--- /dev/null
+<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official Asterisk rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<!-- Asterisk Log messages -->
+<group name="syslog,asterisk,">
+ <rule id="6200" level="0">
+ <decoded_as>asterisk</decoded_as>
+ <description>Asterisk messages grouped.</description>
+ </rule>
+
+ <rule id="6201" level="0">
+ <if_sid>6200</if_sid>
+ <match>^NOTICE</match>
+ <description>Asterisk notice messages grouped.</description>
+ </rule>
+
+ <rule id="6202" level="3">
+ <if_sid>6200</if_sid>
+ <match>^WARN</match>
+ <description>Asterisk warning message.</description>
+ </rule>
+
+ <rule id="6203" level="3">
+ <if_sid>6200</if_sid>
+ <match>^ERROR</match>
+ <description>Asterisk error message.</description>
+ </rule>
+
+ <rule id="6210" level="5">
+ <if_sid>6201</if_sid>
+ <match>Wrong password</match>
+ <description>Login session failed.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="6211" level="5">
+ <if_sid>6201</if_sid>
+ <match>Username/auth name mismatch</match>
+ <description>Login session failed (invalid user).</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <rule id="6212" level="5">
+ <if_sid>6201</if_sid>
+ <match>No matching peer found</match>
+ <description>Login session failed (invalid extension).</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <rule id="6250" level="10" frequency="6" timeframe="300">
+ <if_matched_sid>6211</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple failed logins (user enumeration in process).</description>
+ </rule>
+
+ <rule id="6251" level="10" frequency="6" timeframe="300">
+ <if_matched_sid>6210</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple failed logins.</description>
+ </rule>
+
+ <rule id="6252" level="10" frequency="6" timeframe="300">
+ <if_matched_sid>6212</if_matched_sid>
+ <same_source_ip />
+ <description>Extension enumeration.</description>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
+ <rule id="6253" level="5">
+ <if_sid>6201</if_sid>
+ <match>No registration for peer</match>
+ <description>Login session failed (invalid iax user).</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6254" level="10" frequency="3" timeframe="300">
+ <if_matched_sid>6253</if_matched_sid>
+ <same_source_ip />
+ <description>Extension IAX Enumeration.</description>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6255" level="5">
+ <if_sid>6202</if_sid>
+ <match>Don't know how to respond via</match>
+ <description>Possible Registration Hijacking.</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6256" level="5">
+ <if_sid>6201</if_sid>
+ <match>failed MD5 authentication</match>
+ <description>IAX peer Wrong Password.</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <!--From Javi Benito jabi.benito@gmail.com-->
+ <rule id="6257" level="10" frequency="3" timeframe="300">
+ <if_matched_sid>6256</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple failed logins.</description>
+ </rule>
+
+ <rule id="6258" level="5">
+ <if_sid>6201</if_sid>
+ <match>No matching peer found|extension not found in context</match>
+ <description>Login session failed (invalid extension).</description>
+ <group>invalid_login,</group>
+ </rule>
+
+</group> <!-- ASTERISK -->
+
+<!-- EOF -->
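Review bot: Rule 6258 matches the same `No matching peer found` text as rule 6212 under the same parent (6201) at the same level, so whichever of the two is evaluated first consumes every such event, and the correlation rule 6252 (`if_matched_sid` 6212) may then never be fed; the `extension not found in context` messages that only 6258 catches are never counted toward enumeration at all. The smallest fix is to move the alternation into 6212, `<match>No matching peer found|extension not found in context</match>`, and drop 6258, whose description is otherwise identical to 6212's. Separately, none of the frequency rules (6250, 6251, 6252, 6254, 6257) carry a `<group>` tag, so they are only reachable by id from active-response or reporting; adding `<group>authentication_failures,</group>` to each would match how the per-event rules are tagged. The sibling-ordering claim is inferred from how OSSEC loads rules with equal level under one parent and should be confirmed against the loaded ruleset with ossec-logtest before relying on 6252.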