<rule id="9705" level="5">
<if_sid>9700</if_sid>
- <match>user not found|User not known|unknown user</match>
+ <match>user not found|User not known|unknown user|auth failed</match>
<description>Dovecot Invalid User Login Attempt.</description>
<group>invalid_login,authentication_failed,</group>
</rule>
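Review bot: Adding `auth failed` to the `<match>` of rule 9705 files every failed authentication under "Dovecot Invalid User Login Attempt" and the `invalid_login` group. As far as I know, Dovecot's login processes log `auth failed` for a wrong password on an existing account as well as for unknown users. Anyone triaging on the description or group can then no longer tell account-enumeration attempts from ordinary password failures. Consider a separate child rule with `<match>auth failed</match>`, `<description>Dovecot Authentication Failed.</description>` and `<group>authentication_failed,</group>`. The same applies to the new rule 9771 in the next hunk.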
<description>Dovecot brute force attack (multiple auth failures).</description>
<group>authentication_failures,</group>
</rule>
+
+<rule id="9770" level="0">
+ <decoded_as>dovecot-info</decoded_as>
+ <description>dovecot-info grouping.</description>
+</rule>
+
+<rule id="9771" level="5">
+ <if_sid>9770</if_sid>
+ <match>user not found|User not known|unknown user|auth failed</match>
+ <description>Dovecot Invalid User Login Attempt.</description>
+ <group>invalid_login,authentication_failed,</group>
+</rule>
+
+
</group>
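Review bot: Rule 9771 repeats 9705's pattern under the new 9770 parent, but the brute-force rule whose last lines open this hunk is not touched by the change. Its correlation condition lies outside the hunk. If it keys on `<if_matched_sid>9705</if_matched_sid>` rather than on a group, failures decoded as `dovecot-info` would raise level-5 alerts but never escalate to the brute-force alert. Either extend that rule or add a sibling frequency rule for 9771. A comment above 9770, such as `<!-- Parent rule for events decoded as dovecot-info; 9771 mirrors 9705 for that decoder -->`, would also explain why the match list is duplicated.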