E-mail when alert or drop

Started by kelskein, July 07, 2020, 04:06:00 PM

Previous topic - Next topic
Print
Go Down Pages 1 2 3
User actions
July 20, 2020, 02:48:53 PM #15 Last Edit: July 20, 2020, 02:52:18 PM by chemlud
OK, I had a look here

https://docs.opnsense.org/manual/monit.html

Enabled monit with a local (LAN on opnsense) email server as recipient and Alert Setting active for an email account on this local server, have a "Service Test Setting" IPS_Block with

Code Select
IPSBlock content = "blocked" Alert

and a Service with

Code Select
Path: /var/log/suricata/eve.json
Tests: IPSBlock

But I don't get an email delivered when IPS blocks.

Any simple way to test the email delivery?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
July 20, 2020, 02:54:23 PM #16
Quote from: chemlud on July 20, 2020, 02:48:53 PM
OK, I had a look here

https://docs.opnsense.org/manual/monit.html

Enabled monit with a local (LAN on opnsense) email server as recipient and Alert Setting active for an email account on this local server, have a "Service Test Setting" IPS_Block with

Code Select
IPSBlock content = "blocked" Alert

and a Service with

Code Select
Path: /var/log/suricata/eve.json
Tests: IPSBlock

But I don't get an email delivered when IPS blocks.

Any simple way to test the email delivery?
Best way I've found to test email is to restart the Monit service.  You should get an email alert that the service was reloaded.  If not then your email settings are wrong.

Sent from my GM1917 using Tapatalk

July 20, 2020, 03:00:22 PM #17
And you should check the contents of eve.log of course :)
July 20, 2020, 03:04:52 PM #18 Last Edit: July 20, 2020, 03:12:56 PM by chemlud
Quote from: FullyBorked on July 20, 2020, 02:54:23 PM
Quote from: chemlud on July 20, 2020, 02:48:53 PM
...

Any simple way to test the email delivery?
Best way I've found to test email is to restart the Monit service.  You should get an email alert that the service was reloaded.  If not then your email settings are wrong.

Sent from my GM1917 using Tapatalk

Hmm, no email on restart... :-(

Quote from: mimugmail on July 20, 2020, 03:00:22 PM
And you should check the contents of eve.log of course :)

No way from GUI, I guess?

PS: Got it! :-D
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
April 13, 2021, 11:26:56 AM #19
Hey,

I've done the following setting by here: https://docs.opnsense.org/manual/monit.html

If i change something on monit i get email, but i get no mails from suricata if package were "blocked". Dont know where the problem is.

Here my settings:

https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24

Someone any idea where the problem is? There are "blocked" alerts in the "eve.json" because i test it and see it in the logs. Ive restart both services.
April 13, 2021, 07:53:58 PM #20
Quote from: Cordial on April 13, 2021, 11:26:56 AM
Hey,

I've done the following setting by here: https://docs.opnsense.org/manual/monit.html

If i change something on monit i get email, but i get no mails from suricata if package were "blocked". Dont know where the problem is.

Here my settings:

https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24

Someone any idea where the problem is? There are "blocked" alerts in the "eve.json" because i test it and see it in the logs. Ive restart both services.

Your screenshots look correct to me.  Any weird spaces after or before the file path? 
April 13, 2021, 09:09:42 PM #21
Just checked it. No spaces. Maybe bug in version 21.1.4?
April 13, 2021, 09:18:30 PM #22
Quote from: Cordial on April 13, 2021, 09:09:42 PM
Just checked it. No spaces. Maybe bug in version 21.1.4?

Guess that's def possible, mine works but was working in prior versions.  So maybe it's a setup issue with latest version of monit?  And you are sure you are seeing new events written by suricata since you've setup monit? 
April 14, 2021, 09:25:31 AM #23
Yep, please show contents of eve.log
April 14, 2021, 11:07:26 AM #24
Here the test with "eicar" from OPNSENSE. Thats the log from the "eve.json" file.

Code Select
{"timestamp":"2021-04-14T10:58:41.140534+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53873,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":51496,"tcpseq":3411792434,"tcpack":912671065,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"r
ev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:58:51.157914+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53873,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62868,"tcpseq":912671064,"tcpack":3411792434,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:01.248336+0200"}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":49181,"tcpseq":567625416,"tcpack":209932426,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"re
v":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:11.338807+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53874,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62882,"tcpseq":209932425,"tcpack":567625416,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:21.381022+0200"}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":5384,"tcpseq":1819799252,"tcpack":315511377,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"re
v":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:31.423306+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53897,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62896,"tcpseq":315511376,"tcpack":1819799252,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:41.568218+0200","flow_id":1798954282727811,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53899,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:41.539011+0200"}}
April 14, 2021, 02:05:07 PM #25
I read back through my posts in this thread.  And it looks like there needs to be a space between content= and "blocked".   So content=<space>"blocked"  it's hard to see.  That was my issue when I first set this up as well it appears. 
April 14, 2021, 02:57:06 PM #26
I can only save monit with 
Code Select
content<space>=<space>"blocked"
With
Code Select
content=<space>"blocked" i cannot save the configuration of monit.
April 14, 2021, 03:07:46 PM #27
Quote from: Cordial on April 14, 2021, 02:57:06 PM
I can only save monit with 
Code Select
content<space>=<space>"blocked"
With
Code Select
content=<space>"blocked" i cannot save the configuration of monit.

Yup, you are right, I'm sorry I missed that second space.  A space on either side of the equal is correct. 

Code Select
content<space>=<space>"blocked"
April 15, 2021, 09:25:37 AM #28
Finally i've got it:

Code Select
content<space>=<space>blocked

Works only without
Code Select
""

Opnsense Version 21.1.4
June 04, 2021, 02:37:58 AM #29
Quote from: FullyBorked on April 14, 2021, 02:05:07 PM
I read back through my posts in this thread.  And it looks like there needs to be a space between content= and "blocked".   So content=<space>"blocked"  it's hard to see.  That was my issue when I first set this up as well it appears.

I have a question for those who have set this up.  If the same suricata rule generates multiple "blocked" entries in eve.json in short period of time, when monit then eventually reads eve.json during the next scheduled polling period and sees all the new "blocked" entries, will that result in monit generating a new email message for each "blocked" entry it finds?  Or is it just one email for each polling period when monit finds andy "blocked" content in eve.json?   I'm asking because I'm wondering if I would get flooded with emails if some device triggered a suricata rule to block repeatedly.
Print
Go Up Pages 1 2 3
User actions