wazuh / wazuh-ruleset

Wazuh - Ruleset
https://wazuh.com

Dovecot Decoder Addition #843

Open sangdrax8 opened 2 years ago

sangdrax8 commented 2 years ago

I am working on a new install, and found that my dovecot rules are not currently being correctly decoded. It appears mine is adding the "session" to the end of the log line, which is only decoded in failed attempts but apparently was not done in successful ones. I CAN make my own and comment this one out, but hopefully this change can be rolled into the officially maintained ones so I can stay with that (once it is released).

My Log line that causes issues

Aug 25 08:08:34 mail dovecot[48879]: imap-login: Login: user=<test@fake.com>, method=CRAM-MD5, rip=16.17.3.5, lip=24.9.4.7, mpid=16110, TLS, session=<LmGLHGHKd1Cmqh8z>

The current ruleset in my decoders for dovecot has a $ at the end of the success match, which excludes this from working

<decoder name="dovecot-success">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$</regex>
  <order>user, srcip, dstip, protocol</order>
</decoder>

My edited success section with session added to the end:

<decoder name="dovecot-success">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
  <regex offset="after_prematch" type="pcre2">^user=(?:\<)?(\w*(?:\W\w+)*)(?:\>)?, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\w*)(?:,)?</regex>
  <order>user, srcip, dstip, protocol</order>
</decoder>

<decoder name="dovecot-success">
  <parent>dovecot</parent>
  <regex offset="after_regex"> session=\p(\S+\S)></regex>
  <order>session</order>
</decoder>
sangdrax8 commented 2 years ago

As a secondary fix, I am also seeing issues with the failed logins parsing. There are two things here I am looking to fix. First, the "method" section isn't present in all logs which match the current dovecot-disconnected-user decoder, and therefore it fails to match when method is missing. To fix that I made the method section optional and a non-matching group.

When fixing that, I noticed my user field is showing with the "<>" around the username. I am going to assume if this worked for someone that perhaps there is a dovecot that logs without the "<>" around the user. I had to switch to pcre2 regex, but I was able to create a match that will correctly pull out the user from both cases.

Multiple failure attempts that hit the same decode rule (one without method)

Aug 25 08:17:03 mail dovecot[48879]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user>, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>
Aug 25 08:17:03 mail dovecot[48879]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@test.com>, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>
Aug 25 08:17:03 mail dovecot[48879]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=user, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>
Aug 25 08:17:03 mail dovecot[48879]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=user@test.com, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>
Aug 24 17:18:23 mail dovecot[48879]: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<R7uAFKNKWMmH>
Aug 24 17:18:23 mail dovecot[48879]: imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<R7uAFKNKWMmH>

Original syntax

<decoder name="dovecot-disconnect-user">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^\w\w\w\w-login: Disconnected\.+user=</prematch>
  <regex offset="after_parent">user=(\S+), method=\S+, rip=(\S+), lip=(\S+),</regex>
  <order>srcuser, srcip, dstip</order>
</decoder>

What I needed to get it to decode

<decoder name="dovecot-disconnect-user">
  <parent>dovecot</parent>
  <prematch offset="after_parent">^\w\w\w\w-login: Disconnected\.+user=</prematch>
  <regex offset="after_parent" type="pcre2">user=(?:\<)?(\w*(?:\W\w+)*)(?:\>)?,(?: method=\S+,)? rip=(\S+), lip=(\S+),</regex>
  <order>user, srcip, dstip</order>
</decoder>
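To see why the original success decoder misses the session-suffixed line and what the proposed pcre2 decoders (both the success/session pair above and this disconnect one) extract, here is an added emulation in Python using `re` as a stand-in for Wazuh's pcre2 engine; it is not code from the Wazuh ruleset. It assumes the parent `dovecot` decoder has already consumed the syslog header, and translates the OS_Regex prematches by hand (`\.` = any character, `\p` = punctuation).

```python
import re

# Constructed sample input, copied from the log lines quoted in this thread,
# with the syslog header already removed (assumption: the parent "dovecot"
# decoder consumed it, so children see text starting at "imap-login: ...").
SUCCESS_LINE = ("imap-login: Login: user=<test@fake.com>, method=CRAM-MD5, rip=16.17.3.5, "
                "lip=24.9.4.7, mpid=16110, TLS, session=<LmGLHGHKd1Cmqh8z>")
DISCONNECT_LINES = [
    "imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user>, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>",
    "imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=user@test.com, method=CRAM-MD5, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<mu6OKsAv/BCD>",
    "imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<R7uAFKNKWMmH>",
    "imap-login: Disconnected: Inactivity (no auth attempts in 180 secs): user=, rip=1.1.1.1, lip=2.2.2.2, TLS, session=<R7uAFKNKWMmH>",
]

# OS_Regex prematches translated to PCRE ("\." is any char in OS_Regex).
SUCCESS_PREMATCH = re.compile(r"^\w\w\w\w-login: Login: ")
DISCONNECT_PREMATCH = re.compile(r"^\w\w\w\w-login: Disconnected.+user=")
# Original success regex translated ("\p" -> [^\w\s]); the trailing "$" is what rejects the session suffix.
ORIGINAL_SUCCESS = re.compile(r"^user=[^\w\s](\S+)[^\w\s], method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$")
# Proposed pcre2 regexes, verbatim from the issue; SESSION is the sibling decoder (offset="after_regex").
PROPOSED_SUCCESS = re.compile(r"^user=(?:\<)?(\w*(?:\W\w+)*)(?:\>)?, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\w*)(?:,)?")
SESSION = re.compile(r" session=[^\w\s](\S+\S)>")
PROPOSED_DISCONNECT = re.compile(r"user=(?:\<)?(\w*(?:\W\w+)*)(?:\>)?,(?: method=\S+,)? rip=(\S+), lip=(\S+),")

def decode_success(line, regex=PROPOSED_SUCCESS):
    """dovecot-success: prematch, regex at offset after_prematch, then the session sibling."""
    pm = SUCCESS_PREMATCH.match(line)
    if not pm:
        return None
    rest = line[pm.end():]                      # offset="after_prematch"
    m = regex.match(rest)
    if not m:
        return None                             # decoder does not fire
    fields = dict(zip(("user", "srcip", "dstip", "protocol"), m.groups()))
    s = SESSION.search(rest, m.end())           # offset="after_regex": continue where the first regex stopped
    if s:
        fields["session"] = s.group(1)
    return fields

def decode_disconnect(line):
    """dovecot-disconnect-user: prematch, then regex at offset after_parent (whole child text)."""
    if not DISCONNECT_PREMATCH.match(line):
        return None
    m = PROPOSED_DISCONNECT.search(line)
    return dict(zip(("user", "srcip", "dstip"), m.groups())) if m else None

if __name__ == "__main__":
    print("original success decoder:", decode_success(SUCCESS_LINE, ORIGINAL_SUCCESS))  # None
    print("proposed success decoder:", decode_success(SUCCESS_LINE))
    for entry in DISCONNECT_LINES:
        print("disconnect:", decode_disconnect(entry))
```

The original regex returns nothing for the success line, while the proposed pair yields the user without angle brackets plus the session id, and the disconnect decoder yields an empty user for both `user=<>` and `user=` inactivity lines.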
sangdrax8 commented 2 years ago

Another issue, where I can't really figure out what the correct value should be: it seems ONLY the dovecot-disconnect-user section uses the "srcuser" syntax in the order section. All other references in this decoder simply use "user". I am therefore altering it to be just "user" as that is what the rest of the file is doing. I will edit my previous comment with that change.

sangdrax8 commented 2 years ago

I have created a pull request with the above changes for review. I think I lack permissions to actually link it, so I am leaving this note here. https://github.com/wazuh/wazuh-ruleset/pull/844

fabamatic commented 2 years ago

Hi @sangdrax8, great work! Could you reopen the PR in the main Wazuh repo? (we are in the process of closing this one as all decoder/rule work will be done on Wazuh/Wazuh repo). Add me as a reviewer in the new PR so we can move forward to merge this work.

fabamatic commented 2 years ago

I will be closing your PR in this repo.

sangdrax8 commented 2 years ago

Created new pull request, although I couldn't find how to add you as the reviewer. I did comment and mention you though.