFIX_FREQ">6</var>
10
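<group name="syslog,postfix,">
  <!-- 3300: silent parent for every event the postfix-reject decoder
       produces. Level 0 never raises an alert; the child rules below refine
       it by the SMTP reply code the decoder extracted into the id field. -->
  <rule id="3300" level="0">
    <decoded_as>postfix-reject</decoded_as>
    <description>Grouping of the postfix reject rules.</description>
  </rule>

  <!-- 3301-3305: one rule per SMTP reply code sent to the rejected client.
       <id> is anchored with ^ and $ so only the exact code matches. Two
       <description> elements are concatenated into one alert text. -->
  <rule id="3301" level="6">
    <if_sid>3300</if_sid>
    <id>^554$</id>
    <description>Attempt to use mail server as relay </description>
    <description>(client host rejected).</description>
    <group>spam,</group>
  </rule>

  <rule id="3302" level="6">
    <if_sid>3300</if_sid>
    <id>^550$</id>
    <description>Rejected by access list </description>
    <description>(Requested action not taken).</description>
    <group>spam,</group>
  </rule>

  <rule id="3303" level="5">
    <if_sid>3300</if_sid>
    <id>^450$</id>
    <description>Sender domain is not found </description>
    <description>(450: Requested mail action not taken).</description>
    <group>spam,</group>
  </rule>

  <rule id="3304" level="5">
    <if_sid>3300</if_sid>
    <id>^503$</id>
    <description>Improper use of SMTP command pipelining </description>
    <description>(503: Bad sequence of commands).</description>
    <group>spam,</group>
  </rule>

  <rule id="3305" level="5">
    <if_sid>3300</if_sid>
    <id>^504$</id>
    <!-- Alert text fixed: "Receipent" was a typo in the user-facing description. -->
    <description>Recipient address must contain FQDN </description>
    <description>(504: Command parameter not implemented).</description>
    <group>spam,</group>
  </rule>

  <!-- 3306: refines a 554/550 reject when Postfix reports that a DNS
       blocklist (reject_rbl_client) caused it; Postfix writes
       "blocked using <list>" into the reject line. -->
  <rule id="3306" level="6">
    <if_sid>3301, 3302</if_sid>
    <match> blocked using </match>
    <description>IP Address black-listed by anti-spam (blocked).</description>
    <group>spam,</group>
  </rule>

  <!-- 3320: silent parent for all other events of the postfix decoder
       (daemon lifecycle, SASL, resource errors). -->
  <rule id="3320" level="0">
    <decoded_as>postfix</decoded_as>
    <description>Grouping of the postfix rules.</description>
  </rule>

  <!-- 3330: service-affecting failures. The two <match> elements are joined
       into one pattern; the trailing | on the first line is the OR that
       links it to the "fatal:" alternative. ignore="240" suppresses repeat
       alerts for 240 s so a flapping daemon does not flood the console. -->
  <rule id="3330" level="10" ignore="240">
    <if_sid>3320</if_sid>
    <match>defer service failure|Resource temporarily unavailable|</match>
    <match>^fatal: the Postfix mail system is not running</match>
    <description>Postfix process error.</description>
    <group>service_availability,</group>
  </rule>

  <!-- 3332: single SASL (SMTP AUTH) failure. Kept low (level 5) because one
       failure is common; 3357 below escalates repeated failures from the
       same source IP. -->
  <rule id="3332" level="5">
    <if_sid>3320</if_sid>
    <match> authentication failed</match>
    <description>Postfix SASL authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- 3331: 452 reject under the postfix-reject parent; Postfix returns it
       when it cannot accept mail for lack of disk space. ignore="120"
       rate-limits the alert while the condition persists.
       NOTE(review): the id pattern has no trailing $ unlike its siblings;
       harmless if the decoder only yields the three-digit code - confirm. -->
  <rule id="3331" level="10" ignore="120">
    <if_sid>3300</if_sid>
    <id>^452</id>
    <description>Postfix insufficient disk space error.</description>
    <group>service_availability,</group>
  </rule>

  <!-- 3334 / 3333: daemon lifecycle. A stop is rated higher than a start
       because an unexpected stop is a service-availability event. -->
  <rule id="3334" level="3">
    <if_sid>3320</if_sid>
    <match>^daemon started </match>
    <description>Postfix started.</description>
  </rule>

  <rule id="3333" level="7">
    <if_sid>3320</if_sid>
    <match>^terminating on signal</match>
    <description>Postfix stopped.</description>
    <group>service_availability,</group>
  </rule>

  <!-- 3351-3357: composite rules. Each fires when its parent rule matched
       $POSTFIX_FREQ times from the same source IP within timeframe seconds,
       turning isolated rejects into a per-host "repeated abuse" alert. -->
  <rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
    <if_matched_sid>3301</if_matched_sid>
    <same_source_ip />
    <description>Multiple relaying attempts of spam.</description>
    <group>multiple_spam,</group>
  </rule>

  <rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3302</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from a </description>
    <description>rejected sender IP (access).</description>
    <group>multiple_spam,</group>
  </rule>

  <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>

  <!-- 3354: repeated bad command sequences are rated highest (12) because
       they indicate a client probing the SMTP dialogue, not a mail client. -->
  <rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3304</if_matched_sid>
    <same_source_ip />
    <description>Multiple misuse of SMTP service </description>
    <description>(bad sequence of commands).</description>
    <group>multiple_spam,</group>
  </rule>

  <rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3305</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail to </description>
    <description>invalid recipient or from unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>

  <!-- ignore="30": a blocklisted host typically retries quickly; suppress
       repeats for 30 s once the composite alert has fired. -->
  <rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
    <if_matched_sid>3306</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>black-listed IP address (blocked).</description>
    <group>multiple_spam,</group>
  </rule>

  <!-- 3357: SASL brute-force / password-guessing detection. Now uses
       $POSTFIX_FREQ like the other composite rules instead of a hard-coded 6,
       so tuning the variable adjusts this threshold too. The
       authentication_failures group is the one OSSEC's generic brute-force
       alerting keys on. -->
  <rule id="3357" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="60">
    <if_matched_sid>3332</if_matched_sid>
    <same_source_ip />
    <description>Multiple SASL authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- 3390: silent parent for clamsmtpd messages (matched on the syslog
       program prefix; no decoder). Its child rules are not in this file. -->
  <rule id="3390" level="0">
    <match>^clamsmtpd: </match>
    <description>Grouping of the clamsmtpd rules.</description>
  </rule>
</group> <!-- SYSLOG,POSTFIX -->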