Send emails from the command line and with elastalert

[davidjud]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

20

Storage for /

500

Storage for /nsm

100

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

I am currently trying to configure ElastAlert to send Emails to an external gmail-address. But apperently you have to install the NULLMAILER Agent on the SO instance, so that the linux system is able to send emails. Also other mail packages like mutt msmtp and mailutils aren't downladable. Is there any possiblity to install a package to send mail from the commandline and later on with elastalert?

Thanks in advance!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[DebianGuru]

I have done this via sendmail. I don't guarantee this is the best solution, but it works for me. It involves a couple of scripts I wrote, some cron jobs, and a little salt file editing and adding a few packages to the OS.

First, if you're using the ISO install, it's a castrated version of Oracle. Only base utilities and SO tools.

1. Add repository for regular Oracle:
   vi /etc/yum.repos.d/oracle9.repo

	[ol9_baseos_latest]
	name=Oracle Linux 9 BaseOS Latest ($basearch)
	baseurl=https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/$basearch/
	gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
	gpgcheck=1
	enabled=1

2. Install new repo and install packages

	dnf install oracle-epel-release-el9
	yum install -y sendmail sendmail-cf

Setup sendmail (You will have to refer to sendmail docs to see exactly what google needs (I know there are directions online)
vi /etc/mail/sendmail.mc
Change "dnl define(SMART_HOST', smtp.your.provider')dnl" line to "define(SMART_HOST', mailerver.mydomain.com')dnl"
Save and restart sendmail with:
service sendmail restart
Test with:
echo "Subject: sendmail test" | sendmail -v [email protected]
Once you get that working, move on to step 3.

3. This only allows the OS to send email, but the problem is that elastalert runs in a docker container and doesn't have access to the sendmail executable on the OS level. (if you were to get into the docker container via 'docker exec -it so-elastalert bash' command, you would see that sendmail doesn't exist (isn't visible) inside the container.) So we can't just pipe something to sendmail directly.

The solution is that you hae to add some lines to
/opt/so/saltstack/default/salt/elastalert/enabled.sls (you'll see other similar lines, where you need to add this)

	# Added by me
      		- /usr/local/bin/so-alerts.sh:/usr/local/bin/so-alerts.sh:ro
     		- /tmp/elastalert:/tmp/elastalert:rw

What I have here is a small script which is run when an alert is triggered by Elastalert.
The script dumps the alert into a semi-formatted file which sendmail understands. (The "From" and "Subjects" fields are added in the script and the alert contents becomes the body of the email.)

The second line there just gives me a place to dump the file into from the script.

4. I added this file under /opt/so/rules/elastalert.

type: blacklist
es_host: 172.17.1.84
es_port: 9200
index: "*:logs-suricata-so"

compare_key:
- "rule.name"
blacklist:
- "GPL ATTACK_RESPONSE id check returned root"

realert:
  minutes: 0

alert:
  - command
command: "/usr/local/bin/so-alerts.sh"

pipe_alert_text: true

Of course, you could trigger it on whatever you want, but I I have a daily cron job like:

# Test NIDS alerts daily at 15:00
	0  19 * * * /usr/bin/curl "http://testmynids.org/uid/index.html" > /dev/null
      		

5. Put this script somewhere (I used /usr/local/bin/so-alerts.sh, but as long as it matches where you mapped it in the previous step, it should work.

#!/bin/sh
# Setup variables.

# Make sure there's a directory in /tmp

strFrom="From: SecurityOnion24"
strName="Name: alert_test"

# Read stdin to file. Uncomment for production.
#
cat - > /tmp/elastalert/alerts.txt
#cat /tmp/elastalert/alerts.txt

# Setup some variables to put in email by parsing our temp file.
strAlertName=$(egrep "ET|GPL" /tmp/elastalert/alerts.txt |cut -d "," -f 1-15 |grep name|cut -d ":" -f 2|cut -d "," -f 1)
strSeverity=$(grep severity_label /tmp/elastalert/alerts.txt |cut -d ":" -f2)

# Build "Subject" and "Header" using the above variables
strSubject="Subject: $strAlertName - Severity: $strSeverity."
strHeader="$strFrom\n$strSubject\n"

# Put header onto email body. The first commented line caused "feedback" alerts when the body contained alerts.
#strEmailBody="$strHeader\n $(cat /tmp/elastalert/alerts.txt)"
strEmailBody="$strHeader\n $(date): Alert: $strAlertName has been detected."


# Send our alert to an email file.
echo $strEmailBody > /tmp/elastalert/email.txt
#echo -e "$(cat /tmp/elastalert/email.txt)"

So when the script is run, the input from stdin is piped into a file under /tmp/elastalerts/alerts.xt (You'll have to make the /tmp/elastalert folder for this to work). This file is well commented, you should be able to understand what's being done. Basically, the file is massaged into something useful and some email tags added, then it is dumpted to /tmp/elastalert/email.txt file.

6. I added a cron job to run every 5 minutes with vi crontab -e

# Check for new email alerts to send out every 5 minutes.
*/5 * * * * /usr/local/bin/so-email-alerts.sh > /dev/null

7. Here's the script for /usr/local/bin/so-email-alerts.sh

#!/bin/sh
# Setup variables.

# Make sure there's an email waiting in /tmp/elastalert
if ! [ -f /tmp/elastalert/email.txt ]
then
#    echo "No waiting email."
    exit 0
fi

# Email Recipients (Who receives the emails)
strTo="To: [email protected]"

# Read the mail from email.txt and prepend the recipients listed above to our email
email="$(cat /tmp/elastalert/email.txt)"
strCompleteEmail="$strTo\n$email"

# Then pipe to email program.
echo -e "$strCompleteEmail" | /usr/sbin/sendmail -t

# Remove the temp file so it can be re-created for the next alert.
# If the sendmail was successful, rename the file to reflect the current date (sort of an archive)
# Currently, this is going to keep a history of your alerts.  It's not quite complete as you'll eventually want to delete alerts 
# older than say 30 days with something like:
# "find  /tmp/elastalert/alerts.txt-*  -type f -mtime +30" at the end of the script.

if [ $? -eq 0 ]
then
        # echo "Sendmail successful. Deleting old email file."
        sleep 5s
        rm -f /tmp/elastalert/email.txt
        mv  /tmp/elastalert/alerts.txt  /tmp/elastalert/alerts.txt-$(date '+%Y-%m-%d %H:%M:%S'|sed -e "s/ /_/g")
else
        echo "Sendmail Failed. NOT deleting old email file."
fi

I know this is a bit convoluted, but it was the only way I could see to get an alert emailed out the way I wanted it to. In my original scripts, it looks at times of the day to determine if it should Really send an alert or if it was just our daily test time.

It would have been so much easier if the elastalert container had a basic sendmail or alternative builtin.

I hope this is helpful?