
[ossec-dev] ossec-hids: vpopmail_rules.xml (NEW) squid_rules.xml (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	06/09/16 12:29:21

Modified files:
	squid_rules.xml
Added files:
	vpopmail_rules.xml

Log message:
Description: Multiple rules fixes, addition of vpopmail rules, etc.
Reviewed by: dcid
Bug:

--- NEW FILE: vpopmail_rules.xml ---
<!-- Vpopmail rules.
  -  Official rules for vpopmail
  -
  -  Author: Ceg Ryan <cegryan ( at ) gmail.com>
  -  Date: Sep 15, 2006
  -->
          

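<group name="syslog,vpopmail">
  <!-- Parent rule: every event decoded by the vpopmail decoder lands here
     - first. Level 0 with noalert, so it only anchors the <if_sid> rules
     - below and never alerts on its own. -->
  <rule id="9900" level="0" noalert="1">
    <decoded_as>vpopmail</decoded_as>
    <description>Grouping for the vpopmail rules.</description>
  </rule>

  <!-- Single failed POP3 login (wrong password for an existing mailbox). -->
  <rule id="9901" level="5">
    <if_sid>9900</if_sid>
    <match>vchkpw-pop3: password fail </match>
    <group>authentication_failed</group>
    <description>Login failed accessing the pop3 server.</description>
  </rule>

  <!-- Single POP3 login attempt for a mailbox that does not exist. -->
  <rule id="9902" level="5">
    <if_sid>9900</if_sid>
    <match>vchkpw-pop3: vpopmail user not found </match>
    <group>invalid_login</group>
    <description>Attempt to login with invalid username.</description>
  </rule>

  <!-- Composite rules: 8 hits of the rule named in <if_matched_sid>, from
     - the same source IP, within 240 seconds. They carry the
     - authentication_failures group, the tag OSSEC uses on its other
     - brute-force rules, so active response and reports selecting by that
     - group pick these up as well. -->
  <rule id="9951" level="10" frequency="8" timeframe="240">
    <if_matched_sid>9901</if_matched_sid>
    <same_source_ip />
    <group>authentication_failures</group>
    <description>POP3 brute force (multiple failed logins).</description>
  </rule>

  <rule id="9952" level="10" frequency="8" timeframe="240">
    <if_matched_sid>9902</if_matched_sid>
    <same_source_ip />
    <group>authentication_failures</group>
    <description>POP3 brute force (email harvesting).</description>
  </rule>
</group>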

<!-- EOF -->

Index: squid_rules.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/rules/squid_rules.xml,v
diff -u -r1.24 -r1.25
--- squid_rules.xml	15 Sep 2006 02:36:14 -0000	1.24
+++ squid_rules.xml	16 Sep 2006 15:29:21 -0000	1.25
@@ -78,6 +78,12 @@
     <description>Squid 500/600 error code (server error).</description>
   </rule>
   
+  <rule id="35010" level="4">
+    <if_sid>35009</if_sid>
+    <id>^503</id>
+    <description>Squid 503 error code (server unavailable).</description>
+  </rule>
+  
   <!-- Special rules for 403/404 errors -->
   <rule id="35021" level="6">
     <if_sid>35006</if_sid>
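Review bot: The description of the added rule 35010 misnames the status: HTTP 503 is "Service Unavailable", not "server unavailable", and the wording is what analysts will see in the alert, so it should read `<description>Squid 503 error code (service unavailable).</description>`. The rule chains on 35009, presumably the rule closing at the top of the hunk, but that parent's level is outside the hunk, so whether level 4 lowers or raises the alert for 503 compared with the generic 5xx rule cannot be confirmed from here. A one-line comment above the rule stating the intent, e.g. `<!-- 503 split out of the generic 5xx rule so its level can be tuned on its own -->`, would make that explicit for the next person tuning these levels.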



