+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/vpopmail_rules.xml, 2011/09/08 dcid Exp $
-
- - Official rules for vpopmail.
- -
- - Author: Ceg Ryan <cegryan ( at ) gmail.com>
- - License: http://www.ossec.net/en/licensing.html
- -->
-
-
-<group name="syslog,vpopmail,">
- <rule id="9900" level="0">
- <decoded_as>vpopmail</decoded_as>
- <description>Grouping for the vpopmail rules.</description>
- </rule>
-
- <rule id="9901" level="5">
- <if_sid>9900</if_sid>
- <match> password fail </match>
- <group>authentication_failed,</group>
- <description>Login failed for vpopmail.</description>
- </rule>
-
- <rule id="9902" level="5">
- <if_sid>9900</if_sid>
- <match> vpopmail user not found </match>
- <group>invalid_login,</group>
- <description>Attempt to login to vpopmail with invalid username.</description>
- </rule>
-
- <rule id="9903" level="5">
- <if_sid>9900</if_sid>
- <match> null password given </match>
- <group>authentication_failed,</group>
- <description>Attempt to login to vpopmail with empty password.</description>
- </rule>
-
- <rule id="9904" level="1">
- <if_sid>9900</if_sid>
- <match> login success </match>
- <group>authentication_success,</group>
- <description>Vpopmail successful login.</description>
- </rule>
-
-
- <rule id="9951" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9901</if_matched_sid>
- <same_source_ip />
- <description>Vpopmail brute force (multiple failed logins).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="9952" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9902</if_matched_sid>
- <same_source_ip />
- <description>Vpopmail brute force (email harvesting).</description>
- <group>authentication_failures,</group>
- </rule>
-
- <rule id="9953" level="10" frequency="8" timeframe="240">
- <if_matched_sid>9903</if_matched_sid>
- <same_source_ip />
- <description>VPOPMAIL brute force (empty password).</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group>
-
-<!-- EOF -->
projects / ossec-hids.git / blobdiff