This is an automated email from the ASF dual-hosted git repository.
rcordier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 5f8eef6379 JAMES 3897 - Crowdsec integration for Dictionary Attack
(#1764)
5f8eef6379 is described below
commit 5f8eef6379f0a95f77ab73b8292b354ddd41d258
Author: vtbui <[email protected]>
AuthorDate: Wed Nov 8 09:51:20 2023 +0700
JAMES 3897 - Crowdsec integration for Dictionary Attack (#1764)
---
.../sample-configuration/collections/james.yaml | 3 ++-
.../sample-configuration/parsers/james-auth.yaml | 6 +++---
.../parsers/james-dictionary-attack.yaml | 25 ++++++++++++++++++++++
.../scenarios/james-dictionary-attack.yaml | 14 ++++++++++++
4 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/third-party/crowdsec/sample-configuration/collections/james.yaml
b/third-party/crowdsec/sample-configuration/collections/james.yaml
index e5fa2ce6cf..8d1e046dfd 100644
--- a/third-party/crowdsec/sample-configuration/collections/james.yaml
+++ b/third-party/crowdsec/sample-configuration/collections/james.yaml
@@ -1,6 +1,7 @@
parsers:
- crowdsecurity/syslog-logs
- - linagora/james-connect-security-log
+ - linagora/james-auth
+ - linagora/james-dictionary-attack
scenarios:
- apache-james/bf-auth
author: linagora
\ No newline at end of file
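Review bot: The collection's `scenarios` list still names only `apache-james/bf-auth`, so installing the `linagora/james` collection pulls in the new `linagora/james-dictionary-attack` parser but not the scenario that consumes its `log_type == 'dictionary-attack'` events; on a fresh install the parsed events would reach no scenario unless the operator installs it by hand. Add `  - linagora/james-dictionary-attack` under `scenarios:` next to the existing entry. The file also still ends without a trailing newline (`\ No newline at end of file`), which yamllint reports.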
diff --git a/third-party/crowdsec/sample-configuration/parsers/james-auth.yaml
b/third-party/crowdsec/sample-configuration/parsers/james-auth.yaml
index f5ed890286..52bea127f1 100644
--- a/third-party/crowdsec/sample-configuration/parsers/james-auth.yaml
+++ b/third-party/crowdsec/sample-configuration/parsers/james-auth.yaml
@@ -1,8 +1,8 @@
onsuccess: next_stage
debug: true
filter: "evt.Parsed.program == 'james'"
-name: linagora/james-connect-security-log
-description: "Parser for James Connect Security Log"
+name: linagora/james-auth
+description: "Parser for James IMAP and SMTP authentication "
pattern_syntax:
IMAP_AUTH_FAIL_BAD_CREDENTIALS: 'IMAP Authentication
failed%{DATA:data}because of bad credentials.'
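Review bot: The renamed `description` on the `+description` line carries a trailing space inside the quotes, which becomes part of the string shown by CrowdSec tooling; trim it to `description: "Parser for James IMAP and SMTP authentication"`. The second hunk of this file, at line 72, appears to change only whitespace on the `expression: evt.Parsed.mdc_username` line. The parser also keeps `debug: true`, which makes the engine log every event it processes at runtime; a comment such as `# debug: set to false outside of testing` above it would tell operators what to change when copying this sample.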
@@ -72,4 +72,4 @@ nodes:
- meta: source_ip
expression: evt.Parsed.mdc_remoteIP
- meta: user
- expression: evt.Parsed.mdc_username
+ expression: evt.Parsed.mdc_username
\ No newline at end of file
diff --git
a/third-party/crowdsec/sample-configuration/parsers/james-dictionary-attack.yaml
b/third-party/crowdsec/sample-configuration/parsers/james-dictionary-attack.yaml
new file mode 100644
index 0000000000..1d7a5763dc
--- /dev/null
+++
b/third-party/crowdsec/sample-configuration/parsers/james-dictionary-attack.yaml
@@ -0,0 +1,25 @@
+onsuccess: next_stage
+debug: true
+filter: "evt.Parsed.program == 'james'"
+name: linagora/james-dictionary-attack
+description: "Parser for James dictionary attack"
+
+pattern_syntax:
+ DICTIONARY_ATTACK: 'Rejected message. Unknown user: %{EMAILADDRESS:rcpt}'
+nodes:
+ - grok:
+ name: "DICTIONARY_ATTACK"
+ apply_on: message
+ statics:
+ - meta: log_type
+ value: dictionary-attack
+ - meta: timestamp
+ expression: evt.Parsed.timestamp
+ - meta: level
+ expression: evt.Parsed.level
+ - meta: source_ip
+ expression: evt.Parsed.mdc_ip
+ - meta: user
+ expression: evt.Parsed.mdc_user
+ - meta: rcpt
+ expression: evt.Parsed.rcpt
\ No newline at end of file
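Review bot: The `source_ip` and `user` statics read `evt.Parsed.mdc_ip` and `evt.Parsed.mdc_user`, whereas the sibling `james-auth` parser fills the same meta keys from `evt.Parsed.mdc_remoteIP` and `evt.Parsed.mdc_username`; if the "Rejected message. Unknown user" log line does not actually carry an `mdc_ip` field, `evt.Meta.source_ip` is empty and the scenario's `groupby: evt.Meta.source_ip` collapses rejections from every client into a single bucket, so the detection either never fires or produces a decision with no usable IP. Please confirm the MDC key names against a real James SMTP rejection line and add a comment above the grok node naming the log line it targets, e.g. `# matches the SMTP recipient rejection James logs for a non-existent user; IP and user come from that line's MDC`. The unescaped `.` after `Rejected message` in the grok pattern matches any character, which is harmless here but `Rejected message\. Unknown user: %{EMAILADDRESS:rcpt}` states the intent. As with the auth parser, `debug: true` in a shipped sample makes the engine log every event; consider defaulting it to `false`.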
diff --git
a/third-party/crowdsec/sample-configuration/scenarios/james-dictionary-attack.yaml
b/third-party/crowdsec/sample-configuration/scenarios/james-dictionary-attack.yaml
new file mode 100644
index 0000000000..380b912774
--- /dev/null
+++
b/third-party/crowdsec/sample-configuration/scenarios/james-dictionary-attack.yaml
@@ -0,0 +1,14 @@
+type: leaky
+name: linagora/james-dictionary-attack
+debug: true
+description: "Detect login james bruteforce"
+filter: "evt.Meta.log_type == 'dictionary-attack'"
+leakspeed: "1m"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+ service: ssh
+ type: bruteforce
+ remediation: true
\ No newline at end of file
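Review bot: `service: ssh` under `labels` is wrong for this scenario — its events are selected by `filter: "evt.Meta.log_type == 'dictionary-attack'"`, i.e. James SMTP recipient rejections, and the `service` label is what describes the protected service on the resulting alerts; change it to `service: smtp` (or whatever the existing `apache-james/bf-auth` scenario uses, for consistency). The `description` "Detect login james bruteforce" also describes the authentication scenario rather than this one; `description: "Detect James SMTP recipient dictionary attacks (unknown-user rejections)"` matches what the filter selects. Style: `leakspeed: "1m"` is quoted while `blackhole: 1m` is not; pick one form. With `capacity: 5` and `leakspeed: "1m"`, six unknown-recipient rejections from one source within about a minute overflow the bucket — a comment stating that threshold, and that a legitimate upstream relay with a few mistyped recipients would be caught by it, would help operators tune the sample.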