1 <!-- @(#) $Id: ./etc/rules/ms_ftpd_rules.xml, 2011/09/08 dcid Exp $
3 - Example of Microsoft FTP rules for OSSEC.
5 - Copyright (C) 2009 Trend Micro Inc.
8 - This program is free software; you can redistribute it
9 - and/or modify it under the terms of the GNU General Public
10 - License (version 2) as published by the FSF - Free Software
13 - License details: http://www.ossec.net/en/licensing.html
17 <group name="syslog,msftp,">
<!-- Rules for events produced by the "msftp" decoder (Microsoft FTP). Every rule below
     hangs off the level-0 parent 11500 via if_sid, so nothing in this group fires for an
     event another decoder claimed. Group tags in this file are written with a trailing
     comma (for example "authentication_failed,"); keep that form when adding tags. -->
<!-- 11500: parent rule. Level 0 never alerts on its own; it only marks the event as msftp. -->
18 <rule id="11500" level="0">
19 <decoded_as>msftp</decoded_as>
20 <description>Grouping for the Microsoft ftp rules.</description>
<!-- 11501: a new FTP session (level 3). It is the event counted by the rate rule 11511.
     NOTE(review): the match/regex line that narrows this below 11500 is not visible in
     this excerpt; confirm it is present in the full file. -->
23 <rule id="11501" level="3">
24 <if_sid>11500</if_sid>
26 <description>New FTP connection.</description>
27 <group>connection_attempt,</group>
<!-- 11502: one failed FTP login (level 5). Alerts by itself and is the event counted by
     the brute-force rule 11510. The match condition is not visible in this excerpt. -->
30 <rule id="11502" level="5">
31 <if_sid>11500</if_sid>
34 <description>FTP Authentication failed.</description>
35 <group>authentication_failed,</group>
<!-- 11503: successful FTP login (level 3). NOTE(review): a success that follows a burst
     of 11502 failures from the same source is the case worth escalating; no composite
     rule for that is visible here. -->
38 <rule id="11503" level="3">
39 <if_sid>11500</if_sid>
42 <description>FTP Authentication success.</description>
43 <group>authentication_success,</group>
<!-- 11504: the server rejected a client request (level 4). Counted by 11512. -->
46 <rule id="11504" level="4">
47 <if_sid>11500</if_sid>
49 <description>FTP client request failed.</description>
<!-- 11510: brute force, six 11502 failures within 120 seconds (level 10).
     NOTE(review): whether the count is restricted to one source address (same_source_ip)
     is not visible in this excerpt; without it, failures from unrelated clients are pooled
     into one alert. Confirm against the full file and decide which behaviour is wanted. -->
52 <rule id="11510" level="10" frequency="6" timeframe="120">
53 <if_matched_sid>11502</if_matched_sid>
54 <description>FTP brute force (multiple failed logins).</description>
55 <group>authentication_failures,</group>
<!-- 11511: eight new connections (11501) within 30 seconds (level 10). The description
     says "same source", but the option enforcing that is not visible in this excerpt;
     confirm. NOTE(review): a busy legitimate client or a scanner can reach this threshold,
     so tune frequency/timeframe before paging on it. -->
58 <rule id="11511" level="10" frequency="8" timeframe="30">
59 <if_matched_sid>11501</if_matched_sid>
61 <description>Multiple connection attempts from same source.</description>
<!-- 11512: six failed requests (11504) within 120 seconds (level 10). As with 11511, the
     "same source" qualifier appears only in the description in this excerpt; confirm the
     matching option exists in the full file. -->
65 <rule id="11512" level="10" frequency="6" timeframe="120">
66 <if_matched_sid>11504</if_matched_sid>
68 <description>Multiple FTP errors from same source.</description>
70 </group> <!-- SYSLOG,MSFTP -->