Add Guezli/mailcow-f2b-feed parser + scenario#1807
Open
Guezli wants to merge 1 commit into
Propagates Mailcow's internal F2B bans (from the netfilter-mailcow container) into the local Crowdsec LAPI so the host-side nftables-bouncer acts on SOGo/rspamd/admin-UI bans that Crowdsec wouldn't catch on its own.

Two artefacts in one PR:

- parsers/s01-parse/Guezli/mailcow-f2b-bans.yaml
  Parses both "Banning <IP>/<N> for <M> minutes" (auto-ban) and "Added host/network <IP> to denylist" (manual F2B_BLACKLIST entry) log lines, extracting source_ip plus ban_duration_min and the ISO-8601 timestamp as evt.StrTime.
- scenarios/Guezli/mailcow-f2b-feed.yaml
  Trigger-style scenario keyed off log_type=mailcow_f2b_ban produced by the parser, blackhole 1h to dedupe ban-renew lines.

Acquisition is the netfilter-mailcow docker container with labels.type=mailcow-f2b; see the rendered .md files for snippets.
Description
Adds a parser + scenario pair that propagates Mailcow's internal F2B bans (from the netfilter-mailcow container) into the local Crowdsec LAPI, so the host-side nftables-bouncer sees and acts on bans that Crowdsec wouldn't catch on its own (SOGo webmail UI, rspamd admin UI, Mailcow-specific dovecot/postfix patterns).

Two artefacts in one PR:

- parsers/s01-parse/Guezli/mailcow-f2b-bans.yaml — parses both auto-bans (Banning <IP>/<N> for <M> minutes) and manual perm-bans (Added host/network <IP> to denylist) from the netfilter-mailcow stdout.
- scenarios/Guezli/mailcow-f2b-feed.yaml — trigger-style scenario that turns each parsed ban into a Crowdsec LAPI decision.

Acquisition: netfilter-mailcow docker container with labels.type: mailcow-f2b (snippet in the rendered .md).

Checklist

- pattern_syntax + grok extraction (source_ip, ban_duration_min, evt.StrTime).
- .md documentation for both parser and scenario, including acquisition example.
- tests/mailcow-f2b-feed/ passing locally (cscli hubtest run mailcow-f2b-feed --clean -> all tests passed).
- hublint check clean (0 warnings, 0 errors).
- 198.51.100.0/24, 203.0.113.0/24)

AI assistance
Claude Code was used to port the parser + scenario from my personal repo
(https://github.com/Guezli/crowdsec-mailcow-f2b-feed) into Hub format, add the
timestamp extraction needed for hubtest forensic mode, generate the hubtest
assertions, and structure the documentation. The detection logic and
Mailcow-internal-F2B mapping are my own work; I can explain every part of the
contribution.
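The parse-then-dedupe pipeline the PR description outlines, modelled as a stand-alone Python script. This is an added example, not the PR's YAML parser or scenario and not code from the Guezli/crowdsec-mailcow-f2b-feed repository. It assumes that an ISO-8601 timestamp precedes each F2B message on the line, that a host ban (/32 or /128) maps to an Ip-scoped decision and a wider prefix to a Range-scoped one, and it runs over constructed log lines; the blackhole logic mirrors the 1h dedupe the scenario uses so that ban-renew lines do not produce duplicate decisions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines for illustration (not captured netfilter-mailcow output);
# they assume an ISO-8601 timestamp precedes the F2B message. The addresses are
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z Banning 203.0.113.5/32 for 60 minutes
2024-05-01T12:05:00Z Banning 203.0.113.5/32 for 60 minutes
2024-05-01T12:10:00Z Added host/network 198.51.100.0/24 to denylist
2024-05-01T12:15:00Z Something unrelated happened
2024-05-01T13:30:00Z Banning 203.0.113.5/32 for 60 minutes
"""

# Regex equivalents of the parser's two line shapes: auto-ban and manual denylist entry.
BAN_RE = re.compile(
    r"^(?P<ts>\S+) Banning (?P<ip>[0-9A-Fa-f.:]+)/(?P<prefix>\d+) for (?P<minutes>\d+) minutes$"
)
DENY_RE = re.compile(
    r"^(?P<ts>\S+) Added host/network (?P<ip>[0-9A-Fa-f.:]+)(?:/(?P<prefix>\d+))? to denylist$"
)


@dataclass
class BanEvent:
    """Fields the parser populates: log_type, source_ip, ban_duration_min, evt.StrTime."""
    log_type: str
    source_ip: str
    prefix: Optional[int]             # None when the line carried a bare address
    ban_duration_min: Optional[int]   # None = permanent (manual denylist entry)
    str_time: str

    @property
    def timestamp(self) -> datetime:
        # Normalise a trailing 'Z' so fromisoformat accepts it on older Pythons.
        return datetime.fromisoformat(self.str_time.replace("Z", "+00:00"))

    @property
    def is_host(self) -> bool:
        return self.prefix in (None, 32, 128)

    @property
    def value(self) -> str:
        # Decision value: bare IP for a host ban, CIDR for a network ban.
        return self.source_ip if self.is_host else f"{self.source_ip}/{self.prefix}"


def parse_line(line: str) -> Optional[BanEvent]:
    """Return a BanEvent for the two known F2B line shapes, else None (line is dropped)."""
    m = BAN_RE.match(line)
    if m:
        return BanEvent("mailcow_f2b_ban", m["ip"], int(m["prefix"]), int(m["minutes"]), m["ts"])
    m = DENY_RE.match(line)
    if m:
        prefix = int(m["prefix"]) if m["prefix"] is not None else None
        return BanEvent("mailcow_f2b_ban", m["ip"], prefix, None, m["ts"])
    return None


@dataclass
class Decision:
    value: str                   # "203.0.113.5" or "198.51.100.0/24"
    scope: str                   # "Ip" or "Range" (assumed mapping, not the PR's own choice)
    duration_min: Optional[int]  # None = permanent
    at: datetime


class F2BFeedScenario:
    """Trigger-type scenario with a blackhole: fire once per source value, then ignore
    that source for `blackhole` (1h in the PR) so ban-renew lines are deduplicated."""

    def __init__(self, blackhole: timedelta = timedelta(hours=1)) -> None:
        self.blackhole = blackhole
        self._last_fire: Dict[str, datetime] = {}

    def process(self, evt: BanEvent) -> Optional[Decision]:
        if evt.log_type != "mailcow_f2b_ban":      # scenario filter on the parser's log_type
            return None
        last = self._last_fire.get(evt.value)
        if last is not None and evt.timestamp - last < self.blackhole:
            return None                             # inside the blackhole window: suppressed
        self._last_fire[evt.value] = evt.timestamp
        return Decision(evt.value, "Ip" if evt.is_host else "Range", evt.ban_duration_min, evt.timestamp)


def run_feed(log_text: str, blackhole: timedelta = timedelta(hours=1)) -> List[Decision]:
    """Feed every line through parser and scenario; return the decisions that would reach LAPI."""
    scenario = F2BFeedScenario(blackhole)
    decisions: List[Decision] = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt is None:
            continue
        d = scenario.process(evt)
        if d is not None:
            decisions.append(d)
    return decisions


if __name__ == "__main__":
    for d in run_feed(SAMPLE_LOG):
        print(f"{d.at.isoformat()} {d.scope:5} {d.value:18} duration={d.duration_min}")
```

On the sample input the second "Banning" line at 12:05 is swallowed by the blackhole opened at 12:00, the denylist line yields a permanent Range decision, and the renew at 13:30 (90 minutes later) opens a fresh decision, which is the behaviour a 1h blackhole is meant to give.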