Incorrect regular expression in crowdsecurity/exim-logs

[MATPOCKuH]

What happened?

exim does not store "(set_id=target_user)" information in our log entry in some cases.
It's happens when server_set_id is not specified for some reasons, or when exim can't parse authentication data.
But pattern in exim-logs.yaml requires this parameter:
pattern: '%{EXIM_OPT_DATE}%{EXIM_AUTH:exim_auth} authenticator failed for %{EXIM_SOURCE}:(?:%{POSINT:source_port}:)? 535 Incorrect authentication data (set_id=%{NO_END_PAR:target_user})'

What did you expect to happen?

I expected a ban for IP on following log entries:
2024-02-15 03:49:17 login authenticator failed for (U8kjDR) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:17 login authenticator failed for (M1CPT5) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:29 login authenticator failed for (76U6My) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:29 login authenticator failed for (2skypH69b) [same-spam-IP]: 535 Incorrect authentication data
2024-02-15 03:49:40 login authenticator failed for (LUu8iT4) [same-spam-IP]: 535 Incorrect authentication data

How can we reproduce it (as minimally and precisely as possible)?

Remove or comment out server_set_id entry in exim's configuration file and try to brutforce authentication data.

Anything else we need to know?

No response

Crowdsec version

2024/02/19 10:16:30 version: v1.6.0-freebsd-4b8e6cd7 2024/02/19 10:16:30 Codename: alphaga 2024/02/19 10:16:30 BuildDate: 2024-01-31_12:39:15 2024/02/19 10:16:30 GoVersion: 1.21.5 2024/02/19 10:16:30 Platform: freebsd 2024/02/19 10:16:30 libre2: C++ 2024/02/19 10:16:30 Constraint_parser: >= 1.0, <= 3.0 2024/02/19 10:16:30 Constraint_scenario: >= 1.0, <= 3.0 2024/02/19 10:16:30 Constraint_api: v1 2024/02/19 10:16:30 Constraint_acquis: >= 1.0, < 2.0

OS version

FreeBSD xxx.xxx.xxx 13.2-STABLE FreeBSD 13.2-STABLE c79831b38 amd64 amd64

Enabled collections and parsers

name,status,version,description,type crowdsecurity/dateparse-enrich,enabled,0.2,,parsers crowdsecurity/dovecot-logs,enabled,0.8,Parse dovecot logs,parsers crowdsecurity/exim-logs,enabled,0.3,Parse exim logs,parsers crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers crowdsecurity/nginx-logs,enabled,1.5,Parse nginx access and error logs,parsers crowdsecurity/sshd-logs,"enabled,update-available",2.2,Parse openSSH logs,parsers crowdsecurity/syslog-logs,enabled,0.8,,parsers local/exim-bf,"enabled,local",,,parsers local/whitelist,"enabled,local",,,parsers crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.5,Detect cve-2021-44228 exploitation attemps,scenarios crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios crowdsecurity/CVE-2023-22518,enabled,0.2,Detect CVE-2023-22518 exploits,scenarios crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios crowdsecurity/dovecot-spam,enabled,0.5,detect errors on dovecot,scenarios crowdsecurity/exim-bf,enabled,0.3,Detect Exim brute force,scenarios crowdsecurity/exim-spam,enabled,0.3,Detect spam on Exim,scenarios crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios crowdsecurity/http-admin-interface-probing,enabled,0.3,Detect generic HTTP admin interface probing,scenarios crowdsecurity/http-backdoors-attempts,enabled,0.5,Detect attempt to common backdoors,scenarios crowdsecurity/http-bad-user-agent,enabled,1.1,Detect usage of bad User Agent,scenarios crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios crowdsecurity/http-generic-bf,enabled,0.6,Detect generic http brute force,scenarios crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios crowdsecurity/http-path-traversal-probing,enabled,0.3,Detect path traversal attempt,scenarios crowdsecurity/http-probing,enabled,0.3,Detect site scanning/probing from a single ip,scenarios crowdsecurity/http-sensitive-files,enabled,0.3,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios crowdsecurity/http-sqli-probing,enabled,0.3,A scenario that detects SQL injection probing with minimal false positives,scenarios crowdsecurity/http-xss-probing,enabled,0.3,A scenario that detects XSS probing with minimal false positives,scenarios crowdsecurity/jira_cve-2021-26086,enabled,0.2,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios crowdsecurity/thinkphp-cve-2018-20062,enabled,0.4,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios crowdsecurity/bf_base,enabled,0.1,,contexts crowdsecurity/http_base,enabled,0.2,,contexts crowdsecurity/base-http-scenarios,enabled,0.8,http common : scanners detection,collections crowdsecurity/dovecot,enabled,0.1,dovecot support : parser and spammer detection,collections crowdsecurity/exim,enabled,0.1,exim support : parser and bruteforce/spam detection,collections crowdsecurity/freebsd,enabled,0.1,core freebsd support : syslog+geoip+ssh,collections crowdsecurity/http-cve,enabled,2.5,Detect CVE exploitation in http logs,collections crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections crowdsecurity/sshd,"enabled,update-available",0.3,sshd support : parser and brute-force detection,collections

Acquisition config

No response

Config show

No response

Prometheus metrics

No response

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

I'm using this parses as workaround:

onsuccess: next_stage #debug: true filter: "evt.Parsed.program == 'exim'" name: local/exim-bf description: "Parse exim logs" pattern_syntax: NO_DOUBLE_QUOTE: '[^"]+' NO_END_BRACKET: '[^\]]+' NO_END_PAR: '[^\)]+' EXIM_AUTH: '(?:dovecot_)?(?:login|plain)' EXIM_SOURCE: '(?:%{HOSTNAME:source_dns} )?(?:\(%{NO_END_PAR:source_helo}\) )?\[%{IP:source_ip}\]' EXIM_OPT_DATE: '(:?%{EXIM_DATE:date} )?' EXIM_SOURCE_TLS: 'H=%{EXIM_SOURCE}(?::%{POSINT:source_port})? (:?X=%{NOTSPACE:tls_cipher} CV=(:?yes|no) )?' nodes: - grok: pattern: '%{EXIM_OPT_DATE}%{EXIM_AUTH:exim_auth} authenticator failed for %{EXIM_SOURCE}:(?:%{POSINT:source_port}:)? 535 Incorrect authentication data' apply_on: message statics: - meta: log_type value: exim_failed_auth statics: - meta: service value: exim - target: evt.StrTime expression: evt.Parsed.date - meta: source_ip expression: evt.Parsed.source_ip - meta: source_dns expression: evt.Parsed.source_dns - meta: source_helo expression: evt.Parsed.source_helo - meta: username expression: evt.Parsed.target_user

But I'm not sure, is it correct.

[github-actions]

@MATPOCKuH: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Transferring to the hub