1 <!-- @(#) $Id: vsftpd_rules.xml,v 1.5 2007/01/03 02:35:49 dcid Exp $
2 - Official vsftpd rules for OSSEC.
3 - Author: Joachim Vorrath <joachim.vorrath@vorrath-net.de>
4 - Author: Jorge Augusto Senger <jorge@br10.com.br>
5 - Author: Daniel B. Cid
6 - License: http://www.ossec.net/en/licensing.html
10 <group name="syslog,vsftpd,">
11 <rule id="11400" level="0" noalert="1">
12 <decoded_as>vsftpd</decoded_as>
13 <description>Grouping for the vsftpd rules.</description>
16 <rule id="11401" level="3">
17 <if_sid>11400</if_sid>
18 <match>CONNECT: Client</match>
19 <group>connection_attempt</group>
20 <description>FTP session opened.</description>
23 <rule id="11402" level="3">
24 <if_sid>11400</if_sid>
25 <match>OK LOGIN: </match>
26 <description>FTP Authentication success.</description>
27 <group>authentication_success,</group>
30 <rule id="11403" level="5">
31 <if_sid>11400</if_sid>
32 <match>FAIL LOGIN: </match>
33 <description>Login failed accessing the FTP server.</description>
34 <group>authentication_failed,</group>
37 <rule id="11404" level="0">
38 <if_sid>11400</if_sid>
39 <match>OK UPLOAD: </match>
40 <description>FTP server file upload.</description>
43 <rule id="11451" level="10" frequency="6" timeframe="120">
44 <if_matched_sid>11403</if_matched_sid>
46 <description>FTP brute force (multiple failed logins).</description>
47 <group>authentication_failures,</group>
50 <rule id="11452" level="10" frequency="10" timeframe="60">
51 <if_matched_sid>11401</if_matched_sid>
53 <description>Multiple FTP connection attempts from </description>
54 <description>same source IP.</description>
58 </group> <!-- SYSLOG,VSFTPD -->