From fb0f905d8ced264f5f86795aa65fee4d327e8615 Mon Sep 17 00:00:00 2001
From: Arthur Lutz
Date: Wed, 3 Sep 2025 10:27:26 +0200
Subject: [PATCH] feat: initial parser & scenario for Postal SMTP bruteforce detection
---
 parsers/s01-parse/rca/postal-logs.md | 15 +++++++++++++++
 parsers/s01-parse/rca/postal-logs.yaml | 23 +++++++++++++++++++++++
 scenarios/rca/postal-bf.md | 3 +++
 scenarios/rca/postal-bf.yaml | 19 +++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 parsers/s01-parse/rca/postal-logs.md
 create mode 100644 parsers/s01-parse/rca/postal-logs.yaml
 create mode 100644 scenarios/rca/postal-bf.md
 create mode 100644 scenarios/rca/postal-bf.yaml
diff --git a/parsers/s01-parse/rca/postal-logs.md b/parsers/s01-parse/rca/postal-logs.md
new file mode 100644
index 00000000000..2cc0ca784a8
--- /dev/null
+++ b/parsers/s01-parse/rca/postal-logs.md
@@ -0,0 +1,15 @@
+Parser for [Postal](https://github.com/postalserver) logs.
+
+This parser detects authentication errors on the SMTP server.
+
+If you are using the docker-compose deployment of [Postal](https://docs.postalserver.io/)
+
+```yaml
+---
+source: docker
+container_name:
+ - postal-smtp-1
+labels:
+ type: postal
+ program: postal
+```
\ No newline at end of file
diff --git a/parsers/s01-parse/rca/postal-logs.yaml b/parsers/s01-parse/rca/postal-logs.yaml
new file mode 100644
index 00000000000..fe0195565a7
--- /dev/null
+++ b/parsers/s01-parse/rca/postal-logs.yaml
@@ -0,0 +1,23 @@
+onsuccess: next_stage
+filter: "evt.Parsed.program == 'postal'"
+name: crowdsecurity/postal-logs
+description: "Parse SMTP authentication failure in postal logs"
+debug: false
+# Example log :
+# smtp-1 | 2025-07-10 15:12:17 +0000 WARN Authentication failure for 1.2.3.4 trace_id=4M5NHUW8 component=smtp-server
+nodes:
+ - grok:
+ pattern: '%{RAILS_TIMESTAMP:timestamp} WARN Authentication failure for %{IP:source_ip}'
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: postal_failed_auth
+ - target: evt.StrTime
+ expression: evt.Parsed.timestamp
+statics:
+ - meta: service
+ value: postal
+ - meta: source_ip
+ expression: "evt.Parsed.source_ip"
+ - target: evt.StrTime
+ expression: evt.Parsed.timestamp
diff --git a/scenarios/rca/postal-bf.md b/scenarios/rca/postal-bf.md
new file mode 100644
index 00000000000..a8001eacaaa
--- /dev/null
+++ b/scenarios/rca/postal-bf.md
@@ -0,0 +1,3 @@
+Detect failed authentications on the Postal SMTP server.
+
+- leakspeed of 60s, capacity of 2 on source ip
diff --git a/scenarios/rca/postal-bf.yaml b/scenarios/rca/postal-bf.yaml
new file mode 100644
index 00000000000..ae2ed6652bc
--- /dev/null
+++ b/scenarios/rca/postal-bf.yaml
@@ -0,0 +1,19 @@
+# postal bruteforce
+type: leaky
+#debug: true
+name: rca/postal-bf
+description: "Detect Postal brute force"
+filter: "evt.Meta.log_type == 'postal_failed_auth'"
+groupby: evt.Meta.source_ip
+capacity: 2
+leakspeed: "60s"
+blackhole: 1m
+labels:
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:bruteforce"
+ label: "Postal Bruteforce"
+ remediation: true
+ service: smtp
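Review bot: The parser's `name: crowdsecurity/postal-logs` matches neither its own path `parsers/s01-parse/rca/postal-logs.yaml` nor the `rca/` namespace the scenario in this same patch uses (`name: rca/postal-bf`); as far as the hub convention the scenario itself follows goes, this should read `name: rca/postal-logs`, otherwise the item will be published under a different author than its directory says. The `target: evt.StrTime` static is also set twice — once under the grok node and again in the top-level `statics` with the identical `expression: evt.Parsed.timestamp` — so the top-level copy can be dropped with no change in result. The diffstat shows no fixture under `.tests/`, which means the `# Example log` comment is the only thing documenting what `%{RAILS_TIMESTAMP:timestamp}` is expected to consume; if this is aimed at the hub, a parser test built from that sample line would confirm the pattern matches and that `source_ip` and `log_type` land in `evt.Meta` as the scenario expects.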
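Review bot: Duration values are quoted inconsistently in the new scenario — `leakspeed: "60s"` but `blackhole: 1m` — and the commented-out `#debug: true` is dead configuration; pick one quoting style for both durations and either drop the commented line or write `debug: false` as the parser in this patch does. The only comment is `# postal bruteforce`, while the real tuning knob is the `capacity`/`leakspeed` pair; a comment such as `# capacity 2 with a 60s leak: a source IP overflows on its third failed SMTP auth inside the leak window (as I read leaky-bucket semantics — confirm)` would help whoever adjusts it later. The sibling postal-bf.md restates the same two numbers, so keep the two in sync when the threshold changes.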