--- /dev/null
+<!-- @(#) $Id: ./etc/rules/imapd_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official imapd rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<var name="IMAPD_FREQ">6</var>
+
+<group name="syslog,imapd,">
+ <rule id="3600" level="0" noalert="1">
+ <decoded_as>imapd</decoded_as>
+ <description>Grouping of the imapd rules.</description>
+ </rule>
+
+ <rule id="3601" level="5">
+ <if_sid>3600</if_sid>
+ <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
+ <description>Imapd user login failed.</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="3602" level="3">
+ <if_sid>3600</if_sid>
+ <match>Authenticated user=</match>
+ <description>Imapd user login.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="3603" level="0">
+ <if_sid>3600</if_sid>
+ <match>Logout user=</match>
+ <description>Imapd user logout.</description>
+ </rule>
+
+ <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
+ <if_matched_sid>3601</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple failed logins from same source ip.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+</group> <!-- SYSLOG,IMAPD -->