
fix(postfix-very-slow-bf): remove distinct on sasl_username in user-enum variant#1813

Draft
Copilot wants to merge 8 commits into master from copilot/fix-remove-distinct-again

Conversation

Contributor

Copilot AI commented May 27, 2026

Description

evt.Meta.sasl_username is never populated by crowdsecurity/postfix-logs, so the distinct on that field in the postfix-very-slow-bf_user-enum variant would always evaluate against an empty value, making the bucket never overflow as intended.

Fix: Remove distinct: evt.Meta.sasl_username from the user-enum variant in scenarios/melite/postfix-very-slow-bf.yaml.

```yaml
# Before
groupby: evt.Meta.source_ip
distinct: evt.Meta.sasl_username  # removed — field never set by parser
leakspeed: "4h"

# After
groupby: evt.Meta.source_ip
leakspeed: "4h"
```

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR
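To illustrate the effect the description reports, here is a small simulation of a leaky bucket with `groupby`, `distinct`, `capacity` and `leakspeed`. It is an added example, not CrowdSec's or the hub's code, and it makes two modelling assumptions: one event leaks out every `leakspeed` seconds, and a `distinct` value already poured into a bucket is not poured again. Events are constructed flat dicts (`source_ip`, `sasl_username`) standing in for `evt.Meta.*`; capacity 5 and leakspeed 4h are the values the very-slow-bf scenario uses.

```python
"""Simplified leaky-bucket model showing why `distinct` on an unset field
never overflows. Modelling assumptions (not CrowdSec's exact internals):
- the bucket drains one event per `leakspeed` seconds;
- it overflows when it holds more than `capacity` events;
- with `distinct`, an event whose distinct value was already poured into
  this bucket is dropped (an unset field yields the same "" every time).
"""
from collections import defaultdict


def run_bucket(events, groupby, distinct=None, capacity=5, leakspeed=4 * 3600):
    """Feed events (dicts with 't' in seconds plus Meta-like fields) through
    one bucket per groupby value; return the set of keys that overflowed."""
    level = defaultdict(float)   # events currently held per bucket
    last = {}                    # timestamp of the previous pour per bucket
    seen = defaultdict(set)      # distinct values already poured per bucket
    overflowed = set()
    for ev in sorted(events, key=lambda e: e["t"]):
        key = ev.get(groupby, "")
        if key in overflowed:
            continue
        if distinct is not None:
            val = ev.get(distinct, "")   # unset field -> "" for every event
            if val in seen[key]:
                continue                 # duplicate distinct value: not poured
            seen[key].add(val)
        if key in last:                  # drain what leaked since last pour
            level[key] = max(0.0, level[key] - (ev["t"] - last[key]) / leakspeed)
        last[key] = ev["t"]
        level[key] += 1
        if level[key] > capacity:
            overflowed.add(key)
    return overflowed


# Constructed sample: 8 auth failures from one IP, one every 30 minutes,
# none carrying sasl_username (the parser never sets it).
SAMPLE = [{"t": i * 1800, "source_ip": "192.0.2.10"} for i in range(8)]
# Same events but with a distinct username each, i.e. what the user-enum
# variant was meant to count if the field were populated.
SAMPLE_WITH_NAMES = [dict(e, sasl_username=f"user{i}") for i, e in enumerate(SAMPLE)]


def before_fix():          # distinct on the never-set field: only 1 pour, no overflow
    return run_bucket(SAMPLE, "source_ip", distinct="sasl_username")


def after_fix():           # plain groupby: overflows on the 6th failure
    return run_bucket(SAMPLE, "source_ip")


def distinct_as_intended():  # distinct works once the field actually varies
    return run_bucket(SAMPLE_WITH_NAMES, "source_ip", distinct="sasl_username")
```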

Étienne LEMÉE and others added 6 commits March 27, 2026 07:44
Add slow brute-force detection scenarios for Postfix SMTP authentication
and evasive HELO rejection attacks:
- melite/postfix-slow-bf (leakspeed 900s, capacity 7)
- melite/postfix-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-submission-very-slow-bf (leakspeed 4h, capacity 5)
- melite/postfix-helo-very-slow (leakspeed 4h, capacity 5)

Includes parser melite/postfix-submission-auth (s01-parse) for port 587
auth failures invisible to standard parsers, and hub tests.
Address reviewer feedback: add disconnect auth failure detection
directly to crowdsecurity/postfix-logs instead of a separate
melite/postfix-submission-auth parser.

- Add grok node for 'disconnect from ... auth=0/N' pattern
- Remove melite/postfix-submission-auth parser and markdown
- Update test configs to reference modified parser
- Rewrite parser assertions for new pipeline structure

All 5 hubtest tests pass (parser + 4 scenarios).
Remove stale reference to deleted melite/postfix-submission-auth parser.
The submission auth pattern is now part of crowdsecurity/postfix-logs.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix code by removing distinct as suggested fix(postfix-very-slow-bf): remove distinct on sasl_username in user-enum variant May 27, 2026
Copilot finished work on behalf of sabban May 27, 2026 15:03
Copilot AI requested a review from sabban May 27, 2026 15:03

3 participants