Open ToeiRei opened 2 years ago
There's the parser I could come up with so far:
`/etc/crowdsec/parsers/s01-parse/kerio-connect-security.yaml`

```yaml
name: toeirei/kerio-connect-security-logs
description: "Parse Kerio Connect security logs"
filter: "evt.Parsed.program == 'kerio-connect'"
onsuccess: next_stage
# debug: true
pattern_syntax:
  KERIO_AUTH_FAIL: '\[%{DATA:time}] Failed %{DATA:kerio_service} login from %{IPORHOST:remote_addr}(?::%{POSINT:port})? with SASL method %{NOTSPACE:method}.'
  KERIO_SMTP_CLOSED_GREETING: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?, client closed connection before SMTP greeting'
  KERIO_SMTP_DATA_BEFORE_GREETING: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?, client sent data before SMTP greeting'
  KERIO_SPAM_FROM: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?'
nodes:
  - grok:
      name: "KERIO_AUTH_FAIL"
      apply_on: message
      statics:
        - meta: log_type
          value: kerioconnect_failed_login
        - target: evt.StrTime
          expression: evt.Parsed.time
        - meta: kerio_service
          expression: evt.Parsed.kerio_service
        - meta: source_ip
          expression: evt.Parsed.remote_addr
  - grok:
      name: "KERIO_SMTP_CLOSED_GREETING"
      apply_on: message
      statics:
        - meta: log_type
          value: kerioconnect_closed_before_greeting
        - target: evt.StrTime
          expression: evt.Parsed.time
        - meta: source_ip
          expression: evt.Parsed.remote_addr
  - grok:
      name: "KERIO_SMTP_DATA_BEFORE_GREETING"
      apply_on: message
      statics:
        - meta: log_type
          value: kerioconnect_data_before_greeting
        - target: evt.StrTime
          expression: evt.Parsed.time
        - meta: source_ip
          expression: evt.Parsed.remote_addr
  - grok:
      name: "KERIO_SPAM_FROM"
      apply_on: message
      statics:
        - meta: log_type
          value: kerioconnect_generic_spam
        - target: evt.StrTime
          expression: evt.Parsed.time
        - meta: source_ip
          expression: evt.Parsed.remote_addr
statics:
  - meta: service
    value: kerioconnect
  - meta: source_ip
    expression: evt.Parsed.remote_addr
```
Update 1: Parser checks out against security.log so far - added data before SMTP

Update 2: added more grok patterns
Scenarios:
`/etc/crowdsec/scenarios/kerio-connect-bf.yaml`

```yaml
# kerio-connect bf
type: leaky
name: toeirei/kerio-connect-bf
description: "Detect kerio-connect bruteforce"
filter: evt.Meta.log_type == 'kerioconnect_failed_login'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: kerio-connect
  type: bruteforce
  remediation: true
```
`/etc/crowdsec/scenarios/kerio-connect-spamdetect.yaml`

```yaml
# kerio-connect smtp close before greeting
type: leaky
name: toeirei/kerio-connect-smtp-close-greet
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_closed_before_greeting'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: kerio-connect
  type: scanner
  remediation: true
---
# kerio-connect smtp data before greeting
type: leaky
name: toeirei/kerio-connect-smtp-data-greet
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_data_before_greeting'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: kerio-connect
  type: scanner
  remediation: true
---
# kerio-connect generic smtp spam
type: leaky
name: toeirei/kerio-connect-smtp-generic
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_generic_spam'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: kerio-connect
  type: scanner
  remediation: true
```
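As an added example (not code from this issue, from its author or from the CrowdSec hub), here is a small Python model of the parser and scenarios above, run over constructed `security.log` lines. The regexes are hand translations of the grok patterns (`IPORHOST` simplified to an IPv4 address or hostname, no IPv6), and the bucket is a simplified continuous-leak model of a CrowdSec `leaky` bucket, so it illustrates the logic rather than reproducing the engine. It demonstrates two things a reviewer of the parser would want to check: the generic `KERIO_SPAM_FROM` pattern also matches the two specific spam lines, so only the node order in the parser (specific patterns first, `onsuccess: next_stage`) keeps the specific `log_type` values; and five failed logins from one address inside the 1h leak window overflow the capacity-4 bucket while a single failure does not.

```python
import re
from datetime import datetime, timedelta

# Hand-translated equivalents of the grok patterns in the parser above.
# IPORHOST is simplified to IPv4/hostname characters (assumption: no IPv6).
TIME = r"\[(?P<time>[^\]]+)\]"
IPORHOST = r"(?P<remote_addr>[0-9A-Za-z.-]+)"
PORT = r"(?::(?P<port>\d+))?"

# Same order as the parser's nodes: the generic KERIO_SPAM_FROM pattern is a
# prefix of the two specific spam patterns, so it must be tried last.
PATTERNS = [
    ("kerioconnect_failed_login", re.compile(
        TIME + r" Failed (?P<kerio_service>\S+) login from " + IPORHOST + PORT
        + r" with SASL method (?P<method>\S+)\.")),
    ("kerioconnect_closed_before_greeting", re.compile(
        TIME + r" SMTP Spam attack detected from " + IPORHOST + PORT
        + r", client closed connection before SMTP greeting")),
    ("kerioconnect_data_before_greeting", re.compile(
        TIME + r" SMTP Spam attack detected from " + IPORHOST + PORT
        + r", client sent data before SMTP greeting")),
    ("kerioconnect_generic_spam", re.compile(
        TIME + r" SMTP Spam attack detected from " + IPORHOST + PORT)),
]

# Mirrors the scenario filters above: log_type -> scenario name.
SCENARIOS = {
    "kerioconnect_failed_login": "toeirei/kerio-connect-bf",
    "kerioconnect_closed_before_greeting": "toeirei/kerio-connect-smtp-close-greet",
    "kerioconnect_data_before_greeting": "toeirei/kerio-connect-smtp-data-greet",
    "kerioconnect_generic_spam": "toeirei/kerio-connect-smtp-generic",
}

# Constructed lines in the shape the grok patterns expect (not real Kerio output).
SAMPLE_LOG = [
    "[06/Jun/2022 09:21:53] Failed SMTP login from 192.0.2.10:51234 with SASL method PLAIN.",
    "[06/Jun/2022 09:21:55] Failed SMTP login from 192.0.2.10:51240 with SASL method PLAIN.",
    "[06/Jun/2022 09:22:01] Failed IMAP login from 192.0.2.10:51251 with SASL method LOGIN.",
    "[06/Jun/2022 09:22:04] Failed SMTP login from 192.0.2.10:51260 with SASL method PLAIN.",
    "[06/Jun/2022 09:22:09] Failed SMTP login from 192.0.2.10:51266 with SASL method PLAIN.",
    "[06/Jun/2022 09:30:00] SMTP Spam attack detected from 198.51.100.7:44321, client closed connection before SMTP greeting",
    "[06/Jun/2022 09:30:02] SMTP Spam attack detected from 198.51.100.7:44322, client sent data before SMTP greeting",
    "[06/Jun/2022 09:30:05] Failed SMTP login from 203.0.113.5:40001 with SASL method PLAIN.",
    "[06/Jun/2022 09:31:00] Some unrelated line",
]


def parse(message):
    """Return (log_type, fields) for the first matching pattern, like the
    parser's first successful node with onsuccess: next_stage; None otherwise."""
    for log_type, rx in PATTERNS:
        m = rx.match(message)
        if m:
            return log_type, m.groupdict()
    return None


class LeakyBucket:
    """Simplified model (assumption) of a CrowdSec leaky bucket: the level rises
    by one per event and drains one unit per leakspeed; an event that pushes the
    level above capacity overflows the bucket, which is what raises the alert."""

    def __init__(self, capacity, leakspeed):
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.level = 0.0
        self.last = None

    def add(self, ts):
        if self.last is not None:
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0  # overflow: bucket is emptied, alert raised
            return True
        return False


def run(lines, capacity=4, leakspeed=timedelta(hours=1)):
    """Feed log lines through the parser model and one bucket per
    (scenario, source_ip), as groupby: evt.Meta.source_ip does; return alerts."""
    buckets, alerts = {}, []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # parser did not match: no log_type, no scenario fires
        log_type, fields = parsed
        ts = datetime.strptime(fields["time"], "%d/%b/%Y %H:%M:%S")
        key = (SCENARIOS[log_type], fields["remote_addr"])
        bucket = buckets.setdefault(key, LeakyBucket(capacity, leakspeed))
        if bucket.add(ts):
            alerts.append(key)
    return alerts


if __name__ == "__main__":
    for scenario, ip in run(SAMPLE_LOG):
        print(f"alert: {scenario} source_ip={ip}")
```

With the sample lines, only `192.0.2.10` overflows the bruteforce bucket (the IMAP failure counts, because the scenario groups by `source_ip` and does not filter on `kerio_service`); the single failure from `203.0.113.5` stays below capacity, and the two spam lines from `198.51.100.7` land in two different scenario buckets.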
thanks, cf. https://github.com/crowdsecurity/hub/pull/467
Hello
That would be great :) my question is when is it expected to be on the HUB or can I activate it manually if I create the files?
I'm still a beginner in crowdsec.
Kerio Connect lives in /opt/kerio - logs are in /opt/kerio/mailserver/store/logs by default.
The interesting log is the security log. Sample as follows: