1<!-- @(#) $Id: ./etc/rules/ftpd_rules.xml, 2011/09/08 dcid Exp $
2
3  -  Official ftpd rules for OSSEC.
4  -  Author: Ahmet Ozturk
5  -  License: http://www.ossec.net/en/licensing.html
6  -->
7
8
9<group name="syslog,ftpd,">
10  <rule id="11100" level="0" noalert="1">
11    <decoded_as>ftpd</decoded_as>
12    <description>Grouping for the ftpd rules.</description>
13  </rule>
14
15  <rule id="11101" level="5">
16    <if_sid>11100</if_sid>
17    <pcre2>FTP LOGIN REFUSED</pcre2>
18    <description>FTP connection refused.</description>
19    <group>authentication_failed,access_denied,</group>
20  </rule>
21
22  <rule id="11102" level="0">
23    <if_sid>11100</if_sid>
24    <pcre2> created </pcre2>
25    <description>File created via FTP</description>
26  </rule>
27
28  <rule id="11103" level="0">
29    <if_sid>11100</if_sid>
30    <pcre2> deleted </pcre2>
31    <description>File deleted via FTP</description>
32  </rule>
33
34  <rule id="11104" level="0">
35    <if_sid>11100</if_sid>
36    <pcre2>FTPD: IMPORT file</pcre2>
37    <description>User uploaded a file to server.</description>
38  </rule>
39
40  <rule id="11105" level="0">
41    <if_sid>11100</if_sid>
42    <pcre2>FTPD: EXPORT file</pcre2>
43    <description>User downloaded a file to server.</description>
44  </rule>
45
46  <rule id="11106" level="3">
47    <if_sid>11100</if_sid>
48    <pcre2>FTP LOGIN FROM|connection from|connect from</pcre2>
49    <group>connection_attempt</group>
50    <description>Remote host connected to FTP server.</description>
51  </rule>
52
53  <rule id="11107" level="5">
54    <if_sid>11100</if_sid>
55    <pcre2>refused connect from</pcre2>
56    <group>access_denied,</group>
57    <description>Connection blocked by Tcp Wrappers.</description>
58  </rule>
59
60  <rule id="11108" level="5">
61    <if_sid>11100</if_sid>
62    <pcre2>warning: can't verify hostname: |gethostbyaddr: </pcre2>
63    <description>Reverse lookup error (bad ISP config).</description>
64    <group>client_misconfig,</group>
65  </rule>
66
67  <rule id="11109" level="10">
68    <if_sid>11100</if_sid>
69    <pcre2>repeated login failures</pcre2>
70    <description>Multiple FTP failed login attempts.</description>
71    <group>authentication_failures,</group>
72  </rule>
73
74  <rule id="11110" level="3">
75    <if_sid>11100</if_sid>
76    <pcre2>timed out after</pcre2>
77    <description>User disconnected due to time out.</description>
78  </rule>
79
80  <rule id="11111" level="9">
81    <if_sid>11100</if_sid>
82    <pcre2>PAM_ERROR_MSG: Account is disabled</pcre2>
83    <description>Attempt to login with disabled account.</description>
84    <group>authentication_failed,</group>
85  </rule>
86
87  <rule id="11112" level="5">
88    <if_sid>11100</if_sid>
89    <pcre2>^Failed authentication from</pcre2>
90    <description>FTP authentication failure.</description>
91    <group>authentication_failed,</group>
92  </rule>
93
94  <rule id="11113" level="5">
95    <if_sid>11100</if_sid>
96    <pcre2>^login \S+ from \S+ failed</pcre2>
97    <description>FTP authentication failure.</description>
98    <group>authentication_failed,</group>
99  </rule>
100</group> <!-- SYSLOG,FTPD -->
101
102
103<!-- EOF -->
104