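<!-- @(#) $Id: ./etc/rules/asterisk_rules.xml, 2011/09/08 dcid Exp $

  - Official Asterisk rules for OSSEC.
  -
  - Copyright (C) 2009 Trend Micro Inc.
  - All rights reserved.
  -
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - Foundation.
  -
  - License details: http://www.ossec.net/en/licensing.html
-->


<!-- Asterisk Log messages -->
<!-- Rule layout:
       6200       parent rule; everything below hangs off it via if_sid
       6201-6203  split the log by its severity prefix (NOTICE / WARN / ERROR)
       6210-6212, 6253, 6255, 6256, 6258
                  classify single failure events (level 5)
       6250-6252, 6254, 6257
                  frequency rules: "frequency" matches of the named rule from
                  the same source IP inside "timeframe" seconds raise a
                  level-10 alert. They only count the one rule named in
                  if_matched_sid, so a message form must live in exactly one
                  classifying rule or it is lost to the correlation. -->
<group name="syslog,asterisk,">
  <rule id="6200" level="0">
    <decoded_as>asterisk</decoded_as>
    <description>Asterisk messages grouped.</description>
  </rule>

  <rule id="6201" level="0">
    <if_sid>6200</if_sid>
    <pcre2>^NOTICE</pcre2>
    <description>Asterisk notice messages grouped.</description>
  </rule>

  <rule id="6202" level="3">
    <if_sid>6200</if_sid>
    <pcre2>^WARN</pcre2>
    <description>Asterisk warning message.</description>
  </rule>

  <rule id="6203" level="3">
    <if_sid>6200</if_sid>
    <pcre2>^ERROR</pcre2>
    <description>Asterisk error message.</description>
  </rule>

  <!-- SIP: valid peer, bad secret -->
  <rule id="6210" level="5">
    <if_sid>6201</if_sid>
    <pcre2>Wrong password</pcre2>
    <description>Login session failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- SIP: auth name does not match any configured user -->
  <rule id="6211" level="5">
    <if_sid>6201</if_sid>
    <pcre2>Username/auth name mismatch</pcre2>
    <description>Login session failed (invalid user).</description>
    <group>invalid_login,</group>
  </rule>

  <!-- SIP: request for an unknown peer; counted by 6252 below -->
  <rule id="6212" level="5">
    <if_sid>6201</if_sid>
    <pcre2>No matching peer found</pcre2>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>

  <!-- Repeated 6211 from one IP: someone is probing user names -->
  <rule id="6250" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6211</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins (user enumeration in process).</description>
  </rule>

  <!-- Repeated 6210 from one IP: password guessing against known peers -->
  <rule id="6251" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6210</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

  <!-- Repeated 6212 from one IP: extension scanning -->
  <rule id="6252" level="10" frequency="6" timeframe="300">
    <if_matched_sid>6212</if_matched_sid>
    <same_source_ip />
    <description>Extension enumeration.</description>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!--http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/-->
  <!-- IAX: registration attempt for a peer that is not configured -->
  <rule id="6253" level="5">
    <if_sid>6201</if_sid>
    <pcre2>No registration for peer</pcre2>
    <description>Login session failed (invalid iax user).</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!-- Repeated 6253 from one IP. Lower threshold (3) than the SIP rules. -->
  <rule id="6254" level="10" frequency="3" timeframe="300">
    <if_matched_sid>6253</if_matched_sid>
    <same_source_ip />
    <description>Extension IAX Enumeration.</description>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!-- Hangs off the WARN branch (6202), not the NOTICE branch like the rest -->
  <rule id="6255" level="5">
    <if_sid>6202</if_sid>
    <pcre2>Don't know how to respond via</pcre2>
    <description>Possible Registration Hijacking.</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!-- IAX: known peer, bad secret.
       NOTE(review): this is the IAX counterpart of 6210 (wrong password) but
       is tagged invalid_login rather than authentication_failed; left as is
       because downstream if_group rules may depend on the current tag. -->
  <rule id="6256" level="5">
    <if_sid>6201</if_sid>
    <pcre2>failed MD5 authentication</pcre2>
    <description>IAX peer Wrong Password.</description>
    <group>invalid_login,</group>
  </rule>

  <!--From Javi Benito jabi.benito@gmail.com-->
  <!-- Repeated 6256 from one IP -->
  <rule id="6257" level="10" frequency="3" timeframe="300">
    <if_matched_sid>6256</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins.</description>
  </rule>

  <!-- Second message form Asterisk emits for an unknown SIP extension.
       "No matching peer found" was also listed here, which made this rule
       overlap 6212 and let the engine's first-match order decide which of
       the two fired; it now lives only in 6212, the rule that 6252 counts.
       NOTE(review): hits on this rule are not counted by any frequency rule
       (6252 follows 6212 only), so a scan using only this message form does
       not escalate. -->
  <rule id="6258" level="5">
    <if_sid>6201</if_sid>
    <pcre2>extension not found in context</pcre2>
    <description>Login session failed (invalid extension).</description>
    <group>invalid_login,</group>
  </rule>

</group> <!-- ASTERISK -->

<!-- EOF -->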