From 49095278300541276cb4766e92852c3ca3c096a1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=89tienne=20LEM=C3=89E?= <5785424-etilem@users.noreply.gitlab.com> Date: Sat, 21 Feb 2026 09:34:52 +0100 Subject: [PATCH 1/3] feat: add Postfix slow brute-force and HELO rejection scenarios (melite) Add slow brute-force detection scenarios for Postfix SMTP authentication and evasive HELO rejection attacks: - melite/postfix-slow-bf (leakspeed 900s, capacity 7) - melite/postfix-very-slow-bf (leakspeed 4h, capacity 5) - melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5) - melite/postfix-helo-very-slow (leakspeed 4h, capacity 5) Includes parser melite/postfix-submission-auth (s01-parse) for port 587 auth failures invisible to standard parsers, and hub tests. --- .tests/postfix-helo-very-slow/config.yaml | 8 + .tests/postfix-helo-very-slow/parser.assert | 437 ++++++++++++++++++ .../postfix-helo-very-slow.log | 6 + .tests/postfix-helo-very-slow/scenario.assert | 69 +++ .tests/postfix-slow-bf/config.yaml | 8 + .tests/postfix-slow-bf/parser.assert | 389 ++++++++++++++++ .tests/postfix-slow-bf/postfix-slow-bf.log | 8 + .tests/postfix-slow-bf/scenario.assert | 81 ++++ .tests/postfix-submission-auth/config.yaml | 9 + .tests/postfix-submission-auth/parser.assert | 141 ++++++ .../postfix-submission-auth.log | 3 + .../config.yaml | 9 + .../parser.assert | 276 +++++++++++ .../postfix-submission-very-slow-bf.log | 6 + .../scenario.assert | 51 ++ .tests/postfix-very-slow-bf/config.yaml | 8 + .tests/postfix-very-slow-bf/parser.assert | 293 ++++++++++++ .../postfix-very-slow-bf.log | 6 + .tests/postfix-very-slow-bf/scenario.assert | 63 +++ .../melite/postfix-submission-auth.md | 36 ++ .../melite/postfix-submission-auth.yaml | 27 ++ scenarios/melite/postfix-helo-very-slow.md | 30 ++ scenarios/melite/postfix-helo-very-slow.yaml | 27 ++ scenarios/melite/postfix-slow-bf.md | 32 ++ scenarios/melite/postfix-slow-bf.yaml | 44 ++ .../melite/postfix-submission-very-slow-bf.md | 31 ++ .../postfix-submission-very-slow-bf.yaml | 31 ++ 
scenarios/melite/postfix-very-slow-bf.md | 30 ++ scenarios/melite/postfix-very-slow-bf.yaml | 44 ++ 29 files changed, 2203 insertions(+) create mode 100644 .tests/postfix-helo-very-slow/config.yaml create mode 100644 .tests/postfix-helo-very-slow/parser.assert create mode 100644 .tests/postfix-helo-very-slow/postfix-helo-very-slow.log create mode 100644 .tests/postfix-helo-very-slow/scenario.assert create mode 100644 .tests/postfix-slow-bf/config.yaml create mode 100644 .tests/postfix-slow-bf/parser.assert create mode 100644 .tests/postfix-slow-bf/postfix-slow-bf.log create mode 100644 .tests/postfix-slow-bf/scenario.assert create mode 100644 .tests/postfix-submission-auth/config.yaml create mode 100644 .tests/postfix-submission-auth/parser.assert create mode 100644 .tests/postfix-submission-auth/postfix-submission-auth.log create mode 100644 .tests/postfix-submission-very-slow-bf/config.yaml create mode 100644 .tests/postfix-submission-very-slow-bf/parser.assert create mode 100644 .tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log create mode 100644 .tests/postfix-submission-very-slow-bf/scenario.assert create mode 100644 .tests/postfix-very-slow-bf/config.yaml create mode 100644 .tests/postfix-very-slow-bf/parser.assert create mode 100644 .tests/postfix-very-slow-bf/postfix-very-slow-bf.log create mode 100644 .tests/postfix-very-slow-bf/scenario.assert create mode 100644 parsers/s01-parse/melite/postfix-submission-auth.md create mode 100644 parsers/s01-parse/melite/postfix-submission-auth.yaml create mode 100644 scenarios/melite/postfix-helo-very-slow.md create mode 100644 scenarios/melite/postfix-helo-very-slow.yaml create mode 100644 scenarios/melite/postfix-slow-bf.md create mode 100644 scenarios/melite/postfix-slow-bf.yaml create mode 100644 scenarios/melite/postfix-submission-very-slow-bf.md create mode 100644 scenarios/melite/postfix-submission-very-slow-bf.yaml create mode 100644 scenarios/melite/postfix-very-slow-bf.md create mode 
100644 scenarios/melite/postfix-very-slow-bf.yaml
diff --git a/.tests/postfix-helo-very-slow/config.yaml b/.tests/postfix-helo-very-slow/config.yaml
new file mode 100644
index 00000000000..2f8c2480901
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-helo-very-slow.yaml
+log_file: postfix-helo-very-slow.log
+log_type: syslog
diff --git a/.tests/postfix-helo-very-slow/parser.assert b/.tests/postfix-helo-very-slow/parser.assert
new file mode 100644
index 00000000000..120686c7a12
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/parser.assert
@@ -0,0 +1,437 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "43001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "43002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "43003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "43004"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "43005"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "43006"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "43001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "43002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "43003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "43004"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "43005"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["action"] == "reject"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["command"] == "RCPT"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["helo"] == "invalid"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "43006"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["action"] == "reject"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "43001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T08:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["action"] == "reject"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["command"] == "RCPT"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["helo"] == "invalid"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo="
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "43002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_basic_status_code"] == "504"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smtp_return_codes"] == "504 5.5.2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["action"] == "reject"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "203.0.113.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T08:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:40:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["from"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["helo"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Unmarshaled["postfix"]["to"] == ""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "43003" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T09:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T09:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "43004" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "43005" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["reason"] == "Helo command 
rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["action"] == "reject" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["command"] == "RCPT" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["helo"] == "invalid" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["kvItems"] == "from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "43006" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_basic_status_code"] == "504" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_enhanced_status_code"] == "5.5.2" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["smtp_return_codes"] == "504 5.5.2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["action"] == "reject" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-helo-very-slow.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["reason"] == "Helo command rejected: need fully-qualified hostname" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "203.0.113.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["from"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["helo"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["proto"] == "ESMTP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Unmarshaled["postfix"]["to"] == "" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +len(results["success"][""]) == 0 
diff --git a/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log b/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log
new file mode 100644
index 00000000000..eae750afc8e
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/postfix-helo-very-slow.log
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[43001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 08:40:00 server postfix/smtpd[43002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 09:20:00 server postfix/smtpd[43003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 10:00:00 server postfix/smtpd[43004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 10:40:00 server postfix/smtpd[43005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
+Jan 15 11:20:00 server postfix/smtpd[43006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=
diff --git a/.tests/postfix-helo-very-slow/scenario.assert b/.tests/postfix-helo-very-slow/scenario.assert
new file mode 100644
index 00000000000..514ffa07c75
--- /dev/null
+++ b/.tests/postfix-helo-very-slow/scenario.assert
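Review bot: Every line of this fixture carries empty `from=`, `to=` and `helo=` values and a bare `504 5.5.2 :` where Postfix puts the client's HELO argument in angle brackets (`504 5.5.2 <host>: Helo command rejected: …; from=<a@b> to=<c@d> proto=ESMTP helo=<host>`). If the brackets were merely lost in rendering this is moot, but if the file is really committed this way the hub test never sees the log shape the scenario will meet in production, and the assertions generated from it pin `helo == ""` (and `Parsed["helo"] == "invalid"`) instead of a real hostname. Replacing at least one line with a faithful rejection, e.g. `Jan 15 08:00:00 server postfix/smtpd[43001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<x@example.net> to=<user@example.org> proto=ESMTP helo=<localhost>`, and regenerating the asserts would make the test exercise the real parser path.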
@@ -0,0 +1,69 @@ +len(results) == 1 +"203.0.113.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["203.0.113.1"].IP == "203.0.113.1" +results[0].Overflow.Sources["203.0.113.1"].Range == "" +results[0].Overflow.Sources["203.0.113.1"].GetScope() == "Ip" +results[0].Overflow.Sources["203.0.113.1"].GetValue() == "203.0.113.1" +results[0].Overflow.Alert.Events[0].GetMeta("action") == "reject" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-helo-very-slow.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[0].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix" +results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "203.0.113.1" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T08:00:00Z" +results[0].Overflow.Alert.Events[1].GetMeta("action") == "reject" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-helo-very-slow.log" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[1].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix" +results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown" +results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "203.0.113.1" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T08:40:00Z" 
+results[0].Overflow.Alert.Events[2].GetMeta("action") == "reject" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-helo-very-slow.log" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[2].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname" +results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix" +results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown" +results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "203.0.113.1" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T09:20:00Z" +results[0].Overflow.Alert.Events[3].GetMeta("action") == "reject" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-helo-very-slow.log" +results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[3].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname" +results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix" +results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown" +results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "203.0.113.1" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:00:00Z" +results[0].Overflow.Alert.Events[4].GetMeta("action") == "reject" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-helo-very-slow.log" +results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server" 
+results[0].Overflow.Alert.Events[4].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:40:00Z"
+results[0].Overflow.Alert.Events[5].GetMeta("action") == "reject"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-helo-very-slow.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("reason") == "Helo command rejected: need fully-qualified hostname"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "203.0.113.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T11:20:00Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-helo-very-slow"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/.tests/postfix-slow-bf/config.yaml b/.tests/postfix-slow-bf/config.yaml
new file mode 100644
index 00000000000..be7be08ad6f
--- /dev/null
+++ b/.tests/postfix-slow-bf/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-slow-bf.yaml
+log_file: postfix-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-slow-bf/parser.assert b/.tests/postfix-slow-bf/parser.assert
new file mode 100644
index 00000000000..6c760820f96
--- /dev/null
+++ b/.tests/postfix-slow-bf/parser.assert 
@@ -0,0 +1,389 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 8 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "40001" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "40002" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "40003" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "40004" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false 
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "40005" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "40006" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == true 
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["pid"] == "40007" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][6].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["pid"] == "40008" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][7].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 8 +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true 
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "40001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: 
authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "40002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "40003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "40004"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "40005"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "40006"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["pid"] == "40007"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][6].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["message_failure"] == " authentication failure"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["pid"] == "40008"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["program"] == "postfix/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][7].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 8
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "40001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "40002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:01:30"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:01:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:01:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "40003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 10:03:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T10:03:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:03:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "40004"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:04:30"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:04:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:04:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "40005"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:06:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:06:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:06:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "40006"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 10:07:30"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T10:07:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:07:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["pid"] == "40007"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Parsed["timestamp"] == "Jan 15 10:09:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Meta["timestamp"] == "2026-01-15T10:09:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:09:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][6].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message"] == "warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["message_failure"] == " authentication failure"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["pid"] == "40008"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Parsed["timestamp"] == "Jan 15 10:10:30"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_path"]) == "postfix-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Meta["timestamp"] == "2026-01-15T10:10:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:10:30Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][7].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-slow-bf/postfix-slow-bf.log b/.tests/postfix-slow-bf/postfix-slow-bf.log
new file mode 100644
index 00000000000..9e96db4c578
--- /dev/null
+++ b/.tests/postfix-slow-bf/postfix-slow-bf.log
@@ -0,0 +1,8 @@
+Jan 15 10:00:00 server postfix/smtpd[40001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:01:30 server postfix/smtpd[40002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[40003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:04:30 server postfix/smtpd[40004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[40005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:07:30 server postfix/smtpd[40006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:09:00 server postfix/smtpd[40007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:30 server postfix/smtpd[40008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/.tests/postfix-slow-bf/scenario.assert b/.tests/postfix-slow-bf/scenario.assert
new file mode 100644
index 00000000000..8d89d303121
--- /dev/null
+++ b/.tests/postfix-slow-bf/scenario.assert
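Review bot: This fixture does not exercise the "slow" property the scenario is named for: its eight SASL failures from 192.0.2.1 are only 90 s apart (10:00:00 to 10:10:30), so any ordinary fast brute-force bucket would overflow on it too, and the test cannot tell a 900 s leakspeed from a 60 s one. I would add a second cadence with failures spaced just under the leak interval the commit message gives (e.g. 12 to 14 minutes apart over a couple of hours) so the `len(results) == 1` assertion actually depends on the slow leak; the scenario YAML itself is outside this chunk, so the capacity-7 / 900 s figures are taken from the commit message. It would also be worth adding one or two failures from a second address (e.g. `unknown[198.51.100.7]`) and a line with a resolved hostname instead of `unknown[...]`, so the assert proves there is no spurious overflow for another source and that `source_hostname` is populated from real rDNS, not only from the literal `unknown`. Note the syslog timestamps carry no year, so the `2026-01-15` values in the asserts come from the date enricher's assumption rather than the log.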
@@ -0,0 +1,81 @@
+len(results) == 1
+"192.0.2.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.0.2.1"].IP == "192.0.2.1"
+results[0].Overflow.Sources["192.0.2.1"].Range == ""
+results[0].Overflow.Sources["192.0.2.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.0.2.1"].GetValue() == "192.0.2.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T10:01:30Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T10:03:00Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:04:30Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:06:00Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T10:07:30Z"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[6].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[6].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[6].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2026-01-15T10:09:00Z"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "postfix-slow-bf.log"
+results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[7].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[7].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[7].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "192.0.2.1"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2026-01-15T10:10:30Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 8
diff --git a/.tests/postfix-submission-auth/config.yaml b/.tests/postfix-submission-auth/config.yaml
new file mode 100644
index 00000000000..498a915f010
--- /dev/null
+++ b/.tests/postfix-submission-auth/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - ./parsers/s01-parse/melite/postfix-submission-auth.yaml
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - ""
+log_file: postfix-submission-auth.log
+log_type: syslog
diff --git a/.tests/postfix-submission-auth/parser.assert b/.tests/postfix-submission-auth/parser.assert
new file mode 100644
index 00000000000..838f05b11ca
--- /dev/null
+++ b/.tests/postfix-submission-auth/parser.assert
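Review bot: The scenario assertions (`GetScenario() == "melite/postfix-slow-bf"`, `Remediation == true`, `GetEventsCount() == 8`) only prove that eight `spam-attempt` events from one IP inside 10.5 minutes overflow a capacity-7 bucket; they do not show that the scenario's filter is narrowed to SASL authentication failures. Every fixture line is a `SASL LOGIN authentication failed` warning, yet the tag being matched is the generic `log_type_enh == "spam-attempt"`, which, if I recall the upstream `crowdsecurity/postfix-logs` parser correctly, is also applied to other rejections; if the scenario filters on that tag alone, unrelated relay or RCPT rejections from the same address would count toward a ban labelled "slow brute-force". The scenario YAML is outside this chunk, so this is worth confirming there; a fixture with seven SASL failures plus one non-SASL rejection, asserting either `len(results) == 0` or an explicit `GetEventsCount()`, would pin the intended scope either way.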
@@ -0,0 +1,141 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "50001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "50002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "50003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 3
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == false
+len(results["s01-parse"]["melite/postfix-submission-auth"]) == 3
+results["s01-parse"]["melite/postfix-submission-auth"][0].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["pid"] == "50001"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][1].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_attempts"] == "3"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["pid"] == "50002"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][2].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_attempts"] == "2"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["pid"] == "50003"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["source_ip"] == "203.0.113.50"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Whitelisted == false
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_failed"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "50001"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:30:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:30:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "3"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_failed"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "50002"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:31:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:31:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "2"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_failed"] == "0"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "50003"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "203.0.113.50"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T10:32:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:32:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-submission-auth/postfix-submission-auth.log b/.tests/postfix-submission-auth/postfix-submission-auth.log
new file mode 100644
index 00000000000..a07c849455f
--- /dev/null
+++ b/.tests/postfix-submission-auth/postfix-submission-auth.log
@@ -0,0 +1,3 @@
+Jan 15 10:30:45 server postfix/submission/smtpd[50001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 10:31:00 server postfix/submission/smtpd[50002]: disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7
+Jan 15 10:32:00 server postfix/submission/smtpd[50003]: disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4
diff --git a/.tests/postfix-submission-very-slow-bf/config.yaml b/.tests/postfix-submission-very-slow-bf/config.yaml
new file mode 100644
index 00000000000..2d0e2ee6cbe
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+ - ./parsers/s01-parse/melite/postfix-submission-auth.yaml
+scenarios:
+ - scenarios/melite/postfix-submission-very-slow-bf.yaml
+log_file: postfix-submission-very-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-submission-very-slow-bf/parser.assert b/.tests/postfix-submission-very-slow-bf/parser.assert
new file mode 100644
index 00000000000..fc4af7a7597
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/parser.assert
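Review bot: The `Evt.Parsed["auth_failed"] == "0"` assertions, repeated for every `melite/postfix-submission-auth` and `dateparse-enrich` entry, pin a field whose name contradicts its value: in Postfix's disconnect summary `auth=0/1` is `successful/total`, so the `0` being captured is the number of AUTH commands that succeeded, not the number that failed, and any downstream filter that reads `auth_failed` would see `0` on every brute-force line. Either rename the capture to what it holds, asserting `Evt.Parsed["auth_ok"] == "0"` alongside the unchanged `auth_attempts`, or have the parser derive the real failure count (`total - ok`) and assert `"1"`, `"3"` and `"2"` for the three fixture lines. The parser YAML is outside this chunk, so the rename lands there and these assertions follow it.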
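Review bot: The fixture contains only `auth=0/N` disconnect lines, so nothing here shows that the parser leaves successful or mixed submissions alone, and that distinction is exactly what makes the parser safe to feed a banning scenario. Add a negative line such as `Jan 15 10:33:00 server postfix/submission/smtpd[50004]: disconnect from client.example[203.0.113.7] ehlo=1 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=7` and a mixed one with `auth=1/2` (a legitimate user who mistyped once), with `Success == false` asserted for both in parser.assert; a pattern keyed on `auth=0/` and one keyed on `auth=\d+/\d+` differ only on such lines. Note also that the three existing lines carry `auth=0/3` and `auth=0/2` but are single events; if the scenario counts disconnect events rather than `auth_attempts`, an attacker batching many AUTH commands per connection is counted once, which the scenario test should make explicit.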
@@ -0,0 +1,276 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "42001"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "42002"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "42003"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "42004"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "42005"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "42006"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00"
+basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server"
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false
+len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == false
+len(results["s01-parse"]["melite/postfix-submission-auth"]) == 6
+results["s01-parse"]["melite/postfix-submission-auth"][0].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["pid"] == "42001"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][1].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_attempts"] == "2"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["pid"] == "42002"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][2].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["pid"] == "42003"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][3].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["pid"] == "42004"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00"
+basename(results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["machine"] == "server"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Whitelisted == false
+results["s01-parse"]["melite/postfix-submission-auth"][4].Success == true
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["auth_attempts"] == "3"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["auth_failed"] == "0"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["pid"] == "42005"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" +basename(results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["machine"] == "server" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Whitelisted == false +results["s01-parse"]["melite/postfix-submission-auth"][5].Success == true +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["auth_failed"] == "0" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["pid"] == "42006" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" +basename(results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["machine"] == "server" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "42001" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == 
"server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "42002" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.0.2.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "42003" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_attempts"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "42004" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T12:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:00:00Z" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_attempts"] == "3" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "42005" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T12:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_attempts"] == "1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_failed"] == "0" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "42006" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T13:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T13:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false +len(results["success"][""]) == 0 
diff --git a/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log b/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log
new file mode 100644
index 00000000000..a7c5c7a14ee
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log
@@ -0,0 +1,6 @@
+Jan 15 10:00:00 server postfix/submission/smtpd[42001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 10:40:00 server postfix/submission/smtpd[42002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 11:20:00 server postfix/submission/smtpd[42003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 12:00:00 server postfix/submission/smtpd[42004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 12:40:00 server postfix/submission/smtpd[42005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 13:20:00 server postfix/submission/smtpd[42006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
diff --git a/.tests/postfix-submission-very-slow-bf/scenario.assert b/.tests/postfix-submission-very-slow-bf/scenario.assert
new file mode 100644
index 00000000000..6ef9c6f9d31
--- /dev/null
+++ b/.tests/postfix-submission-very-slow-bf/scenario.assert
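Review bot: Every line in this fixture has a zero on the left of `auth=` (`auth=0/1`, `auth=0/2`, `auth=0/3`), so the test never exercises a session in which some AUTH commands succeeded, e.g. `auth=1/2`. In Postfix's disconnect summary the first number is the count of successful commands and the second the total, and the parser assertions in the preceding hunk map those two numbers to `auth_failed` == "0" and `auth_attempts` == "1"; if `auth_failed` is meant to hold the number of failed attempts, the field appears to be carrying the success count instead, and adding a line such as `Jan 15 14:00:00 server postfix/submission/smtpd[42007]: disconnect from unknown[192.0.2.1] ehlo=1 auth=1/2 quit=1 commands=3/4` (constructed) would make the generated assertion show which it is. Since the scenario assert below pins `Remediation == true`, a client that eventually authenticates after a few mistyped passwords is otherwise indistinguishable from the all-failure case in this test set.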
@@ -0,0 +1,51 @@ +len(results) == 1 +"192.0.2.1" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.0.2.1"].IP == "192.0.2.1" +results[0].Overflow.Sources["192.0.2.1"].Range == "" +results[0].Overflow.Sources["192.0.2.1"].GetScope() == "Ip" +results[0].Overflow.Sources["192.0.2.1"].GetValue() == "192.0.2.1" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.0.2.1" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T10:00:00Z" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.0.2.1" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T10:40:00Z" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.0.2.1" 
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T11:20:00Z" +basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.0.2.1" +results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T12:00:00Z" +basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.0.2.1" +results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T12:40:00Z" +basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-submission-very-slow-bf.log" +results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix" +results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "submission-auth-failed" +results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server" +results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.0.2.1" +results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T13:20:00Z" +results[0].Overflow.Alert.GetScenario() == "melite/postfix-submission-very-slow-bf" +results[0].Overflow.Alert.Remediation == true +results[0].Overflow.Alert.GetEventsCount() == 6 
diff --git a/.tests/postfix-very-slow-bf/config.yaml b/.tests/postfix-very-slow-bf/config.yaml
new file mode 100644
index 00000000000..f79896fe355
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/config.yaml
@@ -0,0 +1,8 @@
+parsers:
+ - crowdsecurity/syslog-logs
+ - crowdsecurity/postfix-logs
+ - crowdsecurity/dateparse-enrich
+scenarios:
+ - scenarios/melite/postfix-very-slow-bf.yaml
+log_file: postfix-very-slow-bf.log
+log_type: syslog
diff --git a/.tests/postfix-very-slow-bf/parser.assert b/.tests/postfix-very-slow-bf/parser.assert
new file mode 100644
index 00000000000..09ea2252e24
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/parser.assert
@@ -0,0 +1,293 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 6 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "41001" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "41002" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "server" 
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "41003" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["pid"] == "41004" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][3].Evt.Whitelisted 
== false +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["pid"] == "41005" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][4].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["pid"] == "41006" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server" +results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/postfix-logs"]) 
== 6 +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "41001" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "41002" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "41003" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "41004" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "41005" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "198.51.100.1" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message_failure"] == " authentication failure" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "41006" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" 
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "198.51.100.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "41001" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 08:00:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == 
"postfix-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T08:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "41002" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 08:40:00" 
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T08:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T08:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "41003" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 09:20:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T09:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T09:20:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "41004" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/smtpd" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "198.51.100.1" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "41005" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/smtpd" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "spam-attempt" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "198.51.100.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message_failure"] == " authentication failure" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "41006" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/smtpd"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 11:20:00"
+basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-very-slow-bf.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "spam-attempt"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log b/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log
new file mode 100644
index 00000000000..5ed1510ce66
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/postfix-very-slow-bf.log
@@ -0,0 +1,6 @@
+Jan 15 08:00:00 server postfix/smtpd[41001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:40:00 server postfix/smtpd[41002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:20:00 server postfix/smtpd[41003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:00:00 server postfix/smtpd[41004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:40:00 server postfix/smtpd[41005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:20:00 server postfix/smtpd[41006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
diff --git a/.tests/postfix-very-slow-bf/scenario.assert b/.tests/postfix-very-slow-bf/scenario.assert
new file mode 100644
index 00000000000..84e0684a5d7
--- /dev/null
+++ b/.tests/postfix-very-slow-bf/scenario.assert
@@ -0,0 +1,63 @@
+len(results) == 1
+"198.51.100.1" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["198.51.100.1"].IP == "198.51.100.1"
+results[0].Overflow.Sources["198.51.100.1"].Range == ""
+results[0].Overflow.Sources["198.51.100.1"].GetScope() == "Ip"
+results[0].Overflow.Sources["198.51.100.1"].GetValue() == "198.51.100.1"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[0].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2026-01-15T08:00:00Z"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[1].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2026-01-15T08:40:00Z"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[2].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2026-01-15T09:20:00Z"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[3].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2026-01-15T10:00:00Z"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[4].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[4].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2026-01-15T10:40:00Z"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "postfix-very-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type_enh") == "spam-attempt"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "server"
+results[0].Overflow.Alert.Events[5].GetMeta("service") == "postfix"
+results[0].Overflow.Alert.Events[5].GetMeta("source_hostname") == "unknown"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "198.51.100.1"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2026-01-15T11:20:00Z"
+results[0].Overflow.Alert.GetScenario() == "melite/postfix-very-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 6
diff --git a/parsers/s01-parse/melite/postfix-submission-auth.md b/parsers/s01-parse/melite/postfix-submission-auth.md
new file mode 100644
index 00000000000..4e749f1b6c4
--- /dev/null
+++ b/parsers/s01-parse/melite/postfix-submission-auth.md
@@ -0,0 +1,36 @@
+## Description
+
+Parse Postfix submission port (587) authentication failures from disconnect log lines.
+
+When using STARTTLS on port 587, Postfix does **not** log explicit "SASL authentication failed" messages. Auth failures only appear as `auth=0/N` in disconnect summary lines, which standard parsers (`crowdsecurity/postfix-logs`) do not match.
+
+This parser runs in **s01-parse** because `crowdsecurity/postfix-logs` does not parse disconnect lines at all — they would be dropped before reaching s02-enrich.
+
+## Detected Pattern
+
+```
+postfix/submission/smtpd[PID]: disconnect from host[IP] ehlo=1 auth=0/1 quit=1 commands=2/3
+```
+
+The `auth=0/N` pattern indicates N authentication attempts with 0 successes.
+
+## Metadata Set
+
+- `log_type`: `postfix`
+- `log_type_enh`: `submission-auth-failed`
+- `source_ip`: extracted from the disconnect line
+
+## Remediation
+
+Used by `melite/postfix-submission-very-slow-bf` scenario to detect evasive brute-force attacks on port 587.
+
+## Example
+
+```
+Jan 15 10:00:00 mail postfix/submission/smtpd[1234]: disconnect from unknown[203.0.113.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+```
+
+## Dependencies
+
+- `crowdsecurity/syslog-logs` (s00-raw)
+- `crowdsecurity/dateparse-enrich` (s02-enrich, for timestamp parsing)
diff --git a/parsers/s01-parse/melite/postfix-submission-auth.yaml b/parsers/s01-parse/melite/postfix-submission-auth.yaml
new file mode 100644
index 00000000000..937f43c3e8d
--- /dev/null
+++ b/parsers/s01-parse/melite/postfix-submission-auth.yaml
@@ -0,0 +1,27 @@
+# Parser: Postfix submission port (587) auth failures
+# Stage: s01-parse
+#
+# Detects authentication failures from "disconnect" lines on port 587.
+# Standard Postfix parsers don't catch these because port 587+STARTTLS
+# only shows auth=0/N in disconnect (no explicit "SASL authentication failed").
+# Since crowdsecurity/postfix-logs does not match disconnect lines at all,
+# this parser must be in s01-parse (not s02-enrich).
+#
+# Example log line:
+# postfix/submission/smtpd[PID]: disconnect from host[IP] ehlo=1 auth=0/1 quit=1 commands=2/3
+#
+# The auth=0/N pattern indicates N authentication attempts with 0 successes.
+onsuccess: next_stage
+filter: "evt.Parsed.program endsWith '/smtpd' && evt.Parsed.message contains 'disconnect' && evt.Parsed.message contains 'auth=0/'"
+name: melite/postfix-submission-auth
+description: "Parse submission port auth failures from disconnect lines"
+grok:
+  apply_on: message
+  pattern: "%{DATA}\\[%{IP:remote_addr}\\].*auth=%{INT:auth_failed}/%{INT:auth_attempts}"
+statics:
+  - meta: log_type
+    value: postfix
+  - meta: log_type_enh
+    value: submission-auth-failed
+  - meta: source_ip
+    expression: evt.Parsed.remote_addr
diff --git a/scenarios/melite/postfix-helo-very-slow.md b/scenarios/melite/postfix-helo-very-slow.md
new file mode 100644
index 00000000000..a997540b1c4
--- /dev/null
+++ b/scenarios/melite/postfix-helo-very-slow.md
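Review bot: The filter `evt.Parsed.program endsWith '/smtpd'` also accepts `postfix/smtpd` (port 25) disconnect lines that carry `auth=0/N`, so the parser is broader than the port-587 scope its header comment and description claim, and a port-25 SASL failure already tagged `spam-attempt` by crowdsecurity/postfix-logs gets a second event tagged `submission-auth-failed` from the matching disconnect line. If submission is the intent, `filter: "evt.Parsed.program == 'postfix/submission/smtpd' && evt.Parsed.message contains 'disconnect' && evt.Parsed.message contains 'auth=0/'"` is the precise form; if every smtpd is intended, the header, description and .md should say so. The grok names the first captured number `auth_failed`, but by the header's own reading of `auth=0/N` it is the success count, so `auth_success` (or similar) would match the stated semantics. As far as I recall Postfix logs IPv6 peers as `host[IPv6:...]`, which `\\[%{IP:remote_addr}\\]` would not match, so an IPv6 fixture line is worth adding if such clients are in scope. Note also that scenarios/melite/postfix-submission-very-slow-bf.md in this same patch describes this parser as running in s02-enrich, contradicting `# Stage: s01-parse` here.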
@@ -0,0 +1,30 @@
+## Description
+
+Detects evasive spammers sending invalid HELO/EHLO commands at a rate of less than 1 attempt per hour. The standard `crowdsecurity/postfix-helo-rejected` scenario has only a ~10-minute detection window, allowing patient spammers to fly under the radar.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 HELO rejections from the same IP.
+
+**Note**: Unlike brute-force scenarios, `reprocess` is set to `false` since HELO rejections are a spam indicator, not credential attacks.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A spammer sends invalid HELO commands ~70 minutes apart to avoid detection:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 09:10:00 server postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 10:20:00 server postfix/smtpd[1003]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 11:30:00 server postfix/smtpd[1004]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 12:40:00 server postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+Jan 15 13:50:00 server postfix/smtpd[1006]: NOQUEUE: reject: RCPT from unknown[203.0.113.1]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to=
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-helo-very-slow.yaml b/scenarios/melite/postfix-helo-very-slow.yaml
new file mode 100644
index 00000000000..e901b2db61d
--- /dev/null
+++ b/scenarios/melite/postfix-helo-very-slow.yaml
@@ -0,0 +1,27 @@
+# Scenario: Very slow Postfix HELO rejected
+# Detects attackers sending invalid HELO commands at < 1 attempt per hour
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Standard crowdsecurity/postfix-helo-rejected has only a 10-minute window.
+# Evasive spammers space invalid HELO commands ~70 minutes apart to avoid it.
+#
+# Real-world example: 31.192.235.95 targeting laportette.fr with ~70min intervals
+type: leaky
+name: melite/postfix-helo-very-slow
+description: "Detect very slow HELO rejection attacks (evasive spammers)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.action == 'reject' && evt.Meta.reason startsWith 'Helo command rejected'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: false
+labels:
+  service: postfix
+  remediation: true
+  confidence: 2
+  spoofable: 0
+  classification:
+    - attack.T1595
+    - attack.T1592
+  behavior: "smtp:very-slow-helo-spam"
+  label: "Postfix Very Slow HELO Rejected"
diff --git a/scenarios/melite/postfix-slow-bf.md b/scenarios/melite/postfix-slow-bf.md
new file mode 100644
index 00000000000..6a1ab3cde1e
--- /dev/null
+++ b/scenarios/melite/postfix-slow-bf.md
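Review bot: The `Detection window: 4h x 6 = 24 hours` comment overstates what a capacity-5, leakspeed-4h bucket does, and the same arithmetic appears in the postfix-slow-bf.yaml header (`15min x 8 = 2 hours`) and in the three scenario .md files. As far as I can tell from CrowdSec's token-bucket leak, one slot refills every 4h, so six rejections overflow only if they all land inside roughly 4h; the ~70-minute spacing this comment describes still overflows, but on about the 7th event rather than the 6th, and the 90-minute example in postfix-submission-very-slow-bf.md would not overflow within its six lines. The hub fixture in this patch spaces its six events 40 minutes apart (3h20 total), which agrees with the 4h reading rather than 24h. I would replace the comment with `# Overflows when rejections arrive faster than the 4h leak: 6 within ~4h, or more events over a longer span` and re-derive the .md windows from that, or confirm the 70-minute case with a hubtest fixture. Separately, the `Real-world example` line embeds a specific public IP and a customer domain in a hub file; the .md already uses RFC 5737 documentation addresses, so that line should be dropped or rewritten with the same.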
@@ -0,0 +1,32 @@
+## Description
+
+Detects slow Postfix SMTP AUTH brute-force attacks where distributed botnets or patient attackers test SASL credentials with 2-5 minute intervals on port 25.
+
+Uses a leaky bucket with a 15-minute (900s) leak rate and capacity of 7, creating a 2-hour detection window. Triggers after 8 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant that triggers when the same IP tries different SASL usernames.
+
+**Detection window**: 2 hours (leakspeed 900s × 8 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+A distributed botnet tests SMTP credentials with 2-5 minute intervals:
+
+```
+Jan 15 10:00:00 server postfix/smtpd[1001]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:03:00 server postfix/smtpd[1002]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:06:00 server postfix/smtpd[1003]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:10:00 server postfix/smtpd[1004]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:14:00 server postfix/smtpd[1005]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:18:00 server postfix/smtpd[1006]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:22:00 server postfix/smtpd[1007]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:26:00 server postfix/smtpd[1008]: warning: unknown[192.0.2.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-slow-bf.yaml b/scenarios/melite/postfix-slow-bf.yaml
new file mode 100644
index 00000000000..8bebba6d696
--- /dev/null
+++ b/scenarios/melite/postfix-slow-bf.yaml
@@ -0,0 +1,44 @@
+# Scenario: Slow Postfix SMTP AUTH bruteforce
+# Detects distributed or slow SASL authentication attacks on port 25
+# Detection window: 15min x 8 = 2 hours (8 failures needed)
+#
+# Real-world example: Distributed botnets testing SMTP credentials
+# with 2-5 minute intervals to avoid standard detection.
+type: leaky
+name: melite/postfix-slow-bf
+description: "Detect slow Postfix SMTP AUTH bruteforce (distributed attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+leakspeed: "900s"
+capacity: 7
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:slow-bruteforce"
+ label: "Postfix Slow Bruteforce"
+---
+# SASL username enumeration variant
+type: leaky
+name: melite/postfix-slow-bf_user-enum
+description: "Detect slow Postfix SASL user enumeration"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.sasl_username
+leakspeed: "900s"
+capacity: 7
+blackhole: 5m
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:user-enumeration"
+ label: "Postfix Slow User Enumeration"
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.md b/scenarios/melite/postfix-submission-very-slow-bf.md
new file mode 100644
index 00000000000..d8a810fac6a
--- /dev/null
+++ b/scenarios/melite/postfix-submission-very-slow-bf.md
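Review bot: The `_user-enum` variant keys its `distinct` on `evt.Meta.sasl_username`, but nothing in this series shows that `crowdsecurity/postfix-logs` populates that field for every `spam-attempt` event; if it is empty for some SASL mechanisms the distinct key degenerates and the variant either never fills or never counts those events, which of the two depending on the engine, so a hubtest with a mixed-mechanism log would settle it. Both buckets also consume the same `log_type_enh == 'spam-attempt'` events as melite/postfix-very-slow-bf and, if it uses this filter, the standard crowdsecurity/postfix-spam scenario, so a fast burst will raise three alerts for one IP; acceptable, but worth a sentence in the description. The header's `# Detection window: 15min x 8 = 2 hours` also overstates things: a leaky bucket with leakspeed 900s only accumulates while the average inter-arrival stays under 900s, so `# Overflows on the 8th failure when attempts average < 15 min apart (span up to ~2h)` is the accurate comment.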
@@ -0,0 +1,31 @@
+## Description
+
+Detects very slow brute-force attacks on the Postfix submission port (587). These attacks are invisible to standard Postfix scenarios because port 587 with STARTTLS does not log explicit "SASL authentication failed" messages — failures only appear as `auth=0/N` in disconnect lines.
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed submission auth attempts from the same IP.
+
+**Requires** the `melite/postfix-submission-auth` parser (s02-enrich) to extract auth failure information from disconnect lines.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker targets the submission port with STARTTLS, auth failures only visible in disconnect lines:
+
+```
+Jan 15 10:00:00 server postfix/submission/smtpd[1001]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 11:30:00 server postfix/submission/smtpd[1002]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4
+Jan 15 13:00:00 server postfix/submission/smtpd[1003]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 14:30:00 server postfix/submission/smtpd[1004]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+Jan 15 16:00:00 server postfix/submission/smtpd[1005]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5
+Jan 15 17:30:00 server postfix/submission/smtpd[1006]: disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs` (s01-parse)
+- Parser: `melite/postfix-submission-auth` (s02-enrich, **required**)
diff --git a/scenarios/melite/postfix-submission-very-slow-bf.yaml b/scenarios/melite/postfix-submission-very-slow-bf.yaml
new file mode 100644
index 00000000000..bfee6aa83eb
--- /dev/null
+++ b/scenarios/melite/postfix-submission-very-slow-bf.yaml
@@ -0,0 +1,31 @@
+# Scenario: Very slow bruteforce on Postfix submission port (587)
+# Detects evasive attacks that space attempts to evade standard scenarios
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Key insight: Attackers targeting port 587 (submission+STARTTLS) often
+# do 1 attempt every ~30-60 minutes to evade detection.
+# Standard postfix scenarios don't catch these because:
+# 1. They rely on explicit "SASL authentication failed" logs
+# 2. Port 587 only shows auth failures in disconnect lines (auth=0/N)
+#
+# Requires: melite/postfix-submission-auth parser (s02-enrich)
+#
+# Real-world example: 62.60.130.220 did 135 attempts over 20 hours (~1/9min average)
+type: leaky
+name: melite/postfix-submission-very-slow-bf
+description: "Detect very slow Postfix submission auth bruteforce (evasive attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'submission-auth-failed'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 3
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:evasive-bruteforce"
+ label: "Postfix Submission Very Slow Bruteforce"
diff --git a/scenarios/melite/postfix-very-slow-bf.md b/scenarios/melite/postfix-very-slow-bf.md
new file mode 100644
index 00000000000..5c8a26bd7ee
--- /dev/null
+++ b/scenarios/melite/postfix-very-slow-bf.md
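Review bot: The header line `# Requires: melite/postfix-submission-auth parser (s02-enrich)` points at a parser that PATCH 2/3 deletes when it moves the `auth=0/N` grok node into crowdsecurity/postfix-logs, and that patch's diffstat touches neither this file nor its .md, so unless PATCH 3/3 updates them the scenario ships documenting a dependency that no longer exists; the stage name is also inconsistent, since the test configs placed that parser under s01-parse. Suggest `# Requires: the 'disconnect from ... auth=0/N' node in crowdsecurity/postfix-logs (s01-parse)` and the matching fix in the .md Dependencies list. Note also that one disconnect line with `auth=0/3` carries three failed attempts but pours a single event; the parser asserts keep `auth_attempts`, so stating that `capacity` counts sessions rather than attempts would avoid surprises when tuning.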
@@ -0,0 +1,30 @@
+## Description
+
+Detects very slow Postfix SMTP AUTH brute-force attacks where attackers space SASL authentication attempts ~30+ minutes apart to evade the standard `melite/postfix-slow-bf` scenario (15-minute leak rate).
+
+Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed SASL authentication attempts from the same IP.
+
+Includes a `_user-enum` variant for slow SASL username enumeration.
+
+**Detection window**: 24 hours (leakspeed 4h × 6 events)
+
+## Remediation
+
+Ban the attacking IP.
+
+## Example
+
+An attacker spaces SMTP auth attempts ~45 minutes apart:
+
+```
+Jan 15 08:00:00 server postfix/smtpd[1001]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 08:45:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 09:30:00 server postfix/smtpd[1003]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 10:15:00 server postfix/smtpd[1004]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:00:00 server postfix/smtpd[1005]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+Jan 15 11:45:00 server postfix/smtpd[1006]: warning: unknown[198.51.100.1]: SASL LOGIN authentication failed: authentication failure
+```
+
+## Dependencies
+
+- Parser: `crowdsecurity/postfix-logs`
diff --git a/scenarios/melite/postfix-very-slow-bf.yaml b/scenarios/melite/postfix-very-slow-bf.yaml
new file mode 100644
index 00000000000..7768ccb20bb
--- /dev/null
+++ b/scenarios/melite/postfix-very-slow-bf.yaml
@@ -0,0 +1,44 @@
+# Scenario: Very slow Postfix SMTP AUTH bruteforce
+# Detects attackers doing < 1 attempt per 30 minutes to evade standard detection
+# Detection window: 4h x 6 = 24 hours (6 failures needed)
+#
+# Catches attackers spacing SASL auth attempts ~30min apart to evade
+# the standard postfix-slow-bf which has a 15min leakspeed.
+type: leaky
+name: melite/postfix-very-slow-bf
+description: "Detect very slow Postfix SMTP AUTH bruteforce (evasive attacks)"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+leakspeed: "4h"
+capacity: 5
+groupby: evt.Meta.source_ip
+blackhole: 5m
+reprocess: true
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:very-slow-bruteforce"
+ label: "Postfix Very Slow Bruteforce"
+---
+# SASL username enumeration variant
+type: leaky
+name: melite/postfix-very-slow-bf_user-enum
+description: "Detect very slow Postfix SASL user enumeration"
+filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
+groupby: evt.Meta.source_ip
+distinct: evt.Meta.sasl_username
+leakspeed: "4h"
+capacity: 5
+blackhole: 5m
+labels:
+ service: postfix
+ remediation: true
+ confidence: 2
+ spoofable: 0
+ classification:
+ - attack.T1110
+ behavior: "smtp:user-enumeration"
+ label: "Postfix Very Slow User Enumeration"
From 5e1ed8338dd8154f9f961c97de976fa7c8ec2655 Mon Sep 17 00:00:00 2001
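Review bot: A 24-hour accumulation on `log_type_enh == 'spam-attempt'` with `remediation: true` will also be filled by a legitimate mail client retrying a stale or rotated password every few minutes (six failed SASL logins in a day is routine for a forgotten phone), a case the standard 10-second scenarios skip precisely because those retries are slow; the same false-positive mode applies to postfix-submission-very-slow-bf.yaml and postfix-helo-very-slow.yaml, and the submission scenario carries `confidence: 3` against this file's `confidence: 2` for essentially the same evidence. Suggest documenting it in the header, e.g. `# Note: a client retrying an expired password every 5-15 min also fills this bucket; confidence kept at 2 on purpose`, and aligning the confidence across the three slow scenarios.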
From: Etilem
Date: Fri, 27 Mar 2026 08:23:44 +0100
Subject: [PATCH 2/3] refactor: extend crowdsecurity/postfix-logs instead of custom parser

Address reviewer feedback: add disconnect auth failure detection directly to crowdsecurity/postfix-logs instead of a separate melite/postfix-submission-auth parser.

- Add grok node for 'disconnect from ... auth=0/N' pattern
- Remove melite/postfix-submission-auth parser and markdown
- Update test configs to reference modified parser
- Rewrite parser assertions for new pipeline structure

All 5 hubtest tests pass (parser + 4 scenarios).
---
 .tests/postfix-submission-auth/config.yaml | 3 +-
 .tests/postfix-submission-auth/parser.assert | 118 +++++----
 .../config.yaml | 3 +-
 .../parser.assert | 235 ++++++++++--------
 .../s01-parse/crowdsecurity/postfix-logs.yaml | 7 +-
 .../melite/postfix-submission-auth.md | 36 ---
 .../melite/postfix-submission-auth.yaml | 27 --
 7 files changed, 197 insertions(+), 232 deletions(-)
 delete mode 100644 parsers/s01-parse/melite/postfix-submission-auth.md
 delete mode 100644 parsers/s01-parse/melite/postfix-submission-auth.yaml
diff --git a/.tests/postfix-submission-auth/config.yaml b/.tests/postfix-submission-auth/config.yaml
index 498a915f010..76cb9ba1fcb 100644
--- a/.tests/postfix-submission-auth/config.yaml
+++ b/.tests/postfix-submission-auth/config.yaml
@@ -1,7 +1,6 @@
 parsers:
 - crowdsecurity/syslog-logs
- - crowdsecurity/postfix-logs
- - ./parsers/s01-parse/melite/postfix-submission-auth.yaml
+ - ./parsers/s01-parse/crowdsecurity/postfix-logs.yaml
 - crowdsecurity/dateparse-enrich
 scenarios:
 - ""
diff --git a/.tests/postfix-submission-auth/parser.assert b/.tests/postfix-submission-auth/parser.assert
index 838f05b11ca..74e71e2de98 100644
--- a/.tests/postfix-submission-auth/parser.assert
+++ b/.tests/postfix-submission-auth/parser.assert
@@ -31,109 +31,117 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] =
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "server"
 results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false
 len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 3
-results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == false
-results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == false
-results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == false
-len(results["s01-parse"]["melite/postfix-submission-auth"]) == 3
-results["s01-parse"]["melite/postfix-submission-auth"][0].Success == true
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_attempts"] == "1"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_failed"] == "0"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["pid"] == "50001"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
-basename(results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type"] == "postfix"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["machine"] == "server"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["source_ip"] == "192.0.2.1"
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Whitelisted == false
-results["s01-parse"]["melite/postfix-submission-auth"][1].Success == true
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_attempts"] == "3"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_failed"] == "0"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["pid"] == "50002"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
-basename(results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type"] == "postfix"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["machine"] == "server"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["source_ip"] == "198.51.100.1"
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Whitelisted == false
-results["s01-parse"]["melite/postfix-submission-auth"][2].Success == true
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_attempts"] == "2"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_failed"] == "0"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["logsource"] == "syslog"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["pid"] == "50003"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
-basename(results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_type"] == "file"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type"] == "postfix"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["machine"] == "server"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["source_ip"] == "203.0.113.50"
-results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["auth_attempts"] == "1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "50001"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["auth_attempts"] == "3"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "50002"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "attacker.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "attacker.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "198.51.100.1"
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["auth_attempts"] == "2"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "50003"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "scanner.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
+basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "scanner.example"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "203.0.113.50"
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false
 len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_failed"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "50001"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:30:45"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:30:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:30:45Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "3"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_failed"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from attacker.example[198.51.100.1] ehlo=2 starttls=1 auth=0/3 quit=1 commands=4/7"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "50002"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "198.51.100.1"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "attacker.example"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:31:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "attacker.example"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "198.51.100.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:31:00Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:31:00Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "2"
-results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_failed"] == "0"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from scanner.example[203.0.113.50] ehlo=1 auth=0/2 quit=1 commands=2/4"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "50003"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "203.0.113.50"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "scanner.example"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 10:32:00"
 basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-auth.log"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "scanner.example"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "203.0.113.50"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T10:32:00Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:32:00Z"
diff --git a/.tests/postfix-submission-very-slow-bf/config.yaml b/.tests/postfix-submission-very-slow-bf/config.yaml
index 2d0e2ee6cbe..8e941ba808c 100644
--- a/.tests/postfix-submission-very-slow-bf/config.yaml
+++ b/.tests/postfix-submission-very-slow-bf/config.yaml
@@ -1,8 +1,7 @@
 parsers:
 - crowdsecurity/syslog-logs
- - crowdsecurity/postfix-logs
+ - ./parsers/s01-parse/crowdsecurity/postfix-logs.yaml
 - crowdsecurity/dateparse-enrich
- - ./parsers/s01-parse/melite/postfix-submission-auth.yaml
 scenarios:
 - scenarios/melite/postfix-submission-very-slow-bf.yaml
 log_file: postfix-submission-very-slow-bf.log
diff --git a/.tests/postfix-submission-very-slow-bf/parser.assert b/.tests/postfix-submission-very-slow-bf/parser.assert
index fc4af7a7597..21aa8701ecb 100644
--- a/.tests/postfix-submission-very-slow-bf/parser.assert
+++ b/.tests/postfix-submission-very-slow-bf/parser.assert
@@ -61,214 +61,231 @@ results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["datasource_type"] = results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Meta["machine"] == "server" results["s00-raw"]["crowdsecurity/syslog-logs"][5].Evt.Whitelisted == false len(results["s01-parse"]["crowdsecurity/postfix-logs"]) == 6 -results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == false -results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == false -results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == false -results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == false -results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == false -results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == false -len(results["s01-parse"]["melite/postfix-submission-auth"]) == 6 -results["s01-parse"]["melite/postfix-submission-auth"][0].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_attempts"] == "1" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["pid"] == "42001" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["datasource_type"] == "file" 
-results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["machine"] == "server" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][0].Evt.Whitelisted == false -results["s01-parse"]["melite/postfix-submission-auth"][1].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_attempts"] == "2" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["pid"] == "42002" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["machine"] == "server" 
-results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][1].Evt.Whitelisted == false -results["s01-parse"]["melite/postfix-submission-auth"][2].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_attempts"] == "1" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["pid"] == "42003" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["machine"] == "server" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][2].Evt.Whitelisted == false -results["s01-parse"]["melite/postfix-submission-auth"][3].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["auth_attempts"] == "1" 
-results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["pid"] == "42004" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["machine"] == "server" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][3].Evt.Whitelisted == false -results["s01-parse"]["melite/postfix-submission-auth"][4].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["auth_attempts"] == "3" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5" 
-results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["pid"] == "42005" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["machine"] == "server" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][4].Evt.Whitelisted == false -results["s01-parse"]["melite/postfix-submission-auth"][5].Success == true -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["auth_attempts"] == "1" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["auth_failed"] == "0" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["logsource"] == "syslog" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["pid"] == "42006" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" 
-results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" -basename(results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["datasource_type"] == "file" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["log_type"] == "postfix" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["machine"] == "server" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Meta["source_ip"] == "192.0.2.1" -results["s01-parse"]["melite/postfix-submission-auth"][5].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["pid"] == "42001" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["datasource_type"] == "file" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["auth_attempts"] == "2" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["pid"] == "42002" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["pid"] == "42003" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["service"] == "postfix" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][2].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["auth_attempts"] == "1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["pid"] == "42004" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Meta["source_ip"] == "192.0.2.1" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][3].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["auth_attempts"] == "3" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["pid"] == "42005" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][4].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Success == true +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["auth_attempts"] == "1" 
+results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["pid"] == "42006" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["remote_host"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" +basename(results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["machine"] == "server" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["service"] == "postfix" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_hostname"] == "unknown" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Meta["source_ip"] == "192.0.2.1" +results["s01-parse"]["crowdsecurity/postfix-logs"][5].Evt.Whitelisted == false len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 6 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_attempts"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["auth_failed"] == "0" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "42001" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Jan 15 10:00:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "postfix" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type_enh"] == "submission-auth-failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_hostname"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.0.2.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2026-01-15T10:00:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:00:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_attempts"] == "2" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["auth_failed"] == "0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/2 quit=1 commands=2/4" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "42002" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Jan 15 10:40:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "postfix" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type_enh"] == "submission-auth-failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_hostname"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.0.2.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2026-01-15T10:40:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2026-01-15T10:40:00Z" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_attempts"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["auth_failed"] == "0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "42003" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Jan 15 11:20:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "postfix" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type_enh"] == "submission-auth-failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_hostname"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.0.2.1" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2026-01-15T11:20:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2026-01-15T11:20:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_attempts"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["auth_failed"] == "0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["pid"] == "42004" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Parsed["timestamp"] == "Jan 15 12:00:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type"] == "postfix" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["log_type_enh"] == "submission-auth-failed" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["service"] == "postfix" 
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_hostname"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["source_ip"] == "192.0.2.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Meta["timestamp"] == "2026-01-15T12:00:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:00:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_attempts"] == "3" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["auth_failed"] == "0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/3 quit=1 commands=2/5" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["pid"] == "42005" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Parsed["timestamp"] == "Jan 15 12:40:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["datasource_type"] == "file" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type"] == "postfix" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["log_type_enh"] == "submission-auth-failed" 
results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["machine"] == "server" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["service"] == "postfix" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_hostname"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["source_ip"] == "192.0.2.1" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Meta["timestamp"] == "2026-01-15T12:40:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Enriched["MarshaledTime"] == "2026-01-15T12:40:00Z" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][4].Evt.Whitelisted == false results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Success == true results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_attempts"] == "1" -results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["auth_failed"] == "0" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["logsource"] == "syslog" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["message"] == "disconnect from unknown[192.0.2.1] ehlo=1 auth=0/1 quit=1 commands=2/3" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["pid"] == "42006" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["program"] == "postfix/submission/smtpd" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_addr"] == "192.0.2.1" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["remote_host"] == "unknown" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Parsed["timestamp"] == "Jan 15 13:20:00" basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_path"]) == "postfix-submission-very-slow-bf.log" results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["datasource_type"] == "file" 
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type"] == "postfix"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["log_type_enh"] == "submission-auth-failed"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["machine"] == "server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["service"] == "postfix"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_hostname"] == "unknown"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["source_ip"] == "192.0.2.1"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Meta["timestamp"] == "2026-01-15T13:20:00Z"
 results["s02-enrich"]["crowdsecurity/dateparse-enrich"][5].Evt.Enriched["MarshaledTime"] == "2026-01-15T13:20:00Z"
diff --git a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
index 3be4bf4bbec..b7b901aec2c 100644
--- a/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
+++ b/parsers/s01-parse/crowdsecurity/postfix-logs.yaml
@@ -52,6 +52,12 @@ nodes:
       statics:
         - meta: log_type_enh
           value: non-smtp-command
+  - grok:
+      apply_on: message
+      pattern: 'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}'
+      statics:
+        - meta: log_type_enh
+          value: submission-auth-failed
   - grok:
       apply_on: message
       pattern: 'NOQUEUE: %{POSTFIX_ACTION:action}: %{DATA:command} from %{RELAY}: %{SMTP_RETURN_CODES:smtp_return_codes} %{GREEDYDATA:reason}'
@@ -78,4 +84,3 @@ statics:
     expression: "evt.Parsed.remote_host"
   - meta: log_type
     value: postfix
-
diff --git a/parsers/s01-parse/melite/postfix-submission-auth.md b/parsers/s01-parse/melite/postfix-submission-auth.md
deleted file mode 100644
index 4e749f1b6c4..00000000000
--- a/parsers/s01-parse/melite/postfix-submission-auth.md
+++ /dev/null
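Review bot: The added `disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}` node carries none of the rationale that the deleted `melite/postfix-submission-auth` parser and its README gave, so a reader of postfix-logs.yaml cannot tell why a disconnect summary line counts as an authentication failure or why the pattern is anchored on `auth=0/` specifically. A comment above the node such as `# Submission (587) over STARTTLS logs no "SASL authentication failed" line; a failed AUTH only shows up as auth=0/N (0 successful of N attempts) in the disconnect summary` would keep that knowledge next to the pattern. The same comment should say that a session which fails and then succeeds (presumably logged as `auth=1/3`) is deliberately not matched, so its earlier failures never reach the `submission-auth-failed` bucket, and that as far as this hunk shows the node is not limited to `postfix/submission/smtpd` — any smtpd disconnect line with `auth=0/N` receives this `log_type_enh`, which the tag name does not suggest. If `smtpd_client_port_logging` appends `:port` to the bracketed client address, the literal space after `%{RELAY}` would presumably stop the match; the RELAY pattern is defined outside this hunk, so confirm against it. The enclosing `nodes:` list begins before this hunk.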
@@ -1,36 +0,0 @@
-## Description
-
-Parse Postfix submission port (587) authentication failures from disconnect log lines.
-
-When using STARTTLS on port 587, Postfix does **not** log explicit "SASL authentication failed" messages. Auth failures only appear as `auth=0/N` in disconnect summary lines, which standard parsers (`crowdsecurity/postfix-logs`) do not match.
-
-This parser runs in **s01-parse** because `crowdsecurity/postfix-logs` does not parse disconnect lines at all — they would be dropped before reaching s02-enrich.
-
-## Detected Pattern
-
-```
-postfix/submission/smtpd[PID]: disconnect from host[IP] ehlo=1 auth=0/1 quit=1 commands=2/3
-```
-
-The `auth=0/N` pattern indicates N authentication attempts with 0 successes.
-
-## Metadata Set
-
-- `log_type`: `postfix`
-- `log_type_enh`: `submission-auth-failed`
-- `source_ip`: extracted from the disconnect line
-
-## Remediation
-
-Used by `melite/postfix-submission-very-slow-bf` scenario to detect evasive brute-force attacks on port 587.
-
-## Example
-
-```
-Jan 15 10:00:00 mail postfix/submission/smtpd[1234]: disconnect from unknown[203.0.113.1] ehlo=1 auth=0/1 quit=1 commands=2/3
-```
-
-## Dependencies
-
-- `crowdsecurity/syslog-logs` (s00-raw)
-- `crowdsecurity/dateparse-enrich` (s02-enrich, for timestamp parsing)
diff --git a/parsers/s01-parse/melite/postfix-submission-auth.yaml b/parsers/s01-parse/melite/postfix-submission-auth.yaml
deleted file mode 100644
index 937f43c3e8d..00000000000
--- a/parsers/s01-parse/melite/postfix-submission-auth.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Parser: Postfix submission port (587) auth failures
-# Stage: s01-parse
-#
-# Detects authentication failures from "disconnect" lines on port 587.
-# Standard Postfix parsers don't catch these because port 587+STARTTLS
-# only shows auth=0/N in disconnect (no explicit "SASL authentication failed").
-# Since crowdsecurity/postfix-logs does not match disconnect lines at all,
-# this parser must be in s01-parse (not s02-enrich).
-#
-# Example log line:
-# postfix/submission/smtpd[PID]: disconnect from host[IP] ehlo=1 auth=0/1 quit=1 commands=2/3
-#
-# The auth=0/N pattern indicates N authentication attempts with 0 successes.
-onsuccess: next_stage
-filter: "evt.Parsed.program endsWith '/smtpd' && evt.Parsed.message contains 'disconnect' && evt.Parsed.message contains 'auth=0/'"
-name: melite/postfix-submission-auth
-description: "Parse submission port auth failures from disconnect lines"
-grok:
- apply_on: message
- pattern: "%{DATA}\\[%{IP:remote_addr}\\].*auth=%{INT:auth_failed}/%{INT:auth_attempts}"
-statics:
- - meta: log_type
- value: postfix
- - meta: log_type_enh
- value: submission-auth-failed
- - meta: source_ip
- expression: evt.Parsed.remote_addr
From 1a0f909866d36777103c9459bbd5fe85e17eaf7a Mon Sep 17 00:00:00 2001
From: Etilem
Date: Fri, 27 Mar 2026 09:26:44 +0100
Subject: [PATCH 3/3] docs: update submission scenario to reference crowdsecurity/postfix-logs

Remove stale reference to deleted melite/postfix-submission-auth parser. The submission auth pattern is now part of crowdsecurity/postfix-logs.
---
 scenarios/melite/postfix-submission-very-slow-bf.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/scenarios/melite/postfix-submission-very-slow-bf.md b/scenarios/melite/postfix-submission-very-slow-bf.md
index d8a810fac6a..260869e54e9 100644
--- a/scenarios/melite/postfix-submission-very-slow-bf.md
+++ b/scenarios/melite/postfix-submission-very-slow-bf.md
@@ -4,7 +4,7 @@ Detects very slow brute-force attacks on the Postfix submission port (587). Thes
 Uses a leaky bucket with a 4-hour leak rate and capacity of 5, creating a 24-hour detection window. Triggers after 6 failed submission auth attempts from the same IP.
-**Requires** the `melite/postfix-submission-auth` parser (s02-enrich) to extract auth failure information from disconnect lines.
+**Requires** the `crowdsecurity/postfix-logs` parser which extracts `auth=0/N` patterns from disconnect lines (added in this PR).
 **Detection window**: 24 hours (leakspeed 4h × 6 events)
@@ -27,5 +27,4 @@ Jan 15 17:30:00 server postfix/submission/smtpd[1006]: disconnect from unknown[1
 ## Dependencies
-- Parser: `crowdsecurity/postfix-logs` (s01-parse)
-- Parser: `melite/postfix-submission-auth` (s02-enrich, **required**)
+- Parser: `crowdsecurity/postfix-logs` (s01-parse, extended with `submission-auth-failed` pattern)