1 <!-- @(#) $Id: ./etc/rules/proftpd_rules.xml, 2011/09/08 dcid Exp $
3 - Official Proftpd rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
18 <group name="syslog,proftpd,">
19 <rule id="11200" level="0" noalert="1">
20 <decoded_as>proftpd</decoded_as>
21 <description>Grouping for the proftpd rules.</description>
24 <rule id="11201" level="3">
25 <if_sid>11200</if_sid>
26 <match>FTP session opened.$</match>
27 <description>FTP session opened.</description>
28 <group>connection_attempt,</group>
31 <rule id="11202" level="0">
32 <if_sid>11200</if_sid>
33 <match>FTP session closed.$</match>
34 <description>FTP session closed.</description>
37 <rule id="11203" level="5">
38 <if_sid>11200</if_sid>
39 <match> no such user </match>
40 <description>Attempt to login using a non-existent user.</description>
41 <group>invalid_login,</group>
44 <rule id="11204" level="5">
45 <if_sid>11200</if_sid>
46 <match>Incorrect password.$|Login failed</match>
47 <description>Login failed accessing the FTP server</description>
48 <group>authentication_failed,</group>
51 <rule id="11205" level="3">
52 <if_sid>11200</if_sid>
53 <match>Login successful</match>
54 <description>FTP Authentication success.</description>
55 <group>authentication_success,</group>
58 <rule id="11206" level="5">
59 <if_sid>11200</if_sid>
60 <regex>Connection from \S+ [\S+] denied</regex>
61 <description>Connection denied by ProFTPD configuration.</description>
62 <group>access_denied,</group>
65 <rule id="11207" level="5">
66 <if_sid>11200</if_sid>
67 <match>refused connect from</match>
68 <description>Connection refused by TCP Wrappers.</description>
69 <group>access_denied,</group>
72 <rule id="11208" level="4">
73 <if_sid>11200</if_sid>
74 <match>unable to find open port in PassivePorts range</match>
75 <description>Small PassivePorts range in config file. </description>
76 <description>Server misconfiguration.</description>
79 <rule id="11209" level="14">
80 <if_sid>11200</if_sid>
81 <match>Refused PORT </match>
82 <description>Attempt to bypass firewall that can't adequately</description>
83 <description> keep state of FTP traffic.</description>
84 <info type="link">http://www.kb.cert.org/vuls/id/328867</info>
85 <info type="text">US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic</info>
88 <rule id="11210" level="10">
89 <if_sid>11200</if_sid>
90 <match>Maximum login attempts </match>
91 <description>Multiple failed login attempts.</description>
92 <group>authentication_failures,</group>
95 <rule id="11211" level="4">
96 <if_sid>11200</if_sid>
97 <match>host name/name mismatch|host name/address mismatch</match>
98 <description>Mismatch in server's hostname.</description>
101 <rule id="11212" level="5">
102 <if_sid>11200</if_sid>
103 <match>warning: can't verify hostname: </match>
104 <description>Reverse lookup error (bad ISP config).</description>
107 <rule id="11213" level="3">
108 <if_sid>11200</if_sid>
109 <match>connect from </match>
110 <description>Remote host connected to FTP server.</description>
111 <group>connection_attempt,</group>
114 <rule id="11214" level="3">
115 <if_sid>11200</if_sid>
116 <match>FTP no transfer timeout, disconnected</match>
117 <description>Remote host disconnected due to inactivity.</description>
120 <rule id="11215" level="3">
121 <if_sid>11200</if_sid>
122 <match>FTP login timed out, disconnected</match>
123 <description>Remote host disconnected due to login time out.</description>
126 <rule id="11216" level="3">
127 <if_sid>11200</if_sid>
128 <match>FTP session idle timeout, disconnected</match>
129 <description>Remote host disconnected due to time out.</description>
132 <rule id="11217" level="3">
133 <if_sid>11200</if_sid>
134 <match>Data transfer stall timeout:</match>
135 <description>Data transfer stalled.</description>
138 <rule id="11218" level="12">
139 <if_sid>11200</if_sid>
140 <match>ProFTPD terminating (signal 11)</match>
141 <description>FTP process crashed.</description>
142 <group>service_availability,</group>
145 <rule id="11219" level="12">
146 <if_sid>11200</if_sid>
147 <match>Reallocating sreaddir buffer</match>
148 <description>FTP server Buffer overflow attempt.</description>
151 <rule id="11220" level="4">
152 <if_sid>11200</if_sid>
153 <match>listen() failed in</match>
154 <description>Unable to bind to adress.</description>
157 <rule id="11221" level="0">
158 <if_sid>11200</if_sid>
159 <match>error setting IPV6_V6ONLY: Protocol not available|</match>
160 <match> - mod_delay/|PAM(setcred): System error|</match>
161 <match>PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user</match>
162 <description>IPv6 error and mod-delay info (ignored).</description>
165 <rule id="11251" level="10" frequency="6" timeframe="120">
166 <if_matched_sid>11204</if_matched_sid>
168 <description>FTP brute force (multiple failed logins).</description>
169 <group>authentication_failures,</group>
172 <rule id="11252" level="10" frequency="10" timeframe="60">
173 <if_matched_sid>11201</if_matched_sid>
175 <description>Multiple connection attempts from same source.</description>
176 <group>recon,</group>
179 <rule id="11253" level="10" frequency="10" timeframe="120">
180 <if_matched_sid>11215</if_matched_sid>
182 <description>Multiple timed out logins from same source.</description>
185 </group> <!-- SYSLOG,PROFTPD -->
projects / ossec-hids.git / blob