+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Asterisk rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-
-<!-- Asterisk Log messages -->
-<group name="syslog,asterisk,">
- <rule id="6200" level="0">
- <decoded_as>asterisk</decoded_as>
- <description>Asterisk messages grouped.</description>
- </rule>
-
- <rule id="6201" level="0">
- <if_sid>6200</if_sid>
- <match>^NOTICE</match>
- <description>Asterisk notice messages grouped.</description>
- </rule>
-
- <rule id="6202" level="3">
- <if_sid>6200</if_sid>
- <match>^WARN</match>
- <description>Asterisk warning message.</description>
- </rule>
-
- <rule id="6203" level="3">
- <if_sid>6200</if_sid>
- <match>^ERROR</match>
- <description>Asterisk error message.</description>
- </rule>
-
- <rule id="6210" level="5">
- <if_sid>6201</if_sid>
- <match>Wrong password</match>
- <description>Login session failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="6211" level="5">
- <if_sid>6201</if_sid>
- <match>Username/auth name mismatch</match>
- <description>Login session failed (invalid user).</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="6212" level="5">
- <if_sid>6201</if_sid>
- <match>No matching peer found</match>
- <description>Login session failed (invalid extension).</description>
- <group>invalid_login,</group>
- </rule>
-
- <rule id="6250" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6211</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins (user enumeration in process).</description>
- </rule>
-
- <rule id="6251" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6210</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins.</description>
- </rule>
-
- <rule id="6252" level="10" frequency="6" timeframe="300">
- <if_matched_sid>6212</if_matched_sid>
- <same_source_ip />
- <description>Extension enumeration.</description>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
- <rule id="6253" level="5">
- <if_sid>6201</if_sid>
- <match>No registration for peer</match>
- <description>Login session failed (invalid iax user).</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6254" level="10" frequency="3" timeframe="300">
- <if_matched_sid>6253</if_matched_sid>
- <same_source_ip />
- <description>Extension IAX Enumeration.</description>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6255" level="5">
- <if_sid>6202</if_sid>
- <match>Don't know how to respond via</match>
- <description>Possible Registration Hijacking.</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6256" level="5">
- <if_sid>6201</if_sid>
- <match>failed MD5 authentication</match>
- <description>IAX peer Wrong Password.</description>
- <group>invalid_login,</group>
- </rule>
-
- <!--From Javi Benito jabi.benito@gmail.com-->
- <rule id="6257" level="10" frequency="3" timeframe="300">
- <if_matched_sid>6256</if_matched_sid>
- <same_source_ip />
- <description>Multiple failed logins.</description>
- </rule>
-
- <rule id="6258" level="5">
- <if_sid>6201</if_sid>
- <match>No matching peer found|extension not found in context</match>
- <description>Login session failed (invalid extension).</description>
- <group>invalid_login,</group>
- </rule>
-
-</group> <!-- ASTERISK -->
-
-<!-- EOF -->