Add Azlaroc/sftpgo collection with tests for PR crowdsecurity#1461

Azlaroc · Azlaroc · commit 56519a1eeced · 2025-09-14T20:10:53.000Z
diff --git a/.tests/sftpgo-logs/config.yaml b/.tests/sftpgo-logs/config.yaml
@@ -0,0 +1,9 @@
+parsers:
+  - crowdsecurity/syslog-logs
+  - ./parsers/s01-parse/Azlaroc/sftpgo-logs.yaml
+  - crowdsecurity/dateparse-enrich
+scenarios: []
+postoverflows: []
+log_file: sftpgo-logs.log
+log_type: sftpgo
+ignore_parsers: false
diff --git a/.tests/sftpgo-logs/parser.assert b/.tests/sftpgo-logs/parser.assert
@@ -0,0 +1,40 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 10
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][1].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][3].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][4].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][5].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][6].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][7].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][8].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][9].Success == true
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 10
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][1].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][2].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][3].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][4].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][5].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][6].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][7].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][8].Success == false
+results["s00-raw"]["crowdsecurity/syslog-logs"][9].Success == false
+len(results["s01-parse"][""]) == 10
+results["s01-parse"][""][0].Success == false
+results["s01-parse"][""][1].Success == false
+results["s01-parse"][""][2].Success == false
+results["s01-parse"][""][3].Success == false
+results["s01-parse"][""][4].Success == false
+results["s01-parse"][""][5].Success == true
+results["s01-parse"][""][6].Success == true
+results["s01-parse"][""][7].Success == false
+results["s01-parse"][""][8].Success == true
+results["s01-parse"][""][9].Success == true
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 4
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][1].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][2].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][3].Success == true
+len(results["success"][""]) == 0
diff --git a/.tests/sftpgo-logs/sftpgo-logs.log b/.tests/sftpgo-logs/sftpgo-logs.log
@@ -0,0 +1,10 @@
+{"level":"debug","time":"2025-09-13T12:14:31.013","sender":"eventmanager","message":"loading updated rules"}
+{"level":"debug","time":"2025-09-13T12:14:31.013","sender":"dataprovider_sqlite","message":"start user cache check, update time 2025-09-13 12:04:31.013 -0400 EDT"}
+{"level":"debug","time":"2025-09-13T12:14:31.013","sender":"eventmanager","message":"recently updated event rules loaded: 0"}
+{"level":"debug","time":"2025-09-13T12:14:31.013","sender":"eventmanager","message":"event rules updated, fs events: 0, provider events: 0, schedules: 0, ip blocked events: 0, certificate events: 0, IDP login events: 0"}
+{"level":"debug","time":"2025-09-13T12:14:31.013","sender":"dataprovider_sqlite","message":"end user cache check, new update time 2025-09-13 12:14:31.013 -0400 EDT"}
+{"level":"debug","time":"2025-09-13T12:16:35.504","sender":"connection_failed","client_ip":"174.245.92.29","username":"switchgo","login_type":"password","protocol":"SSH","error":"invalid credentials"}
+{"level":"debug","time":"2025-09-13T12:16:35.843","sender":"connection_failed","client_ip":"174.245.92.29","username":"switchgo","login_type":"keyboard-interactive","protocol":"SSH","error":"invalid credentials"}
+{"level":"debug","time":"2025-09-13T12:16:36.014","sender":"sftpd","message":"failed to accept an incoming connection from ip \"174.245.92.29\": ssh: disconnect, reason 11: "}
+{"level":"debug","time":"2025-09-13T12:16:36.014","sender":"connection_failed","client_ip":"174.245.92.29","username":"","login_type":"no_auth_tried","protocol":"SSH","error":"ssh: disconnect, reason 11: "}
+{"level":"debug","time":"2025-09-13T12:16:42.724","sender":"connection_failed","client_ip":"174.245.92.29","username":"switchgo","login_type":"password","protocol":"SSH","error":"invalid credentials"}
diff --git a/collections/Azlaroc/sftpgo.yaml b/collections/Azlaroc/sftpgo.yaml
@@ -0,0 +1,7 @@
+name: Azlaroc/sftpgo
+description: "Collection for detecting bruteforce attacks on SFTPGo (FTP and SFTP protocols)"
+author: "Azlaroc"
+parsers:
+  - Azlaroc/sftpgo-logs
+scenarios:
+  - Azlaroc/sftpgo-bf
diff --git a/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml b/parsers/s01-parse/Azlaroc/sftpgo-logs.yaml
@@ -0,0 +1,29 @@
+onsuccess: next_stage
+pattern_syntax:
+  SFTPGO_TIME: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:%{MINUTE}:%{SECOND}\.%{NUMBER}'
+  SFTPGO_FAILED: '\{"level":"%{WORD:log_level}","time":"%{SFTPGO_TIME:evt_time}","sender":"connection_failed","client_ip":"%{IPV4:client_ip}","username":"%{DATA:username}","login_type":"%{DATA:login_type}","protocol":"%{WORD:protocol}","error":"%{GREEDYDATA:error}"\}'
+filter: evt.Parsed.program == 'sftpgo'
+nodes:
+  - grok:
+      name: SFTPGO_FAILED
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: sftpgo_auth
+        - meta: source_ip
+          expression: evt.Parsed.client_ip
+        - meta: target_user
+          expression: evt.Parsed.username
+        - meta: protocol
+          expression: evt.Parsed.protocol
+        - meta: login_type
+          expression: evt.Parsed.login_type
+        - meta: error
+          expression: evt.Parsed.error
+        - meta: is_failed_login
+          value: true
+        - target: evt.StrTime
+          expression: evt.Parsed.evt_time
+        - meta: service
+          value: sftpgo
+description: Parse SFTPGo authentication logs (failed attempts only)
diff --git a/scenarios/Azlaroc/sftpgo-bf.yaml b/scenarios/Azlaroc/sftpgo-bf.yaml
@@ -0,0 +1,17 @@
+type: leaky
+name: Azlaroc/sftpgo-bf
+description: "Detect SFTPGo bruteforce attacks on FTP/SSH"
+filter: "evt.Meta.log_type == 'sftpgo_auth' && evt.Meta.is_failed_login == 'true'"
+groupby: evt.Meta.source_ip
+capacity: 3
+leakspeed: "30s"
+blackhole: 4h
+labels:
+  service: sftpgo
+  confidence: 3
+  spoofable: 0
+  classification:
+    - attack.T1110
+  behavior: "sftp:bruteforce"
+  label: "SFTPGo Bruteforce"
+  remediation: true
