2 - Official ftpd rules for OSSEC.
4 - License: http://www.ossec.net/en/licensing.html
8 <group name="syslog,ftpd,">
9 <rule id="11100" level="0" noalert="1">
10 <decoded_as>ftpd</decoded_as>
11 <description>Grouping for the ftpd rules.</description>
14 <rule id="11101" level="5">
15 <if_sid>11100</if_sid>
16 <match>FTP LOGIN REFUSED</match>
17 <description>FTP connection refused.</description>
18 <group>authentication_failed,access_denied,</group>
21 <rule id="11102" level="0">
22 <if_sid>11100</if_sid>
23 <match> created </match>
24 <description>File created via FTP</description>
27 <rule id="11103" level="0">
28 <if_sid>11100</if_sid>
29 <match> deleted </match>
30 <description>File deleted via FTP</description>
33 <rule id="11104" level="0">
34 <if_sid>11100</if_sid>
35 <match>FTPD: IMPORT file</match>
36 <description>User uploaded a file to server.</description>
39 <rule id="11105" level="0">
40 <if_sid>11100</if_sid>
41 <match>FTPD: EXPORT file</match>
42 <description>User downloaded a file to server.</description>
45 <rule id="11106" level="3">
46 <if_sid>11100</if_sid>
47 <match>FTP LOGIN FROM|connection from|connect from</match>
48 <group>connection_attempt</group>
49 <description>Remote host connected to FTP server.</description>
52 <rule id="11107" level="5">
53 <if_sid>11100</if_sid>
54 <match>refused connect from</match>
55 <group>access_denied,</group>
56 <description>Connection blocked by Tcp Wrappers.</description>
59 <rule id="11108" level="5">
60 <if_sid>11100</if_sid>
61 <match>warning: can't verify hostname: |gethostbyaddr: </match>
62 <description>Reverse lookup error (bad ISP config).</description>
63 <group>client_misconfig,</group>
66 <rule id="11109" level="10">
67 <if_sid>11100</if_sid>
68 <match>repeated login failures</match>
69 <description>Multiple FTP failed login attempts.</description>
70 <group>authentication_failures,</group>
73 <rule id="11110" level="3">
74 <if_sid>11100</if_sid>
75 <match>timed out after</match>
76 <description>User disconnected due to time out.</description>
79 <rule id="11111" level="9">
80 <if_sid>11100</if_sid>
81 <match>PAM_ERROR_MSG: Account is disabled</match>
82 <description>Attempt to login with disabled account.</description>
83 <group>authentication_failed,</group>
86 <rule id="11112" level="5">
87 <if_sid>11100</if_sid>
88 <match>^Failed authentication from</match>
89 <description>FTP authentication failure.</description>
90 <group>authentication_failed,</group>
93 <rule id="11113" level="5">
94 <if_sid>11100</if_sid>
95 <regex>^login \S+ from \S+ failed</regex>
96 <description>FTP authentication failure.</description>
97 <group>authentication_failed,</group>
99 </group> <!-- SYSLOG,FTPD -->