X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsendmail_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fsendmail_rules.xml;h=91b4f4f8373a87e0cf0d3b5656797b23de7bc965;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml b/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml
new file mode 100644
index 0000000..91b4f4f
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/sendmail_rules.xml
@@ -0,0 +1,150 @@
+<!-- @(#) $Id: ./etc/rules/sendmail_rules.xml, 2011/09/08 dcid Exp $
+
+  -  Official sendmail rules for OSSEC.
+  -  Author: Ahmet Ozturk
+  -  Author: Daniel B. Cid
+  -  License: http://www.ossec.net/en/licensing.html
+  -->
+      
+
+<group name="syslog,sendmail,">
+  <rule id="3100" level="0">
+    <decoded_as>sendmail-reject</decoded_as>
+    <description>Grouping of the sendmail rules.</description>
+  </rule>
+
+  <rule id="3101" level="0" noalert="1">
+    <if_sid>3100</if_sid>
+    <match>reject=</match>
+    <description>Grouping of the sendmail reject rules.</description>
+  </rule>
+  
+  <rule id="3102" level="5">
+    <if_sid>3101</if_sid>
+    <match>reject=451 4.1.8 </match>
+    <description>Sender domain does not have any valid </description>
+    <description>MX record (Requested action aborted).</description>
+    <group>spam,</group>
+  </rule>
+
+  <rule id="3103" level="6">
+    <if_sid>3101</if_sid>
+    <match>reject=550 5.0.0 |reject=553 5.3.0</match>
+    <description>Rejected by access list </description>
+    <description>(55x: Requested action not taken).</description>
+    <group>spam,</group>
+  </rule>
+
+  <rule id="3104" level="6">
+    <if_sid>3101</if_sid>
+    <match>reject=550 5.7.1 </match>
+    <description>Attempt to use mail server as relay </description>
+    <description>(550: Requested action not taken).</description>
+    <group>spam,</group>
+  </rule>
+
+  <rule id="3105" level="5">
+    <if_sid>3101</if_sid>
+    <match>reject=553 5.1.8 </match>
+    <description>Sender domain is not found </description>
+    <description> (553: Requested action not taken).</description>
+    <group>spam,</group>
+  </rule>
+
+  <rule id="3106" level="5">
+    <if_sid>3101</if_sid>
+    <match>reject=553 5.5.4 </match>
+    <description>Sender address does not have domain </description>
+    <description>(553: Requested action not taken).</description>
+    <group>spam,</group>
+  </rule>
+
+  <rule id="3107" level="4">
+    <if_sid>3101</if_sid>
+    <description>Sendmail rejected message.</description>
+  </rule>
+  
+  <rule id="3108" level="6">
+    <if_sid>3100</if_sid>
+    <match>rejecting commands from</match>
+    <description>Sendmail rejected due to pre-greeting.</description>
+    <group>spam,</group>
+  </rule>
+  
+  <rule id="3109" level="8">
+    <if_sid>3100</if_sid>
+    <match>savemail panic</match>
+    <description>Sendmail save mail panic.</description>
+    <group>system_error,</group>
+  </rule>
+  
+  <rule id="3151" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>3102</if_matched_sid>
+    <same_source_ip />
+    <description>Sender domain has bogus MX record. </description>
+    <description>It should not be sending e-mail.</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+  <rule id="3152" level="6" frequency="6" timeframe="120">
+    <if_matched_sid>3103</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple attempts to send e-mail from a </description>
+    <description>previously rejected sender (access).</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+  <rule id="3153" level="6" frequency="6" timeframe="120">
+    <if_matched_sid>3104</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple relaying attempts of spam.</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+  <rule id="3154" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>3105</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple attempts to send e-mail </description>
+    <description>from invalid/unknown sender domain.</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+  <rule id="3155" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>3106</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple attempts to send e-mail from </description>
+    <description>invalid/unknown sender.</description>
+    <group>multiple_spam,</group>
+  </rule>
+  
+  <rule id="3156" level="10" frequency="10" timeframe="120">
+    <if_matched_sid>3107</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple rejected e-mails from same source ip.</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+  <rule id="3158" level="10" frequency="6" timeframe="120">
+    <if_matched_sid>3108</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple pre-greetings rejects.</description>
+    <group>multiple_spam,</group>
+  </rule>
+
+
+   <!-- Rules for SMF-SAV -->
+   <rule id="3190" level="0">
+     <decoded_as>smf-sav-reject</decoded_as>
+     <description>Grouping of the smf-sav sendmail milter rules.</description>
+     <group>smf-sav,</group>
+   </rule>
+
+   <rule id="3191" level="6">
+     <if_sid>3190</if_sid>
+     <match>^sender check failed|^sender check tempfailed</match>
+     <description>SMF-SAV sendmail milter unable to verify </description>
+     <description>address (REJECTED).</description>
+     <group>smf-sav,spam,</group>
+   </rule>
+
+</group> <!-- SYSLOG,SENDMAIL -->