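<!-- @(#) $Id: ./etc/rules/ftpd_rules.xml, 2011/09/08 dcid Exp $

  - Official ftpd rules for OSSEC.
  - Author: Ahmet Ozturk
  - License: http://www.ossec.net/en/licensing.html
-->

<!--
  Rules for events decoded as "ftpd". Every rule below chains off the
  parent rule 11100 through <if_sid>, so a line is only inspected here
  when the ftpd decoder claimed it.

  Conventions in this file:
    - <group> values end with a trailing comma (e.g. "access_denied,"),
      matching the "syslog,ftpd," name on the enclosing group element.
    - Level 0 rules are recorded but do not alert on their own; raise
      the level locally if file create/delete/transfer events should
      produce alerts in your environment.
    - <pcre2> patterns that start or end with a space rely on that space
      to avoid matching inside longer words; keep the whitespace as-is.
-->
<group name="syslog,ftpd,">
  <!-- Parent rule: anything decoded as ftpd lands here; never alerts itself. -->
  <rule id="11100" level="0" noalert="1">
    <decoded_as>ftpd</decoded_as>
    <description>Grouping for the ftpd rules.</description>
  </rule>

  <!-- Server refused a login (policy/ftpusers denial, not a bad password). -->
  <rule id="11101" level="5">
    <if_sid>11100</if_sid>
    <pcre2>FTP LOGIN REFUSED</pcre2>
    <description>FTP connection refused.</description>
    <group>authentication_failed,access_denied,</group>
  </rule>

  <!-- File created on the server; level 0 = logged, no alert. -->
  <rule id="11102" level="0">
    <if_sid>11100</if_sid>
    <pcre2> created </pcre2>
    <description>File created via FTP</description>
  </rule>

  <!-- File deleted on the server; level 0 = logged, no alert. -->
  <rule id="11103" level="0">
    <if_sid>11100</if_sid>
    <pcre2> deleted </pcre2>
    <description>File deleted via FTP</description>
  </rule>

  <!-- IMPORT = client sent a file to the server (upload). -->
  <rule id="11104" level="0">
    <if_sid>11100</if_sid>
    <pcre2>FTPD: IMPORT file</pcre2>
    <description>User uploaded a file to server.</description>
  </rule>

  <!-- EXPORT = server sent a file to the client (download); the
       description mirrors 11104 so the transfer direction is unambiguous. -->
  <rule id="11105" level="0">
    <if_sid>11100</if_sid>
    <pcre2>FTPD: EXPORT file</pcre2>
    <description>User downloaded a file from server.</description>
  </rule>

  <!-- Plain connection / login-from notice; low level, useful for correlation
       (e.g. counting connection_attempt events per source). -->
  <rule id="11106" level="3">
    <if_sid>11100</if_sid>
    <pcre2>FTP LOGIN FROM|connection from|connect from</pcre2>
    <group>connection_attempt,</group>
    <description>Remote host connected to FTP server.</description>
  </rule>

  <!-- Connection rejected before authentication by TCP Wrappers (hosts.deny). -->
  <rule id="11107" level="5">
    <if_sid>11100</if_sid>
    <pcre2>refused connect from</pcre2>
    <group>access_denied,</group>
    <description>Connection blocked by Tcp Wrappers.</description>
  </rule>

  <!-- Reverse DNS for the client address did not resolve or did not match. -->
  <rule id="11108" level="5">
    <if_sid>11100</if_sid>
    <pcre2>warning: can't verify hostname: |gethostbyaddr: </pcre2>
    <description>Reverse lookup error (bad ISP config).</description>
    <group>client_misconfig,</group>
  </rule>

  <!-- The daemon itself reports repeated failures; highest level in this file. -->
  <rule id="11109" level="10">
    <if_sid>11100</if_sid>
    <pcre2>repeated login failures</pcre2>
    <description>Multiple FTP failed login attempts.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Idle session closed by the server. -->
  <rule id="11110" level="3">
    <if_sid>11100</if_sid>
    <pcre2>timed out after</pcre2>
    <description>User disconnected due to time out.</description>
  </rule>

  <!-- PAM reported the account as disabled; higher than a plain bad password
       because the account is known and locked. -->
  <rule id="11111" level="9">
    <if_sid>11100</if_sid>
    <pcre2>PAM_ERROR_MSG: Account is disabled</pcre2>
    <description>Attempt to login with disabled account.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Generic authentication failure, anchored at start of message. -->
  <rule id="11112" level="5">
    <if_sid>11100</if_sid>
    <pcre2>^Failed authentication from</pcre2>
    <description>FTP authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- "login <user> from <host> failed" form of the same failure. -->
  <rule id="11113" level="5">
    <if_sid>11100</if_sid>
    <pcre2>^login \S+ from \S+ failed</pcre2>
    <description>FTP authentication failure.</description>
    <group>authentication_failed,</group>
  </rule>
</group> <!-- SYSLOG,FTPD -->


<!-- EOF -->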