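--- a/.tests/stalwart-bf/config.yaml
+++ b/.tests/stalwart-bf/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/ananace/stalwart-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/hitech95/mail-generic-bf.yaml
+postoverflows:
+- ""
+log_file: stalwart-bf.log
+log_type: stalwart
+ignore_parsers: true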
Empty file.
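--- a/.tests/stalwart-bf/scenario.assert
+++ b/.tests/stalwart-bf/scenario.assert
@@ -0,0 +1,51 @@
+len(results) == 1
+"172.31.0.11" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["172.31.0.11"].IP == "172.31.0.11"
+results[0].Overflow.Sources["172.31.0.11"].Range == ""
+results[0].Overflow.Sources["172.31.0.11"].GetScope() == "Ip"
+results[0].Overflow.Sources["172.31.0.11"].GetValue() == "172.31.0.11"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[0].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T19:11:31Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[1].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[2].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[3].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[4].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-03-20T19:11:32Z"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "stalwart-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "mail_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "172.31.0.11"
+results[0].Overflow.Alert.Events[5].GetMeta("sub_type") == "auth_fail"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-03-20T19:11:33Z"
+results[0].Overflow.Alert.GetScenario() == "hitech95/email-generic-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6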
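Review bot: `GetScenario() == "hitech95/email-generic-bf"` on the last lines does not match the file this test loads (`./scenarios/hitech95/mail-generic-bf.yaml` in .tests/stalwart-bf/config.yaml); if that YAML's `name:` really is `email-generic-bf` the assertion is correct, but the file/name mismatch is worth confirming rather than discovering at the first hubtest run. Every event is also pinned to `sub_type == "auth_fail"` although each fixture line is a `smtp.auth-not-allowed` event, i.e. an AUTH attempt refused by listener policy on port 25 rather than a rejected credential, so this case does not exercise whatever the parser emits for a genuine failed login; a fixture line of that kind (or a sibling case) would close that gap. Twelve `auth-not-allowed` lines yield a single 6-event alert, so the events from 19:11:34 onwards are presumably absorbed after the overflow, and `len(results) == 1` is the assertion that pins that behaviour.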
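--- a/.tests/stalwart-bf/stalwart-bf.log
+++ b/.tests/stalwart-bf/stalwart-bf.log
@@ -0,0 +1,13 @@
+2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = "localhost"
+2025-03-20T19:11:31Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48712
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48713
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48714
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48715
+2025-03-20T19:11:32Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48716
+2025-03-20T19:11:33Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48717
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48718
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48719
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48720
+2025-03-20T19:11:34Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48721
+2025-03-20T19:11:45Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48722
+2025-03-20T19:11:45Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 172.31.0.11, remotePort = 48723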
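--- a/.tests/stalwart-blocked/config.yaml
+++ b/.tests/stalwart-blocked/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/ananace/stalwart-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/ananace/stalwart-blocked.yaml
+postoverflows:
+- ""
+log_file: stalwart-blocked.log
+log_type: stalwart
+ignore_parsers: true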
Empty file.
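--- a/.tests/stalwart-blocked/scenario.assert
+++ b/.tests/stalwart-blocked/scenario.assert
@@ -0,0 +1,85 @@
+len(results) == 6
+"192.168.0.67" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.0.67"].IP == "192.168.0.67"
+results[0].Overflow.Sources["192.168.0.67"].Range == ""
+results[0].Overflow.Sources["192.168.0.67"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.0.67"].GetValue() == "192.168.0.67"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.67"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T06:00:02Z"
+results[0].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.67" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["192.168.0.67"].IP == "192.168.0.67"
+results[1].Overflow.Sources["192.168.0.67"].Range == ""
+results[1].Overflow.Sources["192.168.0.67"].GetScope() == "Ip"
+results[1].Overflow.Sources["192.168.0.67"].GetValue() == "192.168.0.67"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.67"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:25:10Z"
+results[1].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.29" in results[2].Overflow.GetSources()
+results[2].Overflow.Sources["192.168.0.29"].IP == "192.168.0.29"
+results[2].Overflow.Sources["192.168.0.29"].Range == ""
+results[2].Overflow.Sources["192.168.0.29"].GetScope() == "Ip"
+results[2].Overflow.Sources["192.168.0.29"].GetValue() == "192.168.0.29"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[2].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[2].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[2].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[2].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.29"
+results[2].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:28:30Z"
+results[2].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[2].Overflow.Alert.Remediation == true
+results[2].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.173" in results[3].Overflow.GetSources()
+results[3].Overflow.Sources["192.168.0.173"].IP == "192.168.0.173"
+results[3].Overflow.Sources["192.168.0.173"].Range == ""
+results[3].Overflow.Sources["192.168.0.173"].GetScope() == "Ip"
+results[3].Overflow.Sources["192.168.0.173"].GetValue() == "192.168.0.173"
+results[3].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[3].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[3].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[3].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[3].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.173"
+results[3].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:19:22Z"
+results[3].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[3].Overflow.Alert.Remediation == true
+results[3].Overflow.Alert.GetEventsCount() == 2
+"192.168.0.153" in results[4].Overflow.GetSources()
+results[4].Overflow.Sources["192.168.0.153"].IP == "192.168.0.153"
+results[4].Overflow.Sources["192.168.0.153"].Range == ""
+results[4].Overflow.Sources["192.168.0.153"].GetScope() == "Ip"
+results[4].Overflow.Sources["192.168.0.153"].GetValue() == "192.168.0.153"
+results[4].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[4].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[4].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[4].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[4].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.0.153"
+results[4].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:22:40Z"
+results[4].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[4].Overflow.Alert.Remediation == true
+results[4].Overflow.Alert.GetEventsCount() == 2
+"172.16.32.13" in results[5].Overflow.GetSources()
+results[5].Overflow.Sources["172.16.32.13"].IP == "172.16.32.13"
+results[5].Overflow.Sources["172.16.32.13"].Range == ""
+results[5].Overflow.Sources["172.16.32.13"].GetScope() == "Ip"
+results[5].Overflow.Sources["172.16.32.13"].GetValue() == "172.16.32.13"
+results[5].Overflow.Alert.Events[0].GetMeta("datasource_path") == "stalwart-blocked.log"
+results[5].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[5].Overflow.Alert.Events[0].GetMeta("log_type") == "stalwart_blocked_ip"
+results[5].Overflow.Alert.Events[0].GetMeta("service") == "stalwart"
+results[5].Overflow.Alert.Events[0].GetMeta("source_ip") == "172.16.32.13"
+results[5].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-03-20T11:30:07Z"
+results[5].Overflow.Alert.GetScenario() == "ananace/stalwart-blocked"
+results[5].Overflow.Alert.Remediation == true
+results[5].Overflow.Alert.GetEventsCount() == 2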
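Review bot: The six alerts are addressed by fixed index, but their order is not the overflow order of the log — `results[3]` (192.168.0.173, second blocked line at 11:19:23) comes after `results[1]` (192.168.0.67, second blocked line at 11:28:35) — so the order presumably comes from bucket iteration inside the engine rather than from the input; if hubtest does not guarantee that order to be stable, this file will fail intermittently, and the ordering rule is worth confirming before relying on six positional indices. Each alert asserts `GetEventsCount() == 2` yet inspects only `Events[0]`; adding the second event's metadata, e.g. `results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.0.67"` and `results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-03-20T06:04:02Z"`, would pin that both blocked lines for a source landed in the same bucket rather than merely that two events did.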
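--- a/.tests/stalwart-blocked/stalwart-blocked.log
+++ b/.tests/stalwart-blocked/stalwart-blocked.log
@@ -0,0 +1,22 @@
+2025-03-20T06:00:02Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556
+2025-03-20T06:04:02Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 25556
+2025-03-20T06:12:14Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 63934
+2025-03-20T06:33:46Z INFO TLS handshake (tls.handshake) listenerId = "smtp", localPort = 25, remoteIp = 10.0.19.103, remotePort = 32932, listenerId = "smtp", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384"
+2025-03-20T11:19:22Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514
+2025-03-20T11:19:23Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.173, remotePort = 38514
+2025-03-20T11:22:40Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008
+2025-03-20T11:22:44Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.153, remotePort = 22008
+2025-03-20T11:23:11Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 34448, accountName = "ace", accountId = 35
+2025-03-20T11:25:10Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756
+2025-03-20T11:28:30Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774
+2025-03-20T11:28:35Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.67, remotePort = 19756
+2025-03-20T11:28:38Z INFO Blocked IP address (security.ip-blocked) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.29, remotePort = 11774
+2025-03-20T11:30:07Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46700
+2025-03-20T11:30:09Z INFO Blocked IP address (security.ip-blocked) listenerId = "smtp", localPort = 25, remoteIp = 172.16.32.13, remotePort = 46716
+2025-03-20T16:23:09Z INFO Authentication successful (auth.success) listenerId = "imaptls", localPort = 993, remoteIp = a839:f70d:3ed9:bf86:119b:e579:acdd:dce8, remotePort = 45494, accountName = "ace", accountId = 35
+2025-03-20T16:23:59Z INFO Auth mechanism not supported (smtp.auth-mechanism-not-supported) listenerId = "submission", localPort = 587, remoteIp = 36.213.48.131, remotePort = 53664
+2025-03-20T15:15:05Z INFO Authentication not allowed (smtp.auth-not-allowed) listenerId = "smtp", localPort = 25, remoteIp = 10.125.22.186, remotePort = 62768
+2025-03-20T15:20:55Z INFO TLS handshake (tls.handshake) listenerId = "submission", localPort = 587, remoteIp = 10.0.34.114, remotePort = 40564, listenerId = "submission", version = "TLSv1_3", details = "TLS13_AES_256_GCM_SHA384"
+2025-03-20T19:00:42Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.159, remotePort = 63722, domain = "localhost"
+2025-03-20T19:02:15Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.195, remotePort = 8950, domain = "localhost"
+2025-03-20T19:02:49Z INFO SMTP EHLO command (smtp.ehlo) listenerId = "submissions", localPort = 465, remoteIp = 192.168.0.43, remotePort = 42712, domain = "localhost"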
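Review bot: The fixture is not in timestamp order — the 15:15:05 `smtp.auth-not-allowed` line (10.125.22.186) and the 15:20:55 `tls.handshake` line follow the two 16:23 lines — and since hubtest presumably drives bucket timing from the parsed timestamp rather than from line position, a backwards step in time is exactly the kind of input that can make bucket expiry differ from what a live tail would see; if the disorder is deliberate coverage it should be stated in the test's config or a README, otherwise sort the file. The single `auth-not-allowed` event here never reaches an overflow, which is fine for this scenario, but it would be worth an assertion such as `"10.125.22.186" not in results[0].Overflow.GetSources()` only if hubtest exposes non-overflowing sources — otherwise `len(results) == 6` already covers it. The duplicated `listenerId` key on the `tls.handshake` lines is useful parser coverage only in .tests/stalwart-logs; with `ignore_parsers: true` in this case it is just noise.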
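--- a/.tests/stalwart-logs/config.yaml
+++ b/.tests/stalwart-logs/config.yaml
@@ -0,0 +1,10 @@
+parsers:
+- crowdsecurity/syslog-logs
+- ./parsers/s01-parse/ananace/stalwart-logs.yaml
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ""
+postoverflows:
+- ""
+log_file: stalwart-logs.log
+log_type: stalwart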