
Remove ineffective distinct from postfix-very-slow-bf_user-enum#1812

Draft
Copilot wants to merge 7 commits into master from copilot/fix-remove-distinct

Conversation

Contributor

Copilot AI commented May 27, 2026

Description

The review flagged that evt.Meta.sasl_username is not populated by crowdsecurity/postfix-logs, so the distinct condition made the user-enum variant effectively non-functional. This PR applies the requested minimal fix by removing only that distinct directive.

  • Scope
    • Update scenarios/melite/postfix-very-slow-bf.yaml only.
  • Change
    • In melite/postfix-very-slow-bf_user-enum, remove:
      distinct: evt.Meta.sasl_username
  • Resulting rule fragment
    type: leaky
    name: melite/postfix-very-slow-bf_user-enum
    filter: "evt.Meta.log_type == 'postfix' && evt.Meta.log_type_enh == 'spam-attempt'"
    groupby: evt.Meta.source_ip
    leakspeed: "4h"
    capacity: 5

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR
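
The leaky-bucket behaviour the description relies on (capacity 5, leakspeed 4h, one bucket per source_ip, and why a `distinct` on a field the parser never populates keeps the bucket from ever filling), as an added simulation. This is not the PR's code nor CrowdSec's own implementation; the bucket model, the event dictionaries and the sample IPs are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

CAPACITY = 5                    # from the rule fragment in the PR description
LEAKSPEED = timedelta(hours=4)  # from the rule fragment in the PR description


def spam_events(source_ip, count, spacing_minutes, start=datetime(2026, 5, 27, 14, 18)):
    """Constructed postfix 'spam-attempt' events from one source IP, evenly spaced.
    sasl_username is deliberately absent, mirroring what the parser emits."""
    return [{"time": start + timedelta(minutes=i * spacing_minutes),
             "meta": {"log_type": "postfix", "log_type_enh": "spam-attempt",
                      "source_ip": source_ip}} for i in range(count)]


def run_scenario(events, capacity=CAPACITY, leakspeed=LEAKSPEED,
                 groupby="source_ip", distinct=None):
    """Simplified leaky-bucket model (assumed here, not CrowdSec's code).
    One bucket per groupby value; each bucket leaks one event per leakspeed
    and overflows when an event pushes its level above capacity. With
    `distinct`, an event pours only if its distinct value is new to the bucket.
    Returns a list of (groupby value, overflow time)."""
    buckets, overflows = {}, []
    for evt in sorted(events, key=lambda e: e["time"]):
        meta = evt["meta"]
        if meta.get("log_type") != "postfix" or meta.get("log_type_enh") != "spam-attempt":
            continue                                    # scenario filter
        key = meta.get(groupby)
        b = buckets.setdefault(key, {"level": 0.0, "last": evt["time"], "seen": set()})
        b["level"] = max(0.0, b["level"] - (evt["time"] - b["last"]) / leakspeed)
        b["last"] = evt["time"]
        if distinct is not None:
            value = meta.get(distinct, "")              # missing field -> "" every time
            if value in b["seen"]:
                continue                                # duplicate value: not poured
            b["seen"].add(value)
        b["level"] += 1
        if b["level"] > capacity:
            overflows.append((key, evt["time"]))
            b["level"], b["seen"] = 0.0, set()          # bucket resets after overflow
    return overflows


if __name__ == "__main__":
    burst = spam_events("203.0.113.7", 6, 30)           # 6 attempts, 30 min apart
    print(run_scenario(burst))                          # overflows on the 6th event
    print(run_scenario(burst, distinct="sasl_username"))  # []: only the 1st event pours
    print(run_scenario(spam_events("203.0.113.7", 6, 300)))  # []: leaks faster than it fills
```

The second call reproduces the review finding: with sasl_username absent, every event carries the same empty distinct value, so the bucket never gets past one event and the user-enum variant cannot trigger.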

Étienne LEMÉE and others added 6 commits May 27, 2026 14:18
Add slow brute-force detection scenarios for Postfix SMTP authentication
and evasive HELO rejection attacks:
- melite/postfix-slow-bf (leakspeed 900s, capacity 7)
- melite/postfix-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-helo-very-slow (leakspeed 4h, capacity 5)

Includes parser melite/postfix-submission-auth (s01-parse) for port 587
auth failures invisible to standard parsers, and hub tests.
Address reviewer feedback: add disconnect auth failure detection
directly to crowdsecurity/postfix-logs instead of a separate
melite/postfix-submission-auth parser.

- Add grok node for 'disconnect from ... auth=0/N' pattern
- Remove melite/postfix-submission-auth parser and markdown
- Update test configs to reference modified parser
- Rewrite parser assertions for new pipeline structure

All 5 hubtest tests pass (parser + 4 scenarios).
Remove stale reference to deleted melite/postfix-submission-auth parser.
The submission auth pattern is now part of crowdsecurity/postfix-logs.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix code by removing distinct as per review comment" to "Remove ineffective distinct from postfix-very-slow-bf_user-enum" May 27, 2026
Copilot finished work on behalf of sabban May 27, 2026 14:21
Copilot AI requested a review from sabban May 27, 2026 14:21