projects / ossec-hids.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
new upstream release (3.3.0); modify package compatibility for Stretch
[ossec-hids.git] / debian / ossec-hids / var / ossec / rules / vsftpd_rules.xml
diff --git a/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml
new file mode 100644 (file)
index 0000000..250b26a
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/vsftpd_rules.xml
@@ -0,0 +1,62 @@
+<!-- @(#) $Id: ./etc/rules/vsftpd_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Official vsftpd rules for OSSEC.
+  -  Author: Joachim Vorrath <joachim.vorrath@vorrath-net.de>
+  -  Author: Jorge Augusto Senger <jorge@br10.com.br>
+  -  Author: Daniel B. Cid
+  -  License: http://www.ossec.net/en/licensing.html
+  -->
+      
+
+<group name="syslog,vsftpd,">
+  <rule id="11400" level="0" noalert="1">
+    <decoded_as>vsftpd</decoded_as>
+    <description>Grouping for the vsftpd rules.</description>
+  </rule>
+  
+  <rule id="11401" level="3">
+    <if_sid>11400</if_sid>
+    <match>CONNECT: Client</match>
+    <group>connection_attempt</group>
+    <description>FTP session opened.</description>
+  </rule>
+
+  <rule id="11402" level="3">
+    <if_sid>11400</if_sid>
+    <match>OK LOGIN: </match>
+    <description>FTP Authentication success.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="11403" level="5">
+    <if_sid>11400</if_sid>
+    <match>FAIL LOGIN: </match>
+    <description>Login failed accessing the FTP server.</description>
+    <group>authentication_failed,</group>
+  </rule>
+  
+  <rule id="11404" level="0">
+    <if_sid>11400</if_sid>
+    <match>OK UPLOAD: </match>
+    <description>FTP server file upload.</description>
+  </rule>
+  
+  <rule id="11451" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>11403</if_matched_sid>
+    <same_source_ip />
+    <description>FTP brute force (multiple failed logins).</description>
+    <group>authentication_failures,</group>
+  </rule>
+
+  <rule id="11452" level="10" frequency="10" timeframe="60">
+    <if_matched_sid>11401</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple FTP connection attempts from </description>
+    <description>same source IP.</description>
+    <group>recon,</group>
+  </rule>
+            
+</group> <!-- SYSLOG,VSFTPD -->
+
+
+<!-- EOF -->
ossec-hids