smb: add more bruteforce detection scenario

.tests/smb-bf/scenario.assert

@@ -1,40 +1,57 @@
 len(results) == 1
-"1.2.3.4" in results[0].Overflow.GetSources()
-results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
-results[0].Overflow.Sources["1.2.3.4"].Range == ""
-results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
-results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
-results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "smb-bf.log"
+"192.168.1.100" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["192.168.1.100"].IP == "192.168.1.100"
+results[0].Overflow.Sources["192.168.1.100"].Range == ""
+results[0].Overflow.Sources["192.168.1.100"].GetScope() == "Ip"
+results[0].Overflow.Sources["192.168.1.100"].GetValue() == "192.168.1.100"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[0].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:04:52Z"
 results[0].Overflow.Alert.Events[0].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[1].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:04:53Z"
 results[0].Overflow.Alert.Events[1].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[2].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[2].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[2].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2025-09-24T10:04:54Z"
 results[0].Overflow.Alert.Events[2].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[3].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[3].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[3].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
 results[0].Overflow.Alert.Events[3].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[4].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[4].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[4].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[4].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[4].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[4].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[4].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[4].GetMeta("timestamp") == "2025-09-24T10:04:55Z"
 results[0].Overflow.Alert.Events[4].GetMeta("user") == "toto"
-results[0].Overflow.Alert.Events[5].GetMeta("datasource_path") == "smb-bf.log"
+basename(results[0].Overflow.Alert.Events[5].GetMeta("datasource_path")) == "smb-bf.log"
 results[0].Overflow.Alert.Events[5].GetMeta("datasource_type") == "file"
 results[0].Overflow.Alert.Events[5].GetMeta("log_type") == "smb_failed_auth"
-results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[5].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[5].GetMeta("source_ip") == "192.168.1.100"
+results[0].Overflow.Alert.Events[5].GetMeta("subtype") == "smb_bad_user"
+results[0].Overflow.Alert.Events[5].GetMeta("timestamp") == "2025-09-24T10:04:57Z"
 results[0].Overflow.Alert.Events[5].GetMeta("user") == "toto"
 results[0].Overflow.Alert.GetScenario() == "crowdsecurity/smb-bf"
 results[0].Overflow.Alert.Remediation == true
 results[0].Overflow.Alert.GetEventsCount() == 6
-

.tests/smb-bf/smb-bf.log

@@ -1,6 +1,6 @@
-Sep 24 10:04:52 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:52.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:53 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:53.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:54 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:54.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
-Sep 24 10:04:57 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:57.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:1.2.3.4:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:52 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:52.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:53 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:53.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:54 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:54.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:55 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:55.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:04:57 host2 smb[2725]: Auth: [SMB2,(null)] user []\[toto] at [Fri, 24 Sep 2021 10:04:57.030937 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [] remote host [ipv4:192.168.1.100:62419] mapped to []\[toto]. local host [ipv4:10.1.1.1:445] #015

.tests/smb-impossible-travel/config.yaml

@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/geoip-enrich
+- ./parsers/s01-parse/crowdsecurity/smb-success-logs.yaml
+scenarios:
+- "./scenarios/crowdsecurity/impossible-travel.yaml"
+log_file: smb-success-logs.log
+log_type: syslog
+ignore_parsers: true
+

.tests/smb-impossible-travel/scenario.assert

@@ -0,0 +1,36 @@
+len(results) == 1
+"9.8.8.8" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["9.8.8.8"].IP == "9.8.8.8"
+results[0].Overflow.Sources["9.8.8.8"].Range == ""
+results[0].Overflow.Sources["9.8.8.8"].GetScope() == "Ip"
+results[0].Overflow.Sources["9.8.8.8"].GetValue() == "9.8.8.8"
+"1.2.3.4" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[0].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[0].GetMeta("IsoCode") == "AU"
+basename(results[0].Overflow.Alert.Events[0].GetMeta("datasource_path")) == "smb-success-logs.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[0].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "smb"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2025-09-24T10:00:00Z"
+results[0].Overflow.Alert.Events[0].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.Events[1].GetMeta("ASNNumber") == "0"
+results[0].Overflow.Alert.Events[1].GetMeta("IsInEU") == "false"
+results[0].Overflow.Alert.Events[1].GetMeta("IsoCode") == "US"
+basename(results[0].Overflow.Alert.Events[1].GetMeta("datasource_path")) == "smb-success-logs.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "auth_success"
+results[0].Overflow.Alert.Events[1].GetMeta("machine") == "host2"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "smb"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "9.8.8.8"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2025-09-24T10:01:00Z"
+results[0].Overflow.Alert.Events[1].GetMeta("user") == "vagrant"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/impossible-travel"
+results[0].Overflow.Alert.Remediation == false
+results[0].Overflow.Alert.GetEventsCount() == 2

.tests/smb-impossible-travel/smb-success-logs.log

@@ -0,0 +1,3 @@
+Sep 24 10:00:00 host2 smb[2725]: Auth: [SMB2,(null)] user [WORKGROUP]\[vagrant] at [Fri, 24 Sep 2021 10:00:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT1] remote host [ipv4:1.2.3.4:62419] mapped to [WORKGROUP]\[vagrant]. local host [ipv4:10.1.1.1:445] #015
+Sep 24 10:01:00 host2 smb[2726]: Auth: [SMB2,(null)] user [WORKGROUP]\[vagrant] at [Fri, 24 Sep 2021 10:01:00.030937 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [CLIENT2] remote host [ipv4:9.8.8.8:62420] mapped to [WORKGROUP]\[vagrant]. local host [ipv4:10.1.1.1:445] #015
+

.tests/smb-logs/parser.assert

@@ -1,26 +1,47 @@
 len(results) == 3
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 2
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Whitelisted == false
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. local host [ipv4:172.17.0.2:445] "
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Parsed["program"] == "smb"
+basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 2
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
 len(results["s01-parse"]["crowdsecurity/smb-logs"]) == 2
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Success == true
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\\[root]. local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Parsed["ip_source"] == "172.17.0.1"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"]) == "smb-logs.log"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["subtype"] == "smb_bad_user"
 results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["user"] == "root"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_path"] == "smb-logs.log"
-results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["crowdsecurity/smb-logs"][0].Evt.Whitelisted == false
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Success == true
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["ip_source"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [WORKGROUP]\\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\\[administrator]. local host [ipv4:172.17.0.2:445] "
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["program"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["smb_domain"] == "WORKGROUP"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Parsed["user"] == "administrator"
-results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"] == "smb-logs.log"
+basename(results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_path"]) == "smb-logs.log"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["datasource_type"] == "file"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["log_type"] == "smb_failed_auth"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["service"] == "smb"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["source_ip"] == "172.17.0.1"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["subtype"] == "smb_bad_password"
 results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Meta["user"] == "administrator"
+results["s01-parse"]["crowdsecurity/smb-logs"][1].Evt.Whitelisted == false
+len(results["success"][""]) == 0

.tests/smb-slow-bf/config.yaml

@@ -0,0 +1,11 @@
+parsers:
+- crowdsecurity/smb-logs
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+scenarios:
+- ./scenarios/crowdsecurity/smb-slow-bf.yaml
+postoverflows:
+- ""
+log_file: smb-slow-bf.log
+log_type: syslog
+ignore_parsers: true