Add Guezli/postfix-sasl-bf scenario #1794
Open
Guezli wants to merge 1 commit into
Conversation
Detects slow/distributed SASL LOGIN bruteforce against postfix. Covers the gap left by crowdsecurity/postfix-spam, which is tuned for fast spam waves and misses distributed low-rate attackers. Threshold: 3 SASL failures from the same IP within ~2h.
Description

Adds a new scenario Guezli/postfix-sasl-bf that detects slow / distributed SASL LOGIN bruteforce attempts against postfix.

The existing crowdsecurity/postfix-spam scenario is tuned for fast spam waves (capacity 5 / leakspeed 10s) and does not trigger on distributed low-rate attackers (e.g. /24 networks where each IP attempts 1-2 SASL logins per hour). This scenario closes that gap with capacity 2 / leakspeed 7200s, triggering on 3 failures within ~2h.

Built and validated against Mailcow on a VPS seeing ~30 distinct slow-BF IPs per day.

The behavior label is set to pop3/imap:bruteforce because the hub taxonomy has no dedicated smtp:bruteforce entry yet; this follows the precedent set by hitech95/email-generic-bf.

Checklist

- .md documentation with acquisition example
- tests/postfix-sasl-bf/ passing locally (cscli hubtest run postfix-sasl-bf --clean -> all tests passed)
- hublint check clean (0 warnings, 0 errors)
- crowdsecurity/postfix-logs parser, no new parser needed

AI assistance
Claude Code was used to port the scenario from my personal repo
(https://github.com/Guezli/postfix-sasl-bf) into Hub format, generate
the hubtest assertions, and structure the documentation. The detection
logic, threshold tuning, and field-of-use research are my own work; I
can explain every part of the contribution.
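A leaky-bucket simulation of the two thresholds compared in the description (capacity 5 / leakspeed 10s versus capacity 2 / leakspeed 7200s), added here as an illustration; it is not code from the PR or the hub, the timestamps and IPs are constructed sample data, and the bucket model is a simplified approximation of CrowdSec's (continuous leak, bucket recreated after overflow, no blackhole).

```python
"""Simplified CrowdSec-style leaky bucket, one per source IP (illustration, not hub code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LeakyBucket:
    capacity: int              # events the bucket holds; the next one overflows
    leakspeed: float           # seconds it takes for one event to leak out
    level: float = 0.0         # current fill level in events
    last_ts: Optional[float] = None

    def push(self, ts: float) -> bool:
        """Record one failure at epoch-seconds ts; True if the bucket overflowed."""
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leakspeed)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:
            # Overflow: alert fires and the bucket is discarded (a fresh one is
            # created on the next event, as without a blackhole setting).
            self.level, self.last_ts = 0.0, None
            return True
        return False


def run_scenario(events: List[Tuple[int, str]], capacity: int,
                 leakspeed: float) -> List[Tuple[str, int]]:
    """Feed (ts, ip) SASL failures through per-IP buckets; return (ip, ts) alerts."""
    buckets: Dict[str, LeakyBucket] = {}
    alerts: List[Tuple[str, int]] = []
    for ts, ip in sorted(events):
        if buckets.setdefault(ip, LeakyBucket(capacity, leakspeed)).push(ts):
            alerts.append((ip, ts))
    return alerts


# Constructed sample: a spam wave (6 failures in 6 s), a slow attacker
# (3 failures 45 min apart) and a very slow one (3 failures 3 h apart).
WAVE_IP, SLOW_IP, VERY_SLOW_IP = "198.51.100.7", "203.0.113.10", "203.0.113.11"
EVENTS = ([(100 + i, WAVE_IP) for i in range(6)]
          + [(0, SLOW_IP), (2700, SLOW_IP), (5400, SLOW_IP)]
          + [(1000, VERY_SLOW_IP), (11800, VERY_SLOW_IP), (22600, VERY_SLOW_IP)])
POSTFIX_SPAM = dict(capacity=5, leakspeed=10)      # as described for crowdsecurity/postfix-spam
POSTFIX_SASL_BF = dict(capacity=2, leakspeed=7200) # as described for Guezli/postfix-sasl-bf

if __name__ == "__main__":
    print("postfix-spam   :", run_scenario(EVENTS, **POSTFIX_SPAM))
    print("postfix-sasl-bf:", run_scenario(EVENTS, **POSTFIX_SASL_BF))
```

The fast scenario only ever fires on the wave IP, while the slow one catches the 45-minute attacker on its third failure and still ignores the 3-hour one, which leaks out faster than it refills.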