2 - Official imapd rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is a free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
16 <var name="IMAPD_FREQ">6</var>
18 <group name="syslog,imapd,">
19 <rule id="3600" level="0" noalert="1">
20 <decoded_as>imapd</decoded_as>
21 <description>Grouping of the imapd rules.</description>
24 <rule id="3601" level="5">
26 <match>Login failed user=|AUTHENTICATE LOGIN failure</match>
27 <description>Imapd user login failed.</description>
28 <group>authentication_failed,</group>
31 <rule id="3602" level="3">
33 <match>Authenticated user=</match>
34 <description>Imapd user login.</description>
35 <group>authentication_success,</group>
38 <rule id="3603" level="0">
40 <match>Logout user=</match>
41 <description>Imapd user logout.</description>
44 <rule id="3651" level="10" frequency="$IMAPD_FREQ" timeframe="120">
45 <if_matched_sid>3601</if_matched_sid>
47 <description>Multiple failed logins from same source ip.</description>
48 <group>authentication_failures,</group>
51 </group> <!-- SYSLOG,IMAPD -->