--- /dev/null
+<!-- Copyright (C) 2009 Michael Starks
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 3) as published by the FSF - Free Software
+ - Foundation.
+ -->
+
+
+<group name="dovecot,">
+<rule id="9700" level="0">
+ <decoded_as>dovecot</decoded_as>
+ <description>Dovecot Messages Grouped.</description>
+</rule>
+
+<rule id="9701" level="3">
+ <if_sid>9700</if_sid>
+ <match>login: Login: </match>
+ <description>Dovecot Authentication Success.</description>
+ <group>authentication_success,</group>
+</rule>
+
+<rule id="9702" level="5">
+ <if_sid>9700</if_sid>
+ <match>Password mismatch$</match>
+ <description>Dovecot Authentication Failed.</description>
+ <group>authentication_failed,</group>
+</rule>
+
+<rule id="9703" level="3">
+ <if_sid>9700</if_sid>
+ <match>starting up</match>
+ <description>Dovecot is Starting Up.</description>
+</rule>
+
+<rule id="9704" level="2">
+ <if_sid>9700</if_sid>
+ <match>^Fatal: </match>
+ <options>alert_by_email</options>
+ <description>Dovecot Fatal Failure.</description>
+</rule>
+
+<rule id="9705" level="5">
+ <if_sid>9700</if_sid>
+ <match>user not found|User not known|unknown user|auth failed</match>
+ <description>Dovecot Invalid User Login Attempt.</description>
+ <group>invalid_login,authentication_failed,</group>
+</rule>
+
+<rule id="9706" level="3">
+ <if_sid>9700</if_sid>
+ <match>: Disconnected: </match>
+ <description>Dovecot Session Disconnected.</description>
+</rule>
+
+<rule id="9707" level="5">
+ <if_sid>9700</if_sid>
+ <match>: Aborted login</match>
+ <description>Dovecot Aborted Login.</description>
+ <group>invalid_login,</group>
+</rule>
+
+
+<!-- Composite rules -->
+<rule id="9750" level="10" frequency="6" timeframe="120">
+ <if_matched_sid>9702</if_matched_sid>
+ <same_source_ip />
+ <description>Dovecot Multiple Authentication Failures.</description>
+ <group>authentication_failures,</group>
+</rule>
+
+<rule id="9751" level="10" frequency="6" timeframe="240">
+ <if_matched_sid>9705</if_matched_sid>
+ <same_source_ip />
+ <description>Dovecot brute force attack (multiple auth failures).</description>
+ <group>authentication_failures,</group>
+</rule>
+
+<rule id="9770" level="0">
+ <decoded_as>dovecot-info</decoded_as>
+ <description>dovecot-info grouping.</description>
+</rule>
+
+<rule id="9771" level="5">
+ <if_sid>9770</if_sid>
+ <match>user not found|User not known|unknown user|auth failed</match>
+ <description>Dovecot Invalid User Login Attempt.</description>
+ <group>invalid_login,authentication_failed,</group>
+</rule>
+
+
+</group>