Custom rule for Postfix logging


Wilco

Feb 13, 2025, 5:38:41 AM
to Wazuh | Mailing List
Hi all, 

I have an agent where I scan a logfile with Postfix log entries. If there is a log entry that looks like the one below, I want to trigger a rule. This rule should activate a response script with the from= email as input. I need to escape the from email address from the log entry. I’ve tried, but I feel that my regular expression isn’t working at all. When I insert the log entry into the rule tester, it triggers rule 3303, which is a Postfix rule (makes sense). However, I want the log entry to trigger my custom rule with rule ID 100400.

Here is my log entry:

Feb 13 01:45:15 example-mail postfix-smtp/smtpd[1659017]: NOQUEUE: reject: RCPT from 0.0.0.0.example.net[0.0.0.0]: 450 4.7.1 <te...@gmail.com>: Recipient address rejected: Rate limit reach, retry later; from=<na...@example.com> to=<te...@gmail.com> proto=ESMTP helo=<DESKTOPV4J6P86>

Here is my custom rule:
<group name="postfix-custom,">
    <rule id="100400" level="10">
        <decoded_as>postfix</decoded_as>
        <regex>reject: RCPT from .*: 450 4\.7\.1</regex>
        <regex>Recipient address rejected: Rate limit reach</regex>
        <regex>from=&lt;([^&gt;]+)&gt;</regex>
        <description>Postfix: Recipient address rejected due to rate limit</description>
        <options>no_full_log</options>
        <group>email,</group>
    </rule>
</group>

Note: The rule does not have the active_response tag yet, because I want to make sure the above works first. Also, the IP address and email addresses are redacted.

I'm a beginner with regular expressions, so any help would be appreciated.

Stuti Gupta

Feb 13, 2025, 5:56:54 AM
to Wazuh | Mailing List

Hi Wilco,

You need to create a rule like this:

<group name="postfix-custom">

    <rule id="100400" level="10">
        <if_sid>3303</if_sid>
        <match>Recipient address rejected: Rate limit reach</match>

        <description>Postfix: Recipient address rejected due to rate limit</description>
        <options>no_full_log</options>
        <group>email</group>
    </rule>
</group>

We use <if_sid> because the default rule (3303) is already triggering when testing the log. This custom rule (100400) is a child rule that refines the detection by matching the specific log message. If the log contains this message and the parent rule (3303) is triggered, then rule 100400 will activate.


To learn more about rule syntax and regex: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html and https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Let me know if you need any further assistance!

Wilco

Feb 13, 2025, 9:13:32 AM
to Wazuh | Mailing List
Hi Stuti,

Thank you, this works fine. I experimented with a regular expression to match only the e-mail in the from=<> part and created this:
<regex>^from=\p([^@]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\p</regex>

I used \p to escape the < and > characters because of the XML structure in Wazuh. When I reload the Wazuh manager and test the log entry again, it only triggers the default rule 3303. I think this happens because Wazuh cannot match the regex, and therefore doesn't trigger my rule? Can you help me with that?


On Thursday, February 13, 2025 at 11:56:54 UTC+1, Stuti Gupta wrote:

Stuti Gupta

Feb 19, 2025, 5:07:55 AM
to Wazuh | Mailing List
The regex should be replaced by a match, and you can create a rule like this:

<group name="postfix-custom">
    <rule id="100400" level="10">
        <if_sid>3303</if_sid>
        <match type="osregex">from=\p\.+@\.+\p</match>

        <description>Postfix: Recipient address rejected due to rate limit</description>
        <options>no_full_log</options>
        <group>email</group>
    </rule>
</group>

I believe this explains how the rule should be created. For more information, please refer to https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html and https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html
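As an added example (not code from this thread or from Wazuh), this is how a response script could pull the from= address out of the Postfix reject line once rule 100400 fires, and check that it is a plain address before using it as script input. It uses Python's re dialect, where <, > and [^>] work as written, unlike the OSRegex dialect of <match>/<regex> above, where \p stands for a punctuation character and \. for any character; the log line, addresses and helper names are constructed for the example.

```python
import re

# Constructed sample shaped like the smtpd reject line in the thread
# (placeholder addresses and IP, not real values).
SAMPLE_LOG = (
    "Feb 13 01:45:15 example-mail postfix-smtp/smtpd[1659017]: NOQUEUE: reject: "
    "RCPT from 0.0.0.0.example.net[0.0.0.0]: 450 4.7.1 <rcpt@example.org>: "
    "Recipient address rejected: Rate limit reach, retry later; "
    "from=<sender@example.com> to=<rcpt@example.org> proto=ESMTP helo=<DESKTOPV4J6P86>"
)

# Python/PCRE-style pattern for the NOQUEUE reject line: angle brackets are
# literal and character classes like [^>] are allowed (they are not in OSRegex).
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<enhanced>\d\.\d\.\d) <[^>]*>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Only accept a plain mailbox@domain.tld value as script input; anything else
# (empty sender, shell metacharacters, stray spaces) is discarded.
SAFE_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_reject(line):
    """Return the fields of a Postfix NOQUEUE reject line, or None if it is not one."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def rate_limited_sender(line):
    """Sender address for the 450 rate-limit rejection the custom rule targets.

    Returns None for any other line, any other reject reason, or a sender
    value that is not a safe plain address.
    """
    fields = parse_reject(line)
    if not fields or fields["code"] != "450":
        return None
    if not fields["reason"].startswith("Recipient address rejected: Rate limit reach"):
        return None
    sender = fields["sender"]
    return sender if SAFE_ADDR_RE.match(sender) else None


if __name__ == "__main__":
    print(parse_reject(SAMPLE_LOG))
    print(rate_limited_sender(SAMPLE_LOG))
```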