What do i wrong? Im new to crowdsec. I have a windows agent an parse a log, icewarp_alert is set to true but scenario does not trigger an alert. Please check my configs. And yes, 1 wrong smtp auth and instant ban!
acquis.xaml:
---
## ICEWARP
source: file
filenames:
- C:\Program Files\IceWarp\logs\auth\*.log
labels:
type: icewarp-auth
program: icewarp-auth
Parser
name: crowdsecurity/icewarp-auth
description: Parse IceWarp auth failures (Result=0 & Method=0)
stage: s01-parse
onsuccess: next_stage
filter: "evt.Parsed.program == 'icewarp-auth'"
debug: true
nodes:
- grok:
pattern: '%{IP:source_ip}\s+\[%{DATA}\]\s+%{TIME:timestamp} Authentication \[%{WORD:protocol}\] - Result=%{INT:auth_result}, User=%{DATA:user}, Method=%{INT:method}'
apply_on: message
statics:
- meta: program
value: icewarp-auth
- parsed: source_ip
expression: evt.Parsed.source_ip
- parsed: auth_result
expression: evt.Parsed.auth_result
- parsed: method
expression: evt.Parsed.method
- parsed: protocol
expression: evt.Parsed.protocol
- parsed: icewarp_alert
expression: >
(evt.Parsed.auth_result == "0" &&
evt.Parsed.method == "0" &&
(evt.Parsed.protocol == "SMTP" || evt.Parsed.protocol == "IMAP" || evt.Parsed.protocol == "GW" || evt.Parsed.protocol == "IM") &&
evt.Parsed.source_ip != "SYSTEM" &&
evt.Parsed.source_ip != "127.0.0.1") ? "true" : "false"
labels:
type: icewarp-auth
service: icewarp
Scenario:
type: leaky
debug: true
name: crowdsecurity/icewarp-auth
description: "Detect failed SMTP/IMAP logins in IceWarp"
filter: |
evt.Parsed.icewarp_alert == "true" || evt.Unmarshaled.icewarp_alert == "true"
groupby: evt.Parsed.source_ip
leakspeed: 1s
blackhole: 5h
capacity: 1
reprocess: true
labels:
type: icewarp-auth
service: icewarp