+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/postfix_rules.xml, 2011/09/08 dcid Exp $
-
- - Official postfix rules for OSSEC.
- - Author: Ahmet Ozturk
- - Author: Daniel B. Cid
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-<var name="POSTFIX_FREQ">6</var>
-
-<group name="syslog,postfix,">
- <rule id="3300" level="0">
- <decoded_as>postfix-reject</decoded_as>
- <description>Grouping of the postfix reject rules.</description>
- </rule>
-
- <rule id="3301" level="6">
- <if_sid>3300</if_sid>
- <id>^554$</id>
- <description>Attempt to use mail server as relay </description>
- <description>(client host rejected).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3302" level="6">
- <if_sid>3300</if_sid>
- <id>^550$</id>
- <description>Rejected by access list </description>
- <description>(Requested action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3303" level="5">
- <if_sid>3300</if_sid>
- <id>^450$</id>
- <description>Sender domain is not found </description>
- <description>(450: Requested mail action not taken).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3304" level="5">
- <if_sid>3300</if_sid>
- <id>^503$</id>
- <description>Improper use of SMTP command pipelining </description>
- <description>(503: Bad sequence of commands).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3305" level="5">
- <if_sid>3300</if_sid>
- <id>^504$</id>
- <description>Recipient address must contain FQDN </description>
- <description>(504: Command parameter not implemented).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3306" level="6">
- <if_sid>3301, 3302</if_sid>
- <match> blocked using </match>
- <description>IP Address deny-listed by anti-spam (blocked).</description>
- <group>spam,</group>
- </rule>
-
- <rule id="3320" level="0">
- <decoded_as>postfix</decoded_as>
- <description>Grouping of the postfix rules.</description>
- </rule>
-
- <rule id="3330" level="10" ignore="240">
- <if_sid>3320</if_sid>
- <match>defer service failure|Resource temporarily unavailable|</match>
- <match>^fatal: the Postfix mail system is not running</match>
- <description>Postfix process error.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3332" level="5">
- <if_sid>3320</if_sid>
- <match> authentication failed</match>
- <description>Postfix SASL authentication failure.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="3331" level="10" ignore="120">
- <if_sid>3300</if_sid>
- <id>^452</id>
- <description>Postfix insufficient disk space error.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3334" level="3">
- <if_sid>3320</if_sid>
- <match>^daemon started </match>
- <description>Postfix started.</description>
- </rule>
-
- <rule id="3333" level="7">
- <if_sid>3320</if_sid>
- <match>^terminating on signal</match>
- <description>Postfix stopped.</description>
- <group>service_availability,</group>
- </rule>
-
- <rule id="3351" level="6" frequency="$POSTFIX_FREQ" timeframe="90">
- <if_matched_sid>3301</if_matched_sid>
- <same_source_ip />
- <description>Multiple relaying attempts of spam.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3352" level="6" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3302</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from a </description>
- <description>rejected sender IP (access).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3303</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from </description>
- <description>invalid/unknown sender domain.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3354" level="12" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3304</if_matched_sid>
- <same_source_ip />
- <description>Multiple misuse of SMTP service </description>
- <description>(bad sequence of commands).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3355" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
- <if_matched_sid>3305</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail to </description>
- <description>invalid recipient or from unknown sender domain.</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3356" level="10" frequency="$POSTFIX_FREQ" timeframe="120" ignore="30">
- <if_matched_sid>3306</if_matched_sid>
- <same_source_ip />
- <description>Multiple attempts to send e-mail from </description>
- <description>deny-listed IP address (blocked).</description>
- <group>multiple_spam,</group>
- </rule>
-
- <rule id="3357" level="10" frequency="6" timeframe="120" ignore="60">
- <if_matched_sid>3332</if_matched_sid>
- <same_source_ip />
- <description>Multiple SASL authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="3390" level="0">
- <match>^clamsmtpd: </match>
- <description>Grouping of the clamsmtpd rules.</description>
- </rule>
-</group> <!-- SYSLOG,POSTFIX -->