Replace GREEDYDATA with DATA pattern for SMB IP parsing

- Removed SMB_IP_PORT custom pattern
- Use standard DATA pattern for ip_source_with_port extraction
- Extract IP using lastIndexOf expression to handle IPv6 addresses with ports
- Pattern now works correctly for both IPv4 and IPv6 addresses

Author: LaurenceJJones

.tests/smb-logs/parser.assert

@@ -13,7 +13,7 @@ basename(results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Meta["datasource_type"] == "file"
 results["s00-raw"]["crowdsecurity/non-syslog"][1].Evt.Whitelisted == false
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Success == true
-results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [HOST]\\[guest] at [Tue, 18 Nov 2025 22:37:21.070329 GMT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [localhost] remote host [ipv6:fd00:ffff:ffff:7:101c:49b2:e676:ab41:60630] mapped to [HOST]\\[guest]. local host [ipv6:fd00:ffff:ffff:5::4:445]"
+results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["message"] == "Auth: [SMB2,(null)] user [HOST]\\[guest] at [Tue, 18 Nov 2025 22:37:21.070329 GMT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [localhost] remote host [ipv6:fd00:ffff:ffff:7:101c:49b2:e676:ab41:60630] mapped to [HOST]\\[guest]. local host [ipv6:fd00:ffff:ffff:5::4:445] "
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Parsed["program"] == "smb"
 basename(results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_path"]) == "smb-logs.log"
 results["s00-raw"]["crowdsecurity/non-syslog"][2].Evt.Meta["datasource_type"] == "file"

.tests/smb-logs/smb-logs.log

@@ -1,4 +1,4 @@
 Auth: [SMB2,(null)] user [WORKGROUP]\[root] at [Thu, 14 Oct 2021 15:24:12.023984 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MANTIS] remote host [ipv4:172.17.0.1:44890] mapped to [WORKGROUP]\[root]. local host [ipv4:172.17.0.2:445] 
 Auth: [SMB2,(null)] user [WORKGROUP]\[administrator] at [Thu, 14 Oct 2021 15:24:16.248504 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [MANTIS] remote host [ipv4:172.17.0.1:44896] mapped to [WORKGROUP]\[administrator]. local host [ipv4:172.17.0.2:445]
-Auth: [SMB2,(null)] user [HOST]\[guest] at [Tue, 18 Nov 2025 22:37:21.070329 GMT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [localhost] remote host [ipv6:fd00:ffff:ffff:7:101c:49b2:e676:ab41:60630] mapped to [HOST]\[guest]. local host [ipv6:fd00:ffff:ffff:5::4:445]
+Auth: [SMB2,(null)] user [HOST]\[guest] at [Tue, 18 Nov 2025 22:37:21.070329 GMT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [localhost] remote host [ipv6:fd00:ffff:ffff:7:101c:49b2:e676:ab41:60630] mapped to [HOST]\[guest]. local host [ipv6:fd00:ffff:ffff:5::4:445] 
 Auth: [SMB2,(null)] user [HOST]\[testuser] at [Wed, 19 Nov 2025 10:23:54.603389 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [localhost] remote host [ipv6:fd00:ffff:ffff:7:101c:49b2:e676:ab41:60763] mapped to [HOST]\[testuser]. local host [ipv6:fd00:ffff:ffff:5::4:445] 

parsers/s01-parse/crowdsecurity/smb-logs.yaml

@@ -3,8 +3,8 @@ name: crowdsecurity/smb-logs
 filter: evt.Parsed.program == 'smb'
 description: "Parse SMB logs"
 pattern_syntax:
-  SMB_AUTH_FAIL: "Auth:%{GREEDYDATA} user \\[%{DATA:smb_domain}\\]\\\\\\[%{DATA:user}\\]%{GREEDYDATA} status \\[NT_STATUS_NO_SUCH_USER\\]%{GREEDYDATA} remote host \\[ipv\\d:%{DATA:ip_source_with_port}\\]"
-  SMB_BAD_PASSWORD: "Auth:%{GREEDYDATA} user \\[%{DATA:smb_domain}\\]\\\\\\[%{DATA:user}\\]%{GREEDYDATA} status \\[NT_STATUS_WRONG_PASSWORD\\]%{GREEDYDATA} remote host \\[ipv\\d:%{DATA:ip_source_with_port}\\]"
+  SMB_AUTH_FAIL: "Auth: \\[%{DATA}\\] user \\[%{DATA:smb_domain}\\]\\\\\\[%{DATA:user}\\] at \\[%{DATA}\\] with \\[%{DATA}\\] status \\[NT_STATUS_NO_SUCH_USER\\] workstation \\[%{DATA}\\] remote host \\[ipv\\d:%{DATA:ip_source_with_port}\\]"
+  SMB_BAD_PASSWORD: "Auth: \\[%{DATA}\\] user \\[%{DATA:smb_domain}\\]\\\\\\[%{DATA:user}\\] at \\[%{DATA}\\] with \\[%{DATA}\\] status \\[NT_STATUS_WRONG_PASSWORD\\] workstation \\[%{DATA}\\] remote host \\[ipv\\d:%{DATA:ip_source_with_port}\\]"
 nodes:
  - grok:
     name: "SMB_AUTH_FAIL"