postfix-non-smtp-command Scenario

« postfix-non-smtp-command »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0confidence:3

Detect scanning of postfix service through non-SMTP commands

Installation

cscli scenarios install crowdsecurity/postfix-non-smtp-command

Description

Postfix non-SMTP commands is a log message generated when a client sends a command that is not recognized by the server. This primarily happens when a IP address is enumerating services on a machine.

YAML Configuration

1type: trigger
2name: crowdsecurity/postfix-non-smtp-command
3description: "Detect scanning of postfix service through non-SMTP commands"
4filter: "evt.Meta.service == 'postfix' && evt.Meta.log_type_enh == 'non-smtp-command'"
5groupby: evt.Meta.source_ip
6blackhole: 1m
7reprocess: false
8labels:
9  service: postfix
10  remediation: true
11  confidence: 3
12  spoofable: 0
13  behavior: "generic:scan"
14  label: "Postfix Non-SMTP Command"

Hub configuration

« postfix-non-smtp-command »v0.1 by crowdsecurityAttack scenarioremediation:trueservice:postfixspoofable:0confidence:3

« postfix-non-smtp-command »
v0.1 by crowdsecurity
Attack scenarioremediation:trueservice:postfixspoofable:0confidence:3