X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fcpanel.ini;fp=debian%2Fossec-hids%2Fusr%2Fshare%2Fdoc%2Fossec-hids%2Fcontrib%2Fossec-testing%2Ftests%2Fcpanel.ini;h=ae036efda5d7d5527fa1b3800a78e01fe95f1284;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini
new file mode 100644
index 0000000..ae036ef
--- /dev/null
+++ b/debian/ossec-hids/usr/share/doc/ossec-hids/contrib/ossec-testing/tests/cpanel.ini
@@ -0,0 +1,38 @@
+[successful login]
+log 1 fail = [2016-04-18 13:07:02 -0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
+log 2 fail = [2016-04-18 13:07:15 -0400] info [cpsrvd] 10.1.5.19 - reseller (possessor: root) - SUCCESS LOGIN cpaneld
+log 3 fail = [2016-04-18 13:08:27 -0400] info [cpsrvd] 10.1.5.19 - emailaccount@reseller.com (possessor: reseller) - SUCCESS LOGIN webmaild
+
+rule = 11007
+alert = 3
+decoder = postgresql_log
+
+
+[cpanel attacks]
+log 1 fail = [2017-01-25 06:01:10 -0500] info [cpsrvd] 10.1.5.19 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
+
+rule = 11001
+alert = 5
+decoder = postgresql_log
+
+[cpanel attacks 2]
+log 1 fail = [2016-11-18 09:32:19 +0000] info [cpsrvd] 10.1.5.19 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: user password hash is missing from system (user probably does not exist)
+
+rule = 11000
+alert = 5
+decoder = cpanel-login
+
+[successful login 2]
+log 1 fail = [2016-04-18 13:07:02 +0400] info [cpsrvd] 10.1.5.19 - root - SUCCESS LOGIN whostmgrd
+
+rule = 11006
+alert = 3
+decoder = cpanel-login
+
+[session purge]
+log 1 fail = [2017-01-25 06:15:38 -0500] info [cpsrvd] 10.1.5.19 PURGE root:Nmm4xzhSpA2Sddv3 logout
+
+rule = 11009
+alert = 3
+decoder = postgresql_log
+