--- /dev/null
+<!-- @(#) $Id: ./etc/rules/vpopmail_rules.xml, 2011/09/08 dcid Exp $
+
+ - Official rules for vpopmail.
+ -
+ - Author: Ceg Ryan <cegryan ( at ) gmail.com>
+ - License: http://www.ossec.net/en/licensing.html
+ -->
+
+
+<group name="syslog,vpopmail,">
+ <rule id="9900" level="0">
+ <decoded_as>vpopmail</decoded_as>
+ <description>Grouping for the vpopmail rules.</description>
+ </rule>
+
+ <rule id="9901" level="5">
+ <if_sid>9900</if_sid>
+ <match> password fail </match>
+ <group>authentication_failed,</group>
+ <description>Login failed for vpopmail.</description>
+ </rule>
+
+ <rule id="9902" level="5">
+ <if_sid>9900</if_sid>
+ <match> vpopmail user not found </match>
+ <group>invalid_login,</group>
+ <description>Attempt to login to vpopmail with invalid username.</description>
+ </rule>
+
+ <rule id="9903" level="5">
+ <if_sid>9900</if_sid>
+ <match> null password given </match>
+ <group>authentication_failed,</group>
+ <description>Attempt to login to vpopmail with empty password.</description>
+ </rule>
+
+ <rule id="9904" level="1">
+ <if_sid>9900</if_sid>
+ <match> login success </match>
+ <group>authentication_success,</group>
+ <description>Vpopmail successful login.</description>
+ </rule>
+
+
+ <rule id="9951" level="10" frequency="8" timeframe="240">
+ <if_matched_sid>9901</if_matched_sid>
+ <same_source_ip />
+ <description>Vpopmail brute force (multiple failed logins).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="9952" level="10" frequency="8" timeframe="240">
+ <if_matched_sid>9902</if_matched_sid>
+ <same_source_ip />
+ <description>Vpopmail brute force (email harvesting).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+ <rule id="9953" level="10" frequency="8" timeframe="240">
+ <if_matched_sid>9903</if_matched_sid>
+ <same_source_ip />
+ <description>VPOPMAIL brute force (empty password).</description>
+ <group>authentication_failures,</group>
+ </rule>
+
+</group>
+
+<!-- EOF -->