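<!-- @(#) $Id: ./etc/rules/vsftpd_rules.xml, 2011/09/08 dcid Exp $

  -  Official vsftpd rules for OSSEC.
  -  Author: Joachim Vorrath <joachim.vorrath@vorrath-net.de>
  -  Author: Jorge Augusto Senger <jorge@br10.com.br>
  -  Author: Daniel B. Cid
  -  License: http://www.ossec.net/en/licensing.html
  -->

<!--
  Rule layout:
    11400        base rule; matches every event decoded as vsftpd and never alerts
    11401-11404  single-event rules chained to 11400 through if_sid
    11451-11452  frequency rules built on 11403 and 11401 with same_source_ip

  Every pcre2 pattern below is an unanchored substring match against the log
  text. If false positives from unrelated log content are observed, anchor the
  patterns to the vsftpd message layout rather than loosening the levels.
  -->

<group name="syslog,vsftpd,">
  <!-- Base rule: level 0 plus noalert, so it only collects the vsftpd events
       for the child rules below and never raises an alert by itself. -->
  <rule id="11400" level="0" noalert="1">
    <decoded_as>vsftpd</decoded_as>
    <description>Grouping for the vsftpd rules.</description>
  </rule>

  <!-- New control connection ("CONNECT: Client" line). Feeds rule 11452. -->
  <rule id="11401" level="3">
    <if_sid>11400</if_sid>
    <pcre2>CONNECT: Client</pcre2>
    <!-- Group list is comma-terminated, consistent with the other rules here. -->
    <group>connection_attempt,</group>
    <description>FTP session opened.</description>
  </rule>

  <!-- Successful login. Level 3 keeps it in the log trail without paging. -->
  <rule id="11402" level="3">
    <if_sid>11400</if_sid>
    <pcre2>OK LOGIN: </pcre2>
    <description>FTP Authentication success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Failed login. Feeds the brute-force rule 11451. -->
  <rule id="11403" level="5">
    <if_sid>11400</if_sid>
    <pcre2>FAIL LOGIN: </pcre2>
    <description>Login failed accessing the FTP server.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Successful upload. Level 0 means the event is matched but never alerted
       on its own; raise the level, or chain a rule via if_sid 11404, where
       visibility of uploads is wanted (e.g. on servers that should be
       download-only). -->
  <rule id="11404" level="0">
    <if_sid>11400</if_sid>
    <pcre2>OK UPLOAD: </pcre2>
    <description>FTP server file upload.</description>
  </rule>

  <!-- Brute force: repeated 11403 hits from one source IP inside 120 s.
       same_source_ip requires the vsftpd decoder to populate srcip;
       TODO confirm against the decoder in use. The exact hit count at which
       frequency fires is engine-specific; tune frequency/timeframe to the
       site's expected typo rate. -->
  <rule id="11451" level="10" frequency="6" timeframe="120">
    <if_matched_sid>11403</if_matched_sid>
    <same_source_ip />
    <description>FTP brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Connection flood / scan: repeated 11401 hits from one source IP inside
       60 s. Description kept as a single element so the text does not depend
       on how the parser treats several description elements in one rule. -->
  <rule id="11452" level="10" frequency="10" timeframe="60">
    <if_matched_sid>11401</if_matched_sid>
    <same_source_ip />
    <description>Multiple FTP connection attempts from same source IP.</description>
    <group>recon,</group>
  </rule>

</group> <!-- SYSLOG,VSFTPD -->


<!-- EOF -->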