@bdeshi
Last active January 15, 2025 21:43
maddy crowdsec

```yaml
# collection: parser + scenarios for maddy logs
parsers:
  - bdeshi/maddy-logs
scenarios:
  - bdeshi/maddy-bad-auth
  - bdeshi/maddy-scan
  # - bdeshi/maddy-probe
description: "maddy log support: basic parser and scenarios"
author: bdeshi
```
```yaml
# parser: bdeshi/maddy-logs (root node, then a post node that extracts the source IP)
name: bdeshi/maddy-logs
description: "Parse Maddy logs"
filter: "Upper(evt.Parsed.program) == 'MADDY'"
# based on <https://github.com/foxcpp/maddy/tree/master/dist/fail2ban/filter.d/>
pattern_syntax:
  PROTOCOL: '.+'
  SUMMARY_BAD_AUTH: 'authentication failed'
  SUMMARY_SCAN_MAIL_FROM: 'MAIL FROM error repeated a lot, possible dictionary attack'
  SUMMARY_SCAN_RCPT_ERR: 'too many RCPT errors, possible dictionary attack'
  JSON_MESSAGE: '\{.*\}'
nodes:
  - grok:
      pattern: '^%{TIMESTAMP_ISO8601:log_time}\s+%{PROTOCOL:protocol}:\s+%{SUMMARY_BAD_AUTH:summary}\s+%{JSON_MESSAGE:json_message}'
      apply_on: message
    statics:
      - meta: log_type
        value: maddy_bad-auth
  - grok:
      pattern: '^%{TIMESTAMP_ISO8601:log_time}\s+%{PROTOCOL:protocol}:\s+%{SUMMARY_SCAN_RCPT_ERR:summary}\s+%{JSON_MESSAGE:json_message}'
      apply_on: message
    statics:
      - meta: log_type
        value: maddy_scan
  - grok:
      # capture name is json_message (was json_string) so the UnmarshalJSON static below finds it
      pattern: '^%{TIMESTAMP_ISO8601:log_time}\s+%{PROTOCOL:protocol}:\s+%{SUMMARY_SCAN_MAIL_FROM:summary}\s+%{JSON_MESSAGE:json_message}'
      apply_on: message
    statics:
      - meta: log_type
        value: maddy_scan
statics:
  - meta: service
    value: maddy
  - target: evt.StrTime
    expression: evt.Parsed.log_time
  - meta: summary
    expression: evt.Parsed.summary
  - meta: protocol
    expression: evt.Parsed.protocol
  # decode the trailing JSON object into evt.Unmarshaled.message
  - parsed: json_message
    expression: UnmarshalJSON(evt.Parsed.json_message, evt.Unmarshaled, "message")
  - meta: username
    expression: 'evt.Unmarshaled.message.username ?? ""'
  - meta: count
    expression: 'evt.Unmarshaled.message.count ?? 0'
  - meta: state
    value: root_done
---
name: bdeshi/maddy-logs-post
filter: "Upper(evt.Parsed.program) == 'MADDY' && evt.Meta.state == 'root_done'"
onsuccess: next_stage
debug: true
pattern_syntax:
  IP_ADDRESS_PART: '.*'
nodes:
  - grok:
      pattern: '%{IP_ADDRESS_PART:src_ip}\:\d+$'
      # apply_on only names a field of evt.Parsed; the decoded JSON lives under
      # evt.Unmarshaled.message, so feed it through an expression instead
      expression: evt.Unmarshaled.message.src_ip
    statics:
      - meta: source_ip
        expression: evt.Parsed.src_ip
```
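An added test harness (not part of the gist, and not CrowdSec code) that mirrors what the two parser nodes above do, so the expected `evt.Meta` can be checked offline before loading the YAML into CrowdSec: the same timestamp / protocol / summary / JSON split, the `UnmarshalJSON` step, the `?? ""` and `?? 0` defaults, and the `.*:\d+$` port strip from the post node. The sample lines are constructed in maddy's `<timestamp> <protocol>: <summary> <json>` shape with TEST-NET addresses; the `SAMPLE_LINES`, `parse_line` and `source_ip` names are this example's own. It goes one step beyond the gist by also removing the square brackets an IPv6 literal carries (`[2001:db8::1]:40000`), which the gist's grok leaves in place.

```python
import json
import re

# Hypothetical harness mirroring the gist's grok nodes; not CrowdSec code.
# Maps each SUMMARY_* pattern to the log_type meta the matching node sets.
SUMMARIES = {
    "authentication failed": "maddy_bad-auth",                                   # SUMMARY_BAD_AUTH
    "too many RCPT errors, possible dictionary attack": "maddy_scan",            # SUMMARY_SCAN_RCPT_ERR
    "MAIL FROM error repeated a lot, possible dictionary attack": "maddy_scan",  # SUMMARY_SCAN_MAIL_FROM
}

# ^%{TIMESTAMP_ISO8601:log_time}\s+%{PROTOCOL:protocol}:\s+%{SUMMARY_*:summary}\s+%{JSON_MESSAGE:json_message}
LINE_RE = re.compile(
    r"^(?P<log_time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)\s+"
    r"(?P<protocol>\S+):\s+"
    r"(?P<summary>" + "|".join(re.escape(s) for s in SUMMARIES) + r")\s+"
    r"(?P<json_message>\{.*\})$"
)

# %{IP_ADDRESS_PART:src_ip}\:\d+$ from the post node: everything before the last ":<port>".
IP_PORT_RE = re.compile(r"^(?P<src_ip>.*):\d+$")


def source_ip(remote):
    """Strip the port the way the gist's grok does, plus the [] an IPv6 literal carries."""
    m = IP_PORT_RE.match(remote)
    if m is None:
        return ""
    return m.group("src_ip").strip("[]")   # beyond the gist: '[2001:db8::1]' -> '2001:db8::1'


def parse_line(line):
    """Return the evt.Meta dict the parser chain would produce, or None if no node matches."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    message = json.loads(m.group("json_message"))   # UnmarshalJSON(..., "message")
    return {
        "service": "maddy",
        "log_type": SUMMARIES[m.group("summary")],
        "summary": m.group("summary"),
        "protocol": m.group("protocol"),
        "username": message.get("username", ""),    # evt.Unmarshaled.message.username ?? ""
        "count": message.get("count", 0),           # evt.Unmarshaled.message.count ?? 0
        "source_ip": source_ip(message.get("src_ip", "")),
    }


# Constructed sample lines in maddy's "<ts> <proto>: <summary> <json>" shape (not real log data).
SAMPLE_LINES = [
    '2025-01-15T21:43:00.000Z smtp: authentication failed '
    '{"reason":"invalid credentials","src_ip":"203.0.113.7:51234","username":"alice"}',
    '2025-01-15T21:44:10.000Z smtp: too many RCPT errors, possible dictionary attack '
    '{"count":5,"msg_id":"constructed-id","src_ip":"[2001:db8::1]:40000"}',
    '2025-01-15T21:45:00.000Z imap: connection closed {"src_ip":"198.51.100.9:2222"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

The third sample shows the filter behaviour: a maddy line whose summary is not one of the three patterns produces no event, so it can never feed a scenario. The bracket point matters for remediation: with the gist's `.*` before `\:\d+$`, an IPv6 client ends up in `evt.Meta.source_ip` as `[2001:db8::1]`, which a bouncer will not treat as a valid address, so IPv6 brute-forcers would be detected but not blocked.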
```yaml
# scenario: bdeshi/maddy-bad-auth
name: bdeshi/maddy-bad-auth
description: "Detect bad authentication in Maddy"
type: leaky
filter: "evt.Meta.service == 'maddy' && evt.Meta.log_type == 'maddy_bad-auth'"
leakspeed: 3m
capacity: 3
groupby: evt.Meta.source_ip
blackhole: 10m
labels:
  service: maddy
  remediation: true
  confidence: 3
  spoofable: 0
  classification:
    - attack.T1110
  behavior: "generic:bruteforce"
  label: "Maddy bad auth"
```

```yaml
# scenario: bdeshi/maddy-scan
name: bdeshi/maddy-scan
description: "Detect Maddy email address scan"
type: trigger
filter: "evt.Meta.service == 'maddy' && evt.Meta.log_type == 'maddy_scan'"
groupby: evt.Meta.source_ip
blackhole: 1m
labels:
  confidence: 2
  spoofable: 0
  remediation: true
  classification:
    - attack.T1595
    - attack.T1589.002
  behavior: "generic:scan"
  service: maddy
  label: "Maddy address scan"
```
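An added simulation (not part of the gist, and not CrowdSec's bucket implementation) of how the two scenarios above behave on a stream of parsed events, so the `capacity` / `leakspeed` / `blackhole` numbers can be sanity-checked before deploying. It models a leaky bucket as a level that rises by one per event, drains by one per `leakspeed`, overflows when the level would exceed `capacity`, and then stays silent for `blackhole`; a `trigger` scenario is treated as the special case `capacity: 0`. One bucket is kept per `source_ip`, as `groupby: evt.Meta.source_ip` does. The event streams and the `LeakyBucket`, `run_scenario`, `BURST` and `SLOW` names are this example's own constructed input.

```python
from datetime import datetime, timedelta


class LeakyBucket:
    """Simplified model of a CrowdSec leaky bucket (an assumption, not the real code):
    holds up to `capacity` events, drains one event every `leakspeed`, and after an
    overflow is muted for `blackhole`. A trigger scenario is capacity=0."""

    def __init__(self, capacity, leakspeed, blackhole):
        self.capacity = capacity
        self.leakspeed = leakspeed
        self.blackhole = blackhole
        self.level = 0.0          # events currently in the bucket (fractional after draining)
        self.last_ts = None
        self.muted_until = None

    def push(self, ts):
        """Feed one matching event at time ts; return True if it overflows the bucket."""
        if self.muted_until is not None and ts < self.muted_until:
            return False                      # blackhole: an alert was already raised
        if self.last_ts is not None and self.leakspeed:
            drained = (ts - self.last_ts) / self.leakspeed
            self.level = max(0.0, self.level - drained)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:        # the event that exceeds capacity overflows
            self.level = 0.0
            self.last_ts = None
            self.muted_until = ts + self.blackhole
            return True
        return False


def run_scenario(events, capacity, leakspeed, blackhole):
    """events: (timestamp, source_ip) pairs that already passed the scenario's filter.
    Buckets are keyed per source_ip like `groupby: evt.Meta.source_ip`.
    Returns the (timestamp, source_ip) pairs at which an alert would be raised."""
    buckets = {}
    alerts = []
    for ts, ip in events:
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leakspeed, blackhole))
        if bucket.push(ts):
            alerts.append((ts, ip))
    return alerts


T0 = datetime(2025, 1, 15, 21, 43, 0)
# Constructed event streams (one entry per parsed maddy_bad-auth line; TEST-NET addresses).
BURST = [(T0 + timedelta(seconds=10 * i), "203.0.113.7") for i in range(12)]  # 12 failures, 10 s apart
SLOW = [(T0 + timedelta(minutes=5 * i), "198.51.100.9") for i in range(12)]   # 12 failures, 5 min apart

# The two scenarios' bucket settings from the gist.
BAD_AUTH = dict(capacity=3, leakspeed=timedelta(minutes=3), blackhole=timedelta(minutes=10))
SCAN = dict(capacity=0, leakspeed=timedelta(0), blackhole=timedelta(minutes=1))  # type: trigger

if __name__ == "__main__":
    for ts, ip in run_scenario(BURST + SLOW, **BAD_AUTH):
        print(f"maddy-bad-auth overflow at {ts:%H:%M:%S} for {ip}")
    for ts, ip in run_scenario(BURST, **SCAN):
        print(f"maddy-scan overflow at {ts:%H:%M:%S} for {ip}")
```

Two things the simulation makes visible. Under `bdeshi/maddy-bad-auth`, the burst source overflows on its fourth failure (30 s in) and then produces nothing more for the 10-minute blackhole, while the slow source, spaced 5 minutes apart, never overflows because the 3-minute leak drains each failure before the next arrives; a password-spraying client that paces itself slower than `leakspeed` stays under this scenario, which is why the `maddy_scan` events maddy itself emits for repeated RCPT/MAIL FROM errors are covered by a separate trigger scenario. Under `bdeshi/maddy-scan`, the first matching event fires immediately and the 1-minute blackhole then collapses the rest of the burst into one alert per minute.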