OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: kelskein on July 07, 2020, 04:06:00 pm
-
I am using Suricata as IDS/IPS on several OPNsense firewalls, which is running great. Now I am checking the firewalls once a month for alerts/drops. Is it possible to configure OPNsense to email when a Suricata alert occurs?
I have been reading to setup monit, but this seems only for Firewall system alerts.
-
You should be able to select suricata logs as well I think ..
-
Should be able to select the log file and use a regular expression to pull the dropped log. Might be a bit over my head. I'm wanting to do this as well; if I figure it out I'll try and remember to post it here.
Sent from my GM1917 using Tapatalk
-
I've made some progress here but I'm still a bit over my head.
The logs are located in /var/log/suricata/eve.json
I can parse the logs and provide output using tail and piping to awk and parsing with
tail eve.json | awk -F"," '$10 ~ /blocked/ {print $1,$5,$6,$7,$8,$9,$10,$14}'
I'm struggling to understand how to get monit to look at only new logs. Do I have to make a script? I'm in over my head there for sure. The tail of the file does a good job of providing output for an alert, but I don't know how it can be used for monitoring.
Articles of note.
- How to setup monit - https://forum.opnsense.org/index.php?topic=5303.0
- Monit Documentation - https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST
- Suricata documentation on how to parse log files - https://buildmedia.readthedocs.org/media/pdf/suricata/suricata-4.0.1/suricata.pdf
-
ok, I waaaaay overthought this. Mainly due to my noobness with monit and opnsense. Here's how to make this work.
Create a Service Test
Name: IPS Block
Condition: content= "blocked"
Action: Alert
Then create Service Settings
Name: Suricata_alert
Type: File
Path: /var/log/suricata/eve.json
Tests: Select "IPS Blocked"
Save, apply, and restart suricata then test and you should get an alert via monit. Hope this helps.
-
Thx, really smart 8)
Do you want to add it to official docs?
-
Thx, really smart 8)
Do you want to add it to official docs?
Not sure if that's necessary, I think the docs cover it ok. I was just not understanding how it worked.
-
I will add it as a third example :)
Maybe it's also too easy to understand for others :)
-
I will add it as a third example :)
Maybe it's also too easy to understand for others :)
8)
-
I tried this and Monit won't start up. Had to delete to get it started again. It was complaining about syntax error on line 37.
-
I tried this and Monit won't start up. Had to delete to get it started again. It was complaining about syntax error on line 37.
Can you post screenshots of what you have? Maybe we can notice the syntax error.
Sent from my GM1917 using Tapatalk
-
No screenshot... here's the error message
root: /usr/local/etc/rc.d/monit: WARNING: failed to start monit
Jul 18 15:20:07 monit: /usr/local/etc/monitrc:32: syntax error 'content='
-
content = "blocked"
check spaces ...
-
Ok, tried with spaces... so far so good. Will monitor
Thanks,
Richard
-
Added the space into my example so that copy paste works without error.
-
OK, I had a look here
https://docs.opnsense.org/manual/monit.html
Enabled monit with a local (LAN on OPNsense) email server as recipient and Alert Setting active for an email account on this local server; I have a "Service Test Setting" IPS_Block with
IPSBlock content = "blocked" Alert
and a Service with
Path: /var/log/suricata/eve.json
Tests: IPSBlock
But I don't get an email delivered when IPS blocks.
Any simple way to test the email delivery?
-
OK, I had a look here
https://docs.opnsense.org/manual/monit.html
Enabled monit with a local (LAN on OPNsense) email server as recipient and Alert Setting active for an email account on this local server; I have a "Service Test Setting" IPS_Block with
IPSBlock content = "blocked" Alert
and a Service with
Path: /var/log/suricata/eve.json
Tests: IPSBlock
But I don't get an email delivered when IPS blocks.
Any simple way to test the email delivery?
Best way I've found to test email is to restart the Monit service. You should get an email alert that the service was reloaded. If not then your email settings are wrong.
Sent from my GM1917 using Tapatalk
-
And you should check the contents of eve.log of course :)
-
...
Any simple way to test the email delivery?
Best way I've found to test email is to restart the Monit service. You should get an email alert that the service was reloaded. If not then your email settings are wrong.
Sent from my GM1917 using Tapatalk
Hmm, no email on restart... :-(
And you should check the contents of eve.log of course :)
No way from GUI, I guess?
PS: Got it! :-D
-
Hey,
I've done the following settings from here: https://docs.opnsense.org/manual/monit.html
If I change something on Monit I get an email, but I get no mails from Suricata if packets were "blocked". Don't know where the problem is.
Here my settings:
https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24
Does someone have any idea where the problem is? There are "blocked" alerts in the "eve.json" because I tested it and see it in the logs. I've restarted both services.
-
Hey,
I've done the following settings from here: https://docs.opnsense.org/manual/monit.html
If I change something on Monit I get an email, but I get no mails from Suricata if packets were "blocked". Don't know where the problem is.
Here my settings:
https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24
Does someone have any idea where the problem is? There are "blocked" alerts in the "eve.json" because I tested it and see it in the logs. I've restarted both services.
Your screenshots look correct to me. Any weird spaces after or before the file path?
-
Just checked it. No spaces. Maybe bug in version 21.1.4?
-
Just checked it. No spaces. Maybe bug in version 21.1.4?
Guess that's definitely possible; mine works but was set up in prior versions. So maybe it's a setup issue with the latest version of Monit? And you are sure you are seeing new events written by Suricata since you've set up Monit?
-
Yep, please show contents of eve.log
-
Here is the test with "eicar" from OPNsense. That's the log from the "eve.json" file.
{"timestamp":"2021-04-14T10:58:41.140534+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53873,"proto":"TCP","drop":{"len":376,"tos":0,"ttl":56,"ipid":51496,"tcpseq":3411792434,"tcpack":912671065,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:58:51.157914+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53873,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"tos":0,"ttl":128,"ipid":62868,"tcpseq":912671064,"tcpack":3411792434,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:01.248336+0200"}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","drop":{"len":376,"tos":0,"ttl":56,"ipid":49181,"tcpseq":567625416,"tcpack":209932426,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:11.338807+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53874,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"tos":0,"ttl":128,"ipid":62882,"tcpseq":209932425,"tcpack":567625416,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:21.381022+0200"}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","drop":{"len":376,"tos":0,"ttl":56,"ipid":5384,"tcpseq":1819799252,"tcpack":315511377,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:31.423306+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53897,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"tos":0,"ttl":128,"ipid":62896,"tcpseq":315511376,"tcpack":1819799252,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:41.568218+0200","flow_id":1798954282727811,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53899,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:41.539011+0200"}}
-
I read back through my posts in this thread. And it looks like there needs to be a space between content= and "blocked". So content=<space>"blocked" it's hard to see. That was my issue when I first set this up as well it appears.
-
I can only save monit with
content<space>=<space>"blocked"
With content=<space>"blocked"
I cannot save the configuration of monit.
-
I can only save monit with content<space>=<space>"blocked"
With content=<space>"blocked"
I cannot save the configuration of monit.
Yup, you are right, I'm sorry I missed that second space. A space on either side of the equal is correct.
content<space>=<space>"blocked"
-
Finally I've got it:
content<space>=<space>blocked
Works only without ""
Opnsense Version 21.1.4
-
I read back through my posts in this thread. And it looks like there needs to be a space between content= and "blocked". So content=<space>"blocked" it's hard to see. That was my issue when I first set this up as well it appears.
I have a question for those who have set this up. If the same Suricata rule generates multiple "blocked" entries in eve.json in a short period of time, when monit then eventually reads eve.json during the next scheduled polling period and sees all the new "blocked" entries, will that result in monit generating a new email message for each "blocked" entry it finds? Or is it just one email for each polling period when monit finds any "blocked" content in eve.json? I'm asking because I'm wondering if I would get flooded with emails if some device triggered a Suricata rule to block repeatedly.
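An added example, not from this thread or from OPNsense or Monit, that covers two things asked about above: reading only the records appended to eve.json since the last poll (the earlier question about getting monit to look at only new logs) and collapsing repeated "blocked" hits into one summary line per signature, so a rule that fires repeatedly yields one message per poll rather than one per entry. It selects records by the alert.action key instead of a fixed comma-field index, which is why it does not break when the "alert" object sits at a different position in "drop" and "alert" records, as in the log posted above; the sample records are constructed, and hooking the script into monit as a program check is assumed rather than shown.

```python
import json
import os
import tempfile
from collections import Counter
# Constructed eve.json records, trimmed to the fields used here (same shape as the log posted in this thread).
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2021-04-14T10:58:41.140534+0200","event_type":"drop","src_ip":"89.149.211.205","dest_ip":"192.168.170.54","drop":{"len":376},"alert":{"action":"blocked","signature_id":7999999,"signature":"OPNsense test eicar virus","severity":2}}',
    '{"timestamp":"2021-04-14T10:58:51.157914+0200","event_type":"drop","src_ip":"192.168.170.54","dest_ip":"89.149.211.205","drop":{"len":41}}',
    '{"timestamp":"2021-04-14T10:59:01.277236+0200","event_type":"alert","src_ip":"89.149.211.205","dest_ip":"192.168.170.54","alert":{"action":"blocked","signature_id":7999999,"signature":"OPNsense test eicar virus","severity":2}}',
]) + "\n"

# Return only the lines appended since the last poll; the byte offset is kept in state_path.
def read_new_lines(path, state_path):
    offset = int(open(state_path).read().strip() or 0) if os.path.exists(state_path) else 0
    if os.path.getsize(path) < offset:   # file rotated or truncated: start from the top
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    nl = data.rfind(b"\n")
    data = data[:nl + 1] if nl >= 0 else b""   # complete lines only; a half-written record is re-read next poll
    with open(state_path, "w") as f: f.write(str(offset + len(data)))
    return data.decode("utf-8", "replace").splitlines()

# Select records whose alert.action is "blocked" by key name, so it does not matter at which
# comma-separated position the "alert" object sits (the awk field index earlier in the thread does).
def blocked_alerts(lines):
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue   # skip a malformed record instead of aborting the whole poll
        alert = rec.get("alert") or {}
        if alert.get("action") == "blocked":
            out.append((alert.get("signature_id"), alert.get("signature"), rec.get("src_ip"), rec.get("dest_ip")))
    return out

# Collapse repeated hits into one line per signature: one summary per poll instead of one message per entry.
def summarize(alerts):
    counts = Counter((sid, sig) for sid, sig, _, _ in alerts)
    return ["%dx sid %s: %s" % (n, sid, sig) for (sid, sig), n in sorted(counts.items(), key=lambda kv: str(kv[0]))]

# Demo on the constructed sample: poll twice and return what each poll produced.
def run_demo():
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "eve.json"), os.path.join(d, "eve.offset")
    with open(log, "w") as f: f.write(SAMPLE_EVE)
    first = summarize(blocked_alerts(read_new_lines(log, state)))
    second = read_new_lines(log, state)   # nothing appended in between: empty list
    return first, second
```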
-
I also had more success with
content<space>=<space>alert
i.e. without using quotation marks ""
-
Use a regular expression to pull the dropped log. Before that, you should be able to select the log file.