2 - Official Asterisk rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
16 <!-- Asterisk Log messages -->
<!-- NOTE(review): the leading numbers are line numbers from the original file, and the
     gaps between them mark lines this listing does not show. That includes every
     closing rule tag and at least one line inside most rules. Recover the full file
     before deploying or tuning any of these rules. -->
17 <group name="syslog,asterisk,">
<!-- 6200: parent rule for every event the "asterisk" decoder recognised. It is set to
     level 0, so it is there for the rules that follow to build on and is not meant
     to alert by itself. -->
18 <rule id="6200" level="0">
19 <decoded_as>asterisk</decoded_as>
20 <description>Asterisk messages grouped.</description>
<!-- 6201: groups messages beginning with NOTICE, also at level 0. Original line 24 is
     not shown here; it presumably ties this rule to a parent rule. Confirm. -->
23 <rule id="6201" level="0">
25 <match>^NOTICE</match>
26 <description>Asterisk notice messages grouped.</description>
<!-- 6202: level 3 warning rule. Original lines 30 and 31, which would hold its
     conditions, are not shown. A rule with no visible condition must not be copied
     from this listing as it stands. -->
29 <rule id="6202" level="3">
32 <description>Asterisk warning message.</description>
<!-- 6203: level 3 error rule. Original lines 36 and 37 are not shown; the same caveat
     applies as for 6202. -->
35 <rule id="6203" level="3">
38 <description>Asterisk error message.</description>
<!-- 6210: a log line containing "Wrong password" is tagged authentication_failed.
     Original line 42 is not shown. -->
41 <rule id="6210" level="5">
43 <match>Wrong password</match>
44 <description>Login session failed.</description>
45 <group>authentication_failed,</group>
<!-- 6211: "Username/auth name mismatch" is treated as a login attempt for an invalid
     user and tagged invalid_login. Original line 49 is not shown. -->
48 <rule id="6211" level="5">
50 <match>Username/auth name mismatch</match>
51 <description>Login session failed (invalid user).</description>
52 <group>invalid_login,</group>
<!-- 6212: "No matching peer found" is treated as an attempt against an extension that
     does not exist and tagged invalid_login. Original line 56 is not shown. -->
55 <rule id="6212" level="5">
57 <match>No matching peer found</match>
58 <description>Login session failed (invalid extension).</description>
59 <group>invalid_login,</group>
<!-- 6250 to 6252: composite rules that raise the level to 10 when the rule named in
     if_matched_sid has matched repeatedly. frequency="6" with timeframe="300" sets a
     count of 6 over a window of 300 seconds.
     NOTE(review): OSSEC documentation describes the real trigger count as higher than
     the literal frequency value. Verify this for the version in use.
     NOTE(review): one line is missing from each composite rule (original lines 64, 70
     and 76). Check whether it limits correlation to a single source, for example with
     a same_source_ip option. Without such a limit, failures from unrelated clients
     would be counted together. -->
<!-- 6250: repeated 6211 events (invalid user), reported as user enumeration. -->
62 <rule id="6250" level="10" frequency="6" timeframe="300">
63 <if_matched_sid>6211</if_matched_sid>
65 <description>Multiple failed logins (user enumeration in process).</description>
<!-- 6251: repeated 6210 events (wrong password), the password-guessing pattern. -->
68 <rule id="6251" level="10" frequency="6" timeframe="300">
69 <if_matched_sid>6210</if_matched_sid>
71 <description>Multiple failed logins.</description>
<!-- 6252: repeated 6212 events (no matching peer), reported as extension
     enumeration. -->
74 <rule id="6252" level="10" frequency="6" timeframe="300">
75 <if_matched_sid>6212</if_matched_sid>
77 <description>Extension enumeration.</description>
80 </group> <!-- ASTERISK -->