2 - Official rules for vm-pop3d.
4 - License: http://www.ossec.net/en/licensing.html
8 <group name="syslog,vm-pop3d,">
9 <rule id="9800" level="0" noalert="1">
10 <decoded_as>vm-pop3d</decoded_as>
11 <description>Grouping for the vm-pop3d rules.</description>
14 <rule id="9801" level="5">
16 <match>failed auth</match>
17 <group>authentication_failed,</group>
18 <description>Login failed accessing the pop3 server.</description>
21 <rule id="9820" level="10" frequency="6" timeframe="240">
22 <if_matched_sid>9801</if_matched_sid>
24 <description>POP3 brute force (multiple failed logins).</description>
25 <group>authentication_failures,</group>