1 <!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $
3 - Official Asterisk rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
17 <!-- Asterisk Log messages -->
18 <group name="syslog,asterisk,">
<!--
  Rule tree for Asterisk log messages (syslog decoder "asterisk").
  Levels seen below: 0 = grouping only, never alerted; 3 = warning/error
  noise; 5 = a single failed authentication or registration; 10 = the same
  failure repeated, detected by a composite rule (frequency within timeframe).
  Which rule fires for a given line depends on the parent/child links and on
  rule order, so the elements are kept exactly in their original order.
  Several lines of the original file (closing tags, some <if_sid> and
  composite-scoping elements) are not shown in this excerpt.
-->
19 <rule id="6200" level="0">
20 <decoded_as>asterisk</decoded_as>
<!-- Root of the tree: everything the "asterisk" decoder emits lands here; level 0 means grouped but never alerted on. -->
21 <description>Asterisk messages grouped.</description>
24 <rule id="6201" level="0">
<!-- NOTICE lines. The parent <if_sid> of this rule is not shown in the excerpt; presumably 6200, verify in the full file. -->
26 <match>^NOTICE</match>
27 <description>Asterisk notice messages grouped.</description>
30 <rule id="6202" level="3">
<!-- The <match>/<if_sid> lines of the warning and error rules are not shown here; only level and description are visible. -->
33 <description>Asterisk warning message.</description>
36 <rule id="6203" level="3">
39 <description>Asterisk error message.</description>
42 <rule id="6210" level="5">
<!-- Wrong password for a known SIP account; tagged authentication_failed, whereas the unknown-user/peer rules below use invalid_login. Counted by composite 6251. -->
44 <match>Wrong password</match>
45 <description>Login session failed.</description>
46 <group>authentication_failed,</group>
49 <rule id="6211" level="5">
<!-- Auth name does not match the username, so the account itself is in doubt; hence invalid_login. Counted by composite 6250 (user enumeration). -->
51 <match>Username/auth name mismatch</match>
52 <description>Login session failed (invalid user).</description>
53 <group>invalid_login,</group>
56 <rule id="6212" level="5">
<!--
  Unknown SIP peer. Counted by composite 6252 (extension enumeration).
  NOTE(review): rule 6258 below matches the same "No matching peer found"
  text. Which of the two fires for a given NOTICE line depends on their
  parent rules and on OSSEC's evaluation order (the parent <if_sid> of 6212
  is not shown here), and only 6212 is counted by 6252; confirm with real
  decoder output that the enumeration correlation still triggers.
-->
58 <match>No matching peer found</match>
59 <description>Login session failed (invalid extension).</description>
60 <group>invalid_login,</group>
63 <rule id="6250" level="10" frequency="6" timeframe="300">
<!--
  Composite: raises level 10 once 6211 has matched "frequency" times within
  "timeframe" seconds (300 s = 5 min). Whether the effective trigger count is
  exactly 6 depends on the deployed OSSEC version's frequency semantics;
  verify when tuning. The line between <if_matched_sid> and <description> is
  not shown in this excerpt; check the full file for whether the count is
  scoped per source (e.g. <same_source_ip />) or global.
-->
64 <if_matched_sid>6211</if_matched_sid>
66 <description>Multiple failed logins (user enumeration in process).</description>
69 <rule id="6251" level="10" frequency="6" timeframe="300">
<!-- Composite over 6210 (wrong password): repeated bad passwords against a known account. Same threshold and timeframe as 6250. -->
70 <if_matched_sid>6210</if_matched_sid>
72 <description>Multiple failed logins.</description>
75 <rule id="6252" level="10" frequency="6" timeframe="300">
<!-- Composite over 6212 (unknown SIP peer): repeated probes for non-existent extensions. -->
76 <if_matched_sid>6212</if_matched_sid>
78 <description>Extension enumeration.</description>
81 <!--From Javi Benito jabi.benito@gmail.com-->
82 <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
83 <rule id="6253" level="5">
<!-- IAX counterpart of 6212: registration attempt for a peer Asterisk does not know. Counted by composite 6254. -->
85 <match>No registration for peer</match>
86 <description>Login session failed (invalid iax user).</description>
87 <group>invalid_login,</group>
90 <!--From Javi Benito jabi.benito@gmail.com-->
91 <rule id="6254" level="10" frequency="3" timeframe="300">
<!-- Composite over 6253. Note the lower threshold (3) than the SIP composites above (6); the line between <if_matched_sid> and <description> is not shown here. -->
92 <if_matched_sid>6253</if_matched_sid>
94 <description>Extension IAX Enumeration.</description>
97 <!--From Javi Benito jabi.benito@gmail.com-->
98 <rule id="6255" level="5">
<!--
  Asterisk could not answer a message over the transport it arrived on; the
  author flags this as a possible registration hijacking attempt. The message
  text is the only visible condition, so it may also fire on benign transport
  misconfiguration. NOTE(review): confirm against local logs before raising
  the level or building a composite on it.
-->
100 <match>Don't know how to respond via</match>
101 <description>Possible Registration Hijacking.</description>
102 <group>invalid_login,</group>
105 <!--From Javi Benito jabi.benito@gmail.com-->
106 <rule id="6256" level="5">
<!--
  IAX counterpart of 6210: challenge/response (MD5) authentication failed.
  Child of the NOTICE group 6201. Counted by composite 6257.
  Note the group tag: a wrong-password event here is invalid_login, while the
  SIP equivalent 6210 is authentication_failed; reporting keyed on those
  groups will treat the two protocols differently.
-->
107 <if_sid>6201</if_sid>
108 <match>failed MD5 authentication</match>
109 <description>IAX peer Wrong Password.</description>
110 <group>invalid_login,</group>
113 <!--From Javi Benito jabi.benito@gmail.com-->
114 <rule id="6257" level="10" frequency="3" timeframe="300">
<!-- Composite over 6256. Its description is identical to 6251's ("Multiple failed logins"); the rule id is the only way to tell IAX from SIP in the alert text. -->
115 <if_matched_sid>6256</if_matched_sid>
117 <description>Multiple failed logins.</description>
120 <rule id="6258" level="5">
<!--
  Second unknown-extension rule, scoped to NOTICE lines via 6201 and widened
  with the "extension not found in context" text ("|" is OSSEC's alternation
  in <match>). Unlike 6212 it is not counted by any composite rule visible in
  this excerpt, so hits here do not contribute to the 6252 enumeration alert.
-->
121 <if_sid>6201</if_sid>
122 <match>No matching peer found|extension not found in context</match>
123 <description>Login session failed (invalid extension).</description>
124 <group>invalid_login,</group>
127 </group> <!-- ASTERISK -->