A collection to defend Sympa - Mailing List Management Software instance against common attacks:

• Sympa web service (wwsympa) parser
• Sympa http scan detection

This collection protects against HTTP scanning attempts that try to discover non-existing actions or lists. Since Sympa returns HTTP 200 responses even for non-existent resources with user-facing error messages, standard web server log analysis cannot detect these scans. This collection uses Sympa's own logs to detect and block such attempts.

Example acquisition for this collection :

1---
2filenames:
3 - /var/log/sympa.log
4labels:
5  type: syslog

Or using journalctl:

1---
2source: journalctl
3journalctl_filter:
4  - "_SYSTEMD_UNIT=wwsympa.service"
5labels:
6  type: syslog