1 <!-- @(#) $Id: ./etc/rules/wordpress_rules.xml, 2011/09/08 dcid Exp $
3 - Official Wordpress rules for OSSEC.
5 - Author: Daniel B. Cid
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
15 <group name="syslog,wordpress,">
16 <rule id="9500" level="0">
17 <decoded_as>wordpress</decoded_as>
18 <description>Wordpress messages grouped.</description>
21 <rule id="9501" level="5">
23 <match>User authentication failed</match>
24 <description>Wordpress authentication failed.</description>
25 <group>authentication_failed,</group>
28 <rule id="9502" level="3">
30 <match>User logged in</match>
31 <description>Wordpress authentication succeeded.</description>
32 <group>authentication_success,</group>
35 <rule id="9503" level="3">
37 <match>WPsyslog was successfully initiali</match>
38 <description>WPsyslog was successfully initialized.</description>
41 <rule id="9504" level="3">
43 <match>Plugin deactivated</match>
44 <description>Wordpress plugin deactivated.</description>
47 <rule id="9505" level="7">
49 <match>Warning: Comment flood attempt</match>
50 <description>Wordpress Comment Flood Attempt.</description>
53 <rule id="9510" level="7">
55 <match>Warning: IDS:</match>
56 <description>Attack against Wordpress detected.</description>
59 <rule id="9551" level="10">
60 <if_matched_sid>9501</if_matched_sid>
62 <description>Multiple wordpress authentication failures.</description>
63 <group>authentication_failures,</group>