feat: add Postfix slow brute-force and HELO rejection scenarios #1695
Etilem wants to merge 5 commits into
8dabf51 to 11bd514
Hi, Thanks for your contribution!

Add slow brute-force detection scenarios for Postfix SMTP authentication and evasive HELO rejection attacks:
- melite/postfix-slow-bf (leakspeed 900s, capacity 7)
- melite/postfix-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-helo-very-slow (leakspeed 4h, capacity 5)

Includes parser melite/postfix-submission-auth (s01-parse) for port 587 auth failures invisible to standard parsers, and hub tests.

Address reviewer feedback: add disconnect auth failure detection directly to crowdsecurity/postfix-logs instead of a separate melite/postfix-submission-auth parser.
- Add grok node for 'disconnect from ... auth=0/N' pattern
- Remove melite/postfix-submission-auth parser and markdown
- Update test configs to reference modified parser
- Rewrite parser assertions for new pipeline structure

All 5 hubtest tests pass (parser + 4 scenarios).
11bd514 to 5e1ed83
Remove stale reference to deleted melite/postfix-submission-auth parser. The submission auth pattern is now part of crowdsecurity/postfix-logs.
Hi @sabban, thanks for the feedback! I've removed the custom melite/postfix-submission-auth parser and extended crowdsecurity/postfix-logs instead. The new grok pattern extracts auth=0/N from Postfix disconnect lines and tags them with log_type_enh : submission-auth-failed. Changes in commits 5e1ed83 and 1a0f909. The submission scenarios now reference crowdsecurity/postfix-logs as their dependency. Let me know if anything else needs adjusting!
Pull request overview
This PR adds new CrowdSec Postfix scenarios to detect evasive/slow SMTP AUTH brute-force activity (including submission/587 cases where failures only appear in disconnect summaries) and very-slow HELO rejection spam behavior, along with parser and hubtest updates to support/validate these detections.
Changes:
- Add new `melite/` leaky-bucket scenarios for slow/very-slow Postfix AUTH brute-force and very-slow HELO rejections (plus `_user-enum` variants where applicable).
- Extend `crowdsecurity/postfix-logs` to extract `auth=0/N` from disconnect lines and tag as `log_type_enh: submission-auth-failed`.
- Add hubtests (scenario + parser assertions) for the new scenarios and the new submission disconnect parsing.
Reviewed changes
Copilot reviewed 23 out of 28 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scenarios/melite/postfix-very-slow-bf.yaml | Adds a 24h-window Postfix AUTH brute-force scenario and _user-enum variant. |
| scenarios/melite/postfix-very-slow-bf.md | Documents the very-slow AUTH brute-force scenario behavior and dependencies. |
| scenarios/melite/postfix-submission-very-slow-bf.yaml | Adds a 24h-window submission/587 brute-force scenario based on disconnect summary auth counters. |
| scenarios/melite/postfix-submission-very-slow-bf.md | Documents the submission/587 scenario and its parser dependency. |
| scenarios/melite/postfix-slow-bf.yaml | Adds a 2h-window "slow" Postfix AUTH brute-force scenario and _user-enum variant. |
| scenarios/melite/postfix-slow-bf.md | Documents the slow AUTH brute-force scenario behavior and dependencies. |
| scenarios/melite/postfix-helo-very-slow.yaml | Adds a 24h-window HELO rejection scenario for very slow spammer behavior. |
| scenarios/melite/postfix-helo-very-slow.md | Documents the very-slow HELO rejection scenario behavior and dependencies. |
| parsers/s01-parse/crowdsecurity/postfix-logs.yaml | Extends Postfix parsing to detect auth=0/N in disconnect lines and tag events accordingly. |
| .tests/postfix-very-slow-bf/scenario.assert | Verifies the melite/postfix-very-slow-bf scenario triggers as expected. |
| .tests/postfix-very-slow-bf/postfix-very-slow-bf.log | Test fixture log for very-slow AUTH failures. |
| .tests/postfix-very-slow-bf/parser.assert | Verifies parser output used by the very-slow AUTH scenario. |
| .tests/postfix-very-slow-bf/config.yaml | Hubtest configuration for the very-slow AUTH scenario. |
| .tests/postfix-submission-very-slow-bf/scenario.assert | Verifies the submission/587 very-slow scenario triggers as expected. |
| .tests/postfix-submission-very-slow-bf/postfix-submission-very-slow-bf.log | Test fixture log with disconnect summary auth=0/N lines. |
| .tests/postfix-submission-very-slow-bf/parser.assert | Verifies parsing of auth_attempts and submission-auth-failed tagging. |
| .tests/postfix-submission-very-slow-bf/config.yaml | Hubtest configuration for the submission/587 scenario. |
| .tests/postfix-submission-auth/postfix-submission-auth.log | Parser-focused fixture to validate auth=0/N extraction across hosts. |
| .tests/postfix-submission-auth/parser.assert | Assertions for the submission disconnect parsing behavior. |
| .tests/postfix-submission-auth/config.yaml | Hubtest configuration for the parser-only submission auth extraction test. |
| .tests/postfix-slow-bf/scenario.assert | Verifies the slow AUTH scenario triggers as expected. |
| .tests/postfix-slow-bf/postfix-slow-bf.log | Test fixture log for slow AUTH failures. |
| .tests/postfix-slow-bf/parser.assert | Verifies parser output used by the slow AUTH scenario. |
| .tests/postfix-slow-bf/config.yaml | Hubtest configuration for the slow AUTH scenario. |
| .tests/postfix-helo-very-slow/scenario.assert | Verifies the very-slow HELO rejection scenario triggers as expected. |
| .tests/postfix-helo-very-slow/postfix-helo-very-slow.log | Test fixture log for HELO rejection events. |
| .tests/postfix-helo-very-slow/parser.assert | Verifies parser output used by the very-slow HELO scenario. |
| .tests/postfix-helo-very-slow/config.yaml | Hubtest configuration for the very-slow HELO scenario. |
| - grok: | ||
| apply_on: message | ||
| pattern: 'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}' | ||
| statics: | ||
| - meta: log_type_enh | ||
| value: submission-auth-failed |
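Review bot: the grok node tags every `disconnect from ... auth=0/N` line as `submission-auth-failed`, but nothing in `pattern: 'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}'` restricts it to the submission service; a port-25 `postfix/smtpd` disconnect summary carrying `auth=0/N` would receive the same `log_type_enh` value. If that is intended, a comment on the node should say so; otherwise anchor the node on the program name (or whatever meta field the parser already fills with the service) so the tag means what its name says. It is also worth adding a negative assertion to the parser hubtest for a successful session (`auth=1/1`), which must not match this node, so that a later relaxation of the pattern is caught.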
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@copilot review
| - grok: | ||
| apply_on: message | ||
| pattern: 'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}' | ||
| statics: | ||
| - meta: log_type_enh | ||
| value: submission-auth-failed |
| type: leaky | ||
| name: melite/postfix-slow-bf | ||
| description: "Detect slow Postfix SMTP AUTH bruteforce (distributed attacks)" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" |
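Review bot: the filter `evt.Meta.log_type_enh == 'spam-attempt'` is broader than the description "Detect slow Postfix SMTP AUTH bruteforce" suggests; if the parser applies that same `log_type_enh` value to other rejected SMTP activity, non-auth events would fill this bucket and the `_user-enum` variant that uses the identical filter. Either confirm in the scenario hubtest that only SASL authentication failures carry this tag, or narrow the filter to the tag the parser sets for auth failures so the bucket counts what the description promises.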
| type: leaky | ||
| name: melite/postfix-slow-bf_user-enum | ||
| description: "Detect slow Postfix SASL user enumeration" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" |
| description: "Detect slow Postfix SASL user enumeration" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" | ||
| groupby: evt.Meta.source_ip | ||
| distinct: evt.Meta.sasl_username |
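Review bot: with `distinct: evt.Meta.sasl_username` and a filter that does not require the field to be present, an event whose `sasl_username` is empty still counts as one distinct value and can contribute to the overflow. Consider appending `&& evt.Meta.sasl_username != ''` to the filter so only named login attempts count toward enumeration, and add a fixture line without a username to the hubtest to show it is ignored.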
| type: leaky | ||
| name: melite/postfix-very-slow-bf | ||
| description: "Detect very slow Postfix SMTP AUTH bruteforce (evasive attacks)" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" |
| type: leaky | ||
| name: melite/postfix-very-slow-bf_user-enum | ||
| description: "Detect very slow Postfix SASL user enumeration" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" |
| description: "Detect very slow Postfix SASL user enumeration" | ||
| filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'" | ||
| groupby: evt.Meta.source_ip | ||
| distinct: evt.Meta.sasl_username |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary

Add slow brute-force detection scenarios for Postfix SMTP authentication (port 25 and port 587) and evasive HELO rejection attacks. Extends the existing `crowdsecurity/postfix-logs` parser for submission port auth failures that are invisible to standard parsers.

Developed and tested on a production mail server handling 17 domains, where these scenarios detected persistent evasive attacks that standard Postfix scenarios missed entirely.

Problem

Standard CrowdSec Postfix detection has two major gaps:
- Slow SASL brute-force on port 25: `crowdsecurity/postfix-bf` has a short detection window. Attackers spacing attempts 15+ minutes apart evade it completely.
- Port 587 (submission) auth failures are invisible: When using STARTTLS on port 587, Postfix does NOT log explicit "SASL authentication failed" messages. Auth failures only appear as `auth=0/N` in disconnect summary lines — no standard parser extracts this information.
- Slow HELO rejection attacks: `crowdsecurity/postfix-helo-rejected` has a ~10 minute window. Evasive spammers sending invalid HELO commands ~70 minutes apart go undetected.

Scenarios
- `melite/postfix-slow-bf`
- `melite/postfix-very-slow-bf`
- `melite/postfix-submission-very-slow-bf`
- `melite/postfix-helo-very-slow`

The first two scenarios include `_user-enum` variants (using `distinct` on `sasl_username`).

Parser change

`crowdsecurity/postfix-logs` (s01-parse): Extended with a new grok pattern that extracts `auth=0/N` from Postfix disconnect lines. Tags matching lines with `log_type_enh: submission-auth-failed`.

Example log that was previously invisible:
postfix/submission/smtpd[1234]: disconnect from unknown[IP] ehlo=1 auth=0/1 quit=1 commands=2/3

Testing
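The two mechanisms this PR relies on, the disconnect-summary extraction and the leaky-bucket timing that decides whether a slow source ever overflows, can be replayed offline. The following is an added example written for this page; it is not code from the PR, from the CrowdSec hub or from the crowdsec engine. It assumes syslog lines prefixed with an ISO-8601 timestamp, approximates `%{RELAY}` as a non-space token and `%{DATA}` as a lazy match, models a CrowdSec leaky bucket as a token bucket (burst = capacity, one token refilled per leakspeed, overflow when an event arrives and no whole token is left), and uses the leakspeed/capacity values stated in the commit messages. The log lines are constructed, and the scenario filters that select events are not modelled, only the bucket arithmetic.

```python
import re
from datetime import datetime, timedelta
from fractions import Fraction

# Regex equivalent of the grok node added to crowdsecurity/postfix-logs:
#   'disconnect from %{RELAY} %{DATA}auth=0/%{INT:auth_attempts}'
# Assumptions: %{RELAY} approximated as a non-space token, %{DATA} as a lazy .*?,
# and the program name captured so the service (smtpd vs submission/smtpd) is visible.
DISCONNECT_RE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: disconnect from (?P<relay>\S+) "
    r"(?P<counters>.*?)auth=0/(?P<auth_attempts>\d+)"
)

# capacity / leakspeed as stated in the PR commits (capacity first, matching first_overflow)
SCENARIOS = {
    "melite/postfix-slow-bf": (7, timedelta(seconds=900)),
    "melite/postfix-very-slow-bf": (5, timedelta(hours=4)),
    "melite/postfix-submission-very-slow-bf": (5, timedelta(hours=4)),
    "melite/postfix-helo-very-slow": (5, timedelta(hours=4)),
}

START = datetime.fromisoformat("2024-03-03T10:00:00+00:00")  # constructed fixture start


def parse_disconnect(line):
    """Extract a failed-auth disconnect summary; None for any other line
    (a successful session logs auth=1/1 and must not be tagged).
    Assumes the line starts with an ISO-8601 timestamp (rsyslog/journald style)."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    ip = re.search(r"\[([^\]]+)\]", m.group("relay"))  # unknown[1.2.3.4] -> 1.2.3.4
    return {
        "ts": datetime.fromisoformat(line.split(" ", 1)[0]),
        "source_ip": ip.group(1) if ip else m.group("relay"),
        "service": m.group("service"),
        "auth_attempts": int(m.group("auth_attempts")),
    }


def first_overflow(timestamps, capacity, leakspeed):
    """Replay sorted event times through a bucket modelled as a token bucket:
    burst = capacity, one token refilled per leakspeed, overflow when an event
    arrives and no whole token is left (modelling assumption for CrowdSec's
    leaky bucket). Exact fractions avoid float errors right at the boundary.
    Returns (1-based event index, timestamp) of the overflow, or None."""
    tokens = Fraction(capacity)
    last = None
    for i, ts in enumerate(timestamps, start=1):
        if last is not None:
            refill = Fraction(int((ts - last).total_seconds()), int(leakspeed.total_seconds()))
            tokens = min(Fraction(capacity), tokens + refill)
        last = ts
        if tokens < 1:
            return i, ts
        tokens -= 1
    return None


def spaced_timeline(start, spacing, count):
    """count events, one every spacing: a single source keeping a steady pace."""
    return [start + spacing * i for i in range(count)]


def build_sample_log():
    """Constructed fixture (not the PR's hubtest logs): one client failing a login
    on port 587 every 16 minutes, one successful login, one failure on port 25."""
    lines = []
    for i, t in enumerate(spaced_timeline(START, timedelta(minutes=16), 6)):
        lines.append(f"{t.isoformat()} mx postfix/submission/smtpd[{1200 + i}]: disconnect from "
                     "unknown[198.51.100.7] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5")
    lines.append(f"{(START + timedelta(minutes=20)).isoformat()} mx postfix/submission/smtpd[1300]: "
                 "disconnect from mail.example.org[203.0.113.5] ehlo=2 starttls=1 auth=1/1 "
                 "mail=1 rcpt=1 data=1 quit=1 commands=8")
    lines.append(f"{(START + timedelta(minutes=30)).isoformat()} mx postfix/smtpd[1400]: disconnect from "
                 "unknown[192.0.2.9] ehlo=1 auth=0/3 rset=1 quit=1 commands=3/6")
    return lines


def failed_auth_events(lines):
    return [e for e in map(parse_disconnect, lines) if e is not None]


def attacker_timeline(lines, source_ip):
    """groupby source_ip, as the scenarios do."""
    return sorted(e["ts"] for e in failed_auth_events(lines) if e["source_ip"] == source_ip)


def evaluate(timestamps):
    """Which scenarios would overflow on this timeline (bucket parameters only)."""
    return {name: first_overflow(timestamps, cap, ls) for name, (cap, ls) in SCENARIOS.items()}


def overflow_for_spacing(spacing_seconds, count, scenario):
    """Event number at which a source pacing itself at spacing_seconds overflows, or None."""
    cap, ls = SCENARIOS[scenario]
    hit = first_overflow(spaced_timeline(START, timedelta(seconds=spacing_seconds), count), cap, ls)
    return hit[0] if hit else None


if __name__ == "__main__":
    tl = attacker_timeline(build_sample_log(), "198.51.100.7")
    for name, hit in evaluate(tl).items():
        print(name, f"overflow at event {hit[0]} ({hit[1]})" if hit else "no overflow")
```

Running it shows the point of the 4h buckets: a source failing a login every 16 minutes never overflows the 900s/7 bucket (it refills faster than it drains), while the 4h/5 bucket overflows on the sixth attempt, 80 minutes in; the same arithmetic puts a 70-minute HELO cadence over the 4h/5 threshold on the seventh rejection. The port-25 line shows that the pattern, as written, also matches `postfix/smtpd` summaries, so the `submission-auth-failed` tag should be read as "disconnect summary with failed auth" unless the parser is anchored on the service.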