smb: add more bruteforce detection scenario #1567
Conversation
- Add crowdsecurity/smb-slow-bf conditional scenario
- Uses MedianInterval() to detect 3+ failed auth attempts with >5m intervals
- Leakspeed 2h, catches slow attacks evading standard rate limiting
- Update SMB collection to include slow-bf scenario
- Add test suite with 6 events (2 IPs, >5min intervals)

- Rename smb-slow-bf to smb-time-based-bf (conditional with MedianInterval)
- Create new smb-slow-bf as leaky bucket (60s leakspeed, capacity 10)
- Now follows SSH pattern with 3 tiers:
  - smb-bf: fast attacks (5 failures in ~50s)
  - smb-slow-bf: slower attacks (10 failures in ~10min)
  - smb-time-based-bf: time-spaced attacks (3 failures with >5min median)
- Update SMB collection to include all 3 scenarios
- Update test logs to use private IP ranges (192.168.1.x)
- Create test suites for all 3 scenarios with proper assertions
- Remove unnecessary parser.assert files (ignore_parsers: true)

…sed-bf
- Add smb-success-logs parser for NT_STATUS_OK authentications
- Uses generic log_type: auth_success for impossible-travel compatibility
- Sets service: smb metadata
- Create smb-impossible-travel collection
- Leverages generic impossible-travel scenarios
- Detects compromised credentials used from multiple locations
- Update smb-logs parser to include service metadata
- Improve smb-time-based-bf scenario:
  - Reduce median interval from 5m to 2m for better coverage
  - Add cancel_on for successful authentication (false positive reduction)
  - Filter includes both failed and successful auth events
  - Better coverage between slow-bf (60s) and time-based (>2m)
- Update coverage analysis in documentation:
  - smb-bf: 0-10s intervals
  - smb-slow-bf: 10-60s intervals
  - smb-time-based-bf: >120s intervals
- Update test logs with 3.5-4 minute intervals
- Regenerate all test assertions

- Update parser.assert to include new service: smb metadata
- All SMB parser tests now validate service field

- Add smb-success-logs parser test
  - Tests NT_STATUS_OK successful authentication parsing
  - Validates log_type: auth_success, service: smb metadata
  - Tests multiple users and domains
- Add smb-impossible-travel scenario test
  - Tests generic impossible-travel scenario with SMB
  - Uses geographically distant IPs (AU and US)
  - Includes geoip-enrich for location data
  - Validates impossible travel detection for same user
- Both tests passing successfully

- Add crowdsecurity/smb-success-logs parser to main smb collection
- Ensures success parser is available for smb-time-based-bf cancel_on
- Update documentation to reflect both parsers
- Correct median interval in docs (2min not 5min)
- smb-impossible-travel collection remains separate with parser + scenarios
@LaurenceJJones I was just about to raise an issue that crowdsecurity/smb-logs is limited to "ipv4"; please can you update the patterns to support "ipv6" too.
codersaur
left a comment
There is no need to limit to "ipv4", please support "ipv6" too.
Hey @codersaur, I know you must be passionate about ipv6, but commenting 4 times, all with the same content, is just annoying. Do you have an example log line so I can ensure I get the right fix for this?
Sorry Laurence, I discovered I could add a comment to specific files so thought I was being helpful identifying the files. At least I got the right repo this time... 😅

Here's an example log line:

This will match the SMB_AUTH_FAIL pattern if you change "ipv4" to "ipv\d" in /patterns/smb

For SMB_BAD_PASSWORD:

Similarly, the SMB_BAD_PASSWORD pattern seems to work if you change "ipv4" to "ipv\d" in parsers/s01-parse/crowdsecurity/smb-logs.yaml

I humbly suggest that IPv6 test cases are added across the board, perhaps also a linting rule to spot any hard-coded "ipv4" references...? It is 2025 after all; IPv6 shouldn't be the forgotten sister... especially for a product that puts "IPV6 compatible" in its headline.
Most do already support ipv6; it's just some lesser-used ones such as SMB (cause not many people expose SMB over the internet) that are just not used enough to surface issues. There's no need to add any linting rules when this is the only case where it occurs, cause new parsers use
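Added example (not from the hub repository or from either commenter): a Python version of the fix codersaur describes, showing why an address-family token hard-coded to "ipv4" silently drops IPv6 clients while "ipv\d" keeps both. The sample lines are constructed in the style of Samba's auth audit messages; the field layout in the regex is an assumption about that format rather than the hub's grok pattern, and the log_type label used for failures is a placeholder.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample lines in the style of Samba's auth audit log (assumed format;
# the hub's own test logs are not reproduced here). Line 2 is an IPv6 client,
# which an "ipv4"-only pattern silently drops.
SAMPLE_LOGS = [
    "Auth: [SMB2,(null)] user [CORP]\\[alice] at [Mon, 06 Jan 2025 10:00:00.000000 UTC] "
    "with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] "
    "remote host [ipv4:192.168.1.20:49152] mapped to [CORP]\\[alice]. local host [ipv4:192.168.1.5:445]",
    "Auth: [SMB2,(null)] user [CORP]\\[alice] at [Mon, 06 Jan 2025 10:00:03.000000 UTC] "
    "with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [WS01] "
    "remote host [ipv6:2001:db8::20:49153] mapped to [CORP]\\[alice]. local host [ipv6:2001:db8::5:445]",
    "Auth: [SMB2,(null)] user [CORP]\\[bob] at [Mon, 06 Jan 2025 10:00:09.000000 UTC] "
    "with [NTLMv2] status [NT_STATUS_OK] workstation [WS02] "
    "remote host [ipv4:192.168.1.21:49154] mapped to [CORP]\\[bob]. local host [ipv4:192.168.1.5:445]",
]

# One template, two instantiations: the address-family token is the only difference.
# The IPv6 address itself contains colons, so the address is captured lazily up to
# the final ":<port>]" rather than with a [^:]+ class.
_TEMPLATE = (
    r"Auth: \[(?P<proto>[^\]]+)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]+)\] "
    r"at \[[^\]]*\] with \[(?P<mech>[^\]]+)\] status \[(?P<status>NT_STATUS_\w+)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[ipv{family}:(?P<ip>.+?):(?P<port>\d+)\]"
)
LEGACY_RE = re.compile(_TEMPLATE.format(family="4"))   # "ipv4" only: misses IPv6 clients
FIXED_RE = re.compile(_TEMPLATE.format(family=r"\d"))  # "ipv\d": IPv4 and IPv6


def parse_smb_auth(line: str, pattern: re.Pattern = FIXED_RE) -> Optional[dict]:
    """Return normalised fields for one Samba auth line, or None when the pattern does not match."""
    m = pattern.search(line)
    if m is None:
        return None
    ip = ipaddress.ip_address(m["ip"])  # raises ValueError if the captured text is not an address
    return {
        "source_ip": str(ip),
        "ip_version": ip.version,
        "source_port": int(m["port"]),
        "domain": m["domain"],
        "user": m["user"],
        "status": m["status"],
        # auth_success follows the PR's success parser; "auth_failure" is a placeholder label.
        "log_type": "auth_success" if m["status"] == "NT_STATUS_OK" else "auth_failure",
        "service": "smb",
    }


def parse_all(lines: List[str], pattern: re.Pattern = FIXED_RE) -> List[dict]:
    """Parse every matching line; non-matching lines are dropped, as a parser stage would."""
    return [ev for ev in (parse_smb_auth(line, pattern) for line in lines) if ev is not None]


if __name__ == "__main__":
    print("ipv4-only pattern:", len(parse_all(SAMPLE_LOGS, LEGACY_RE)), "of", len(SAMPLE_LOGS))
    print("ipv\\d pattern:    ", len(parse_all(SAMPLE_LOGS)), "of", len(SAMPLE_LOGS))
    for ev in parse_all(SAMPLE_LOGS):
        print(ev["source_ip"], "v%d" % ev["ip_version"], ev["user"], ev["log_type"])
```

The count difference between the two patterns is the whole bug: an IPv6 brute-forcer never produces a parsed event, so no scenario downstream can bucket it. A parser test with at least one IPv6 line, as codersaur suggests, is what turns that silent drop into a failing assertion.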
Description
🎯 SMB 3-Tier Bruteforce Detection with Impossible Travel
This PR implements a comprehensive SMB security detection suite following the SSH pattern, providing gap-free coverage against all bruteforce attack speeds plus impossible travel detection.
✨ Key Features
3-Tier Bruteforce Detection (Gap-Free Coverage)
- crowdsecurity/smb-bf (Fast attacks - unchanged)
- crowdsecurity/smb-slow-bf (Slower attacks - new)
- crowdsecurity/smb-time-based-bf (Time-spaced attacks - new)
  - MedianInterval() helper
  - cancel_on for successful authentication (false positive reduction)

Success Authentication & Impossible Travel

- crowdsecurity/smb-success-logs parser (new)
  - NT_STATUS_OK successful authentications
  - log_type: auth_success for compatibility
  - service: smb metadata
- crowdsecurity/smb-impossible-travel collection (new)

🔧 Parser Enhancements

- Add service: smb metadata to crowdsecurity/smb-logs parser
6 comprehensive test suites:
- smb-logs - Failed auth parser test
- smb-bf - Fast bruteforce (updated with private IPs)
- smb-slow-bf - Slow bruteforce (15s intervals, 16 events)
- smb-time-based-bf - Time-based bruteforce (3-4min intervals)
- smb-success-logs - Success auth parser test
- smb-impossible-travel - Impossible travel scenario test with GeoIP

All tests use private IP ranges (192.168.1.x) where appropriate.
📊 Coverage Analysis
No detection gaps:
- smb-bf: 0-10s intervals
- smb-slow-bf: 10-60s intervals
- smb-time-based-bf: >120s intervals

This ensures attackers cannot evade detection by adjusting their attack speed.
📦 Collections Updated
- crowdsecurity/smb - Now includes all 3 bruteforce scenarios
- crowdsecurity/smb-impossible-travel (new) - Success logs + impossible travel detection

🎓 Pattern Consistency
Follows the established SSH detection pattern:
- cancel_on approach for false positive reduction

Checklist
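Added example, not part of the PR or of the hub's scenario files: a Python model of the three tiers and the cancel_on behaviour described above, run over constructed event traces (one source per attack speed, plus a legitimate user who fails twice, logs in, then fails twice more). The bucket semantics are simplified assumptions rather than CrowdSec's implementation: one unit per failed event, a leak of one unit per leakspeed, overflow when the level exceeds capacity, cancel_on destroying that source's bucket, and a 2h expiry window standing in for the conditional scenario's leakspeed. The thresholds (10s/5, 60s/10, 3 failures with median interval >2m) are the ones stated in the PR.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthEvent:
    ts: float         # seconds, relative to the start of the trace (constructed)
    source_ip: str
    success: bool     # True for NT_STATUS_OK


@dataclass
class LeakyBucket:
    """Simplified leaky bucket (assumption, not CrowdSec's code): each failed event adds
    one unit, one unit drains per `leakspeed` seconds, overflow when level > capacity."""
    leakspeed: float
    capacity: int
    level: float = 0.0
    last_ts: Optional[float] = None

    def pour(self, ts: float) -> bool:
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leakspeed)
        self.last_ts = ts
        self.level += 1.0
        return self.level > self.capacity


class RateTier:
    """smb-bf / smb-slow-bf: one leaky bucket per source IP over failed auths only."""
    def __init__(self, name: str, leakspeed: float, capacity: int):
        self.name, self.leakspeed, self.capacity = name, leakspeed, capacity
        self.buckets: Dict[str, LeakyBucket] = {}

    def feed(self, ev: AuthEvent) -> bool:
        if ev.success:
            return False
        b = self.buckets.setdefault(ev.source_ip, LeakyBucket(self.leakspeed, self.capacity))
        if b.pour(ev.ts):
            del self.buckets[ev.source_ip]   # overflowed bucket is consumed; a fresh one starts
            return True
        return False


class TimeBasedTier:
    """smb-time-based-bf: fires when >= min_events failures from one source have a median
    inter-arrival interval above min_median seconds. The filter sees successes too, so a
    success can cancel (destroy) the source's bucket when cancel_on_success is set."""
    def __init__(self, name: str, min_events: int = 3, min_median: float = 120.0,
                 window: float = 7200.0, cancel_on_success: bool = True):
        self.name, self.min_events, self.min_median = name, min_events, min_median
        self.window, self.cancel_on_success = window, cancel_on_success
        self.queues: Dict[str, List[float]] = {}

    def feed(self, ev: AuthEvent) -> bool:
        if ev.success:
            if self.cancel_on_success:
                self.queues.pop(ev.source_ip, None)
            return False
        q = self.queues.setdefault(ev.source_ip, [])
        q.append(ev.ts)
        q[:] = [t for t in q if ev.ts - t <= self.window]   # expiry in place of leakspeed
        if len(q) >= self.min_events:
            intervals = [later - earlier for earlier, later in zip(q, q[1:])]
            if statistics.median(intervals) > self.min_median:
                del self.queues[ev.source_ip]
                return True
        return False


def build_traces() -> List[AuthEvent]:
    """Constructed traces: fast (1s), slow (15s, 16 events as in the PR's test), time-spaced
    (200s), and a legitimate user on .13 who fails, fails, succeeds, fails, fails."""
    ev: List[AuthEvent] = []
    ev += [AuthEvent(float(i), "192.168.1.10", False) for i in range(6)]
    ev += [AuthEvent(float(15 * i), "192.168.1.11", False) for i in range(16)]
    ev += [AuthEvent(float(200 * i), "192.168.1.12", False) for i in range(4)]
    ev += [AuthEvent(0.0, "192.168.1.13", False), AuthEvent(200.0, "192.168.1.13", False),
           AuthEvent(400.0, "192.168.1.13", True),
           AuthEvent(600.0, "192.168.1.13", False), AuthEvent(800.0, "192.168.1.13", False)]
    return sorted(ev, key=lambda e: e.ts)


def simulate(cancel_on_success: bool = True) -> Dict[str, List[Tuple[str, float]]]:
    """Feed the traces through all three tiers; returns {scenario: [(source_ip, ts), ...]}."""
    tiers = [RateTier("smb-bf", leakspeed=10.0, capacity=5),
             RateTier("smb-slow-bf", leakspeed=60.0, capacity=10),
             TimeBasedTier("smb-time-based-bf", cancel_on_success=cancel_on_success)]
    alerts: Dict[str, List[Tuple[str, float]]] = {t.name: [] for t in tiers}
    for ev in build_traces():
        for t in tiers:
            if t.feed(ev):
                alerts[t.name].append((ev.source_ip, ev.ts))
    return alerts


if __name__ == "__main__":
    for name, hits in simulate().items():
        print(name, hits)
    print("without cancel_on:", simulate(cancel_on_success=False)["smb-time-based-bf"])
```

Under these assumptions each source trips exactly one tier: .10 overflows smb-bf on its 6th failure, .11 overflows smb-slow-bf on its 14th (at 15s intervals the bucket nets +0.75 per event, which is why a 16-event test is needed), and .12 trips smb-time-based-bf on its 3rd failure. The .13 user is the false-positive case the cancel_on change addresses: with cancel_on the successful login empties the queue and nothing fires; without it the two failures after the login join the two before it and the scenario fires on a user who simply mistyped.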