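<!-- @(#) $Id: ./etc/rules/vmpop3d_rules.xml, 2011/09/08 dcid Exp $
  -
  -  Official rules for vm-pop3d.
  -
  -  License: http://www.ossec.net/en/licensing.html
  -->

<group name="syslog,vm-pop3d,">

  <!-- 9800: silent parent rule (level 0, noalert). It matches any event
       decoded as vm-pop3d and exists only so the rules below can chain
       to it; it raises no alert of its own. -->
  <rule id="9800" level="0" noalert="1">
    <decoded_as>vm-pop3d</decoded_as>
    <description>Grouping for the vm-pop3d rules.</description>
  </rule>

  <!-- 9801: a single failed POP3 login. The if_sid link restricts the
       "failed auth" text match to events that already matched 9800.
       Without it the match is not tied to the vm-pop3d decoder, and any
       log line containing "failed auth" could be reported as a POP3
       login failure. -->
  <rule id="9801" level="5">
    <if_sid>9800</if_sid>
    <match>failed auth</match>
    <group>authentication_failed,</group>
    <description>Login failed accessing the pop3 server.</description>
  </rule>

  <!-- 9820: composite rule. Escalates to level 10 when rule 9801 repeats
       past the frequency threshold (frequency 6) inside a 240 second
       timeframe. same_source_ip limits the correlation to failures from
       one client address, so unrelated users mistyping passwords do not
       add up to a brute force alert.
       NOTE(review): same_source_ip relies on the vm-pop3d decoder
       extracting srcip; confirm against the decoder definition, which is
       not part of this file. -->
  <rule id="9820" level="10" frequency="6" timeframe="240">
    <if_matched_sid>9801</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

</group>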