--- /dev/null
+<!-- @(#) $Id: ./etc/rules/vmpop3d_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official rules for vm-pop3d.
+ -
+ - License: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<group name="syslog,vm-pop3d,">
+ <rule id="9800" level="0" noalert="1">
+ <decoded_as>vm-pop3d</decoded_as>
+ <description>Grouping for the vm-pop3d rules.</description>
+ </rule>
+
+ <rule id="9801" level="5">
+ <if_sid>9800</if_sid>
+ <match>failed auth</match>
+ <group>authentication_failed,</group>
+ <description>Login failed accessing the pop3 server.</description>
+ </rule>
+
+ <rule id="9820" level="10" frequency="6" timeframe="240">
+ <if_matched_sid>9801</if_matched_sid>
+ <same_source_ip />
+ <description>POP3 brute force (multiple failed logins).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+</group>
+
+
+<!-- EOF -->