
Config Email SMS alert

khoanase62625 edited this page Jul 15, 2019 · 3 revisions

1. Config Email

Mutt: 1.12.1

1. Install Mutt

Reference: Setup mutt with Gmail on CentOS and Ubuntu. Install Mutt on CentOS:

sudo yum install mutt

Ubuntu

sudo apt install mutt

Configure Mutt. Create the Mutt cache and certificate files:

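# Create Mutt's header/body cache directories and its certificate store.
# -p on both directories makes the step safe to re-run (the original
# `mkdir ~/.mutt/cache/bodies` fails if the directory already exists).
mkdir -p ~/.mutt/cache/headers ~/.mutt/cache/bodies
# muttrc (created next) holds the mailbox password in plain text, so keep
# the whole ~/.mutt tree private to this user.
chmod 700 ~/.mutt
touch ~/.mutt/certificates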

Create Mutt config file muttrc

vim ~/.mutt/muttrc

Paste this config (NOTE: replace the bold placeholders; the file contains your mailbox password in plain text, so keep it readable only by your own user)

set ssl_starttls=yes
set ssl_force_tls=yes
set imap_user = '**<Snort-alert>**@gmail.com'
set imap_pass = '**<Password>**'
set from='**<Snort-alert>**@gmail.com'
set realname='Snort Alert'
set folder = imaps://imap.gmail.com/
set spoolfile = imaps://imap.gmail.com/INBOX
set postponed="imaps://imap.gmail.com/[Gmail]/Drafts"
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
set smtp_url = 'smtp://**<Snort-alert>**@smtp.gmail.com:587/'
set smtp_pass = '**<Password>**'
set move = no
set imap_keepalive = 900

2. Config Watcher

Open Kibana Management

Open Watcher

Create advanced watch

ID: snort-alert (customize as you like). Name: snort-alert (customize as you like). Watch JSON:

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-snort3j"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-30m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          },
          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "json.rule.keyword",
                "size": 5,
                "order": {
                  "_count": "desc"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].doc_count > params.threshold) { return true; } } return false;",
      "lang": "painless",
      "params": {
        "threshold": 20
      }
    }
  },
  "actions": {
    "send-email-sms": {
      "throttle_period": "15m",
      "webhook": {
        "scheme": "http",
        "host": "192.168.4.2",
        "port": 8080,
        "method": "post",
        "path": "/send-email-sms",
        "params": {},
        "headers": {},
        "auth": {
          "basic": {
            "username": "api",
            "password": "::es_redacted::"
          }
        },
        "body": "{\"rule\":[{{#ctx.payload.results}}\"{{key}}\",{{/ctx.payload.results}}],\"hits\":[{{#ctx.payload.results}}\"{{value}}\",{{/ctx.payload.results}}]}"
      }
    }
  },
  "transform": {
    "script": {
      "source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i].doc_count; if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
      "lang": "painless",
      "params": {
        "threshold": 20
      }
    }
  }
}
  • trigger: how often the watcher evaluates the condition
  • input: the query that fetches data from Elasticsearch
  • condition: checks whether the data meets the threshold that fires the action
  • action: the action taken when the condition is met

2. Config sms

Components: webhook service (Webhookd), SMS service (ShellMS), jq, and an Android device.

1. Install JQ and CURL

JQ CentOS

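# Fetch the jq 1.6 release binary and install it system-wide.
wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
# NOTE(review): compare the download against the checksum published for the
# release (if one is provided) before installing it.
# `install` sets the executable bit and copies in one step; copying into
# /usr/bin needs root, which the original `cp jq /usr/bin` did not have.
sudo install -m 0755 ./jq /usr/bin/jq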

Ubuntu

sudo apt install jq

Curl CentOS

sudo yum install curl

Ubuntu

sudo apt install curl

2. Create send email and sms script

mkdir ~/scripts
vim ~/scripts/send-email-sms

Paste these lines:

#!/bin/bash
### Format: Rule MSG Proto Dst_addr Hits
# Webhookd target for the Watcher action "send-email-sms": $1 is the JSON body
# the watch posts ({"rule":[...],"hits":[...]}). Up to five rules are looked up
# in Elasticsearch and reported by email (mutt) and SMS (ShellMS via adb).
# NOTE(review): the three curl/jq lines below are cut off in this page copy
# (each ends in "$" where the editor wrapped it); restore the full jq filters
# from the original file before using this script.
# NOTE(review): $1, $rule, $QUERY, $EMAIL, $EMAIL_ADDR and $PHONENUMBER are all
# expanded unquoted, and $rule is spliced straight into the query JSON. Quote
# them ("$1", "$rule", -d "$QUERY", ...) and build QUERY with `jq --arg` so a
# rule value received from the webhook cannot change the shape of the query.
TIMESTAMP="$(date +%F\ %T)"
# "\n" stays literal here; `echo -e` turns it into a newline when the mail is sent.
EMAIL="$TIMESTAMP \n"
SMS=""
i=0
# The brace expansion assigns i on every iteration, so the `i+=1` at the end of
# the body never influences the loop.
for i in {0..4}
do
# The watch body may contain a trailing comma before "]"; sed strips it so jq can parse.
rule="$(echo $1 | sed 's/,]/]/g' | jq --raw-output --argjson i $i '.rule[$i]')"
# Unquoted test: an empty rule or one containing spaces breaks `[` and skips the entry.
if [ $rule != "null" ]
then
QUERY="{\"size\":1,\"query\":{\"match\":{\"json.rule\":\"$rule\"}}}"
# Three identical searches for one document; a single query into a variable
# and three jq lookups would do the same work once.
MSG="$(curl -s -XGET "http://localhost:9200/logstash-snort3j/_search" -H 'Content-Type: application/json' -d $QUERY | jq --raw-output '.hits.hits[]._source.jso$
PROTO="$(curl -s -XGET "http://localhost:9200/logstash-snort3j/_search" -H 'Content-Type: application/json' -d $QUERY | jq --raw-output '.hits.hits[]._source.j$
DST_ADDR="$(curl -s -XGET "http://localhost:9200/logstash-snort3j/_search" -H 'Content-Type: application/json' -d $QUERY | jq --raw-output '.hits.hits[]._sourc$
HITS="$(echo $1 | sed 's/,]/]/g' | jq --raw-output --argjson i $i '.hits[$i]')"
EMAIL="$EMAIL RULE :$rule, MSG: $MSG, PROTO $PROTO, DST_ADDR $DST_ADDR, HITS $HITS \n"
SMS="${SMS} $rule,$MSG,$DST_ADDR|"
fi
# `+=` on a plain (non-integer) variable appends the string "1"; it is not arithmetic.
i+=1
done
#send Email
EMAIL_ADDR="**<ADMIN-Email>**"
# mutt's own output is discarded, so a failed send is silent.
echo -e $EMAIL | mutt -s "Snort Alert" $EMAIL_ADDR >> /dev/null 2>&1
#Send sms
PHONENUMBER="**<ADMIN-Phone>**"
# The msg argument is re-parsed by the shell on the device; a rule or message
# containing quotes may truncate or break the SMS text (untested, confirm).
adb shell am startservice --user 0 -n com.android.shellms/.sendSMS -e contact $PHONENUMBER -e msg "\"${SMS}\"" >> /dev/null 2>&1

3. Install Webhookd

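# Download the installer to a private temp file so it can be read before it
# is executed, instead of piping the download straight into bash. Note that
# in the original one-liner sudo applied only to curl, so the installer
# itself ran unprivileged.
installer="$(mktemp)" || exit 1
curl -fsSL -o "$installer" https://raw.githubusercontent.com/ncarlier/webhookd/master/install.sh || exit 1
less "$installer"          # review what it does before running it
sudo bash "$installer"
rm -f -- "$installer"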

Run webhookd (the watch above reaches it over plain HTTP with basic-auth credentials, so keep it on a trusted network segment)

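# Start webhookd in the background, serving the scripts directory. The
# original printed "webhookd has been stopped" immediately after launching,
# which was misleading; report the PID instead. nohup writes output to nohup.out.
nohup webhookd --scripts ~/scripts &
echo "webhookd started (pid $!)"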

4. Install adb shell

sudo apt install android-tools-adb

Start adb server

sudo adb start-server

5. Install ShellMS

  • Connect Android device to ELK server and enable USB debug
  • Download and install ShellMS
  • Grant ShellMS permission to use the SMS service
