1 <!-- @(#) $Id$
2   -  Official postfix rules for OSSEC.
3   -  Author: Ahmet Ozturk
4   -  Author: Daniel B. Cid
5   -  License: http://www.ossec.net/en/licensing.html
6   -->
7
<!-- Shared match count for the "multiple ..." correlation rules below (3351 and up).
     NOTE(review): OSSEC's own documentation states a frequency rule fires at
     frequency+2 matches rather than at frequency; confirm against the engine
     version in use before tuning this value. -->
<var name="POSTFIX_FREQ">6</var>
9
10 <group name="syslog,postfix,">
  <!-- Parent for everything the postfix-reject decoder handles. Level 0 never
       alerts by itself; the children below key on the bare 3-digit SMTP reply
       code (their <id> patterns are anchored ^NNN$, so that is what the decoder
       must be extracting). -->
  <rule id="3300" level="0">
    <decoded_as>postfix-reject</decoded_as>
    <description>Grouping of the postfix reject rules.</description>
  </rule>
15   
  <!-- 554 reject. In stock Postfix this code is also "Relay access denied",
       i.e. open-relay probing, which is why it is treated as spam/relay abuse.
       When the rejection text contains " blocked using " the more specific
       child 3306 fires instead of this rule. Escalated by 3351. -->
  <rule id="3301" level="6">
    <if_sid>3300</if_sid>
    <id>^554$</id>
    <description>Attempt to use mail server as relay </description>
    <description>(client host rejected).</description>
    <group>spam,</group>
  </rule>
23
  <!-- 550 reject. Postfix uses 550 for access-map rejections, but (presumably,
       depending on configuration) also for "Recipient address rejected: User
       unknown", so this rule and its escalation 3352 are where recipient
       enumeration / dictionary attacks against the server show up. The
       description only names the access-list case. -->
  <rule id="3302" level="6">
    <if_sid>3300</if_sid>
    <id>^550$</id>
    <description>Rejected by access list </description>
    <description>(Requested action not taken).</description>
    <group>spam,</group>
  </rule>
31
  <!-- 450 temporary reject. Covers "Sender address rejected: Domain not found",
       but 450 is also the reply greylisting policy servers (e.g. postgrey) give
       to every first delivery attempt. NOTE(review): sites that greylist should
       expect legitimate senders here and in the level-10 escalation 3353. -->
  <rule id="3303" level="5">
    <if_sid>3300</if_sid>
    <id>^450$</id>
    <description>Sender domain is not found </description>
    <description>(450: Requested mail action not taken).</description>
    <group>spam,</group>
  </rule>
39
  <!-- 503 reject: commands sent out of sequence (e.g. a client that talks
       before reading the banner). Typical of spam bots rather than real MTAs,
       hence the level-12 escalation in 3354 for repeats from one IP. -->
  <rule id="3304" level="5">
    <if_sid>3300</if_sid>
    <id>^503$</id>
    <description>Improper use of SMTP command pipelining </description>
    <description>(503: Bad sequence of commands).</description>
    <group>spam,</group>
  </rule>
47   
48   <rule id="3305" level="5">
49     <if_sid>3300</if_sid>
50     <id>^504$</id>
51     <description>Receipent address must contain FQDN </description>
52     <description>(504: Command parameter not implemented).</description>
53     <group>spam,</group>
54   </rule>
55   
  <!-- Child of 3301/3302: a reject whose text contains " blocked using " came
       from a DNS blocklist lookup (reject_rbl_client style). Being the more
       specific match it replaces the parent alert; same level 6. Escalated by
       3356. -->
  <rule id="3306" level="6">
    <if_sid>3301, 3302</if_sid>
    <match> blocked using </match>
    <description>IP Address black-listed by anti-spam (blocked).</description>
    <group>spam,</group>
  </rule>
62   
  <!-- Parent for every other log line the postfix decoder handles (anything
       that is not a reject). Level 0: never alerts by itself. -->
  <rule id="3320" level="0">
    <decoded_as>postfix</decoded_as>
    <description>Grouping of the postfix rules.</description>
  </rule>
67
  <!-- Process-level failure of any Postfix daemon. The two <match> elements are
       concatenated, so the pattern is one three-way alternation.
       NOTE(review): "Resource temporarily unavailable" is the EAGAIN strerror;
       if it is coming from fork()/fd limits it can mean the host is being
       driven into resource exhaustion by traffic, not just a local fault, so
       look at connection counts when this fires. ignore=240 suppresses repeat
       alerts for 4 minutes so an ongoing outage does not flood the log. -->
  <rule id="3330" level="10" ignore="240">
    <if_sid>3320</if_sid>
    <match>defer service failure|Resource temporarily unavailable|</match>
    <match>^fatal: the Postfix mail system is not running</match>
    <description>Postfix process error.</description>
    <group>service_availability,</group>
  </rule>
75
  <!-- One SASL (SMTP AUTH) failure, level 5. The leading space in the match
       keeps it from hitting words ending in "authentication failed" elsewhere.
       The brute-force escalation 3357 needs a source IP, which depends on the
       postfix decoder pulling the client address out of the warning line;
       NOTE(review): verify srcip is decoded for SASL warnings on this version,
       otherwise 3357 can never fire. -->
  <rule id="3332" level="5">
    <if_sid>3320</if_sid>
    <match> authentication failed</match>
    <description>Postfix SASL authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>
82
  <!-- 452 reject, filed as an availability alert. Note this hangs off the
       reject parent 3300, not 3320. NOTE(review): stock Postfix also answers
       452 for "too many recipients" (smtpd_recipient_limit), so a spammer
       sending oversized RCPT lists can trigger this level-10 disk-space alert;
       check the reply text before treating it as a storage problem. The id
       pattern lacks the trailing $ the sibling rules use; harmless because the
       extracted id is a bare 3-digit code. ignore=120 rate-limits repeats. -->
  <rule id="3331" level="10" ignore="120">
    <if_sid>3300</if_sid>
    <id>^452</id>
    <description>Postfix insufficient disk space error.</description>
    <group>service_availability,</group>
  </rule>
89
  <!-- Informational: Postfix master daemon started. Level 3 is below the usual
       alerting threshold but leaves an audit trail for restarts. -->
  <rule id="3334" level="3">
    <if_sid>3320</if_sid>
    <match>^daemon started </match>
    <description>Postfix started.</description>
  </rule>
95
  <!-- Postfix master received a termination signal. A deliberate service stop
       and a kill by an intruder log the same line, so correlate with the
       operator's change window before dismissing a level-7 alert. -->
  <rule id="3333" level="7">
    <if_sid>3320</if_sid>
    <match>^terminating on signal</match>
    <description>Postfix stopped.</description>
    <group>service_availability,</group>
  </rule>
102
  <!-- Correlation: $POSTFIX_FREQ 554 rejects from the same client IP within 90
       seconds. same_source_ip means the decoder must supply srcip for every
       matched event. -->
  <rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
    <if_matched_sid>3301</if_matched_sid>
    <same_source_ip />
    <description>Multiple relaying attempts of spam.</description>
    <group>multiple_spam,</group>
  </rule>
109
  <!-- Correlation: $POSTFIX_FREQ 550 rejects from one IP in 120 seconds. Because
       550 also covers unknown-recipient rejections (see 3302), this is the
       rule that catches recipient enumeration sweeps. -->
  <rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3302</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from a </description>
    <description>rejected sender IP (access).</description>
    <group>multiple_spam,</group>
  </rule>
117
  <!-- Correlation: $POSTFIX_FREQ 450 temporary rejects from one IP in 120
       seconds, raised to level 10. NOTE(review): greylisting also returns 450
       (see 3303), and a legitimate MTA retrying a greylisted message can
       plausibly hit this count; tune or exclude greylist replies if deployed. -->
  <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
125
  <!-- Correlation: repeated 503 (bad command sequence) from one IP. Level 12 is
       the highest in this file; real MTAs essentially never do this, so the
       false-positive rate is expected to be low. -->
  <rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3304</if_matched_sid>
    <same_source_ip />
    <description>Multiple misuse of SMTP service </description>
    <description>(bad sequence of commands).</description>
    <group>multiple_spam,</group>
  </rule>
133
  <!-- Correlation: repeated 504 (non-FQDN address) rejects from one IP. Note
       the alert text also mentions "unknown sender domain", which is really
       the 450 case handled by 3353; the parent 3305 is only the 504 code. -->
  <rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
    <if_matched_sid>3305</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail to </description>
    <description>invalid recipient or from unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
141
  <!-- Correlation: repeated RBL-blocked rejects (3306) from one IP. ignore=30
       rate-limits the level-10 alert to one per 30 seconds per rule, since a
       listed host usually keeps hammering. -->
  <rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
    <if_matched_sid>3306</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from </description>
    <description>black-listed IP address (blocked).</description>
    <group>multiple_spam,</group>
  </rule>
149
150   <rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
151     <if_matched_sid>3332</if_matched_sid>
152     <same_source_ip />
153     <description>Multiple SASL authentication failures.</description>
154     <group>authentication_failures,</group>
155   </rule>
156
  <!-- Top-level level-0 anchor for clamsmtpd: it has no if_sid or decoded_as,
       so it matches on the raw program prefix of the syslog line. The
       clamsmtpd child rules presumably live in another rules file. -->
  <rule id="3390" level="0">
    <match>^clamsmtpd: </match>
    <description>Grouping of the clamsmtpd rules.</description>
  </rule>
161 </group> <!-- SYSLOG,POSTFIX -->