+++ /dev/null
-<!-- @(#) $Id: ./etc/rules/wordpress_rules.xml, 2011/09/08 dcid Exp $
-
- - Official Wordpress rules for OSSEC.
- -
- - Author: Daniel B. Cid
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 3) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
-<group name="syslog,wordpress,">
- <rule id="9500" level="0">
- <decoded_as>wordpress</decoded_as>
- <description>Wordpress messages grouped.</description>
- </rule>
-
- <rule id="9501" level="5">
- <if_sid>9500</if_sid>
- <match>User authentication failed</match>
- <description>Wordpress authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="9502" level="3">
- <if_sid>9500</if_sid>
- <match>User logged in</match>
- <description>Wordpress authentication succeeded.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="9503" level="3">
- <if_sid>9500</if_sid>
- <match>WPsyslog was successfully initiali</match>
- <description>WPsyslog was successfully initialized.</description>
- </rule>
-
- <rule id="9504" level="3">
- <if_sid>9500</if_sid>
- <match>Plugin deactivated</match>
- <description>Wordpress plugin deactivated.</description>
- </rule>
-
- <rule id="9505" level="7">
- <if_sid>9500</if_sid>
- <match>Warning: Comment flood attempt</match>
- <description>Wordpress Comment Flood Attempt.</description>
- </rule>
-
- <rule id="9510" level="7">
- <if_sid>9500</if_sid>
- <match>Warning: IDS:</match>
- <description>Attack against Wordpress detected.</description>
- </rule>
-
- <rule id="9551" level="10">
- <if_matched_sid>9501</if_matched_sid>
- <same_source_ip />
- <description>Multiple wordpress authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
-
-</group>
-
-
-<!-- EOF -->