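--- a/.tests/mailu-front/config.yaml
+++ b/.tests/mailu-front/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/ruokki/mailu-front-logs.yaml
+- crowdsecurity/dateparse-enrich
+
+scenarios:
+- ./scenarios/ruokki/mailu-front.yaml
+postoverflows:
+- ""
+log_file: mailu-front.log
+log_type: mailu-front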
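--- a/.tests/mailu-front/mailu-front.log
+++ b/.tests/mailu-front/mailu-front.log
@@ -0,0 +1,11 @@
+2025/03/30 04:06:16 [info] 13#13: *282145 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:06:48 [info] 13#13: *282155 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:07:24 [info] 13#13: *282165 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:07:55 [info] 13#13: *282175 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:08:27 [info] 13#13: *282187 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:08:59 [info] 13#13: *282197 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:09:28 [info] 13#13: *282207 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:10:02 [info] 13#13: *282217 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:10:35 [info] 13#13: *282227 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:11:06 [info] 13#13: *282237 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"
+2025/03/30 04:11:38 [info] 13#13: *282249 client login failed: "AUTH not supported" while in http auth state, client: 10.0.0.1, server: 0.0.0.0:25, login: "[email protected]"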
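--- a/.tests/mailu-front/parser.assert
+++ b/.tests/mailu-front/parser.assert
@@ -0,0 +1,16 @@
+
+
+len(results["s01-parse"]["ruokki/mailu-front"]) == 11
+results["s01-parse"]["ruokki/mailu-front"][0].Success == true
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Parsed["source_ip"] == "10.0.0.1"
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Parsed["time"] == "2025/03/30 04:06:16"
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Parsed["loglevel"] == "info"
+
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Meta["source_ip"] == "10.0.0.1"
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Meta["log_type"] == "mailu-front"
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.Meta["sub_type"] == "auth_fail"
+
+results["s01-parse"]["ruokki/mailu-front"][0].Evt.StrTime == "2025/03/30 04:06:16"
+
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-03-30T04:06:16Z"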
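--- a/.tests/mailu-front/scenario.assert
+++ b/.tests/mailu-front/scenario.assert
@@ -0,0 +1,45 @@
+len(results) == 1
+"10.0.0.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.0.0.1"].IP == "10.0.0.1"
+results[0].Overflow.Sources["10.0.0.1"].Range == ""
+results[0].Overflow.Sources["10.0.0.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.0.0.1"].GetValue() == "10.0.0.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-30T04:06:48Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-30T04:07:24Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-30T04:07:55Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-30T04:08:27Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-30T04:08:59Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "mailu-front.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mailu-front"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "10.0.0.1"
+results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-30T04:09:28Z"
+results[0].Overflow.Alert.GetScenario() == "ruokki/mailu-front-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 7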
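--- a/collections/ruokki/mailu-front.md
+++ b/collections/ruokki/mailu-front.md
@@ -0,0 +1,14 @@
+A collection to defend your [Mailu-front](https://github.com/Mailu/Mailu) instance against common attacks:
+- Mailu-front parser
+- Mailu-front brute-force detection
+
+## Acquisition template
+
+Example acquisition for this collection:
+```yaml
+---
+source: file
+labels:
+type: mailu-front
+```
+Depending on your installation method, you may need to change the acquisition template.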
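--- a/collections/ruokki/mailu-front.yaml
+++ b/collections/ruokki/mailu-front.yaml
@@ -0,0 +1,6 @@
+parsers:
+- ruokki/mailu-front
+scenarios:
+- ruokki/mailu-front
+description: "Collection including parsers and scenarios mailu-front"
+author: ruokki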
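Review bot: The scenario entry `- ruokki/mailu-front` under `scenarios:` is resolved from the file path scenarios/ruokki/mailu-front.yaml, but that file declares `name: ruokki/mailu-front-bf` elsewhere in this PR, so the hub item name and the scenario name shown in alerts differ. Even if hub CI accepts this, it makes an alert harder to trace back to the collection; either rename the scenario file to mailu-front-bf.yaml and reference `- ruokki/mailu-front-bf` here, or set `name: ruokki/mailu-front` in the scenario. The description also reads awkwardly; `description: "Collection including the parser and brute-force scenario for Mailu front"` is clearer.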
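--- a/parsers/s01-parse/ruokki/mailu-front-logs.md
+++ b/parsers/s01-parse/ruokki/mailu-front-logs.md
@@ -0,0 +1,15 @@
+# Description
+
+A parser that will search for unauthorized access to mailu front.
+
+## Acquisition template
+
+Example acquisition for this collection:
+
+```yaml
+---
+filenames:
+- /var/log/mailu-front/*.log
+labels:
+type: mailu-front
+```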
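--- a/parsers/s01-parse/ruokki/mailu-front-logs.yaml
+++ b/parsers/s01-parse/ruokki/mailu-front-logs.yaml
@@ -0,0 +1,19 @@
+filter: "evt.Parsed.program startsWith 'mailu-front'"
+onsuccess: next_stage
+name: ruokki/mailu-front
+description: "Parse mailu-front service log"
+grok:
+#our grok pattern : capture .*
+pattern: '^%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: \*%{NONNEGINT:cid} client login failed: "AUTH not supported" while in http auth state, client: %{IP:source_ip}, server: %{IP:destination_ip}:%{POSINT:port_server}, login: "%{EMAILADDRESS:user_mail}"'
+#pattern: ^%{DATA:some_data}$
+#the field to which we apply the grok pattern : the log message itself
+apply_on: message
+statics:
+- meta: source_ip
+expression: evt.Parsed.source_ip
+- meta: log_type
+value: mailu-front
+- target: evt.StrTime
+expression: evt.Parsed.time
+- meta: sub_type
+value: auth_fail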
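Review bot: The `pattern:` line only matches the literal reason `"AUTH not supported"`, so any other `client login failed:` reason the front proxy logs for the same connection state is dropped by the parser and never reaches the scenario; unless the intent is to alert on port-25 AUTH probes alone (which is what the sample log shows), capture the reason instead, e.g. `client login failed: "%{DATA:reason}" while in http auth state`, and narrow on `evt.Parsed.reason` in the scenario filter if needed. The two scaffold comments `#our grok pattern : capture .*` and `#pattern: ^%{DATA:some_data}$` no longer describe this pattern and should be removed or replaced by one line stating which nginx mail-proxy message is parsed. The captured `user_mail`, `destination_ip` and `port_server` fields are not exported under `statics`, so the resulting alert cannot show which account or listener was targeted; consider adding `- meta: target_user` with `expression: evt.Parsed.user_mail` if that is acceptable for the alert payload.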
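--- a/scenarios/ruokki/mailu-front.md
+++ b/scenarios/ruokki/mailu-front.md
@@ -0,0 +1,3 @@
+Detect failed authentications for Mailu front :
+
+leakspeed of 1m, capacity of 5, blackhole of 5m on source ip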
18 changes: 18 additions & 0 deletions scenarios/ruokki/mailu-front.yaml
@@ -0,0 +1,18 @@
# Dockge Bruteforce
type: leaky
name: ruokki/mailu-front-bf
description: "Mailu Front Bruteforce"
filter: evt.Meta.log_type == 'mailu-front' && evt.Meta.sub_type== 'auth_fail'
groupby: evt.Meta.source_ip
leakspeed: 2m
capacity: 5
labels:
service: mailu-front
classification:
- attack.T1110
behavior: "pop3/imap:bruteforce"
confidence: 3
spoofable: 0
label: "Mailu-front Bruteforce"
remediation: true
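Review bot: The `leakspeed: 2m` line contradicts the scenario's own doc file in this PR, which states a leakspeed of 1m and a 5m blackhole; the hunk header counts 18 lines but only 17 are visible here, so the remaining line may carry a `blackhole:` key, but the leakspeed mismatch is certain and one side should be corrected, e.g. `leakspeed: 1m` or an updated md. The header comment `# Dockge Bruteforce` is a leftover from another scenario and should read `# Mailu front bruteforce`. The `behavior: "pop3/imap:bruteforce"` label does not match the test sample, which shows login attempts against the listener on port 25 (SMTP); check the hub behavior taxonomy for the SMTP entry before the scenario ships with this classification. On the `filter:` line, `evt.Meta.sub_type== 'auth_fail'` is missing a space before `==`; write `evt.Meta.sub_type == 'auth_fail'` for consistency with the first operand.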