-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect regular expression in crowdsecurity/exim-logs #978
Labels
good first issue
Good for newcomers
Comments
@MATPOCKuH: Thanks for opening an issue, it is currently awaiting triage. In the meantime, you can:
DetailsI am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository. |
Transferring to the hub |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened?
exim does not store "(set_id=target_user)" information in our log entry in some cases.
It's happens when server_set_id is not specified for some reasons, or when exim can't parse authentication data.
But pattern in exim-logs.yaml requires this parameter:
pattern: '%{EXIM_OPT_DATE}%{EXIM_AUTH:exim_auth} authenticator failed for %{EXIM_SOURCE}:(?:%{POSINT:source_port}:)? 535 Incorrect authentication data (set_id=%{NO_END_PAR:target_user})'
What did you expect to happen?
I expected a ban for IP on following log entries:
2024-02-15 03:49:17 login authenticator failed for (U8kjDR) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:17 login authenticator failed for (M1CPT5) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:29 login authenticator failed for (76U6My) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:29 login authenticator failed for (2skypH69b) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:40 login authenticator failed for (LUu8iT4) [same-spam-IP]: 535 Incorrect authentication data
How can we reproduce it (as minimally and precisely as possible)?
Remove or comment out server_set_id entry in exim's configuration file and try to brutforce authentication data.
Anything else we need to know?
No response
Crowdsec version
OS version
Enabled collections and parsers
Acquisition config
No response
Config show
No response
Prometheus metrics
No response
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
I'm using this parses as workaround:
The text was updated successfully, but these errors were encountered: