feat: initial parser & scenario for Postal SMTP bruteforce detection #1456

parsers/s01-parse/rca/postal-logs.md

@@ -0,0 +1,15 @@
+Parser for [Postal](https://github.com/postalserver) logs.
+
+This parser detects authentication errors on the SMTP server. 
+
+If you are using the docker-compose deployment of [Postal](https://docs.postalserver.io/)
+
+```yaml
+---
+source: docker
+container_name:
+  - postal-smtp-1
+labels:
+  type: postal
+  program: postal
+```

parsers/s01-parse/rca/postal-logs.yaml

@@ -0,0 +1,23 @@
+onsuccess: next_stage
+filter: "evt.Parsed.program == 'postal'"
+name: crowdsecurity/postal-logs
+description: "Parse SMTP authentication failure in postal logs"
+debug: false
+# Example log : 
+# smtp-1  | 2025-07-10 15:12:17 +0000 WARN   Authentication failure for 1.2.3.4 trace_id=4M5NHUW8 component=smtp-server
+nodes:
+    - grok:
+          pattern: '%{RAILS_TIMESTAMP:timestamp} WARN   Authentication failure for %{IP:source_ip}'
+          apply_on: message
+          statics:
+              - meta: log_type
+                value: postal_failed_auth
+              - target: evt.StrTime
+                expression: evt.Parsed.timestamp
+statics:
+    - meta: service
+      value: postal
+    - meta: source_ip
+      expression: "evt.Parsed.source_ip"
+    - target: evt.StrTime
+      expression: evt.Parsed.timestamp

scenarios/rca/postal-bf.md

@@ -0,0 +1,3 @@
+Detect failed authentications on the Postal SMTP server. 
+
+- leakspeed of 60s, capacity of 2 on source ip

scenarios/rca/postal-bf.yaml

@@ -0,0 +1,19 @@
+# postal bruteforce 
+type: leaky
+#debug: true
+name: rca/postal-bf
+description: "Detect Postal brute force"
+filter: "evt.Meta.log_type == 'postal_failed_auth'"
+groupby: evt.Meta.source_ip
+capacity: 2
+leakspeed: "60s"
+blackhole: 1m
+labels:
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "smtp:bruteforce"
+  label: "Postal Bruteforce"
+  remediation: true
+  service: smtp