2 - Official pure-ftpd rules for OSSEC.
3 - Author: Peter Ahlert <peter@ifup.de>
4 - Author: Daniel B. Cid
5 - License: http://www.ossec.net/en/licensing.html
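<group name="syslog,pure-ftpd,">
  <!-- Parent rule. Every other rule in this group chains from it through
       <if_sid>, so a rule only fires on lines the pure-ftpd decoder accepted. -->
  <rule id="11300" level="0">
    <decoded_as>pure-ftpd</decoded_as>
    <description>Grouping for the pure-ftpd rules.</description>
  </rule>

  <rule id="11301" level="3">
    <if_sid>11300</if_sid>
    <match>[INFO] New connection from</match>
    <description>New FTP connection.</description>
    <group>connection_attempt,</group>
  </rule>

  <rule id="11302" level="5">
    <if_sid>11300</if_sid>
    <match>[WARNING] Authentication failed for user</match>
    <description>FTP Authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Level 0: session end is expected and is not alerted on. -->
  <rule id="11303" level="0">
    <if_sid>11300</if_sid>
    <match> [INFO] Logout| [INFO] Timeout</match>
    <description>FTP user logout/timeout</description>
  </rule>

  <!-- NOTE(review): this is a catch-all that silences every "[NOTICE]" line.
       pure-ftpd appears to log file uploads/downloads/deletions at NOTICE
       (confirm against the log output of your version); if file activity
       must be alerted on, add a higher-level rule for those lines rather
       than relying on this one. -->
  <rule id="11304" level="0">
    <if_sid>11300</if_sid>
    <match> [NOTICE] </match>
    <description>FTP notice messages</description>
  </rule>

  <rule id="11305" level="5">
    <if_sid>11300</if_sid>
    <match>[INFO] Can't change directory to</match>
    <description>Attempt to access invalid directory</description>
  </rule>

  <!-- Six failed logins (11302) inside 120 s. There is deliberately no
       <same_source_ip/> here, so the failures are counted across all clients:
       a spray from several addresses still fires, at the cost of possible
       noise on a busy server. Add <same_source_ip/> if that noise is a problem. -->
  <rule id="11306" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11302</if_matched_sid>
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Connection flood from one address. <same_source_ip/> is what makes the
       "same source" in the description true: without it any six connections
       in 60 s, from any mix of clients, would trigger this rule. -->
  <rule id="11307" level="10" frequency="6" timeframe="60">
    <if_matched_sid>11301</if_matched_sid>
    <same_source_ip />
    <description>Multiple connection attempts from same source.</description>
  </rule>

  <!-- Chained from 11300 like the other rules: without <if_sid> this match
       would be evaluated against every log line, and "is now logged in"
       messages from unrelated daemons would be reported as FTP logins. -->
  <rule id="11309" level="3">
    <if_sid>11300</if_sid>
    <match>[INFO] \S+ is now logged in</match>
    <description>FTP Authentication success.</description>
    <group>authentication_success,</group>
  </rule>
</group> <!-- SYSLOG,PURE-FTPD -->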