X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fproftpd_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fproftpd_rules.xml;h=37189da5606d718a51d25d43c3520cece2ace690;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b diff --git a/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml b/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml new file mode 100644 index 0000000..37189da --- /dev/null +++ b/debian/ossec-hids/var/ossec/rules/proftpd_rules.xml 
@@ -0,0 +1,195 @@ + + + + + + + proftpd + Grouping for the proftpd rules. + + + + 11200 + FTP session opened.$ + FTP session opened. + connection_attempt, + + + + 11200 + FTP session closed.$ + FTP session closed. + + + + 11200 + no such user + Attempt to login using a non-existent user. + invalid_login, + + + + 11200 + Incorrect password.$|Login failed + Login failed accessing the FTP server + authentication_failed, + + + + 11200 + Login successful + FTP Authentication success. + authentication_success, + + + + 11200 + Connection from \S+ [\S+] denied + Connection denied by ProFTPD configuration. + access_denied, + + + + 11200 + refused connect from + Connection refused by TCP Wrappers. + access_denied, + + + + 11200 + unable to find open port in PassivePorts range + Small PassivePorts range in config file. + Server misconfiguration. + + + + 11200 + Refused PORT + Attempt to bypass firewall that can't adequately + keep state of FTP traffic. + http://www.kb.cert.org/vuls/id/328867 + US-Cert Note VU#328867: Multiple vendors' firewalls do not adequately keep state of FTP traffic + + + + 11200 + Maximum login attempts + Multiple failed login attempts. + authentication_failures, + + + + 11200 + host name/name mismatch|host name/address mismatch + Mismatch in server's hostname. + + + + 11200 + warning: can't verify hostname: + Reverse lookup error (bad ISP config). + + + + 11200 + connect from + Remote host connected to FTP server. + connection_attempt, + + + + 11200 + FTP no transfer timeout, disconnected + Remote host disconnected due to inactivity. + + + + 11200 + FTP login timed out, disconnected + Remote host disconnected due to login time out. + + + + 11200 + FTP session idle timeout, disconnected + Remote host disconnected due to time out. + + + + 11200 + Data transfer stall timeout: + Data transfer stalled. + + + + 11200 + ProFTPD terminating (signal 11) + FTP process crashed. 
+ service_availability, + + + + 11200 + Reallocating sreaddir buffer + FTP server Buffer overflow attempt. + + + + 11200 + listen() failed in + Unable to bind to adress. + + + + 11200 + error setting IPV6_V6ONLY: Protocol not available| + - mod_delay/|PAM(setcred): System error| + PAM(close_session): System error|cap_set_proc failed|reverting to normal operation|error retrieving information about user + IPv6 error and mod-delay info (ignored). + + + + 11200 + unable to open incoming connection + Couldn't open the incoming connection. + Check log message for reason. + + + + 11204 + + FTP brute force (multiple failed logins). + authentication_failures, + + + + 11201 + + Multiple connection attempts from same source. + recon, + + + + 11215 + + Multiple timed out logins from same source. + + + + + +
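Review bot: The description of the `listen() failed in` rule misspells "address" ("Unable to bind to adress."). Descriptions are what appear in the alert text, so the spelling should be corrected before this lands. A second point in the same hunk: the pattern `connect from` ("Remote host connected to FTP server.") is a substring of `refused connect from` ("Connection refused by TCP Wrappers."), so a TCP Wrappers refusal line satisfies both patterns. Please confirm that the refusal rule is the one that fires for those lines, or tighten the `connect from` pattern so a refused connection is not reported as a plain connection attempt. The `Reallocating sreaddir buffer` rule, described as a buffer overflow attempt, also carries no group label while the neighbouring login and access rules do, and adding one would help anyone filtering alerts by group.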