projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / rules / exim_rules.xml
diff --git a/debian/ossec-hids/var/ossec/rules/exim_rules.xml b/debian/ossec-hids/var/ossec/rules/exim_rules.xml
new file mode 100644 (file)
index 0000000..f6147df
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/exim_rules.xml
@@ -0,0 +1,55 @@
+<!-- Authors: Alexandr Garaga
+-  This program is a free software; you can redistribute it
+-  and/or modify it under the terms of the GNU General Public
+-  License (version 2) as published by the FSF - Free Software
+-  Foundation.
+-
+-  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+-->
+
+<group name="exim,">
+    <rule id="13000" level="0">
+      <decoded_as>windows-date-format</decoded_as>
+      <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d SMTP </regex>
+      <description>Exim SMTP Messages Grouped.</description>
+    </rule>
+
+    <rule id="13001" level="0">
+      <decoded_as>windows-date-format</decoded_as>
+      <regex>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d dovecot</regex>
+      <description>dovecot messages grouped.</description>
+    </rule>
+
+    <rule id="13006" level="5">
+      <if_sid>13001</if_sid>
+      <match>authenticator failed</match>
+      <description>Exim Auth failed</description>
+      <group>invalid_login,authentication_failed,</group>
+    </rule>
+
+    <rule id="13007" level="10" frequency="6" timeframe="240">
+      <if_matched_sid>13006</if_matched_sid>
+      <same_source_ip />
+      <description>Exim brute force attack (multiple auth failures).</description>
+      <group>authentication_failures,</group>
+    </rule>
+
+    <rule id="13008" level="0">
+      <if_sid>13000</if_sid>
+      <match>connection count =</match>
+      <description>Exim connection</description>
+    </rule>
+
+    <rule id="13009" level="1">
+      <if_sid>13000</if_sid>
+      <match>lost$</match>
+      <description>Exim connection lost</description>
+    </rule>
+
+    <rule id="13010" level="5">
+      <if_sid>13000</if_sid>
+      <match>dropped: too many syntax or protocol errors</match>
+      <description>Exim syntax or protocol errors</description>
+    </rule>
+
+</group>
ossec-hids