1onsuccess: next_stage
2#debug: true
3filter: "evt.Parsed.program == 'exim'"
4name: crowdsecurity/exim-logs
5description: "Parse exim logs"
6pattern_syntax:
7  NO_DOUBLE_QUOTE: '[^"]+'
8  NO_END_BRACKET: '[^\]]+'
9  NO_END_PAR: '[^\)]+'
10  EXIM_AUTH: '(?:dovecot_)?(?:login|plain)'
11  EXIM_SOURCE: '(?:%{HOSTNAME:source_dns} )?(?:\(%{NO_END_PAR:source_helo}\) )?\[%{IP:source_ip}\]'
12  EXIM_OPT_DATE: '(:?%{EXIM_DATE:date} )?'
13  EXIM_SOURCE_TLS: 'H=%{EXIM_SOURCE}(?::%{POSINT:source_port})? (:?X=%{NOTSPACE:tls_cipher} CV=(:?yes|no) )?'
14nodes:
15  - grok:
16      pattern: '%{EXIM_OPT_DATE}%{EXIM_AUTH:exim_auth} authenticator failed for %{EXIM_SOURCE}:(?:%{POSINT:source_port}:)? 535 Incorrect authentication data \(set_id=%{NO_END_PAR:target_user}\)'
17      apply_on: message
18      statics:
19        - meta: log_type
20          value: exim_failed_auth
21  - grok:
22      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: "JunkMail rejected - %{NOTSPACE} \[%{NO_END_BRACKET}\]:%{INT} is in an RBL: %{NO_DOUBLE_QUOTE:rbl_url}"'
23      apply_on: message
24      statics:
25        - meta: log_type
26          value: spam-attempt
27        - meta: rbl_url
28          expression: evt.Parsed.rbl_url
29        - meta: source_user
30          expression: evt.Parsed.source_user
31  - grok:
32      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: Email blocked by %{HOSTNAME:rbl_url}'
33      apply_on: message
34      statics:
35        - meta: log_type
36          value: spam-attempt
37        - meta: rbl_url
38          expression: evt.Parsed.rbl_url
39        - meta: source_user
40          expression: evt.Parsed.source_user
41  - grok:
42      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: No Such User Here'
43      apply_on: message
44      statics:
45        - meta: log_type
46          value: exim_failed_auth
47        - meta: source_user
48          expression: evt.Parsed.source_user
49  - grok:
50      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}temporarily rejected connection in "%{NO_DOUBLE_QUOTE:acl}" ACL: "Host is ratelimited \(%{NO_END_PAR:rate_limit}\)'
51      apply_on: message
52      statics:
53        - meta: log_type
54          value: spam-attempt
55  - grok:
56      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}sender verify fail for <%{EMAILADDRESS:source_user}>: The mail server does not recognize %{NOTSPACE} as a valid sender.'
57      apply_on: message
58      statics:
59        - meta: log_type
60          value: spam-attempt
61        - meta: source_user
62          expression: evt.Parsed.source_user
63  - grok:
64      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: Sender verify failed'
65      apply_on: message
66      statics:
67        - meta: log_type
68          value: spam-attempt
69        - meta: source_user
70          expression: evt.Parsed.source_user
71  - grok:
72      pattern: '%{EXIM_OPT_DATE}%{EXIM_SOURCE_TLS}F=<%{EMAILADDRESS:source_user}> rejected RCPT <%{EMAILADDRESS:target_user}>: SMTP AUTH is required for message submission on port %{POSINT:target_port}'
73      apply_on: message
74      statics:
75        - meta: log_type
76          value: spam-attempt
77        - meta: source_user
78          expression: evt.Parsed.source_user
79        - meta: target_port
80          expression: evt.Parsed.target_port
81statics:
82  - meta: service
83    value: exim
84  - target: evt.StrTime
85    expression: evt.Parsed.date
86  - meta: source_ip
87    expression: evt.Parsed.source_ip
88  - meta: source_dns
89    expression: evt.Parsed.source_dns
90  - meta: source_helo
91    expression: evt.Parsed.source_helo
92  - meta: username
93    expression: evt.Parsed.target_user
94