<!-- Authors: Alexandr Garaga
-  This program is a free software; you can redistribute it
-  and/or modify it under the terms of the GNU General Public
-  License (version 2) as published by the FSF - Free Software
-  Foundation.
-
-  License details: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
-->

<!-- Exim / dovecot rule set.
     Rules 13000 and 13001 are level-0 "grouping" rules: they only classify a
     log line by its prefix and never alert on their own. The rules that follow
     chain off them, either with if_sid (refines the same event) or with
     if_matched_sid (correlates several earlier matches over time).
     Group names carry a trailing comma because they are comma-separated lists. -->
<group name="exim,">
    <!-- Lines that start with a YYYY-MM-DD HH:MM:SS timestamp followed by
         "SMTP ". The trailing space inside the pattern is significant and is
         part of the match; do not let a formatter trim it. -->
    <rule id="13000" level="0">
      <decoded_as>windows-date-format</decoded_as>
      <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} SMTP </pcre2>
      <description>Exim SMTP Messages Grouped.</description>
    </rule>

    <!-- Same timestamp prefix followed by "dovecot". Level 0, grouping only. -->
    <rule id="13001" level="0">
      <decoded_as>windows-date-format</decoded_as>
      <pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} dovecot</pcre2>
      <description>dovecot messages grouped.</description>
    </rule>

    <!-- One authentication failure. Child of the dovecot grouping rule
         (presumably Exim's dovecot authenticator; confirm against the actual
         log source). The invalid_login / authentication_failed groups let
         generic composite rules elsewhere pick this event up. -->
    <rule id="13006" level="5">
      <if_sid>13001</if_sid>
      <pcre2>authenticator failed</pcre2>
      <description>Exim Auth failed</description>
      <group>invalid_login,authentication_failed,</group>
    </rule>

    <!-- Correlation rule: escalates to level 10 when rule 13006 has matched
         6 times within 240 seconds from the same source IP.
         NOTE(review): same_source_ip can only correlate events whose source
         IP was decoded; confirm the decoder in use extracts it for these
         auth-failure lines, otherwise this rule will never fire. -->
    <rule id="13007" level="10" frequency="6" timeframe="240">
      <if_matched_sid>13006</if_matched_sid>
      <same_source_ip />
      <description>Exim brute force attack (multiple auth failures).</description>
      <group>authentication_failures,</group>
    </rule>

    <!-- Connection-count bookkeeping lines. Level 0: recorded, never alerted. -->
    <rule id="13008" level="0">
      <if_sid>13000</if_sid>
      <pcre2>connection count =</pcre2>
      <description>Exim connection</description>
    </rule>

    <!-- "lost" anchored at the end of the line: a dropped SMTP connection.
         Low severity (level 1). -->
    <rule id="13009" level="1">
      <if_sid>13000</if_sid>
      <pcre2>lost$</pcre2>
      <description>Exim connection lost</description>
    </rule>

    <!-- Exim dropped the session after too many syntax or protocol errors.
         Level 5 because repeated occurrences from one peer can indicate a
         misbehaving or probing client; no frequency rule is defined for it here. -->
    <rule id="13010" level="5">
      <if_sid>13000</if_sid>
      <pcre2>dropped: too many syntax or protocol errors</pcre2>
      <description>Exim syntax or protocol errors</description>
    </rule>

</group>
56