crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

Support for kerio connect logs #437

Open ToeiRei opened 2 years ago

ToeiRei commented 2 years ago

Kerio Connect lives in /opt/kerio; logs are in /opt/kerio/mailserver/store/logs by default.

The interesting log is the security log. Sample as follows:

[09/Apr/2022 09:23:20] SPF check failed: The IP address '139.162.185.76' is not in permitted set for sender '4j5ly7@webempresa.com' (FAIL)
[09/Apr/2022 09:23:20] Message from <4j5ly7@webempresa.com> to <sender@domain> rejected by header filter: To address is last.fm@domain
[09/Apr/2022 09:39:07] IP address 159.203.109.199 found in DNS blacklist SpamCop, mail from <dj1167@lycos.co.kr> to <office@domain> rejected
[09/Apr/2022 10:27:11] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'w1lpv4@webempresa.com' (FAIL)
[09/Apr/2022 10:33:30] SMTP Spam attack detected from 138.197.173.84, client closed connection before SMTP greeting
[09/Apr/2022 10:46:02] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender '572ncv@webempresa.com' (FAIL)
[09/Apr/2022 10:46:26] Kerio Antivirus database has been successfully updated. Kerio Antivirus engine version/Signature count: (AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)/11294591) is now active.
[09/Apr/2022 10:53:24] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 10:57:29] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'ybuib4@webempresa.com' (FAIL)
[09/Apr/2022 11:01:26] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:05:40] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'bk60jy@webempresa.com' (FAIL)
[09/Apr/2022 11:11:38] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender '1z9t5m@webempresa.com' (FAIL)
[09/Apr/2022 11:17:55] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:24:55] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender '3phacv@webempresa.com' (FAIL)
[09/Apr/2022 11:30:56] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'hyrknk@webempresa.com' (FAIL)
[09/Apr/2022 11:37:02] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:42:36] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender '17qhb5@webempresa.com' (FAIL)
[09/Apr/2022 11:45:30] SMTP Spam attack detected from 87.215.108.211, client closed connection before SMTP greeting
[09/Apr/2022 11:45:36] SMTP Spam attack detected from 87.215.108.211, client closed connection before SMTP greeting
[09/Apr/2022 11:45:41] SMTP Spam attack detected from unlabelled-211-108.215.87.versatel.net:39876, client sent data before SMTP greeting
[09/Apr/2022 11:49:20] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'am9bfw@webempresa.com' (FAIL)
[09/Apr/2022 12:07:54] IP address 118.69.80.92 found in DNS blacklist SpamCop, mail from <hazeln@curriculum.edu.au> to <office@domain> rejected
[09/Apr/2022 12:25:03] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'x5qbxl@webempresa.com' (FAIL)
[09/Apr/2022 12:25:58] IP address 209.85.208.54 found in DNS blacklist SORBS DNSBL, mail from <samyuktharajeev22@gmail.com> to <office@domain>
[09/Apr/2022 12:42:52] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'wv4n3n@webempresa.com' (FAIL)
[09/Apr/2022 12:46:33] Kerio Antivirus database has been successfully updated. Kerio Antivirus engine version/Signature count: (AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)/11296253) is now active.
[09/Apr/2022 13:19:35] IP address 62.109.20.191 found in DNS blacklist SpamCop, mail from <fiona.millar@alcatel.com> to <office@domain> rejected
[09/Apr/2022 13:22:05] IP address 159.89.158.32 found in DNS blacklist SpamCop, mail from <dubois@mail2santa.com> to <office@domain> rejected
[09/Apr/2022 13:49:43] SMTP Spam attack detected from 185.2.179.28, client closed connection before SMTP greeting
[09/Apr/2022 14:23:10] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender '63htto@webempresa.com' (FAIL)
[09/Apr/2022 14:29:04] IP address 112.3.205.110 found in DNS blacklist SpamHaus SBL-XBL, mail from <ldodqdege@ilovemonologue.com> to <office@domain> rejected
[09/Apr/2022 14:31:18] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'bxk5yl@webempresa.com' (FAIL)
[09/Apr/2022 14:32:45] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'ufvs92@webempresa.com' (FAIL)
[09/Apr/2022 14:33:37] SMTP Spam attack detected from 2.56.59.93, client closed connection before SMTP greeting
[09/Apr/2022 15:58:28] SMTP Spam attack detected from 109.237.103.7, client closed connection before SMTP greeting
[09/Apr/2022 15:58:48] SMTP Spam attack detected from 109.237.103.7, client closed connection before SMTP greeting
[09/Apr/2022 16:10:47] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'plv7bp@webempresa.com' (FAIL)
[09/Apr/2022 16:16:57] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'wzv4yx@webempresa.com' (FAIL)
[09/Apr/2022 16:21:37] IP address 192.241.175.242 found in DNS blacklist SpamCop, mail from <dbutler@magnet.co.uk> to <office@domain> rejected
[09/Apr/2022 16:23:15] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'n5x5s7@webempresa.com' (FAIL)
[09/Apr/2022 16:27:50] SPF check failed: The IP address '139.162.184.138' is not in permitted set for sender 'ffqgu6@webempresa.com' (FAIL)
[09/Apr/2022 16:34:52] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
ToeiRei commented 2 years ago

Here's the parser I could come up with so far:

/etc/crowdsec/parsers/s01-parse/kerio-connect-security.yaml

name: toeirei/kerio-connect-security-logs
description: "Parse Kerio Connect security logs"
# only lines acquired with the label type: kerio-connect reach this parser
filter: "evt.Parsed.program == 'kerio-connect'"
onsuccess: next_stage
# debug: true
pattern_syntax:
  # every line starts with a [dd/Mon/yyyy hh:mm:ss] prefix; the client is an IP or hostname with an optional :port
  # trailing "." is escaped so it only matches the literal period ending the line
  KERIO_AUTH_FAIL: '\[%{DATA:time}] Failed %{DATA:kerio_service} login from %{IPORHOST:remote_addr}(?::%{POSINT:port})? with SASL method %{NOTSPACE:method}\.'
  KERIO_SMTP_CLOSED_GREETING: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?, client closed connection before SMTP greeting'
  KERIO_SMTP_DATA_BEFORE_GREETING: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?, client sent data before SMTP greeting'
  # catch-all for any other "SMTP Spam attack detected" variant; note it also matches the two specific lines above
  KERIO_SPAM_FROM: '\[%{DATA:time}] SMTP Spam attack detected from %{IPORHOST:remote_addr}(?::%{POSINT:port})?'
nodes:
 - grok:
     name: "KERIO_AUTH_FAIL"
     apply_on: message
     statics:
       - meta: log_type
         value: kerioconnect_failed_login
       - target: evt.StrTime
         expression: evt.Parsed.time
       - meta: kerio_service
         expression: evt.Parsed.kerio_service
       - meta: source_ip
         expression: evt.Parsed.remote_addr
 - grok:
     name: "KERIO_SMTP_CLOSED_GREETING"
     apply_on: message
     statics:
       - meta: log_type
         value: kerioconnect_closed_before_greeting
       - target: evt.StrTime
         expression: evt.Parsed.time
       - meta: source_ip
         expression: evt.Parsed.remote_addr
 - grok:
     name: "KERIO_SMTP_DATA_BEFORE_GREETING"
     apply_on: message
     statics:
       - meta: log_type
         value: kerioconnect_data_before_greeting
       - target: evt.StrTime
         expression: evt.Parsed.time
       - meta: source_ip
         expression: evt.Parsed.remote_addr
 - grok:
     name: "KERIO_SPAM_FROM"
     apply_on: message
     statics:
       - meta: log_type
         value: kerioconnect_generic_spam
       - target: evt.StrTime
         expression: evt.Parsed.time
       - meta: source_ip
         expression: evt.Parsed.remote_addr
# applied once any node matched
statics:
   - meta: service
     value: kerioconnect
   - meta: source_ip
     expression: evt.Parsed.remote_addr

Update 1: Parser checks out against security.log so far - added data before SMTP
Update 2: added more grok patterns

ToeiRei commented 2 years ago

Scenarios:

/etc/crowdsec/scenarios/kerio-connect-bf.yaml

# kerio-connect bf
type: leaky
name: toeirei/kerio-connect-bf
description: "Detect kerio-connect bruteforce"
filter: evt.Meta.log_type == 'kerioconnect_failed_login'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
 service: kerio-connect
 type: bruteforce
 remediation: true

/etc/crowdsec/scenarios/kerio-connect-spamdetect.yaml

# kerio-connect smtp close before greeting
type: leaky
name: toeirei/kerio-connect-smtp-close-greet
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_closed_before_greeting'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
 service: kerio-connect
 type: scanner
 remediation: true
---
type: leaky
name: toeirei/kerio-connect-smtp-data-greet
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_data_before_greeting'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
 service: kerio-connect
 type: scanner
 remediation: true
---
type: leaky
name: toeirei/kerio-connect-smtp-generic
description: "Detect kerio-connect SMTP attacks"
filter: evt.Meta.log_type == 'kerioconnect_generic_spam'
leakspeed: 1h
capacity: 4
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
 service: kerio-connect
 type: scanner
 remediation: true
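To see what the parser and the scenarios in the two comments above are meant to do end to end, here is an added Python model (written for this page; it is neither ToeiRei's code nor part of crowdsec or the hub). It translates the grok patterns into equivalent Python regexes, classifies the sample lines into the same `log_type` values, shows which patterns overlap, and then feeds the events through a simple leaky bucket per source IP with the scenarios' `capacity: 4` / `leakspeed: 1h`. Assumptions: the bucket semantics (pour one unit per event, drain one unit per leakspeed, overflow when the level exceeds capacity) are my approximation of a crowdsec leaky bucket, not its code; the sample lines are copied in the shape of the security.log excerpt above; the failed-login lines are constructed from the KERIO_AUTH_FAIL pattern with a TEST-NET address, since the issue shows no real one; the DNSBL pattern is an extension beyond the posted parser.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input, copied in the shape of the security.log excerpt in the issue.
SAMPLE_LOG = """\
[09/Apr/2022 10:33:30] SMTP Spam attack detected from 138.197.173.84, client closed connection before SMTP greeting
[09/Apr/2022 10:53:24] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:01:26] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:17:55] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:37:02] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
[09/Apr/2022 11:45:41] SMTP Spam attack detected from unlabelled-211-108.215.87.versatel.net:39876, client sent data before SMTP greeting
[09/Apr/2022 12:07:54] IP address 118.69.80.92 found in DNS blacklist SpamCop, mail from <hazeln@curriculum.edu.au> to <office@domain> rejected
[09/Apr/2022 12:46:33] Kerio Antivirus database has been successfully updated.
[09/Apr/2022 16:34:52] SMTP Spam attack detected from 139.162.184.138, client closed connection before SMTP greeting
"""

# Constructed login failures: the line shape follows the KERIO_AUTH_FAIL grok pattern of the
# posted parser, not an observed Kerio line; 198.51.100.7 is a TEST-NET address.
CONSTRUCTED_LOGIN_FAILURES = "\n".join(
    f"[09/Apr/2022 12:0{i}:00] Failed IMAP login from 198.51.100.7 with SASL method PLAIN."
    for i in range(5)
)

ADDR = r"(?P<remote_addr>[^\s,:]+)(?::(?P<port>\d+))?"  # IPORHOST with optional :port
TS = r"^\[(?P<time>[^\]]+)\] "                            # [dd/Mon/yyyy hh:mm:ss] prefix

# Most specific first: the generic "SMTP Spam attack detected" pattern is a prefix of the two
# specific ones, so it must be tried last or it would claim every spam line.
PATTERNS = [
    ("kerioconnect_failed_login",
     re.compile(TS + r"Failed (?P<kerio_service>.+?) login from " + ADDR + r" with SASL method (?P<method>\S+)\.")),
    ("kerioconnect_closed_before_greeting",
     re.compile(TS + r"SMTP Spam attack detected from " + ADDR + r", client closed connection before SMTP greeting")),
    ("kerioconnect_data_before_greeting",
     re.compile(TS + r"SMTP Spam attack detected from " + ADDR + r", client sent data before SMTP greeting")),
    ("kerioconnect_generic_spam",
     re.compile(TS + r"SMTP Spam attack detected from " + ADDR)),
    # Extension beyond the posted parser: DNSBL rejections also name the connecting IP.
    ("kerioconnect_dnsbl_reject",
     re.compile(TS + r"IP address (?P<remote_addr>\S+) found in DNS blacklist ")),
]


def matching_log_types(line):
    """Every log_type whose pattern matches, to make overlapping patterns visible."""
    return [name for name, rx in PATTERNS if rx.search(line)]


def parse_line(line):
    """First matching pattern wins; returns None for lines the parser ignores."""
    for log_type, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return {
                "log_type": log_type,
                "source_ip": m["remote_addr"],
                "port": m.groupdict().get("port"),
                "time": datetime.strptime(m["time"], "%d/%b/%Y %H:%M:%S"),
            }
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines() if l.strip()) if e]


def count_by_ip(events, log_type):
    return Counter(e["source_ip"] for e in events if e["log_type"] == log_type)


class LeakyBucket:
    """Assumed model (an approximation, not crowdsec's implementation): each event pours one
    unit in, the level drains at one unit per leakspeed, and the bucket overflows when the
    level exceeds capacity, i.e. on the (capacity+1)th event that arrives before the earlier
    ones have leaked out."""

    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last = 0.0, None

    def pour(self, ts):
        if self.last is not None:
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last = ts
        self.level += 1
        return self.level > self.capacity


def run_scenario(events, log_type, capacity=4, leakspeed=timedelta(hours=1)):
    """Mirror one scenario: filter on log_type, group by source_ip, return overflows as
    (source_ip, time) pairs. The bucket is reset after overflowing; crowdsec's blackhole,
    which also suppresses repeats for a while, is not modelled."""
    buckets, alerts = {}, []
    for e in sorted((e for e in events if e["log_type"] == log_type), key=lambda e: e["time"]):
        b = buckets.setdefault(e["source_ip"], LeakyBucket(capacity, leakspeed))
        if b.pour(e["time"]):
            alerts.append((e["source_ip"], e["time"]))
            del buckets[e["source_ip"]]
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(count_by_ip(evts, "kerioconnect_closed_before_greeting"))
    print(run_scenario(evts, "kerioconnect_closed_before_greeting"))
    print(run_scenario(parse_log(CONSTRUCTED_LOGIN_FAILURES), "kerioconnect_failed_login"))
```

Two things the model makes visible: the 10:53 line matches both KERIO_SMTP_CLOSED_GREETING and the catch-all KERIO_SPAM_FROM, so whichever match sets `log_type` last decides which scenario sees the event; and 139.162.184.138's five closed-before-greeting lines are spread over almost six hours, so with a 1h leakspeed the bucket never fills under this model, whereas five failures within a few minutes overflow a capacity-4 bucket on the fifth event.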
buixor commented 2 years ago

thanks, cf. https://github.com/crowdsecurity/hub/pull/467

bohemtucsok commented 1 year ago

Hello

That would be great :) My question is: when is it expected to be on the hub, or can I activate it manually if I create the files?

I'm still a beginner in crowdsec.