1 <!-- @(#) $Id: ./etc/rules/ftpd_rules.xml, 2011/09/08 dcid Exp $
3 - Official ftpd rules for OSSEC.
5 - License: http://www.ossec.net/en/licensing.html
9 <group name="syslog,ftpd,">
10 <rule id="11100" level="0" noalert="1">
11 <decoded_as>ftpd</decoded_as>
12 <description>Grouping for the ftpd rules.</description>
15 <rule id="11101" level="5">
16 <if_sid>11100</if_sid>
17 <match>FTP LOGIN REFUSED</match>
18 <description>FTP connection refused.</description>
19 <group>authentication_failed,access_denied,</group>
22 <rule id="11102" level="0">
23 <if_sid>11100</if_sid>
24 <match> created </match>
25 <description>File created via FTP</description>
28 <rule id="11103" level="0">
29 <if_sid>11100</if_sid>
30 <match> deleted </match>
31 <description>File deleted via FTP</description>
34 <rule id="11104" level="0">
35 <if_sid>11100</if_sid>
36 <match>FTPD: IMPORT file</match>
37 <description>User uploaded a file to server.</description>
40 <rule id="11105" level="0">
41 <if_sid>11100</if_sid>
42 <match>FTPD: EXPORT file</match>
43 <description>User downloaded a file to server.</description>
46 <rule id="11106" level="3">
47 <if_sid>11100</if_sid>
48 <match>FTP LOGIN FROM|connection from|connect from</match>
49 <group>connection_attempt</group>
50 <description>Remote host connected to FTP server.</description>
53 <rule id="11107" level="5">
54 <if_sid>11100</if_sid>
55 <match>refused connect from</match>
56 <group>access_denied,</group>
57 <description>Connection blocked by Tcp Wrappers.</description>
60 <rule id="11108" level="5">
61 <if_sid>11100</if_sid>
62 <match>warning: can't verify hostname: |gethostbyaddr: </match>
63 <description>Reverse lookup error (bad ISP config).</description>
64 <group>client_misconfig,</group>
67 <rule id="11109" level="10">
68 <if_sid>11100</if_sid>
69 <match>repeated login failures</match>
70 <description>Multiple FTP failed login attempts.</description>
71 <group>authentication_failures,</group>
74 <rule id="11110" level="3">
75 <if_sid>11100</if_sid>
76 <match>timed out after</match>
77 <description>User disconnected due to time out.</description>
80 <rule id="11111" level="9">
81 <if_sid>11100</if_sid>
82 <match>PAM_ERROR_MSG: Account is disabled</match>
83 <description>Attempt to login with disabled account.</description>
84 <group>authentication_failed,</group>
87 <rule id="11112" level="5">
88 <if_sid>11100</if_sid>
89 <match>^Failed authentication from</match>
90 <description>FTP authentication failure.</description>
91 <group>authentication_failed,</group>
94 <rule id="11113" level="5">
95 <if_sid>11100</if_sid>
96 <regex>^login \S+ from \S+ failed</regex>
97 <description>FTP authentication failure.</description>
98 <group>authentication_failed,</group>
100 </group> <!-- SYSLOG,FTPD -->