diff --git a/.tests/smb-bf/scenario.assert b/.tests/smb-bf/scenario.assert
index ba9e9fe1fba..4eefb66a03d 100644
--- a/.tests/smb-bf/scenario.assert
+++ b/.tests/smb-bf/scenario.assert
@@ -1,40 +1,57 @@
 len(results) == 1
-"1.2.3.4" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
-results[0].Overflow.Sources["1.2.3.4"].Range == ""
-results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
-results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "smb-bf.log"
+"192.168.1.100" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100"
+results[0].Overflow.Sources["192.168.1.100"].Range == ""
+results[0].Overflow.Sources["192.168.1.100"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:04:52Z"
 results[0].Overflow.Alert.Events[0].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:04:53Z"
 results[0].Overflow.Alert.Events[1].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T10:04:54Z"
 results[0].Overflow.Alert.Events[2].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[3].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
 results[0].Overflow.Alert.Events[3].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[4].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
 results[0].Overflow.Alert.Events[4].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[5].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-09-24T10:04:57Z"
 results[0].Overflow.Alert.Events[5].GetMeta("user") == "toto"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/smb-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-
diff --git a/.tests/smb-bf/smb-bf.log b/.tests/smb-bf/smb-bf.log
index 19ef294ea1b..04e7498abf1 100644
--- a/.tests/smb-bf/smb-bf.log
+++ b/.tests/smb-bf/smb-bf.log
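Review bot: The new `timestamp` assertions, e.g. `results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:04:52Z"`, pin a year that the fixture does not supply: the syslog header is `Sep 24 10:04:52` with no year, and the only year in the line is the `Fri, 24 Sep 2021 ...` inside the message body. If dateparse-enrich fills a missing year from the wall clock, as year-less syslog formats usually require, these six lines go stale next January and already disagree with the 2021 date embedded in the same record. Worth confirming that the hubtest harness pins the year; otherwise consider having the smb parser take the full `at [...]` timestamp from the message, which carries the year, so the expected value is both stable and derivable from the fixture.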
@@ -1,6 +1,6 @@
-Sep 24 10:04:52 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:52.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:53 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:53.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:54 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:54.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:57 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:57.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:52 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:52.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:53 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:53.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:54 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:54.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:57 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:57.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
diff --git a/.tests/smb-impossible-travel/config.yaml b/.tests/smb-impossible-travel/config.yaml
new file mode 100644
index 00000000000..7cd0627c6d7
--- /dev/null
+++ b/.tests/smb-impossible-travel/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/geoip-enrich
+- ./parsers/s01-parse/crowdsecurity/smb-success-logs.yaml
+scenarios:
+- "./scenarios/crowdsecurity/impossible-travel.yaml"
+log_file: smb-success-logs.log
+log_type: syslog
+ignore_parsers: true
+
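Review bot: The new source address `192.168.1.100` sits inside 192.168.0.0/16, a range the stock `crowdsecurity/whitelists` parser discards before any scenario runs, so the companion `Remediation == true` assertion only holds because that parser is absent from the test's parser list; anyone using this fixture as a reference for what smb-bf bans in a default install would be misled. A documentation prefix such as `203.0.113.100` (TEST-NET-3) is neither whitelisted by default nor routable and keeps the fixture realistic. The same choice is repeated in the new smb-slow-bf fixture further down; changing it means regenerating both scenario.assert files.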
diff --git a/.tests/smb-impossible-travel/scenario.assert b/.tests/smb-impossible-travel/scenario.assert
new file mode 100644
index 00000000000..1c64d44d4a4
--- /dev/null
+++ b/.tests/smb-impossible-travel/scenario.assert
@@ -0,0 +1,36 @@
+len(results) == 1
+"9.8.8.8" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8"
+results[0].Overflow.Sources["9.8.8.8"].Range == ""
+results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip"
+results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
+"1.2.3.4" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "smb"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:00:00Z"
+results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "smb"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:01:00Z"
+results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 2
diff --git a/.tests/smb-impossible-travel/smb-success-logs.log b/.tests/smb-impossible-travel/smb-success-logs.log
new file mode 100644
index 00000000000..fe7648ce77b
--- /dev/null
+++ b/.tests/smb-impossible-travel/smb-success-logs.log
@@ -0,0 +1,3 @@
+Sep 24 10:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user [WORKGROUP]\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:1.2.3.4:62419] mapped to [WORKGROUP]\[vagrant]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:00 host2 smb[2726]: Auth: [SMB2,(null)] user [WORKGROUP]\[vagrant] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT2] remote host [ipv4:9.8.8.8:62420] mapped to [WORKGROUP]\[vagrant]. local host [ipv4:10.1.1.1:445] #015
+
diff --git a/.tests/smb-logs/parser.assert b/.tests/smb-logs/parser.assert
index f8a84828d8b..09759384d03 100644
--- a/.tests/smb-logs/parser.assert
+++ b/.tests/smb-logs/parser.assert
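Review bot: The `IsoCode`, `IsInEU` and `ASNNumber` assertions (`GetMeta("IsoCode") == "AU"` for 1.2.3.4, `"US"` for 9.8.8.8, `ASNNumber == "0"` for both) encode whatever MaxMind databases the runner happens to ship rather than anything the scenario requires; 1.2.3.4 in particular is an APNIC research prefix whose geolocation has moved between database releases, and an ASN of `0` suggests the ASN lookup found no entry at all. Consider fixtures with a stable, well-known country mapping, or trimming the geo assertions to the two `source_ip` lines plus the country mismatch the impossible-travel scenario actually keys on, so a database refresh does not break an otherwise valid test. The two `timestamp` values also carry a 2025 year that the fixture line (`Fri, 24 Sep 2021 10:00:00`) does not, which will need the same year-pinning check as the other scenario tests in this change.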
@@ -1,26 +1,47 @@
 len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["crowdsecurity/smb-logs"]) == 2
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["subtype"] == "smb_bad_user"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"] == "smb-logs.log"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["user"] == "administrator"
-results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"] == "smb-logs.log"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["subtype"] == "smb_bad_password"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["user"] == "administrator"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0
diff --git a/.tests/smb-slow-bf/config.yaml b/.tests/smb-slow-bf/config.yaml
new file mode 100644
index 00000000000..b8d879f1e15
--- /dev/null
+++ b/.tests/smb-slow-bf/config.yaml
@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/smb-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/smb-slow-bf.yaml
+postoverflows:
+- ""
+log_file: smb-slow-bf.log
+log_type: syslog
+ignore_parsers: true
diff --git a/.tests/smb-slow-bf/scenario.assert b/.tests/smb-slow-bf/scenario.assert
new file mode 100644
index 00000000000..2de4fd11cff
--- /dev/null
+++ b/.tests/smb-slow-bf/scenario.assert
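Review bot: The added s00-raw assertions document that the smb-logs.log fixture is not syslog-framed (`["crowdsecurity/syslog-logs"][0].Success == false` on both lines while `non-syslog` succeeds), so this parser test never exercises the `machine` and `timestamp` metadata that the scenario fixtures in the same change depend on (`Sep 24 10:04:52 host2 smb[2725]: Auth: ...`). Adding one syslog-framed line to smb-logs.log, or a second parser fixture, would make the parser assertions cover the input shape the scenarios are actually fed and catch a regression in the syslog path before it surfaces as a scenario failure. The `Whitelisted == false` lines are a welcome addition since an inadvertent whitelist match would otherwise only show up as a missing overflow.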
@@ -0,0 +1,97 @@
+len(results) == 1
+"192.168.1.100" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100"
+results[0].Overflow.Sources["192.168.1.100"].Range == ""
+results[0].Overflow.Sources["192.168.1.100"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:00:45Z"
+results[0].Overflow.Alert.Events[0].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:01:00Z"
+results[0].Overflow.Alert.Events[1].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T10:01:15Z"
+results[0].Overflow.Alert.Events[2].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[3].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-09-24T10:01:30Z"
+results[0].Overflow.Alert.Events[3].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[4].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-09-24T10:01:45Z"
+results[0].Overflow.Alert.Events[4].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[5].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-09-24T10:02:00Z"
+results[0].Overflow.Alert.Events[5].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[6].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[6].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[6].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[6].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[6].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[6].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[6].GetMeta("timestamp") == "2025-09-24T10:02:15Z"
+results[0].Overflow.Alert.Events[6].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[7].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[7].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[7].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[7].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[7].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[7].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[7].GetMeta("timestamp") == "2025-09-24T10:02:30Z"
+results[0].Overflow.Alert.Events[7].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[8].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[8].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[8].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[8].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[8].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[8].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[8].GetMeta("timestamp") == "2025-09-24T10:02:45Z"
+results[0].Overflow.Alert.Events[8].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[9].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[9].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[9].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[9].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[9].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[9].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[9].GetMeta("timestamp") == "2025-09-24T10:03:00Z"
+results[0].Overflow.Alert.Events[9].GetMeta("user") == "toto"
+basename(results[0].Overflow.Alert.Events[10].GetMeta("datasource_path")) == "smb-slow-bf.log"
+results[0].Overflow.Alert.Events[10].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[10].GetMeta("log_type") == "smb_failed_auth"
+results[0].Overflow.Alert.Events[10].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[10].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[10].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[10].GetMeta("timestamp") == "2025-09-24T10:03:15Z"
+results[0].Overflow.Alert.Events[10].GetMeta("user") == "toto"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/smb-slow-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 14
diff --git a/.tests/smb-slow-bf/smb-slow-bf.log b/.tests/smb-slow-bf/smb-slow-bf.log
new file mode 100644
index 00000000000..2802937f23a
--- /dev/null
+++ b/.tests/smb-slow-bf/smb-slow-bf.log
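Review bot: This test pins only the positive case, sixteen failures 15 s apart from one source producing a single overflow with `GetEventsCount() == 14`, and nothing asserts that a rate the scenario is meant to tolerate stays silent, so a later change to the bucket's capacity or leak speed that makes smb-slow-bf fire on a handful of mistyped passwords would pass this suite unchanged. A sibling fixture with the same lines spaced wider than the leak speed (I cannot see smb-slow-bf.yaml's values from here) asserting `len(results) == 0` would lock the threshold in from both sides. One more thing for readers: only `Events[0]` through `Events[10]` are listed while the count is 14, which is presumably the queue retaining the last eleven events, but at first glance the file reads as truncated, so a one-line note in the test's README or commit message would help.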
@@ -0,0 +1,16 @@
+Sep 24 10:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:00:15 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:00:15.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:00:30 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:00:30.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:00:45 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:00:45.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:15 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:01:15.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:30 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:01:30.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:45 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:01:45.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:02:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:02:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:02:15 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:02:15.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:02:30 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:02:30.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:02:45 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:02:45.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:03:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:03:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:03:15 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:03:15.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:03:30 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:03:30.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:03:45 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:03:45.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
diff --git a/.tests/smb-success-logs/config.yaml b/.tests/smb-success-logs/config.yaml
new file mode 100644
index 00000000000..07692cfa08f
--- /dev/null
+++ b/.tests/smb-success-logs/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/crowdsecurity/smb-success-logs.yaml
+scenarios:
+- ""
+log_file: smb-success-logs.log
+log_type: syslog
+
diff --git a/.tests/smb-success-logs/parser.assert b/.tests/smb-success-logs/parser.assert
new file mode 100644
index 00000000000..2ab4abb91d2
--- /dev/null
+++ b/.tests/smb-success-logs/parser.assert
@@ -0,0 +1,143 @@ +len(results) == 4 +len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 3 +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:192.168.1.100:62419] mapped to [WORKGROUP]\\[vagrant]. local host [ipv4:10.1.1.1:445] #015" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["pid"] == "2725" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["program"] == "smb" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Parsed["timestamp"] == "Sep 24 10:00:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Meta["machine"] == "host2" +results["s00-raw"]["crowdsecurity/syslog-logs"][0].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [DOMAIN]\\[admin] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT2] remote host [ipv4:192.168.1.200:62420] mapped to [DOMAIN]\\[admin]. 
local host [ipv4:10.1.1.1:445] #015" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["pid"] == "2726" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["program"] == "smb" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Parsed["timestamp"] == "Sep 24 10:01:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Meta["machine"] == "host2" +results["s00-raw"]["crowdsecurity/syslog-logs"][1].Evt.Whitelisted == false +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == true +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[testuser] at [Fri, 24 Sep 2021 10:02:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT3] remote host [ipv4:192.168.1.150:62421] mapped to [WORKGROUP]\\[testuser]. 
local host [ipv4:10.1.1.1:445] #015" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["pid"] == "2727" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["program"] == "smb" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Parsed["timestamp"] == "Sep 24 10:02:00" +basename(results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Meta["machine"] == "host2" +results["s00-raw"]["crowdsecurity/syslog-logs"][2].Evt.Whitelisted == false +len(results["s01-parse"]["crowdsecurity/smb-success-logs"]) == 3 +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Success == true +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["ip_source"] == "192.168.1.100" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:192.168.1.100:62419] mapped to [WORKGROUP]\\[vagrant]. 
local host [ipv4:10.1.1.1:445] #015" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["pid"] == "2725" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["program"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["smb_domain"] == "WORKGROUP" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["timestamp"] == "Sep 24 10:00:00" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Parsed["user"] == "vagrant" +basename(results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["log_type"] == "auth_success" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["machine"] == "host2" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["service"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["source_ip"] == "192.168.1.100" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Meta["user"] == "vagrant" +results["s01-parse"]["crowdsecurity/smb-success-logs"][0].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Success == true +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["ip_source"] == "192.168.1.200" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [DOMAIN]\\[admin] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT2] remote host [ipv4:192.168.1.200:62420] mapped to [DOMAIN]\\[admin]. 
local host [ipv4:10.1.1.1:445] #015" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["pid"] == "2726" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["program"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["smb_domain"] == "DOMAIN" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["timestamp"] == "Sep 24 10:01:00" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Parsed["user"] == "admin" +basename(results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["log_type"] == "auth_success" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["machine"] == "host2" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["service"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["source_ip"] == "192.168.1.200" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Meta["user"] == "admin" +results["s01-parse"]["crowdsecurity/smb-success-logs"][1].Evt.Whitelisted == false +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Success == true +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["ip_source"] == "192.168.1.150" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["logsource"] == "syslog" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[testuser] at [Fri, 24 Sep 2021 10:02:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT3] remote host [ipv4:192.168.1.150:62421] mapped to [WORKGROUP]\\[testuser]. 
local host [ipv4:10.1.1.1:445] #015" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["pid"] == "2727" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["program"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["smb_domain"] == "WORKGROUP" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["timestamp"] == "Sep 24 10:02:00" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Parsed["user"] == "testuser" +basename(results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["datasource_type"] == "file" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["log_type"] == "auth_success" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["machine"] == "host2" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["service"] == "smb" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["source_ip"] == "192.168.1.150" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Meta["user"] == "testuser" +results["s01-parse"]["crowdsecurity/smb-success-logs"][2].Evt.Whitelisted == false +len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 3 +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["ip_source"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:192.168.1.100:62419] mapped to [WORKGROUP]\\[vagrant]. 
local host [ipv4:10.1.1.1:445] #015" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["pid"] == "2725" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["smb_domain"] == "WORKGROUP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "Sep 24 10:00:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["user"] == "vagrant" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "auth_success" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["machine"] == "host2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "192.168.1.100" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2025-09-24T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["user"] == "vagrant" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2025-09-24T10:00:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["ip_source"] == "192.168.1.200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [DOMAIN]\\[admin] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] 
workstation [CLIENT2] remote host [ipv4:192.168.1.200:62420] mapped to [DOMAIN]\\[admin]. local host [ipv4:10.1.1.1:445] #015" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["pid"] == "2726" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["program"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["smb_domain"] == "DOMAIN" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["timestamp"] == "Sep 24 10:01:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Parsed["user"] == "admin" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["log_type"] == "auth_success" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["machine"] == "host2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["service"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["source_ip"] == "192.168.1.200" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["timestamp"] == "2025-09-24T10:01:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Meta["user"] == "admin" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Enriched["MarshaledTime"] == "2025-09-24T10:01:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Evt.Whitelisted == false +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["ip_source"] == "192.168.1.150" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["logsource"] == "syslog" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user 
[WORKGROUP]\\[testuser] at [Fri, 24 Sep 2021 10:02:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT3] remote host [ipv4:192.168.1.150:62421] mapped to [WORKGROUP]\\[testuser]. local host [ipv4:10.1.1.1:445] #015" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["pid"] == "2727" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["program"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["smb_domain"] == "WORKGROUP" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["timestamp"] == "Sep 24 10:02:00" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Parsed["user"] == "testuser" +basename(results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_path"]) == "smb-success-logs.log" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["datasource_type"] == "file" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["log_type"] == "auth_success" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["machine"] == "host2" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["service"] == "smb" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["source_ip"] == "192.168.1.150" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["timestamp"] == "2025-09-24T10:02:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Meta["user"] == "testuser" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Enriched["MarshaledTime"] == "2025-09-24T10:02:00Z" +results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Evt.Whitelisted == false +len(results["success"][""]) == 0 diff --git a/.tests/smb-success-logs/scenario.assert b/.tests/smb-success-logs/scenario.assert new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/.tests/smb-success-logs/smb-success-logs.log b/.tests/smb-success-logs/smb-success-logs.log
new file mode 100644
index 00000000000..4254a0e1065
--- /dev/null
+++ b/.tests/smb-success-logs/smb-success-logs.log
@@ -0,0 +1,4 @@
+Sep 24 10:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user [WORKGROUP]\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:192.168.1.100:62419] mapped to [WORKGROUP]\[vagrant]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:00 host2 smb[2726]: Auth: [SMB2,(null)] user [DOMAIN]\[admin] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT2] remote host [ipv4:192.168.1.200:62420] mapped to [DOMAIN]\[admin]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:02:00 host2 smb[2727]: Auth: [SMB2,(null)] user [WORKGROUP]\[testuser] at [Fri, 24 Sep 2021 10:02:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT3] remote host [ipv4:192.168.1.150:62421] mapped to [WORKGROUP]\[testuser]. local host [ipv4:10.1.1.1:445] #015
+
diff --git a/.tests/smb-time-based-bf/config.yaml b/.tests/smb-time-based-bf/config.yaml
new file mode 100644
index 00000000000..12bec28251b
--- /dev/null
+++ b/.tests/smb-time-based-bf/config.yaml
@@ -0,0 +1,12 @@
+parsers:
+- crowdsecurity/smb-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/smb-time-based-bf.yaml
+postoverflows:
+- ""
+log_file: smb-time-based-bf.log
+log_type: syslog
+ignore_parsers: true
+
diff --git a/.tests/smb-time-based-bf/scenario.assert b/.tests/smb-time-based-bf/scenario.assert
new file mode 100644
index 00000000000..1b755d8d715
--- /dev/null
+++ b/.tests/smb-time-based-bf/scenario.assert
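Review bot: The smb-time-based-bf test config never exercises the `cancel_on` path that the scenario advertises as its false-positive reduction: `parsers` lists `crowdsecurity/smb-logs` but not `crowdsecurity/smb-success-logs`, so no `auth_success` event can be produced, and the companion smb-time-based-bf.log in the later hunk contains only `NT_STATUS_NO_SUCH_USER` lines. A regression in the cancel expression would pass this test unnoticed. Add the success parser, `- crowdsecurity/smb-success-logs`, and one `NT_STATUS_OK` line for one of the two source IPs to the log so the assert file can check that bucket is cancelled while the other still overflows.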
@@ -0,0 +1,71 @@ +len(results) == 2 +"192.168.1.200" in results[0].Overflow.GetSources() +results[0].Overflow.Sources["192.168.1.200"].IP == "192.168.1.200" +results[0].Overflow.Sources["192.168.1.200"].Range == "" +results[0].Overflow.Sources["192.168.1.200"].GetScope() == "Ip" +results[0].Overflow.Sources["192.168.1.200"].GetValue() == "192.168.1.200" +basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth" +results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2" +results[0].Overflow.Alert.Events[0].GetMeta("service") == "smb" +results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.200" +results[0].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user" +results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T11:00:00Z" +results[0].Overflow.Alert.Events[0].GetMeta("user") == "admin" +basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth" +results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2" +results[0].Overflow.Alert.Events[1].GetMeta("service") == "smb" +results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.200" +results[0].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user" +results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T11:04:00Z" +results[0].Overflow.Alert.Events[1].GetMeta("user") == "admin" +basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth" 
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "host2" +results[0].Overflow.Alert.Events[2].GetMeta("service") == "smb" +results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.200" +results[0].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user" +results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T11:08:00Z" +results[0].Overflow.Alert.Events[2].GetMeta("user") == "admin" +results[0].Overflow.Alert.GetScenario() == "crowdsecurity/smb-time-based-bf" +results[0].Overflow.Alert.Remediation == true +results[0].Overflow.Alert.GetEventsCount() == 3 +"192.168.1.100" in results[1].Overflow.GetSources() +results[1].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100" +results[1].Overflow.Sources["192.168.1.100"].Range == "" +results[1].Overflow.Sources["192.168.1.100"].GetScope() == "Ip" +results[1].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100" +basename(results[1].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth" +results[1].Overflow.Alert.Events[0].GetMeta("machine") == "host2" +results[1].Overflow.Alert.Events[0].GetMeta("service") == "smb" +results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100" +results[1].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user" +results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:00:00Z" +results[1].Overflow.Alert.Events[0].GetMeta("user") == "toto" +basename(results[1].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[1].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth" +results[1].Overflow.Alert.Events[1].GetMeta("machine") == "host2" +results[1].Overflow.Alert.Events[1].GetMeta("service") == "smb" 
+results[1].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100" +results[1].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user" +results[1].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:03:30Z" +results[1].Overflow.Alert.Events[1].GetMeta("user") == "toto" +basename(results[1].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-time-based-bf.log" +results[1].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file" +results[1].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth" +results[1].Overflow.Alert.Events[2].GetMeta("machine") == "host2" +results[1].Overflow.Alert.Events[2].GetMeta("service") == "smb" +results[1].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100" +results[1].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user" +results[1].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T10:07:00Z" +results[1].Overflow.Alert.Events[2].GetMeta("user") == "toto" +results[1].Overflow.Alert.GetScenario() == "crowdsecurity/smb-time-based-bf" +results[1].Overflow.Alert.Remediation == true +results[1].Overflow.Alert.GetEventsCount() == 3 diff --git a/.tests/smb-time-based-bf/smb-time-based-bf.log b/.tests/smb-time-based-bf/smb-time-based-bf.log new file mode 100644 index 00000000000..83cba5e419b --- /dev/null +++ b/.tests/smb-time-based-bf/smb-time-based-bf.log 
@@ -0,0 +1,6 @@
+Sep 24 10:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:03:30 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:03:30.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:07:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:07:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 11:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[admin] at [Fri, 24 Sep 2021 11:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.200:62420] mapped to []\[admin]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 11:04:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[admin] at [Fri, 24 Sep 2021 11:04:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.200:62420] mapped to []\[admin]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 11:08:00 host2 smb[2725]: Auth: [SMB2,(null)] user []\[admin] at [Fri, 24 Sep 2021 11:08:00.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.200:62420] mapped to []\[admin]. local host [ipv4:10.1.1.1:445] #015
diff --git a/collections/crowdsecurity/smb-impossible-travel.md b/collections/crowdsecurity/smb-impossible-travel.md
new file mode 100644
index 00000000000..ec4c8d31672
--- /dev/null
+++ b/collections/crowdsecurity/smb-impossible-travel.md
@@ -0,0 +1,37 @@
+## SMB Impossible Travel collection
+
+This collection detects impossible travel scenarios for SMB authentications - when a user successfully authenticates from geographically distant locations within a timeframe that makes physical travel impossible.
+
+**Components:**
+ - SMB successful authentication parser
+ - Impossible travel detection (by IP)
+ - Impossible travel detection (by user)
+
+**Use Cases:**
+ - Detect compromised credentials being used from multiple locations
+ - Identify potential account takeover attempts
+ - Monitor for insider threats and credential sharing
+
+**Requirements:**
+ - GeoIP enrichment must be enabled
+ - SMB logging must capture successful authentications with `NT_STATUS_OK`
+ - Samba `log level` must be set to capture authentication events
+
+## Acquisition template
+
+Example acquisition for this collection:
+
+```yaml
+filenames:
+ - /var/log/samba/log.*
+labels:
+ type: smb
+```
+
+**Notes:**
+ - You may target a more specific log, usually log.
+ - Be sure to have the appropriate log level in your smb.conf
+ - If you are using `syslog`, set type to `syslog` instead
+ - Depending on your distribution/OS, paths to log files might change
+ - Only relevant if you are manually installing collection
+
diff --git a/collections/crowdsecurity/smb-impossible-travel.yaml b/collections/crowdsecurity/smb-impossible-travel.yaml
new file mode 100644
index 00000000000..8a160e94069
--- /dev/null
+++ b/collections/crowdsecurity/smb-impossible-travel.yaml
@@ -0,0 +1,13 @@
+parsers:
+ - crowdsecurity/smb-success-logs
+scenarios:
+ - crowdsecurity/impossible-travel
+ - crowdsecurity/impossible-travel-user
+description: "smb success: parser and impossible travel detection"
+author: crowdsecurity
+tags:
+ - linux
+ - smb
+ - inside-threat
+ - impossible-travel
+
diff --git a/collections/crowdsecurity/smb.md b/collections/crowdsecurity/smb.md
index a84b904a913..d41953f138d 100644
--- a/collections/crowdsecurity/smb.md
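Review bot: The smb-impossible-travel collection declares the two impossible-travel scenarios but no enrichment parser, while its own README in the preceding hunk lists "GeoIP enrichment must be enabled" as a hard requirement. If those scenarios consume the hub's GeoIP enrichment parser, a user installing only this collection gets scenarios that can never fire, with no install-time signal. Either add that parser to `parsers:` so the collection is self-contained, or state in `description` that the GeoIP enrichment parser must be installed separately.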
+++ b/collections/crowdsecurity/smb.md @@ -1,8 +1,11 @@ ## SMB collection A collection to defend smb against common attacks: - - smb parser - - detect bruteforce + - smb failed authentication parser + - smb successful authentication parser + - detect bruteforce (fast attacks: 5 failures in ~50s) + - detect slow bruteforce (slower attacks: 10 failures in ~10min) + - detect time-based bruteforce (time-spaced attacks: 3 failures with >2min median interval, includes false positive reduction) ## Acquisition template diff --git a/collections/crowdsecurity/smb.yaml b/collections/crowdsecurity/smb.yaml index cdcb842946f..de2cd08f065 100644 --- a/collections/crowdsecurity/smb.yaml +++ b/collections/crowdsecurity/smb.yaml @@ -1,8 +1,11 @@ parsers: - crowdsecurity/smb-logs + - crowdsecurity/smb-success-logs scenarios: - crowdsecurity/smb-bf -description: "smb support : parser and brute-force scenario" + - crowdsecurity/smb-slow-bf + - crowdsecurity/smb-time-based-bf +description: "smb support : parsers and brute-force scenarios" author: crowdsecurity tags: - linux diff --git a/parsers/s01-parse/crowdsecurity/smb-logs.yaml b/parsers/s01-parse/crowdsecurity/smb-logs.yaml index 01fea439a98..f9eb8790d28 100644 --- a/parsers/s01-parse/crowdsecurity/smb-logs.yaml +++ b/parsers/s01-parse/crowdsecurity/smb-logs.yaml @@ -20,6 +20,8 @@ nodes: statics: - meta: log_type value: smb_failed_auth + - meta: service + value: smb - meta: source_ip expression: "evt.Parsed.ip_source" - meta: user diff --git a/parsers/s01-parse/crowdsecurity/smb-success-logs.yaml b/parsers/s01-parse/crowdsecurity/smb-success-logs.yaml new file mode 100644 index 00000000000..3d55aa122c9 --- /dev/null +++ b/parsers/s01-parse/crowdsecurity/smb-success-logs.yaml 
@@ -0,0 +1,20 @@
+onsuccess: next_stage
+name: crowdsecurity/smb-success-logs
+filter: evt.Parsed.program == 'smb'
+description: "Parse successful SMB authentications"
+pattern_syntax:
+  SMB_AUTH_SUCCESS: "Auth:%{GREEDYDATA} user \\[%{DATA:smb_domain}\\]\\\\\\[%{DATA:user}\\]%{GREEDYDATA} status \\[NT_STATUS_OK\\]%{GREEDYDATA} remote host \\[ipv4:%{IP:ip_source}"
+nodes:
+  - grok:
+      name: "SMB_AUTH_SUCCESS"
+      apply_on: message
+statics:
+  - meta: log_type
+    value: auth_success
+  - meta: service
+    value: smb
+  - meta: source_ip
+    expression: "evt.Parsed.ip_source"
+  - meta: user
+    expression: "evt.Parsed.user"
+
diff --git a/scenarios/crowdsecurity/smb-slow-bf.md b/scenarios/crowdsecurity/smb-slow-bf.md
new file mode 100644
index 00000000000..9b6f140da04
--- /dev/null
+++ b/scenarios/crowdsecurity/smb-slow-bf.md
@@ -0,0 +1,7 @@
+Detect slow SMB bruteforce attempts:
+
+ - leakspeed of 60s, capacity of 10
+
+This scenario complements the standard smb-bf scenario (capacity 5, leakspeed 10s) by catching slower attacks. The standard scenario catches 5 failures within ~50 seconds, while this catches 10 failures over ~10 minutes.
+
+SMB is a common target for lateral movement in enterprise environments, and attackers may slow their attempts to avoid detection.
diff --git a/scenarios/crowdsecurity/smb-slow-bf.yaml b/scenarios/crowdsecurity/smb-slow-bf.yaml
new file mode 100644
index 00000000000..a743a46a7e5
--- /dev/null
+++ b/scenarios/crowdsecurity/smb-slow-bf.yaml
@@ -0,0 +1,19 @@
+# smb slow bruteforce
+type: leaky
+name: crowdsecurity/smb-slow-bf
+description: "Detect slow SMB bruteforce"
+filter: "evt.Meta.log_type == 'smb_failed_auth'"
+leakspeed: "60s"
+capacity: 10
+groupby: evt.Meta.source_ip
+blackhole: 1m
+reprocess: true
+labels:
+  service: smb
+  remediation: true
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "smb:bruteforce"
+  label: "SMB Slow Bruteforce"
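Review bot: `SMB_AUTH_SUCCESS` anchors the source address on the literal `remote host \[ipv4:`, so a successful logon recorded with a different address family (Samba presumably writes an `ipv6:` prefix there) never yields an `auth_success` event. That gap is silent and has two downstream effects in this same commit: the impossible-travel scenarios see no events for those clients, and the `cancel_on` in smb-time-based-bf never fires for them. Either widen the capture to both families, or record the limitation next to the pattern, `# only ipv4 remote hosts are matched; ipv6 logons are not parsed`, so operators know the coverage. The existing smb-logs parser is outside this hunk; it likely carries the same constraint and should be checked with it.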
diff --git a/scenarios/crowdsecurity/smb-time-based-bf.md b/scenarios/crowdsecurity/smb-time-based-bf.md
new file mode 100644
index 00000000000..40dcd2aa914
--- /dev/null
+++ b/scenarios/crowdsecurity/smb-time-based-bf.md
@@ -0,0 +1,18 @@
+Detect time-based SMB bruteforce attempts that evade traditional rate limiting (with false positive reduction):
+
+ - Uses conditional type with capacity -1 (unlimited)
+ - Triggers when at least 3 failed authentication attempts occur
+ - Median interval between attempts exceeds 2 minutes
+ - Leakspeed of 2h naturally caps maximum interval (~40-60 minutes for 3 events)
+ - Uses `MedianInterval()` helper to detect consistent timing patterns (more robust against outliers)
+ - Includes `cancel_on` to cancel detection if successful authentication occurs (reduces false positives)
+
+This scenario complements the standard smb-bf scenario (capacity 5, leakspeed 10s) and smb-slow-bf scenario (capacity 10, leakspeed 60s) by catching attackers who deliberately use time-based attacks to avoid detection. The standard scenario catches 5 failures within ~50 seconds, the slow-bf catches 10 failures within ~10 minutes, while this catches 3 failures with median interval >2 minutes (naturally capped by 2h leakspeed).
+
+Coverage analysis:
+- smb-bf: 0-10s intervals (fast attacks)
+- smb-slow-bf: 10-60s intervals (slow attacks)
+- smb-time-based-bf: >120s intervals (time-spaced attacks)
+
+SMB is a common target for lateral movement in enterprise environments, and sophisticated adversaries often use slow bruteforce techniques to evade detection and avoid account lockouts.
+
diff --git a/scenarios/crowdsecurity/smb-time-based-bf.yaml b/scenarios/crowdsecurity/smb-time-based-bf.yaml
new file mode 100644
index 00000000000..342819cbd59
--- /dev/null
+++ b/scenarios/crowdsecurity/smb-time-based-bf.yaml
@@ -0,0 +1,25 @@
+# smb time-based bruteforce with false positive reduction
+type: conditional
+name: crowdsecurity/smb-time-based-bf
+description: "Detect time-based SMB bruteforce attempts that evade rate limiting (with false positive reduction)"
+filter: "evt.Meta.service == 'smb' && evt.Meta.log_type in ['smb_failed_auth', 'auth_success']"
+groupby: evt.Meta.source_ip
+capacity: -1
+cancel_on: "evt.Meta.log_type == 'auth_success'"
+condition: |
+  let failedAuths = filter(queue.Queue, {#.Meta.log_type == 'smb_failed_auth'});
+  len(failedAuths) >= 3 &&
+  MedianInterval(map(failedAuths[-3:], {#.Time})) > duration("2m")
+leakspeed: 2h
+blackhole: 5m
+reprocess: true
+labels:
+  service: smb
+  behavior: "smb:bruteforce"
+  spoofable: 0
+  confidence: 3
+  classification:
+    - attack.T1110
+  label: "SMB Time-Based Bruteforce"
+  remediation: true
+
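Review bot: `cancel_on` tests only `log_type == 'auth_success'` while the bucket is keyed on `evt.Meta.source_ip`, so a single successful logon by any account from that address discards every failure accumulated for it; behind a NAT, a jump host or a shared workstation, ordinary user traffic will keep resetting the bucket and the "false positive reduction" becomes a coverage hole for exactly the slow, spaced attempts this scenario targets. The success parser exposes `Meta.user`, so the trade-off should at least be documented where the operator sees it, `# cancel_on fires on any NT_STATUS_OK from the grouped IP, regardless of user — see smb-time-based-bf.md`, and a per-user variant (group on both source_ip and user) considered as a follow-up. Separately, `filter` requires `evt.Meta.service == 'smb'`, a meta key that the smb-logs parser only gains in this same commit; with an older parser version installed the filter never matches and the scenario is silently inert, so the collection should make that parser version a requirement or the filter should fall back to `log_type` alone.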