<!--
  -  Official Horde IMP rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->
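<group name="syslog,hordeimp,">
  <!--
    Rules for Horde IMP log lines. Every rule below chains to rule 9300
    (directly through if_sid, or indirectly through if_matched_sid), so
    none of them is evaluated unless the event was decoded as horde_imp.

    <match> uses OSSEC's simple string matcher: "^" anchors the pattern
    to the start of the text being matched, and square brackets are
    literal characters, not a character class.
  -->

  <!-- Parent rule. Level 0 raises no alert; it only scopes the children. -->
  <rule id="9300" level="0">
    <decoded_as>horde_imp</decoded_as>
    <description>Grouping for the Horde imp rules.</description>
  </rule>

  <!-- Severity tags written by Horde, lowest first. -->
  <rule id="9301" level="0">
    <if_sid>9300</if_sid>
    <match>^[info]</match>
    <description>Horde IMP informational message.</description>
  </rule>

  <rule id="9302" level="3">
    <if_sid>9300</if_sid>
    <match>^[notice]</match>
    <description>Horde IMP notice message.</description>
  </rule>

  <rule id="9303" level="5">
    <if_sid>9300</if_sid>
    <match>^[error]</match>
    <description>Horde IMP error message.</description>
  </rule>

  <!--
    ignore="60" silences this rule for 60 seconds after it fires, so a
    burst of emergency lines produces one alert rather than a flood.
    NOTE(review): confirm whether events skipped during the ignore window
    still count toward composite rule 9352. If they do not, 9352 can only
    trigger on an outage that lasts for most of its 320-second window.
  -->
  <rule id="9304" level="9" ignore="60">
    <if_sid>9300</if_sid>
    <match>^[emergency]</match>
    <description>Horde IMP emergency message.</description>
    <group>service_availability,</group>
  </rule>

  <!--
    Authentication outcomes. Successful logins are kept at a low level
    so they stay available for review, for example a success from an
    address that triggered 9351 shortly before.
  -->
  <rule id="9305" level="3">
    <if_sid>9300</if_sid>
    <match>Login success for </match>
    <description>Horde IMP successful login.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="9306" level="5">
    <if_sid>9300</if_sid>
    <match>FAILED LOGIN </match>
    <description>Horde IMP Failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!--
    Composite rule: repeated 9306 events inside a 120-second window.
    same_source_ip keeps the count per client address, so unrelated
    users mistyping a password do not add up to one alert. The trade-off
    is that attempts spread over many addresses stay below the threshold
    and need a separate, slower rule if that case matters.
    NOTE(review): this depends on the horde_imp decoder extracting srcip
    from the FAILED LOGIN line. Confirm against the decoder file, since a
    rule requiring a field that is never populated will not fire.
  -->
  <rule id="9351" level="10" frequency="6" timeframe="120">
    <if_matched_sid>9306</if_matched_sid>
    <same_source_ip />
    <description>Horde brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Composite rule: repeated 9304 emergency events inside 320 seconds. -->
  <rule id="9352" level="10" frequency="4" timeframe="320">
    <if_matched_sid>9304</if_matched_sid>
    <description>Multiple Horde emergency messages.</description>
    <group>service_availability,</group>
  </rule>

</group> <!-- SYSLOG,HORDE_IMP -->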