Postfix decoder: Making ending doubled dot optional #245

Merged
merged 4 commits into from Dec 17, 2019
Conversation

iasdeoupxe
Contributor

Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4

Contributor

@Lopuiz Lopuiz left a comment


Hello @iasdeoupxe,
First, sorry for the late answer.
Thank you for your contribution. We are going to consider this correction for the next releases.

kind regards, Eva

@Lopuiz Lopuiz changed the base branch from master to 3.10 May 23, 2019 08:13
@iasdeoupxe
Contributor Author

I'm not absolutely sure if this is the way to go / implement this, because if the ending doubled dot is there, the \S+ operator might match it into the IP?

@Lopuiz
Contributor

Lopuiz commented Jun 5, 2019

Yes, you're right. I will study the way to match your log Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4 with the decoder postfix-warning

Contributor

@Lopuiz Lopuiz left a comment


The ending doubled dot will be added in the IP.
Thank you for your correction

@Lopuiz
Contributor

Lopuiz commented Jun 6, 2019

Hello @iasdeoupxe,

How about this regex?
<regex>^warning: (\S+):|warning: Illegal address syntax from unknown[(\S+)]|warning: hostname \S+ does not resolve to address (\d+.\d+.\d+.\d+)</regex>

Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4:


**Phase 1: Completed pre-decoding.
       full event: 'Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4:'
       timestamp: 'Dec 14 22:23:34'
       hostname: 'myhost'
       program_name: 'postfix/smtpd'
       log: 'warning: hostname other.host does not resolve to address 1.2.3.4:'

**Phase 2: Completed decoding.
       decoder: 'postfix'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '3398'
       Level: '6'
       Description: 'Postfix: Illegal address from unknown sender'
**Alert to be generated.

If you agree you can commit it yourself

Regards, Eva

@Lopuiz Lopuiz changed the base branch from 3.10 to 3.9 June 6, 2019 13:14
@iasdeoupxe
Contributor Author

Mhhh, but this then only catches IPv4 addresses and would miss the IPv6 ones. Not sure, but we probably need a regex which matches both?

@Lopuiz
Contributor

Lopuiz commented Jun 11, 2019

@iasdeoupxe
you could create multiple decoders that match IPv4 or IPv6

@iasdeoupxe
Contributor Author

Any suggestion for an IPv6 regex? I'm currently not even sure if such a complex regex as e.g. the one suggested in https://stackoverflow.com/a/17871737 is even possible with the Wazuh ruleset regex.

@Lopuiz
Contributor

Lopuiz commented Jun 17, 2019

No, this regex doesn't work

@iasdeoupxe
Contributor Author

iasdeoupxe commented Aug 23, 2019

So i'm currently stuck on how to proceed with this. Any suggestions on a regex which could match IPv4 AND IPv6 where the ending doubled dot could be removed?

@iasdeoupxe
Contributor Author

Could something like this work?

<regex>^warning: (\S+):|warning: Illegal address syntax from unknown[(\S+)]|warning: hostname \S+ does not resolve to address (\S+): |warning: hostname \S+ does not resolve to address (\S+)</regex>

Description:

If there is an ending dot in the regex, the second one will match and doesn't extract the double dot into the IP; if there is no ending doubled dot, the third regex will kick in.

@iasdeoupxe
Contributor Author

It indeed looks like this could work (ossec-logtest output with the suggested regex above).

Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4


**Phase 1: Completed pre-decoding.
       full event: 'Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4'
       timestamp: 'Dec 14 22:23:34'
       hostname: 'myhost'
       program_name: 'postfix/smtpd'
       log: 'warning: hostname other.host does not resolve to address 1.2.3.4'

**Phase 2: Completed decoding.
       decoder: 'postfix'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '3398'
       Level: '6'
       Description: 'Postfix: Illegal address from unknown sender.'
**Alert to be generated.

and:

Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4: no address associated with name

**Phase 1: Completed pre-decoding.
       full event: 'Dec 14 22:23:34 myhost postfix/smtpd[27266]: warning: hostname other.host does not resolve to address 1.2.3.4: no address associated with name'
       timestamp: 'Dec 14 22:23:34'
       hostname: 'myhost'
       program_name: 'postfix/smtpd'
       log: 'warning: hostname other.host does not resolve to address 1.2.3.4: no address associated with name'

**Phase 2: Completed decoding.
       decoder: 'postfix'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '3398'
       Level: '6'
       Description: 'Postfix: Illegal address from unknown sender.'
**Alert to be generated.
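The two ossec-logtest runs above cover an IPv4 address with and without a trailing reason. To exercise the four alternatives of the proposed regex on more inputs, including the IPv6 question raised earlier in the thread, here is an added Python harness. It is not part of this PR or of Wazuh: it translates the alternatives into Python `re` syntax (OSSEC's own regex dialect differs, for example `[` and `]` are literal there, so ossec-logtest remains the authority), assumes a BSD-style syslog header for the pre-decoding step, and runs over constructed sample lines. Under Python semantics it also shows a case the two runs above do not cover: a line that ends in a bare `:` with no reason text, like the event in the earlier logtest run in this thread, still gets the colon captured into srcip, because the third alternative requires `: ` with a following space.

```python
"""Emulate the postfix decoder's four regex alternatives on sample log lines."""
import re
from typing import Optional

# The four alternatives of the proposed <regex>, translated to Python syntax.
# OSSEC regex is its own dialect (no PCRE; "[" and "]" are literal there), so
# this is an approximation for quick experiments, not the Wazuh engine itself.
# OSRegex splits on "|" and tries the alternatives in order, which the loop in
# srcip_of() reproduces; confirm real behaviour with ossec-logtest.
DECODER_ALTERNATIVES = [
    re.compile(r"^warning: (\S+):"),
    re.compile(r"warning: Illegal address syntax from unknown\[(\S+)\]"),
    re.compile(r"warning: hostname \S+ does not resolve to address (\S+): "),
    re.compile(r"warning: hostname \S+ does not resolve to address (\S+)"),
]

# Syslog header as logtest's "Phase 1" splits it (assumed BSD syslog layout).
PREDECODER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[]+)\[\d+\]: (?P<log>.*)$"
)


def predecode(event: str) -> Optional[dict]:
    """Phase 1: split a syslog line into timestamp/hostname/program_name/log."""
    m = PREDECODER.match(event)
    return m.groupdict() if m else None


def srcip_of(event: str) -> Optional[str]:
    """Phase 2: return what the decoder would store in srcip, or None."""
    fields = predecode(event)
    if not fields or not fields["program_name"].startswith("postfix/"):
        return None
    for pattern in DECODER_ALTERNATIVES:
        hit = pattern.search(fields["log"])
        if hit:
            return hit.group(1)
    return None


# Constructed sample events for this harness, not taken from a real mail server.
HDR = "Dec 14 22:23:34 myhost postfix/smtpd[27266]: "
SAMPLE_EVENTS = {
    "ipv4_no_reason": HDR + "warning: hostname other.host does not resolve to address 1.2.3.4",
    "ipv4_reason": HDR + "warning: hostname other.host does not resolve to address 1.2.3.4: no address associated with name",
    "ipv6_no_reason": HDR + "warning: hostname other.host does not resolve to address 2001:db8::1",
    "ipv6_reason": HDR + "warning: hostname other.host does not resolve to address 2001:db8::1: no address associated with name",
    # Bare trailing colon, no reason text: the colon leaks into srcip.
    "ipv4_bare_colon": HDR + "warning: hostname other.host does not resolve to address 1.2.3.4:",
    "illegal_syntax": HDR + "warning: Illegal address syntax from unknown[203.0.113.5]",
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:16} srcip={srcip_of(event)!r}")
```

The IPv6 lines work with the same `\S+` capture because a colon inside the address is non-whitespace, and the `: ` alternative backtracks to the last colon-space before the reason text. The bare-colon line is the one to check with ossec-logtest before relying on srcip in rules that compare addresses.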

@iasdeoupxe
Contributor Author

iasdeoupxe commented Aug 23, 2019

Changed the PR in 4cb0cc7 with the suggested change from #245 (comment). Found the log entry with the ending doubled dot in https://www.linuxquestions.org/questions/linux-server-73/how-i-can-resolve-the-error-postfix-warning-hostname-does-not-resolve-to-address-4175455058/

@Lopuiz This could be reviewed again. I have also changed the base branch to 3.10, as it seems 3.9 was already released since I created this PR 9 months ago.

@iasdeoupxe iasdeoupxe changed the base branch from 3.9 to 3.10 August 23, 2019 09:29
@chemamartinez chemamartinez added this to In progress in Wazuh 3.11.0 via automation Aug 29, 2019
@Lopuiz Lopuiz self-requested a review August 29, 2019 10:55
@Lopuiz
Contributor

Lopuiz commented Aug 29, 2019

Hi!

I will review it as soon as possible and it will be merged in 3.11.
Thanks.

Regards,
Eva

@iasdeoupxe
Contributor Author

@Lopuiz Any updates on a review? Three months+ for such a minor change is a quite long time frame 😢

@Lopuiz Lopuiz changed the base branch from 3.10 to 3.11 December 17, 2019 14:19
@bah07 bah07 merged commit 212f37a into wazuh:3.11 Dec 17, 2019
Wazuh 3.11.0 automation moved this from In progress to Done Dec 17, 2019
@iasdeoupxe iasdeoupxe deleted the patch-2 branch December 17, 2019 21:43