Config Email SMS alert - khoanase62625/Snort-Capstone GitHub Wiki
Mutt: 1.12.1
Reference: Setup mutt with Gmail on CentOS and Ubuntu
Install Mutt
CentOS
sudo yum install mutt
Ubuntu
sudo apt install mutt
Config Mutt
Create the Mutt component folders
mkdir -p ~/.mutt/cache/headers
mkdir ~/.mutt/cache/bodies
touch ~/.mutt/certificates
Create Mutt config file muttrc
vim ~/.mutt/muttrc
Paste this config (NOTE: change the bold text). The file stores the Gmail password in plaintext, so make it readable only by your own user (`chmod 600 ~/.mutt/muttrc`).
set ssl_starttls=yes
set ssl_force_tls=yes
set imap_user = '**<Snort-alert>**@gmail.com'
set imap_pass = '**<Password>**'
set from='**<Snort-alert>**@gmail.com'
set realname='Snort Alert'
set folder = imaps://imap.gmail.com/
set spoolfile = imaps://imap.gmail.com/INBOX
set postponed="imaps://imap.gmail.com/[Gmail]/Drafts"
set header_cache = "~/.mutt/cache/headers"
set message_cachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
set smtp_url = 'smtp://**<Snort-alert>**@smtp.gmail.com:587/'
set smtp_pass = '**<Password>**'
set move = no
set imap_keepalive = 900
Open Kibana Management
Open Watcher
Create advanced watch
ID: snort-alert (customize with your choice)
Name: snort-alert (customize with your choice)
Watch JSON:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-snort3j"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"gte": "{{ctx.trigger.scheduled_time}}||-30m",
"lte": "{{ctx.trigger.scheduled_time}}",
"format": "strict_date_optional_time||epoch_millis"
}
}
}
}
},
"aggs": {
"bucketAgg": {
"terms": {
"field": "json.rule.keyword",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
},
"condition": {
"script": {
"source": "ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; for (int i = 0; i < arr.length; i++) { if (arr[i].doc_count > params.threshold) { return true; } } return false;",
"lang": "painless",
"params": {
"threshold": 20
}
}
},
"actions": {
"send-email-sms": {
"throttle_period": "15m",
"webhook": {
"scheme": "http",
"host": "192.168.4.2",
"port": 8080,
"method": "post",
"path": "/send-email-sms",
"params": {},
"headers": {},
"auth": {
"basic": {
"username": "api",
"password": "::es_redacted::"
}
},
"body": "{\"rule\":[{{#ctx.payload.results}}\"{{key}}\",{{/ctx.payload.results}}],\"hits\":[{{#ctx.payload.results}}\"{{value}}\",{{/ctx.payload.results}}]}"
}
}
},
"transform": {
"script": {
"source": "HashMap result = new HashMap(); ArrayList arr = ctx.payload.aggregations.bucketAgg.buckets; ArrayList filteredHits = new ArrayList(); for (int i = 0; i < arr.length; i++) { HashMap filteredHit = new HashMap(); filteredHit.key = arr[i].key; filteredHit.value = arr[i].doc_count; if (filteredHit.value > params.threshold) { filteredHits.add(filteredHit); } } result.results = filteredHits; return result;",
"lang": "painless",
"params": {
"threshold": 20
}
}
}
}
- trigger: how often the watch runs and checks its condition
- input: the Elasticsearch query whose results the watch evaluates
- condition: the check that decides whether the action fires (here: whether any rule bucket has more hits than the threshold)
- actions: what runs when the condition is met; here a webhook POST to the script below (the `transform` script reshapes the aggregation into the `results` list that the webhook body template reads). Note that the webhook uses `"scheme": "http"` together with basic auth, so the credentials and the alert data travel unencrypted unless the webhook host is only reachable over a trusted network.
Webhook service: Webhookd
SMS service: ShellMS
JSON tool: jq
An Android device
Install jq
CentOS
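# Download the jq 1.6 release binary. Nothing in these steps verifies what was
# downloaded: compare the file against the checksum published for that release
# (e.g. with `sha256sum jq`) before installing it system-wide.
wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
chmod +x ./jq
# Copying into /usr/bin needs root, like the yum/apt steps above.
sudo cp jq /usr/bin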
Ubuntu
sudo apt install jq
Install curl
CentOS
sudo yum install curl
Ubuntu
sudo apt install curl
mkdir ~/scripts
vim ~/scripts/send-email-sms
Paste these lines:
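#!/bin/bash
# Webhook handler for the Watcher action "send-email-sms".
#
# Arguments:
#   $1 - the JSON body posted by the watch: {"rule":[...],"hits":[...]}.
#        The watch's mustache template leaves a trailing "," before each "]";
#        it is stripped below so the body parses as JSON.
# Outputs: nothing on stdout; sends one e-mail through mutt and one SMS
#          through ShellMS (adb). Diagnostics go to stderr.
# Returns: 2 on a usage error, otherwise 0.
### Format: Rule MSG Proto Dst_addr Hits
set -u

ES_SEARCH_URL="http://localhost:9200/logstash-snort3j/_search"
EMAIL_ADDR="**<ADMIN-Email>**"
PHONENUMBER="**<ADMIN-Phone>**"
# The wiki shows these three jq paths cut off after "._source.j…", so the exact
# field names are not known here: fill in the path, under ._source, of the alert
# message, the protocol and the destination address (bold text = placeholder).
MSG_PATH='.hits.hits[]._source.**<MSG-FIELD>**'
PROTO_PATH='.hits.hits[]._source.**<PROTO-FIELD>**'
DST_ADDR_PATH='.hits.hits[]._source.**<DST-ADDR-FIELD>**'

if [ $# -lt 1 ] || [ -z "$1" ]; then
  printf 'usage: %s <watch-json-body>\n' "${0##*/}" >&2
  exit 2
fi

# Normalise the payload once instead of once per jq call.
PAYLOAD="$(printf '%s' "$1" | sed 's/,]/]/g')"
TIMESTAMP="$(date '+%F %T')"
EMAIL="$TIMESTAMP"$'\n'
SMS=""

for i in {0..4}; do
  rule="$(printf '%s' "$PAYLOAD" | jq --raw-output --argjson i "$i" '.rule[$i]')"
  # Empty means jq could not parse the payload; "null" means fewer than 5 rules.
  if [ -z "$rule" ] || [ "$rule" = "null" ]; then
    continue
  fi
  HITS="$(printf '%s' "$PAYLOAD" | jq --raw-output --argjson i "$i" '.hits[$i]')"
  # The rule name originates from the alert, i.e. from traffic the sensor saw.
  # Let jq JSON-encode it instead of splicing it into a query string, so quotes
  # or braces in it cannot alter the query; quoting "$QUERY" also keeps rule
  # names with spaces intact.
  QUERY="$(jq -cn --arg rule "$rule" '{size: 1, query: {match: {"json.rule": $rule}}}')"
  # One lookup per rule; the original issued the same request three times.
  DOC="$(curl -s -XGET "$ES_SEARCH_URL" -H 'Content-Type: application/json' -d "$QUERY")"
  MSG="$(printf '%s' "$DOC" | jq --raw-output "$MSG_PATH")"
  PROTO="$(printf '%s' "$DOC" | jq --raw-output "$PROTO_PATH")"
  DST_ADDR="$(printf '%s' "$DOC" | jq --raw-output "$DST_ADDR_PATH")"
  EMAIL="$EMAIL RULE :$rule, MSG: $MSG, PROTO $PROTO, DST_ADDR $DST_ADDR, HITS $HITS"$'\n'
  SMS="${SMS} $rule,$MSG,$DST_ADDR|"
done

# Send e-mail. Quoting keeps rule/message text from being word-split or
# glob-expanded on the way to mutt.
printf '%s' "$EMAIL" | mutt -s "Snort Alert" "$EMAIL_ADDR" >/dev/null 2>&1

# Send SMS. 'adb shell' joins its arguments into one command line that the
# device's shell re-parses, so the message is single-quoted for that shell;
# otherwise shell metacharacters in a rule name or alert message would be
# executed on the phone.
sms_quoted="'${SMS//\'/\'\\\'\'}'"
adb shell am startservice --user 0 -n com.android.shellms/.sendSMS \
  -e contact "$PHONENUMBER" -e msg "$sms_quoted" >/dev/null 2>&1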
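# 'sudo curl ... | bash' elevates only curl: the installer itself runs as the
# invoking user, and a failed download would feed an error page into bash.
# Fetch it to a file first (-f: fail on HTTP errors), review it, then run it
# with the privileges it needs.
curl -fsSL -o webhookd-install.sh https://raw.githubusercontent.com/ncarlier/webhookd/master/install.sh
sudo bash ./webhookd-install.sh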
Run webhookd
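# Start webhookd in the background. The original echoed "webhookd has been
# stopped" right after launching it, which is misleading: '&' returns at once
# and says nothing about the process; nohup keeps its output in nohup.out.
nohup webhookd --scripts ~/scripts &
echo "webhookd started in the background (pid $!); see nohup.out for its output"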
sudo apt install android-tools-adb
Start adb server
sudo adb start-server
- Connect the Android device to the ELK server and enable USB debugging
- Download and install ShellMS
- Grant ShellMS permission to use the SMS service