[ossec-hids.git] / etc / rules / proftpd_rules.xml

<!-- @(#) $Id$
  -  Official Proftpd rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->



<group name="syslog,proftpd,">
  <rule id="11200" level="0" noalert="1">
    <decoded_as>proftpd</decoded_as>
    <description>Grouping for the proftpd rules.</description>
  </rule>
  
  <rule id="11201" level="3">
    <if_sid>11200</if_sid>
    <match>FTP session opened.$</match>
    <description>FTP session opened.</description>
    <group>connection_attempt,</group>
  </rule>

  <rule id="11202" level="0">
    <if_sid>11200</if_sid>
    <match>FTP session closed.$</match>
    <description>FTP session closed.</description>
  </rule>

  <rule id="11203" level="5">
    <if_sid>11200</if_sid>
    <match> no such user </match>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="11204" level="5">
    <if_sid>11200</if_sid>
    <match>Incorrect password.$|Login failed</match>
    <description>Login failed accessing the FTP server</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="11205" level="3">
    <if_sid>11200</if_sid>
    <match>Login successful</match>
    <description>FTP Authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="11206" level="5">
    <if_sid>11200</if_sid>
    <regex>Connection from \S+ [\S+] denied</regex>
    <description>Connection denied by ProFTPD configuration.</description>
    <group>access_denied,</group>
  </rule>
  
  <rule id="11207" level="5">
    <if_sid>11200</if_sid>
    <match>refused connect from</match>
    <description>Connection refused by TCP Wrappers.</description>
    <group>access_denied,</group>
  </rule>

  <rule id="11208" level="4">
    <if_sid>11200</if_sid>
    <match>unable to find open port in PassivePorts range</match>
    <description>Small PassivePorts range in config file. </description>
    <description>Server misconfiguration.</description>
  </rule>

  <rule id="11209" level="14">
    <if_sid>11200</if_sid>
    <match>Refused PORT </match> 
    <description>Attempt to bypass firewall that can't adequately</description>
    <description> keep state of FTP traffic.</description>
    <info type="link">http://www.kb.cert.org/vuls/id/328867</info>
    <info type="text">US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic</info>
  </rule>

  <rule id="11210" level="10">
    <if_sid>11200</if_sid>
    <match>Maximum login attempts </match>
    <description>Multiple failed login attempts.</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="11211" level="4">
    <if_sid>11200</if_sid>
    <match>host name/name mismatch|host name/address mismatch</match>
    <description>Mismatch in server's hostname.</description>
  </rule>

  <rule id="11212" level="5">
    <if_sid>11200</if_sid>
    <match>warning: can't verify hostname: </match>
    <description>Reverse lookup error (bad ISP config).</description>
  </rule>

  <rule id="11213" level="3">
    <if_sid>11200</if_sid>
    <match>connect from </match>
    <description>Remote host connected to FTP server.</description>
    <group>connection_attempt,</group>
  </rule>

  <rule id="11214" level="3">
    <if_sid>11200</if_sid>
    <match>FTP no transfer timeout, disconnected</match>
    <description>Remote host disconnected due to inactivity.</description>
  </rule>

  <rule id="11215" level="3">
    <if_sid>11200</if_sid>
    <match>FTP login timed out, disconnected</match>
    <description>Remote host disconnected due to login time out.</description>
  </rule>

  <rule id="11216" level="3">
    <if_sid>11200</if_sid>
    <match>FTP session idle timeout, disconnected</match>
    <description>Remote host disconnected due to time out.</description>
  </rule>

  <rule id="11217" level="3">
    <if_sid>11200</if_sid>
    <match>Data transfer stall timeout:</match>
    <description>Data transfer stalled.</description>
  </rule>

  <rule id="11218" level="12">
    <if_sid>11200</if_sid>
    <match>ProFTPD terminating (signal 11)</match>
    <description>FTP process crashed.</description>
    <group>service_availability,</group>
  </rule>

  <rule id="11219" level="12">
    <if_sid>11200</if_sid>
    <match>Reallocating sreaddir buffer</match>
    <description>FTP server Buffer overflow attempt.</description>
  </rule>

  <rule id="11220" level="4">
    <if_sid>11200</if_sid>
    <match>listen() failed in</match>
    <description>Unable to bind to adress.</description>
  </rule>
  
  <rule id="11221" level="0">
    <if_sid>11200</if_sid>
    <match>error setting IPV6_V6ONLY: Protocol not available|</match>
    <match> - mod_delay/|PAM(setcred): System error|</match>
    <match>PAM(close_session): System error</match>
    <description>IPv6 error and mod-delay info (ignored).</description>
  </rule>
  
  <rule id="11251" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11204</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <rule id="11252" level="10" frequency="10" timeframe="60">
    <if_matched_sid>11201</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts from same source.</description>
    <group>recon,</group>
  </rule>
            
  <rule id="11253" level="10" frequency="10" timeframe="120">
    <if_matched_sid>11215</if_matched_sid>
    <same_source_ip />
    <description>Multiple timed out logins from same source.</description>
  </rule>
            
</group> <!-- SYSLOG,PROFTPD -->


<!-- EOF -->