Dev/new pattern sshd logs for synology

[lachapette]

Description

Add Synology-specific patterns and tests for invalid user authentication (SSH and DSM logs API)

Impact: Enhances detection of brute force attacks on Synology devices (SSH and DSM API) with patterns specific to Synology DSM 7.x log formats.

1. SSH Parser (sshd-logs.yaml)

New pattern for Synology DSM 7.x:

• Added Pattern: SSHD_INVALID_USER_SYNO: 'pam_%{DATA:pam_type}(sshd:auth): Can.t get user uid (%{USERNAME: sshd_invalid_user})'
  • Associated grok node with metadata:
    • log_type: ssh_failed-auth
    • target_user: evt.Parsed.sshd_invalid_user
  • Example log covered:
    • pam_syno_log_fail(sshd:auth): Can't get user uid (zm)

2. DSM Parser (synology-dsm-logs.yaml)

Updated Pattern:

• Old: AUTH_LOG_FAIL: 'pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}'
• New: Added (\s+user=%{USERNAME:sshd_invalid_user})? to capture the username
• Example log covered:
  • pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.4.2.116 user=admin

3. New Scenario

synology-dsm-bf-slow-1h.yaml:

• Type: leaky
• Filter: evt.Meta.log_type == 'synology-dsm_failed_auth'
• Strategy: Slow detection over 1 hour (leakspeed: "1h", capacity: 10)
• Group by: source_ip
• Blackhole: 10h
• Added to the crowdsecurity/synology-dsm collection

4. Tests Added

Component	Files created	Lines
SSH BF Tests	config.yaml, parser.assert (760 lines), scenario.assert, synology-dsm-ssh-bf.log (21 lines)	802+
DSM Slow Tests	config.yaml, parser.assert (829 lines), scenario.assert (49 lines), synology-dsm-logs-bf-slow.log (61 lines)	952+
Existing DSM Tests	Updated parser.assert (+65 lines) and synology-dsm-logs.log (+5 lines)	71+

Checklist

• I have read the contributing guide
• I have tested my changes locally
• For new parsers or scenarios, tests have been added
• I have run the hub linter and no issues were reported (see contributing guide)
• Automated tests are passing
• AI was used to generate any/all content of this PR

[lachapette]

@crowdsecurity/team-hub , @dimatha , @maximelouet , @buixor , @sabban Could you please review this PR ?

[blotus]

Unrelated change ?

[lachapette]

Yes. Due to a taxonomy check inherited from https://github.com/lachapette/crowdsecurity-hub/tree/dependabot/uv/uv-c30c77f42d
I don't know how to bypass it.

[blotus]

Unrelated change ?

[lachapette]

Yes. Due to a taxonomy check inherited from https://github.com/lachapette/crowdsecurity-hub/tree/dependabot/uv/uv-c30c77f42d
I don't know how to bypass it.

[blotus]

This file being empty for a scenario test likely means your scenario did not work as expected.

[lachapette]

It works on runtime but i can't push it with scenario success due slow bruteforce in logs above several hours. It does not work in tests scenarios. If there is a way tell me i will rework it.

[blotus]

Looks like there's a typo in the pattern: can.t vs can't.

The logs you provided for the tests are using can't.

[lachapette]

i didn't succeeded to escape ' character in the regex as it is enclosed by 2 ' characters so i match it with a dot. There is not impact.

[blotus]

Don't move the statics, if we ever add another pattern in the file, we would need to move them back on top level

[lachapette]

Ok i will put it back.

[blotus]

Don't use the crowdsecurity namespace.

[lachapette]

Ok i can create a new namespace but it will be duplicated for further maintainability ?

[blotus]

Unrelated changes

[lachapette]

Same reason as above due to classification error string expected instead of list when running tests.

[blotus]

Unrelated changes

[lachapette]

This is automated style fixing IDE (IntelliJ). i can revert it.

[blotus]

Unrelated changes

[lachapette]

Yes same root cause due to taxonomy MR with dependency bot.

[blotus]

Unrelated change

[lachapette]

is a mistake i guess. You want it reverted or in another MR ?