diff --git a/.tests/stalwart-bf/config.yaml b/.tests/stalwart-bf/config.yaml
new file mode 100644
index 00000000000..e7db66b6c28
--- /dev/null
+++ b/.tests/stalwart-bf/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/ananace/stalwart-logs.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ./scenarios/hitech95/mail-generic-bf.yaml
+postoverflows:
+ - ""
+log_file: stalwart-bf.log
+log_type: stalwart
+ignore_parsers: true
diff --git a/.tests/stalwart-bf/parser.assert b/.tests/stalwart-bf/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/stalwart-bf/scenario.assert b/.tests/stalwart-bf/scenario.assert
new file mode 100644
index 00000000000..8daed4f9ef2
--- /dev/null
+++ b/.tests/stalwart-bf/scenario.assert
@@ -0,0 +1,51 @@
+len(results) == 1
+"172.31.0.11" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["172.31.0.11"].IP == "172.31.0.11"
+results[0].Overflow.Sources["172.31.0.11"].Range == ""
+results[0].Overflow.Sources["172.31.0.11"].GetScope() == "Ip"
+results[0].Overflow.Sources["172.31.0.11"].GetValue() == "172.31.0.11"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T19:11:31Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-20T19:11:33Z"
+results[0].Overflow.Alert.GetScenario() == "hitech95/email-generic-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/stalwart-bf/stalwart-bf.log b/.tests/stalwart-bf/stalwart-bf.log
new file mode 100644
index 00000000000..8bff05efb45
--- /dev/null
+++ b/.tests/stalwart-bf/stalwart-bf.log
@@ -0,0 +1,13 @@
+2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = "localhost"
+2025-03-20T19:11:31Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48712
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48713
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48714
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48715
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48716
+2025-03-20T19:11:33Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48717
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48718
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48719
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48720
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48721
+2025-03-20T19:11:45Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48722
+2025-03-20T19:11:45Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48723
diff --git a/.tests/stalwart-blocked/config.yaml b/.tests/stalwart-blocked/config.yaml
new file mode 100644
index 00000000000..c9318595448
--- /dev/null
+++ b/.tests/stalwart-blocked/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/ananace/stalwart-logs.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ./scenarios/ananace/stalwart-blocked.yaml
+postoverflows:
+ - ""
+log_file: stalwart-blocked.log
+log_type: stalwart
+ignore_parsers: true
diff --git a/.tests/stalwart-blocked/parser.assert b/.tests/stalwart-blocked/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/stalwart-blocked/scenario.assert b/.tests/stalwart-blocked/scenario.assert
new file mode 100644
index 00000000000..da27943a7c6
--- /dev/null
+++ b/.tests/stalwart-blocked/scenario.assert
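Review bot: The only authentication lines in this fixture are `smtp.auth-not-allowed` on the port-25 `smtp` listener, which Stalwart emits when a client issues AUTH on a listener that does not permit authentication rather than when a credential check fails, and the accompanying scenario.assert shows the parser mapping every one of them to `sub_type == "auth_fail"` with `hitech95/email-generic-bf` firing on the sixth within two seconds. That mapping is defensible, since AUTH probes against an MX listener are almost always automated, but it also means a single misconfigured legitimate client retrying AUTH on port 25 earns a ban just as fast, and the fixture never exercises a genuine rejected-credential event, so the parser's handling of a real failed login is not covered by this test at all. Consider adding a few lines of the event Stalwart logs for a wrong password (a different event type from `smtp.auth-not-allowed`) to this file and to the assertions so both paths are pinned, and, if `auth-not-allowed` is meant to stay in the brute-force bucket, a short comment in the parser stating that intent would spare the next maintainer the same question.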
@@ -0,0 +1,85 @@
+len(results) == 6
+"192.168.0.67" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.0.67"].IP == "192.168.0.67"
+results[0].Overflow.Sources["192.168.0.67"].Range == ""
+results[0].Overflow.Sources["192.168.0.67"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.0.67"].GetValue() == "192.168.0.67"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.67"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T06:00:02Z"
+results[0].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.67" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.0.67"].IP == "192.168.0.67"
+results[1].Overflow.Sources["192.168.0.67"].Range == ""
+results[1].Overflow.Sources["192.168.0.67"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.0.67"].GetValue() == "192.168.0.67"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.67"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:25:10Z"
+results[1].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.29" in results[2].Overflow.GetSources()
+results[2].Overflow.Sources["192.168.0.29"].IP == "192.168.0.29"
+results[2].Overflow.Sources["192.168.0.29"].Range == ""
+results[2].Overflow.Sources["192.168.0.29"].GetScope() == "Ip"
+results[2].Overflow.Sources["192.168.0.29"].GetValue() == "192.168.0.29"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.29"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:28:30Z"
+results[2].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[2].Overflow.Alert.Remediation == true
+results[2].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.173" in results[3].Overflow.GetSources()
+results[3].Overflow.Sources["192.168.0.173"].IP == "192.168.0.173"
+results[3].Overflow.Sources["192.168.0.173"].Range == ""
+results[3].Overflow.Sources["192.168.0.173"].GetScope() == "Ip"
+results[3].Overflow.Sources["192.168.0.173"].GetValue() == "192.168.0.173"
+results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[3].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.173"
+results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:19:22Z"
+results[3].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[3].Overflow.Alert.Remediation == true
+results[3].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.153" in results[4].Overflow.GetSources()
+results[4].Overflow.Sources["192.168.0.153"].IP == "192.168.0.153"
+results[4].Overflow.Sources["192.168.0.153"].Range == ""
+results[4].Overflow.Sources["192.168.0.153"].GetScope() == "Ip"
+results[4].Overflow.Sources["192.168.0.153"].GetValue() == "192.168.0.153"
+results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[4].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.153"
+results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:22:40Z"
+results[4].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[4].Overflow.Alert.Remediation == true
+results[4].Overflow.Alert.GetEventsCount() == 2
+"172.16.32.13" in results[5].Overflow.GetSources()
+results[5].Overflow.Sources["172.16.32.13"].IP == "172.16.32.13"
+results[5].Overflow.Sources["172.16.32.13"].Range == ""
+results[5].Overflow.Sources["172.16.32.13"].GetScope() == "Ip"
+results[5].Overflow.Sources["172.16.32.13"].GetValue() == "172.16.32.13"
+results[5].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[5].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.16.32.13"
+results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:30:07Z"
+results[5].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[5].Overflow.Alert.Remediation == true
+results[5].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/stalwart-blocked/stalwart-blocked.log b/.tests/stalwart-blocked/stalwart-blocked.log
new file mode 100644
index 00000000000..43d8763e911
--- /dev/null
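Review bot: The six alerts are asserted by position and the positions do not follow the log's timeline — results[1] is the 192.168.0.67 alert whose first event is 11:25:10 while results[3] is 192.168.0.173 from 11:19:22 and results[4] is 192.168.0.153 from 11:22:40 — so the file encodes the engine's bucket-flush order rather than anything the scenario guarantees. That is what `cscli hubtest` emits, so it is acceptable as generated, but any upstream change to overflow ordering will fail this test without a detection regression, and a reviewer skimming it could mistake the index order for a claim about when each ban is raised. Worth a line in the PR description (or the hub README for these tests) saying that the source/timestamp pairs and `GetEventsCount() == 2` are the meaningful assertions here, not the indices, so a future re-generation that only reorders them can be accepted without suspicion.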
+++ b/.tests/stalwart-blocked/stalwart-blocked.log 
@@ -0,0 +1,22 @@
+2025-03-20T06:00:02Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556
+2025-03-20T06:04:02Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556
+2025-03-20T06:12:14Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 63934
+2025-03-20T06:33:46Z INFO TLS handshake (tls.handshake) listenerId = "smtp", localPort = 25, remoteIp = 10.0.19.103, remotePort = 32932, listenerId = "smtp", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384"
+2025-03-20T11:19:22Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514
+2025-03-20T11:19:23Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514
+2025-03-20T11:22:40Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008
+2025-03-20T11:22:44Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008
+2025-03-20T11:23:11Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 34448, accountName = "ace", accountId = 35
+2025-03-20T11:25:10Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756
+2025-03-20T11:28:30Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774
+2025-03-20T11:28:35Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756
+2025-03-20T11:28:38Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774
+2025-03-20T11:30:07Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46700
+2025-03-20T11:30:09Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46716
+2025-03-20T16:23:09Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 45494, accountName = "ace", accountId = 35
+2025-03-20T16:23:59Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 53664
+2025-03-20T15:15:05Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.125.22.186, remotePort = 62768
+2025-03-20T15:20:55Z INFO TLS handshake (tls.handshake) listenerId = "submission", localPort = 587, remoteIp = 10.0.34.114, remotePort = 40564, listenerId = "submission", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384"
+2025-03-20T19:00:42Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.159, remotePort = 63722, domain = "localhost"
+2025-03-20T19:02:15Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.195, remotePort = 8950, domain = "localhost"
+2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = "localhost"
diff --git a/.tests/stalwart-logs/config.yaml b/.tests/stalwart-logs/config.yaml
new file mode 100644
index 00000000000..5956057d07b
--- /dev/null
+++ b/.tests/stalwart-logs/config.yaml
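Review bot: The fixture's timestamps are not monotonic — the `2025-03-20T16:23:59Z` auth-mechanism line is followed by `2025-03-20T15:15:05Z` and `2025-03-20T15:20:55Z` before the file jumps forward to 19:00 — and as far as I know hubtest replays with the bucket clock driven by event timestamps, so a backwards jump can change leak and expiry behaviour for any bucket that is still open at that point. It is harmless today because no `security.ip-blocked` line follows the jump, but it will silently matter the moment someone extends this test by appending blocked-IP lines after the 15:15:05 entry and gets an overflow count they cannot explain. Moving those two lines into chronological position (between the 11:30:09 and 16:23:09 entries) keeps the fixture safe to extend; the same two lines appear in stalwart-logs.log, judging by the parser.assert indices, so that file likely wants the same reorder.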
@@ -0,0 +1,10 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - ./parsers/s01-parse/ananace/stalwart-logs.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ""
+postoverflows:
+ - ""
+log_file: stalwart-logs.log
+log_type: stalwart
diff --git a/.tests/stalwart-logs/parser.assert b/.tests/stalwart-logs/parser.assert
new file mode 100644
index 00000000000..c89dfbf5b28
--- /dev/null
+++ b/.tests/stalwart-logs/parser.assert
@@ -0,0 +1,314 @@
+len(results["s01-parse"]["ananace/stalwart-logs"]) == 18
+results["s01-parse"]["ananace/stalwart-logs"][0].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["date"] == "2025-03-20T06:00:02Z"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["listener"] == "submissions"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["local_port"] == "465"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["message"] == "2025-03-20T06:00:02Z INFO Blocked IP address (security.ip-blocked) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["remote_ip"] == "192.168.0.67"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Parsed["remote_port"] == "25556"
+basename(results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Meta["source_ip"] == "192.168.0.67"
+results["s01-parse"]["ananace/stalwart-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][1].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["date"] == "2025-03-20T06:12:14Z"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["event_description"] == "Auth mechanism not supported"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["event_type"] == "smtp.auth-mechanism-not-supported"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["listener"] == "submission"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["local_port"] == "587"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["message"] == "2025-03-20T06:12:14Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = \"submission\", localPort = 587, remoteIp = 36.213.48.131, remotePort = 63934"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["remote_ip"] == "36.213.48.131"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Parsed["remote_port"] == "63934"
+basename(results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["log_type"] == "mail_auth"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["source_ip"] == "36.213.48.131"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Meta["sub_type"] == "auth_fail"
+results["s01-parse"]["ananace/stalwart-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][2].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["date"] == "2025-03-20T06:33:46Z"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["event_description"] == "TLS handshake"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["event_type"] == "tls.handshake"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["listener"] == "smtp"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["local_port"] == "25"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["message"] == "2025-03-20T06:33:46Z INFO TLS handshake (tls.handshake) listenerId = \"smtp\", localPort = 25, remoteIp = 10.0.19.103, remotePort = 32932, listenerId = \"smtp\", version = \"TLSv1_3\", details = \"TLS13_AES_256_GCM_SHA384\""
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["remote_ip"] == "10.0.19.103"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Parsed["remote_port"] == "32932"
+basename(results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Meta["source_ip"] == "10.0.19.103"
+results["s01-parse"]["ananace/stalwart-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][3].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["date"] == "2025-03-20T11:19:22Z"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["listener"] == "submissions"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["local_port"] == "465"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["message"] == "2025-03-20T11:19:22Z INFO Blocked IP address (security.ip-blocked) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["remote_ip"] == "192.168.0.173"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Parsed["remote_port"] == "38514"
+basename(results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Meta["source_ip"] == "192.168.0.173"
+results["s01-parse"]["ananace/stalwart-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][4].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["date"] == "2025-03-20T11:22:40Z"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["listener"] == "submissions"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["local_port"] == "465"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["message"] == "2025-03-20T11:22:40Z INFO Blocked IP address (security.ip-blocked) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["remote_ip"] == "192.168.0.153"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Parsed["remote_port"] == "22008"
+basename(results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Meta["source_ip"] == "192.168.0.153"
+results["s01-parse"]["ananace/stalwart-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][5].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["date"] == "2025-03-20T11:23:11Z"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["event_description"] == "Authentication successful"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["event_type"] == "auth.success"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["listener"] == "imaptls"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["local_port"] == "993"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["message"] == "2025-03-20T11:23:11Z INFO Authentication successful (auth.success) listenerId = \"imaptls\", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 34448, accountName = \"ace\", accountId = 35"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["remote_ip"] == "a839:f70d:3ed9:bf86:119b:e579:acdd:dce8"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Parsed["remote_port"] == "34448"
+basename(results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["log_type"] == "mail_auth"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["source_ip"] == "a839:f70d:3ed9:bf86:119b:e579:acdd:dce8"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Meta["sub_type"] == "auth_success"
+results["s01-parse"]["ananace/stalwart-logs"][5].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][6].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["date"] == "2025-03-20T11:25:10Z"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["listener"] == "submissions"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["local_port"] == "465"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["message"] == "2025-03-20T11:25:10Z INFO Blocked IP address (security.ip-blocked) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["remote_ip"] == "192.168.0.67"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Parsed["remote_port"] == "19756"
+basename(results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Meta["source_ip"] == "192.168.0.67"
+results["s01-parse"]["ananace/stalwart-logs"][6].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][7].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["date"] == "2025-03-20T11:28:30Z"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["listener"] == "submissions"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["local_port"] == "465"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["message"] == "2025-03-20T11:28:30Z INFO Blocked IP address (security.ip-blocked) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["remote_ip"] == "192.168.0.29"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Parsed["remote_port"] == "11774"
+basename(results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Meta["source_ip"] == "192.168.0.29"
+results["s01-parse"]["ananace/stalwart-logs"][7].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][8].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["date"] == "2025-03-20T11:30:07Z"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["listener"] == "smtp"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["local_port"] == "25"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["message"] == "2025-03-20T11:30:07Z INFO Blocked IP address (security.ip-blocked) listenerId = \"smtp\", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46700"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["remote_ip"] == "172.16.32.13"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Parsed["remote_port"] == "46700"
+basename(results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Meta["source_ip"] == "172.16.32.13"
+results["s01-parse"]["ananace/stalwart-logs"][8].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][9].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["date"] == "2025-03-20T11:30:09Z"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["event_description"] == "Blocked IP address"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["event_type"] == "security.ip-blocked"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["listener"] == "smtp"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["local_port"] == "25"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["message"] == "2025-03-20T11:30:09Z INFO Blocked IP address (security.ip-blocked) listenerId = \"smtp\", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46716"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["remote_ip"] == "172.16.32.13"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Parsed["remote_port"] == "46716"
+basename(results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Meta["log_type"] == "stalwart_blocked_ip"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Meta["source_ip"] == "172.16.32.13"
+results["s01-parse"]["ananace/stalwart-logs"][9].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][10].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["date"] == "2025-03-20T16:23:09Z"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["event_description"] == "Authentication successful"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["event_type"] == "auth.success"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["listener"] == "imaptls"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["local_port"] == "993"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["message"] == "2025-03-20T16:23:09Z INFO Authentication successful (auth.success) listenerId = \"imaptls\", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 45494, accountName = \"ace\", accountId = 35"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["program"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["remote_ip"] == "a839:f70d:3ed9:bf86:119b:e579:acdd:dce8"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Parsed["remote_port"] == "45494"
+basename(results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["datasource_path"]) == "stalwart-logs.log"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["log_type"] == "mail_auth"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["service"] == "stalwart"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["source_ip"] == "a839:f70d:3ed9:bf86:119b:e579:acdd:dce8"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Meta["sub_type"] == "auth_success"
+results["s01-parse"]["ananace/stalwart-logs"][10].Evt.Whitelisted == false
+results["s01-parse"]["ananace/stalwart-logs"][11].Success == true
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["date"] == "2025-03-20T16:23:59Z"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["event_description"] == "Auth mechanism not supported"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["event_type"] == "smtp.auth-mechanism-not-supported"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["listener"] == "submission"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["local_port"] == "587"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["log_level"] == "INFO"
+results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["message"] == "2025-03-20T16:23:59Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = \"submission\", localPort = 587, remoteIp = 36.213.48.131, remotePort
= 53664" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["remote_ip"] == "36.213.48.131" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Parsed["remote_port"] == "53664" +basename(results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["log_type"] == "mail_auth" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["source_ip"] == "36.213.48.131" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Meta["sub_type"] == "auth_fail" +results["s01-parse"]["ananace/stalwart-logs"][11].Evt.Whitelisted == false +results["s01-parse"]["ananace/stalwart-logs"][12].Success == true +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["date"] == "2025-03-20T15:15:05Z" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["event_description"] == "Authentication not allowed" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["event_type"] == "smtp.auth-not-allowed" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["listener"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["local_port"] == "25" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["message"] == "2025-03-20T15:15:05Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = \"smtp\", localPort = 25, remoteIp = 10.125.22.186, remotePort = 62768" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["remote_ip"] == "10.125.22.186" 
+results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Parsed["remote_port"] == "62768" +basename(results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["log_type"] == "mail_auth" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["source_ip"] == "10.125.22.186" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Meta["sub_type"] == "auth_fail" +results["s01-parse"]["ananace/stalwart-logs"][12].Evt.Whitelisted == false +results["s01-parse"]["ananace/stalwart-logs"][13].Success == true +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["date"] == "2025-03-20T15:20:55Z" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["event_description"] == "TLS handshake" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["event_type"] == "tls.handshake" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["listener"] == "submission" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["local_port"] == "587" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["message"] == "2025-03-20T15:20:55Z INFO TLS handshake (tls.handshake) listenerId = \"submission\", localPort = 587, remoteIp = 10.0.34.114, remotePort = 40564, listenerId = \"submission\", version = \"TLSv1_3\", details = \"TLS13_AES_256_GCM_SHA384\"" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["remote_ip"] == "10.0.34.114" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Parsed["remote_port"] == "40564" 
+basename(results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Meta["source_ip"] == "10.0.34.114" +results["s01-parse"]["ananace/stalwart-logs"][13].Evt.Whitelisted == false +results["s01-parse"]["ananace/stalwart-logs"][14].Success == true +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["date"] == "2025-03-20T19:00:42Z" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["event_description"] == "SMTP EHLO command" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["event_type"] == "smtp.ehlo" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["listener"] == "submissions" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["local_port"] == "465" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["message"] == "2025-03-20T19:00:42Z INFO SMTP EHLO command (smtp.ehlo) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.159, remotePort = 63722, domain = \"localhost\"" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["remote_ip"] == "192.168.0.159" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Parsed["remote_port"] == "63722" +basename(results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["log_type"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["service"] == "stalwart" 
+results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["source_ip"] == "192.168.0.159" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Meta["sub_type"] == "ehlo" +results["s01-parse"]["ananace/stalwart-logs"][14].Evt.Whitelisted == false +results["s01-parse"]["ananace/stalwart-logs"][15].Success == true +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["date"] == "2025-03-20T19:02:15Z" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["event_description"] == "SMTP EHLO command" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["event_type"] == "smtp.ehlo" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["listener"] == "submissions" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["local_port"] == "465" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["message"] == "2025-03-20T19:02:15Z INFO SMTP EHLO command (smtp.ehlo) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.195, remotePort = 8950, domain = \"localhost\"" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["remote_ip"] == "192.168.0.195" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Parsed["remote_port"] == "8950" +basename(results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["log_type"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["source_ip"] == "192.168.0.195" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Meta["sub_type"] == "ehlo" +results["s01-parse"]["ananace/stalwart-logs"][15].Evt.Whitelisted == 
false +results["s01-parse"]["ananace/stalwart-logs"][16].Success == true +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["date"] == "2025-03-20T19:02:49Z" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["event_description"] == "SMTP EHLO command" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["event_type"] == "smtp.ehlo" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["listener"] == "submissions" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["local_port"] == "465" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["message"] == "2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = \"submissions\", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = \"localhost\"" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["remote_ip"] == "192.168.0.43" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Parsed["remote_port"] == "42712" +basename(results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["log_type"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["source_ip"] == "192.168.0.43" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Meta["sub_type"] == "ehlo" +results["s01-parse"]["ananace/stalwart-logs"][16].Evt.Whitelisted == false +results["s01-parse"]["ananace/stalwart-logs"][17].Success == true +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["date"] == "2025-03-20T19:03:51Z" 
+results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["event_description"] == "Relay not allowed" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["event_type"] == "smtp.relay-not-allowed" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["listener"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["local_port"] == "25" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["log_level"] == "INFO" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["message"] == "2025-03-20T19:03:51Z INFO Relay not allowed (smtp.relay-not-allowed) listenerId = \"smtp\", localPort = 25, remoteIp = 10.7.1.175, remotePort = 52177, to = \"garbage@example.com\"" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["program"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["remote_ip"] == "10.7.1.175" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Parsed["remote_port"] == "52177" +basename(results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["datasource_path"]) == "stalwart-logs.log" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["log_type"] == "smtp" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["service"] == "stalwart" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["source_ip"] == "10.7.1.175" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Meta["sub_type"] == "relay_denied" +results["s01-parse"]["ananace/stalwart-logs"][17].Evt.Whitelisted == false diff --git a/.tests/stalwart-logs/scenario.assert b/.tests/stalwart-logs/scenario.assert new file mode 100644 index 00000000000..03455618a29 --- /dev/null +++ b/.tests/stalwart-logs/scenario.assert @@ -0,0 +1 @@ +len(results) == 0 diff --git a/.tests/stalwart-logs/stalwart-logs.log b/.tests/stalwart-logs/stalwart-logs.log new file mode 100644 index 00000000000..e47f3dad261 --- /dev/null 
+++ b/.tests/stalwart-logs/stalwart-logs.log 
@@ -0,0 +1,18 @@ +2025-03-20T06:00:02Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556 +2025-03-20T06:12:14Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 63934 +2025-03-20T06:33:46Z INFO TLS handshake (tls.handshake) listenerId = "smtp", localPort = 25, remoteIp = 10.0.19.103, remotePort = 32932, listenerId = "smtp", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384" +2025-03-20T11:19:22Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514 +2025-03-20T11:22:40Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008 +2025-03-20T11:23:11Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 34448, accountName = "ace", accountId = 35 +2025-03-20T11:25:10Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756 +2025-03-20T11:28:30Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774 +2025-03-20T11:30:07Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46700 +2025-03-20T11:30:09Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46716 +2025-03-20T16:23:09Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 45494, accountName = "ace", accountId = 35 +2025-03-20T16:23:59Z INFO Auth mechanism not supported 
(smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 53664 +2025-03-20T15:15:05Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.125.22.186, remotePort = 62768 +2025-03-20T15:20:55Z INFO TLS handshake (tls.handshake) listenerId = "submission", localPort = 587, remoteIp = 10.0.34.114, remotePort = 40564, listenerId = "submission", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384" +2025-03-20T19:00:42Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.159, remotePort = 63722, domain = "localhost" +2025-03-20T19:02:15Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.195, remotePort = 8950, domain = "localhost" +2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = "localhost" +2025-03-20T19:03:51Z INFO Relay not allowed (smtp.relay-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.7.1.175, remotePort = 52177, to = "garbage@example.com" diff --git a/.tests/stalwart-relay-denied/config.yaml b/.tests/stalwart-relay-denied/config.yaml new file mode 100644 index 00000000000..cafccb4efdb --- /dev/null +++ b/.tests/stalwart-relay-denied/config.yaml @@ -0,0 +1,11 @@ +parsers: + - crowdsecurity/syslog-logs + - ./parsers/s01-parse/ananace/stalwart-logs.yaml + - crowdsecurity/dateparse-enrich +scenarios: + - ./scenarios/ananace/stalwart-relay-denied.yaml +postoverflows: + - "" +log_file: stalwart-relay-denied.log +log_type: stalwart +ignore_parsers: true diff --git a/.tests/stalwart-relay-denied/parser.assert b/.tests/stalwart-relay-denied/parser.assert new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/.tests/stalwart-relay-denied/scenario.assert b/.tests/stalwart-relay-denied/scenario.assert
new file mode 100644
index 00000000000..668f3325c15
--- /dev/null
+++ b/.tests/stalwart-relay-denied/scenario.assert
@@ -0,0 +1,23 @@
+len(results) == 1
+"10.2.14.175" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["10.2.14.175"].IP == "10.2.14.175"
+results[0].Overflow.Sources["10.2.14.175"].Range == ""
+results[0].Overflow.Sources["10.2.14.175"].GetScope() == "Ip"
+results[0].Overflow.Sources["10.2.14.175"].GetValue() == "10.2.14.175"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "stalwart-relay-denied.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smtp"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "10.2.14.175"
+results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "relay_denied"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-04-08T16:01:51Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "stalwart-relay-denied.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smtp"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "10.2.14.175"
+results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "relay_denied"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-04-08T16:01:51Z"
+results[0].Overflow.Alert.GetScenario() == "ananace/stalwart-relay-denied"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/stalwart-relay-denied/stalwart-relay-denied.log b/.tests/stalwart-relay-denied/stalwart-relay-denied.log
new file mode 100644
index 00000000000..e4b50354aa9
--- /dev/null
+++ b/.tests/stalwart-relay-denied/stalwart-relay-denied.log
@@ -0,0 +1,10 @@
+2025-04-08T16:01:51Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, domain = "smtp.example.com"
+2025-04-08T16:01:51Z INFO SPF EHLO check failed (smtp.spf-ehlo-fail) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, domain = "smtp.example.com", result = No SPF record (spf.none), elapsed = 6ms
+2025-04-08T16:01:51Z INFO IPREV check failed (smtp.iprev-fail) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52176, domain = "mail.example.com", result = IPREV permanent error (iprev.perm-error) { causedBy = DNS record not found (mail-auth.dns-record-not-found) { code = Non-Existent Domain } }, elapsed = 3ms
+2025-04-08T16:01:51Z INFO SPF From check failed (smtp.spf-from-fail) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52176, domain = "mail.example.com", from = "ckqlsqperlw@example.com", result = SPF check failed (spf.fail), elapsed = 20ms
+2025-04-08T16:01:51Z INFO SMTP MAIL FROM command (smtp.mail-from) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52176, from = "ckqlsqperlw@example.com"
+2025-04-08T16:01:51Z INFO IPREV check failed (smtp.iprev-fail) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, domain = "smtp.example.com", result = IPREV permanent error (iprev.perm-error) { causedBy = DNS record not found (mail-auth.dns-record-not-found) { code = Non-Existent Domain } }, elapsed = 2ms
+2025-04-08T16:01:51Z INFO SPF From check failed (smtp.spf-from-fail) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, domain = "smtp.example.com", from = "soadcoakyj@example.com", result = SPF check failed (spf.fail), elapsed = 0ms
+2025-04-08T16:01:51Z INFO SMTP MAIL FROM command (smtp.mail-from) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, from = "soadcoakyj@example.com"
+2025-04-08T16:01:51Z INFO Relay not allowed (smtp.relay-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52176, to = "validxxx@gmailhotmail.com.br" +2025-04-08T16:01:51Z INFO Relay not allowed (smtp.relay-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.2.14.175, remotePort = 52177, to = "validxxx@gmailhotmail.com.br" diff --git a/collections/ananace/stalwart.md b/collections/ananace/stalwart.md new file mode 100644 index 00000000000..dd19375f018 --- /dev/null +++ b/collections/ananace/stalwart.md @@ -0,0 +1,32 @@ +## Stalwart Mail collection + +A collection for the Stalwart mail server + - Stalwart log parser + - Scenarios for relay denies, internal IP blocking + +## Acquisition template + +Example acquisition for this collection : + +```yaml +filenames: + - /opt/stalwart-mail/logs/stalwart-mail.log +labels: + type: stalwart +``` + +If you are running Stalwart [in a container](https://stalw.art/docs/install/docker/). + +```yaml +--- +source: docker +container_name: + - stalwart-mail +labels: + type: stalwart +``` + +notes : + - If you are using `journal`/`syslog`, set type to `syslog` instead + - Depending on your distribution/OS/install method, paths to log files might change + - Only relevant if you are manually installing collection diff --git a/collections/ananace/stalwart.yaml b/collections/ananace/stalwart.yaml new file mode 100644 index 00000000000..a1fe30388f7 --- /dev/null +++ b/collections/ananace/stalwart.yaml @@ -0,0 +1,13 @@ +parsers: + - ananace/stalwart-logs +scenarios: + - ananace/stalwart-blocked + - ananace/stalwart-relay-denied + - hitech95/mail-generic-bf +description: "Stalwart email core : parser and spammer detection" +author: ananace +tags: + - linux + - spam + - bruteforce + - email diff --git a/parsers/s01-parse/ananace/stalwart-logs.yaml b/parsers/s01-parse/ananace/stalwart-logs.yaml new file mode 100644 index 00000000000..970c1afb8ed --- /dev/null 
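Review bot: The two `Relay not allowed` lines that close the stalwart-relay-denied.log fixture carry `to = "validxxx@gmailhotmail.com.br"`, a real-looking third-party domain, while every `from =` and `domain =` value earlier in the same file stays under `example.com`. Fixture data published through the hub should stay on reserved documentation domains, so `to = "validxxx@example.net"` on both lines would keep the file consistent without changing what the parser or scenario sees.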
+++ b/parsers/s01-parse/ananace/stalwart-logs.yaml 
@@ -0,0 +1,58 @@ +onsuccess: next_stage +debug: true +filter: "evt.Parsed.program matches 'stalwart'" +name: ananace/stalwart-logs +description: "Parse Stalwart logs" +pattern_syntax: + STALWART_LOG: '%{TIMESTAMP_ISO8601:date} %{WORD:log_level} %{DATA:event_description} \(%{DATA:event_type}\) listenerId = "%{DATA:listener}", localPort = %{INT:local_port}, remoteIp = %{IP:remote_ip}, remotePort = %{INT:remote_port}' +grok: + name: STALWART_LOG + apply_on: message +nodes: + # 2025-03-20T15:40:10Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 10.4.5.6, remotePort = 35740 + - filter: evt.Parsed.event_type == 'security.ip-blocked' + statics: + - meta: log_type + value: stalwart_blocked_ip + # 2025-03-20T15:41:34Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 10.3.4.5, remotePort = 59532 + - filter: evt.Parsed.event_type == 'smtp.auth-mechanism-not-supported' + statics: + - meta: log_type + value: mail_auth + - meta: sub_type + value: auth_fail + # 2025-03-20T16:09:17Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.2.3.4, remotePort = 61687 + - filter: evt.Parsed.event_type == 'smtp.auth-not-allowed' + statics: + - meta: log_type + value: mail_auth + - meta: sub_type + value: auth_fail + # 2025-04-08T16:01:51Z INFO Relay not allowed (smtp.relay-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.2.3.4, remotePort = 52176, to = "user@example.com" + - filter: evt.Parsed.event_type == 'smtp.relay-not-allowed' + statics: + - meta: log_type + value: smtp + - meta: sub_type + value: relay_denied + # 2025-03-20T19:11:24Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = 192.168.0.1, remotePort = 45088, accountName = "ace", accountId = 35 + - filter: evt.Parsed.event_type == 'auth.success' + statics: + - meta: log_type + value: 
mail_auth + - meta: sub_type + value: auth_success + # 2025-03-20T19:00:42Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 10.1.2.3, remotePort = 63722, domain = "localhost" + - filter: evt.Parsed.event_type == 'smtp.ehlo' + statics: + - meta: log_type + value: smtp + - meta: sub_type + value: ehlo +statics: + - target: evt.StrTime + expression: 'evt.Parsed.date' + - meta: service + value: stalwart + - meta: source_ip + expression: 'evt.Parsed.remote_ip' diff --git a/scenarios/ananace/stalwart-blocked.yaml b/scenarios/ananace/stalwart-blocked.yaml new file mode 100644 index 00000000000..76456326203 --- /dev/null +++ b/scenarios/ananace/stalwart-blocked.yaml @@ -0,0 +1,22 @@ +name: ananace/stalwart-blocked +description: Detect IPs blocked by Stalwart +#debug: true +type: leaky +filter: evt.Meta.log_type == 'stalwart_blocked_ip' +references: + - https://stalw.art/docs/server/auto-ban +groupby: evt.Meta.source_ip +capacity: 1 +leakspeed: 600s +blackhole: 1m +reprocess: false +labels: + service: stalwart + confidence: 3 + spoofable: 0 + classification: + - attack.T1595 + - attack.T1190 + behavior: "smtp:spam" + label: "Stalwart IP Blocked" + remediation: true diff --git a/scenarios/ananace/stalwart-relay-denied.yaml b/scenarios/ananace/stalwart-relay-denied.yaml new file mode 100644 index 00000000000..8d0222714ed --- /dev/null +++ b/scenarios/ananace/stalwart-relay-denied.yaml @@ -0,0 +1,22 @@ +name: ananace/stalwart-relay-denied +description: Detect failed relay attempts +#debug: true +type: leaky +filter: evt.Meta.log_type == 'smtp' && evt.Meta.sub_type == 'relay_denied' +references: + - https://en.wikipedia.org/wiki/Open_mail_relay +groupby: evt.Meta.source_ip +capacity: 1 +leakspeed: 600s +blackhole: 1m +reprocess: false +labels: + service: stalwart + remediation: true + confidence: 3 + spoofable: 0 + classification: + - attack.T1595 + - attack.T1190 + behavior: "smtp:spam" + label: "Stalwart Relay Denied"
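Review bot: `debug: true` on the second line of parsers/s01-parse/ananace/stalwart-logs.yaml ships the parser with node-level debug logging switched on, which writes each evaluated event, parsed fields such as `accountName` and `from` included, into the engine's own log at debug level. The two scenarios in this change keep the equivalent line commented out (`#debug: true`), so the parser should do the same: `#debug: true`. A smaller point: event types with no node of their own, `tls.handshake` for instance, which the stalwart-logs fixture contains, leave `evt.Meta.log_type` unset and still advance because of `onsuccess: next_stage`; a comment above `nodes:` such as `# Event types without a node below are passed on untagged (no log_type); only the tagged ones feed scenarios.` would tell the next reader that this is deliberate rather than a missing node.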
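Review bot: `capacity: 1` with `leakspeed: 600s` in scenarios/ananace/stalwart-blocked.yaml means a source must appear in two `security.ip-blocked` lines within ten minutes before CrowdSec acts, although Stalwart has already decided to block that address on the first line; if the intent is to propagate Stalwart's own ban, `capacity: 0` fires on the first event, and whichever is chosen deserves a comment next to `capacity:` explaining why. As far as this diff shows, nothing tests this scenario's overflow: the stalwart-relay-denied test targets the relay scenario and .tests/stalwart-logs/scenario.assert expects `len(results) == 0`, even though stalwart-logs.log holds two blocks of 172.16.32.13 two seconds apart that would satisfy the current capacity, so a `.tests/stalwart-blocked/` case built from those two lines would pin the behaviour. The `behavior: "smtp:spam"` label also looks loose here: the referenced auto-ban page describes bans for failed authentication and scanning as well as abuse, so a bruteforce or scan behavior may describe these overflows better, which is worth checking against the hub's accepted behavior values.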