E-mail when alert or drop

[chemlud]

OK, I had a look here

https://docs.opnsense.org/manual/monit.html

Enabled monit with a local (LAN on opnsense) email server as recipient and Alert Setting active for an email account on this local server, have a "Service Test Setting" IPS_Block with

Code: [Select]

IPSBlock content = "blocked" Alert
and a Service with

Code: [Select]

Path: /var/log/suricata/eve.json
Tests: IPSBlock
But I don't get an email delivered when IPS blocks.

Any simple way to test the email delivery?

[FullyBorked]

OK, I had a look here

https://docs.opnsense.org/manual/monit.html

Enabled monit with a local (LAN on opnsense) email server as recipient and Alert Setting active for an email account on this local server, have a "Service Test Setting" IPS_Block with

Code: [Select]

IPSBlock content = "blocked" Alert
and a Service with

Code: [Select]

Path: /var/log/suricata/eve.json
Tests: IPSBlock
But I don't get an email delivered when IPS blocks.

Any simple way to test the email delivery?

Best way I've found to test email is to restart the Monit service.  You should get an email alert that the service was reloaded.  If not then your email settings are wrong.

Sent from my GM1917 using Tapatalk

[mimugmail]

And you should check the contents of eve.log of course

[chemlud]

...

Any simple way to test the email delivery?

Best way I've found to test email is to restart the Monit service.  You should get an email alert that the service was reloaded.  If not then your email settings are wrong.

Sent from my GM1917 using Tapatalk

Hmm, no email on restart... :-(

And you should check the contents of eve.log of course

No way from GUI, I guess?

PS: Got it! :-D

[Cordial]

Hey,

I've done the following setting by here: https://docs.opnsense.org/manual/monit.html

If i change something on monit i get email, but i get no mails from suricata if package were "blocked". Dont know where the problem is.

Here my settings:

https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24

Someone any idea where the problem is? There are "blocked" alerts in the "eve.json" because i test it and see it in the logs. Ive restart both services.

[FullyBorked]

Hey,

I've done the following setting by here: https://docs.opnsense.org/manual/monit.html

If i change something on monit i get email, but i get no mails from suricata if package were "blocked". Dont know where the problem is.

Here my settings:

https://prnt.sc/11bsti8
https://prnt.sc/11bsuvw
https://prnt.sc/11bsw24

Someone any idea where the problem is? There are "blocked" alerts in the "eve.json" because i test it and see it in the logs. Ive restart both services.

Your screenshots look correct to me.  Any weird spaces after or before the file path? 

[Cordial]

Just checked it. No spaces. Maybe bug in version 21.1.4?

[FullyBorked]

Just checked it. No spaces. Maybe bug in version 21.1.4?

Guess that's def possible, mine works but was working in prior versions.  So maybe it's a setup issue with latest version of monit?  And you are sure you are seeing new events written by suricata since you've setup monit? 

[mimugmail]

Yep, please show contents of eve.log

[Cordial]

Here the test with "eicar" from OPNSENSE. Thats the log from the "eve.json" file.

Code: [Select]

{"timestamp":"2021-04-14T10:58:41.140534+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53873,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":51496,"tcpseq":3411792434,"tcpack":912671065,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"r
ev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:58:51.157914+0200","flow_id":1766089189079292,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53873,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62868,"tcpseq":912671064,"tcpack":3411792434,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:01.248336+0200"}}
{"timestamp":"2021-04-14T10:59:01.277236+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53874,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":49181,"tcpseq":567625416,"tcpack":209932426,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"re
v":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:11.338807+0200","flow_id":1704439229827600,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53874,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62882,"tcpseq":209932425,"tcpack":567625416,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:21.381022+0200"}}
{"timestamp":"2021-04-14T10:59:21.410023+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20^","event_type":"drop","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53897,"proto":"TCP","drop":{"len":376,
"tos":0,"ttl":56,"ipid":5384,"tcpseq":1819799252,"tcpack":315511377,"tcpwin":501,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":7999999,"re
v":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-04-14T10:59:31.423306+0200","flow_id":1697103426998366,"in_iface":"igb3_vlan20","event_type":"drop","src_ip":"192.168.170.54","src_port":53897,"dest_ip":"89.149.211.205","dest_port":80,"proto":"TCP","drop":{"len":41,"t
os":0,"ttl":128,"ipid":62896,"tcpseq":315511376,"tcpack":1819799252,"tcpwin":516,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
{"timestamp":"2021-04-14T10:59:41.568218+0200","flow_id":1798954282727811,"in_iface":"igb3_vlan20^","event_type":"alert","src_ip":"89.149.211.205","src_port":80,"dest_ip":"192.168.170.54","dest_port":53899,"proto":"TCP","alert":{"action"
:"blocked","gid":1,"signature_id":7999999,"rev":1,"signature":"OPNsense test eicar virus","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"pkg.opnsense.org","url":"\/test\/eicar.com.txt","http_user_agent":"Mozilla\/
5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko\/20100101 Firefox\/87.0","http_content_type":"text\/plain","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":68},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient"
:3,"bytes_toserver":584,"bytes_toclient":510,"start":"2021-04-14T10:59:41.539011+0200"}}

[FullyBorked]

I read back through my posts in this thread.  And it looks like there needs to be a space between content= and "blocked".   So content=<space>"blocked"  it's hard to see.  That was my issue when I first set this up as well it appears. 

[Cordial]

I can only save monit with 

Code: [Select]

content<space>=<space>"blocked"
With

Code: [Select]

content=<space>"blocked" i cannot save the configuration of monit.

[FullyBorked]

I can only save monit with 

Code: [Select]

content<space>=<space>"blocked"
With

Code: [Select]

content=<space>"blocked" i cannot save the configuration of monit.

Yup, you are right, I'm sorry I missed that second space.  A space on either side of the equal is correct. 

Code: [Select]

content<space>=<space>"blocked"

[Cordial]

Finally i've got it:

Code: [Select]

content<space>=<space>blocked
Works only without

Code: [Select]

""
Opnsense Version 21.1.4

[gfeiner]

I read back through my posts in this thread.  And it looks like there needs to be a space between content= and "blocked".   So content=<space>"blocked"  it's hard to see.  That was my issue when I first set this up as well it appears.

I have a question for those who have set this up.  If the same suricata rule generates multiple "blocked" entries in eve.json in short period of time, when monit then eventually reads eve.json during the next scheduled polling period and sees all the new "blocked" entries, will that result in monit generating a new email message for each "blocked" entry it finds?  Or is it just one email for each polling period when monit finds andy "blocked" content in eve.json?   I'm asking because I'm wondering if I would get flooded with emails if some device triggered a suricata rule to block repeatedly.