X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=contrib%2Fossec-testing%2Ftests%2Fdovecot.ini;fp=contrib%2Fossec-testing%2Ftests%2Fdovecot.ini;h=691bc82b1ab463e090da6488b6894b1e4dba9e9f;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b diff --git a/contrib/ossec-testing/tests/dovecot.ini b/contrib/ossec-testing/tests/dovecot.ini new file mode 100644 index 0000000..691bc82 --- /dev/null +++ b/contrib/ossec-testing/tests/dovecot.ini @@ -0,0 +1,81 @@ +[auth failed] +log 1 pass = Dec 19 06:21:06 ny dovecot: imap-login: Disconnected (auth failed, 7 attempts in 111 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=<+hgd5vxDBMZtycjJ> +log 2 pass = Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user +log 3 pass = Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module + +rule = 9705 +alert = 5 +decoder = dovecot + +[dovecot is starting] +log 1 pass = Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled) + +rule = 9703 +alert = 3 +decoder = dovecot + +[fatal error] +log 1 pass = Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap' +log 2 pass = Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down + +rule = 9704 +alert = 2 +decoder = dovecot + +[user authentication failure] +log 1 pass = Jun 23 15:04:05 Info: imap-login: Login: user=, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure: + +rule = 9770 +alert = 0 +decoder = dovecot-info + +[dovecot auth failed] +log 1 pass = Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch + +rule = 9702 +alert = 5 +decoder = dovecot + +[XXX nothing] +log 1 fail = Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb +log 3 fail = May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured + +rule = 1002 +alert = 2 +decoder = + +[XXX unknown 1002] +log 1 pass = Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module + +rule = 9771 +alert = 5 +decoder = dovecot-info + +[session disconnected] +log 1 pass = Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5 + +rule = 9706 +alert = 3 +decoder = dovecot + +[aborted login] +log 1 pass = Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5 + +rule = 9707 +alert = 5 +decoder = dovecot + +[XXX logged out] +log 1 fail = Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566 + +rule = 1002 +alert = 2 +decoder = dovecot-info + +[unknown user] +log 1 pass = Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user + +rule = 9771 +alert = 5 +decoder = dovecot-info +