1 <!-- @(#) $Id: ./etc/rules/imapd_rules.xml, 2011/09/08 dcid Exp $
3 - Official imapd rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is a free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
17 <var name="IMAPD_FREQ">6</var>
19 <group name="syslog,imapd,">
20 <rule id="3600" level="0" noalert="1">
21 <decoded_as>imapd</decoded_as>
22 <description>Grouping of the imapd rules.</description>
25 <rule id="3601" level="5">
27 <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
28 <description>Imapd user login failed.</description>
29 <group>authentication_failed,</group>
32 <rule id="3602" level="3">
34 <match>Authenticated user=</match>
35 <description>Imapd user login.</description>
36 <group>authentication_success,</group>
39 <rule id="3603" level="0">
41 <match>Logout user=</match>
42 <description>Imapd user logout.</description>
45 <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
46 <if_matched_sid>3601</if_matched_sid>
48 <description>Multiple failed logins from same source ip.</description>
49 <group>authentication_failures,</group>
52 </group> <!-- SYSLOG,IMAPD -->