Elastalert custom alerter and rule types


quentin mallet

May 21, 2018, 6:15:19 AM
to security-onion
Good morning,
I've been digging into elastalert and I would like to be able to implement custom rule types (say to check for successful brute forces, users logging in on workstations after hours or from strange places) as well as creating custom alerters (like to insert the alert into the sguil database).

I read the docs and found out which classes I need to extend to be able to do so. When I looked at my SO install I found out that there was no way to access those folders from the host. Using docker copy wouldn't be optimal since those new rule types and alerters would get overwritten every time the container is updated.

Will it be possible, in a future update, to add scripts on the host that would be mounted in a /opt/elastalert subfolder so we can create our own custom rules and alerters library, the same way /etc/elastalert/rules is already mounted by the docker container?

Regards,
Quentin
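The "successful brute force" rule type mentioned in the post, written out as an added example (this is not code from the poster or from the Security Onion project). It extends ElastAlert's `RuleType` class and keeps, per user, the timestamps of recent failed logins; a success that follows at least `failure_threshold` failures inside `window_seconds` becomes a match. The option names `user_field`, `outcome_field`, `failure_value`, `success_value`, `failure_threshold` and `window_seconds` are chosen for this example and are read from the rule YAML; the stand-in `RuleType` is only there so the file runs outside the ElastAlert container, and the sample hits are constructed, not real data.

```python
"""Custom ElastAlert rule type: failed logins followed by a success."""
import copy
from collections import defaultdict, deque
from datetime import datetime, timedelta

try:
    from elastalert.ruletypes import RuleType
except ImportError:  # outside the container: minimal stand-in with the same interface
    class RuleType(object):
        required_options = frozenset()

        def __init__(self, rules, args=None):
            self.rules = rules
            self.matches = []

        def add_match(self, event):
            self.matches.append(copy.deepcopy(event))


class SuccessfulBruteForceRule(RuleType):
    # Options the rule YAML must supply (names chosen for this example)
    required_options = frozenset(['user_field', 'outcome_field', 'failure_value',
                                  'success_value', 'failure_threshold', 'window_seconds'])

    def __init__(self, rules, args=None):
        super(SuccessfulBruteForceRule, self).__init__(rules, args)
        self.user_field = rules['user_field']
        self.outcome_field = rules['outcome_field']
        self.failure_value = rules['failure_value']
        self.success_value = rules['success_value']
        self.threshold = int(rules['failure_threshold'])
        self.window = timedelta(seconds=int(rules['window_seconds']))
        self.ts_field = rules.get('timestamp_field', '@timestamp')
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures

    def _expire(self, user, now):
        # Drop failures that fell out of the sliding window before `now`
        recent = self.failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def add_data(self, data):
        # ElastAlert passes hits in timestamp order, with the timestamp already a datetime
        for event in data:
            user = event.get(self.user_field)
            ts = event.get(self.ts_field)
            if user is None or not isinstance(ts, datetime):
                continue  # skip hits that lack the fields this rule needs
            self._expire(user, ts)
            outcome = event.get(self.outcome_field)
            if outcome == self.failure_value:
                self.failures[user].append(ts)
            elif outcome == self.success_value and len(self.failures[user]) >= self.threshold:
                match = copy.deepcopy(event)
                match['num_failures'] = len(self.failures[user])
                match['first_failure'] = self.failures[user][0]
                self.add_match(match)
                self.failures[user].clear()  # one alert per burst

    def garbage_collect(self, timestamp):
        # Called by ElastAlert between runs: forget users with no failures in the window
        for user in list(self.failures):
            self._expire(user, timestamp)
            if not self.failures[user]:
                del self.failures[user]

    def get_match_str(self, match):
        return '%d failed logins for %s followed by a success within %ds\n' % (
            match['num_failures'], match.get(self.user_field), self.window.total_seconds())


# Rule options as they would appear in the rule YAML (constructed for this example)
SAMPLE_RULE = {
    'name': 'successful-bruteforce', 'timestamp_field': '@timestamp',
    'user_field': 'user.name', 'outcome_field': 'event.outcome',
    'failure_value': 'failure', 'success_value': 'success',
    'failure_threshold': 3, 'window_seconds': 300,
}


def make_events(rows, base=datetime(2018, 5, 21, 6, 0, 0)):
    """Build hits from (user, outcome, seconds_after_base) tuples."""
    return [{'@timestamp': base + timedelta(seconds=s), 'user.name': u, 'event.outcome': o}
            for u, o, s in rows]


def sample_events():
    # Constructed sample: three failures then a success for alice, a lone success for bob
    return make_events([('alice', 'failure', 0), ('alice', 'failure', 20),
                        ('bob', 'success', 30), ('alice', 'failure', 45),
                        ('alice', 'success', 70)])


def run_example(events=None, rule=None):
    """Feed events through the rule and return the matches it produced."""
    rule_obj = SuccessfulBruteForceRule(rule or SAMPLE_RULE)
    rule_obj.add_data(events or sample_events())
    return rule_obj.matches


if __name__ == '__main__':
    for m in run_example():
        print(SuccessfulBruteForceRule(SAMPLE_RULE).get_match_str(m))
```

To use it from a rule file, ElastAlert expects `type` to name the module and class, e.g. `type: elastalert_modules.bruteforce.SuccessfulBruteForceRule`, with the module on the container's Python path; the per-user state lives in memory, so a restart of the container forgets failures that had not yet been followed by a success.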

Wes Lambert

May 22, 2018, 6:55:21 AM
to securit...@googlegroups.com
Hi Quentin,

We'll take a look at this and see if it makes sense for the team and the community.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Wes Lambert

May 22, 2018, 7:46:21 AM
to securit...@googlegroups.com
Quentin,

One option currently would be to mount those Elastalert directories/files for the Docker container, using ELASTALERT_OPTIONS in /etc/nsm/securityonion.conf.

Thanks,
Wes


quentin mallet

May 22, 2018, 1:15:29 PM
to security-onion
Thank you! I hadn't thought about this possibility, I'll have a look tomorrow.
Regards,
Quentin