1 <!-- @(#) $Id: ./etc/rules/vpopmail_rules.xml, 2011/09/08 dcid Exp $
3 - Official rules for vpopmail.
5 - Author: Ceg Ryan <cegryan ( at ) gmail.com>
6 - License: http://www.ossec.net/en/licensing.html
10 <group name="syslog,vpopmail,">
11 <rule id="9900" level="0">
12 <decoded_as>vpopmail</decoded_as>
13 <description>Grouping for the vpopmail rules.</description>
16 <rule id="9901" level="5">
18 <match> password fail </match>
19 <group>authentication_failed,</group>
20 <description>Login failed for vpopmail.</description>
23 <rule id="9902" level="5">
25 <match> vpopmail user not found </match>
26 <group>invalid_login,</group>
27 <description>Attempt to login to vpopmail with invalid username.</description>
30 <rule id="9903" level="5">
32 <match> null password given </match>
33 <group>authentication_failed,</group>
34 <description>Attempt to login to vpopmail with empty password.</description>
37 <rule id="9904" level="1">
39 <match> login success </match>
40 <group>authentication_success,</group>
41 <description>Vpopmail successful login.</description>
45 <rule id="9951" level="10" frequency="8" timeframe="240">
46 <if_matched_sid>9901</if_matched_sid>
48 <description>Vpopmail brute force (multiple failed logins).</description>
49 <group>authentication_failures,</group>
52 <rule id="9952" level="10" frequency="8" timeframe="240">
53 <if_matched_sid>9902</if_matched_sid>
55 <description>Vpopmail brute force (email harvesting).</description>
56 <group>authentication_failures,</group>
59 <rule id="9953" level="10" frequency="8" timeframe="240">
60 <if_matched_sid>9903</if_matched_sid>
62 <description>VPOPMAIL brute force (empty password).</description>
63 <group>authentication_failures,</group>