--- /dev/null
+<!-- @(#) $Id: ./etc/rules/proftpd_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official Proftpd rules for OSSEC.
+ -
+ - Copyright (C) 2009 Trend Micro Inc.
+ - All rights reserved.
+ -
+ - This program is a free software; you can redistribute it
+ - and/or modify it under the terms of the GNU General Public
+ - License (version 2) as published by the FSF - Free Software
+ - Foundation.
+ -
+ - License details: http://www.ossec.net/en/licensing.html
+ -->
+
+
+
+<group name="syslog,proftpd,">
+ <rule id="11200" level="0" noalert="1">
+ <decoded_as>proftpd</decoded_as>
+ <description>Grouping for the proftpd rules.</description>
+ </rule>
+
+ <rule id="11201" level="3">
+ <if_sid>11200</if_sid>
+ <match>FTP session opened.$</match>
+ <description>FTP session opened.</description>
+ <group>connection_attempt,</group>
+ </rule>
+
+ <rule id="11202" level="0">
+ <if_sid>11200</if_sid>
+ <match>FTP session closed.$</match>
+ <description>FTP session closed.</description>
+ </rule>
+
+ <rule id="11203" level="5">
+ <if_sid>11200</if_sid>
+ <match> no such user </match>
+ <description>Attempt to login using a non-existent user.</description>
+ <group>invalid_login,</group>
+ </rule>
+
+ <rule id="11204" level="5">
+ <if_sid>11200</if_sid>
+ <match>Incorrect password.$|Login failed</match>
+ <description>Login failed accessing the FTP server</description>
+ <group>authentication_failed,</group>
+ </rule>
+
+ <rule id="11205" level="3">
+ <if_sid>11200</if_sid>
+ <match>Login successful</match>
+ <description>FTP Authentication success.</description>
+ <group>authentication_success,</group>
+ </rule>
+
+ <rule id="11206" level="5">
+ <if_sid>11200</if_sid>
+ <regex>Connection from \S+ [\S+] denied</regex>
+ <description>Connection denied by ProFTPD configuration.</description>
+ <group>access_denied,</group>
+ </rule>
+
+ <rule id="11207" level="5">
+ <if_sid>11200</if_sid>
+ <match>refused connect from</match>
+ <description>Connection refused by TCP Wrappers.</description>
+ <group>access_denied,</group>
+ </rule>
+
+ <rule id="11208" level="4">
+ <if_sid>11200</if_sid>
+ <match>unable to find open port in PassivePorts range</match>
+ <description>Small PassivePorts range in config file. </description>
+ <description>Server misconfiguration.</description>
+ </rule>
+
+ <rule id="11209" level="14">
+ <if_sid>11200</if_sid>
+ <match>Refused PORT </match>
+ <description>Attempt to bypass firewall that can't adequately</description>
+ <description> keep state of FTP traffic.</description>
+ <info type="link">http://www.kb.cert.org/vuls/id/328867</info>
+ <info type="text">US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic</info>
+ </rule>
+
+ <rule id="11210" level="10">
+ <if_sid>11200</if_sid>
+ <match>Maximum login attempts </match>
+ <description>Multiple failed login attempts.</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="11211" level="4">
+ <if_sid>11200</if_sid>
+ <match>host name/name mismatch|host name/address mismatch</match>
+ <description>Mismatch in server's hostname.</description>
+ </rule>
+
+ <rule id="11212" level="5">
+ <if_sid>11200</if_sid>
+ <match>warning: can't verify hostname: </match>
+ <description>Reverse lookup error (bad ISP config).</description>
+ </rule>
+
+ <rule id="11213" level="3">
+ <if_sid>11200</if_sid>
+ <match>connect from </match>
+ <description>Remote host connected to FTP server.</description>
+ <group>connection_attempt,</group>
+ </rule>
+
+ <rule id="11214" level="3">
+ <if_sid>11200</if_sid>
+ <match>FTP no transfer timeout, disconnected</match>
+ <description>Remote host disconnected due to inactivity.</description>
+ </rule>
+
+ <rule id="11215" level="3">
+ <if_sid>11200</if_sid>
+ <match>FTP login timed out, disconnected</match>
+ <description>Remote host disconnected due to login time out.</description>
+ </rule>
+
+ <rule id="11216" level="3">
+ <if_sid>11200</if_sid>
+ <match>FTP session idle timeout, disconnected</match>
+ <description>Remote host disconnected due to time out.</description>
+ </rule>
+
+ <rule id="11217" level="3">
+ <if_sid>11200</if_sid>
+ <match>Data transfer stall timeout:</match>
+ <description>Data transfer stalled.</description>
+ </rule>
+
+ <rule id="11218" level="12">
+ <if_sid>11200</if_sid>
+ <match>ProFTPD terminating (signal 11)</match>
+ <description>FTP process crashed.</description>
+ <group>service_availability,</group>
+ </rule>
+
+ <rule id="11219" level="12">
+ <if_sid>11200</if_sid>
+ <match>Reallocating sreaddir buffer</match>
+ <description>FTP server Buffer overflow attempt.</description>
+ </rule>
+
+ <rule id="11220" level="4">
+ <if_sid>11200</if_sid>
+ <match>listen() failed in</match>
+ <description>Unable to bind to adress.</description>
+ </rule>
+
+ <rule id="11221" level="0">
+ <if_sid>11200</if_sid>
+ <match>error setting IPV6_V6ONLY: Protocol not available|</match>
+ <match> - mod_delay/|PAM(setcred): System error|</match>
+ <match>PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user</match>
+ <description>IPv6 error and mod-delay info (ignored).</description>
+ </rule>
+
+ <rule id="11222" level="4">
+ <if_sid>11200</if_sid>
+ <match>unable to open incoming connection</match>
+ <description>Couldn't open the incoming connection. </description>
+ <description>Check log message for reason.</description>
+ </rule>
+
+ <rule id="11251" level="10" frequency="6" timeframe="120">
+ <if_matched_sid>11204</if_matched_sid>
+ <same_source_ip />
+ <description>FTP brute force (multiple failed logins).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="11252" level="10" frequency="10" timeframe="60">
+ <if_matched_sid>11201</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple connection attempts from same source.</description>
+ <group>recon,</group>
+ </rule>
+
+ <rule id="11253" level="10" frequency="10" timeframe="120">
+ <if_matched_sid>11215</if_matched_sid>
+ <same_source_ip />
+ <description>Multiple timed out logins from same source.</description>
+ </rule>
+
+</group> <!-- SYSLOG,PROFTPD -->
+
+
+<!-- EOF -->