for instance we would be looking to get reports on SSH, FTP Web access etc, I am still getting to grips with this system as well so any good resources you can recommend would also be appreciated.
Kristiaan,
You can take a look at the following to see what is already available for email:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Email
In summary, currently:
-You can schedule a daily email to provide health/statistics for your Security Onion machine.
-You can schedule queries in ELSA and send an email whenever a match is made for a particular query.
-Sguil can send email alerts whenever it sees an event that matches to a class defined in /etc/sguild/sguild.email
-Sguil can send reports defined by an analyst from the Sguil console (not scheduled, but ad-hoc)
-OSSEC will send email alerts whenever an alert that matches the email_alert_level (or higher) defined in /var/ossec/etc/ossec.conf.
-Bro will send an email whenever it is not seeing packets, or the service has stopped/crashed.
-Bro can send hourly connection summaries, if defined in /opt/bro/etc/broctl.cfg.
Another option would be to create an ELSA dashboard, where you could have all of this information in a single place.
https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSA
You could even have a cron job to run a script that would pull the data from ELSA via CLI, generate your own report, and then email it to you.
Another option would be to have a script that would query Bro logs for all this information and then send it off via email.
https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro
I'm currently looking into ways to improve reporting, so I may be able to come up with something to help out with this soon.
Hope this helps.
Thanks,
Wes
Firstly thanks for the very detailed reply to my post, I've got Security-Onion able to send certain emails that I would say are more status related than management reports.
I'm by no means a Linux expert when it comes to scripting so if there's any good examples on how to go about generating reports via the CLI from ELSA I would be interested.
On a semi-related note regarding SO, are there any best practice / SOP documents on what you would configure to watch / not watch on the network? I'm still trying to figure out what it is we would like SO to do.
Kristiaan,
Essentially, you would want a way to interface with the CLI/API, grab the data, format it as you wish, then send it off.
Here are a couple of links to give you an idea of how to query the cli/api and get the data you are looking for:
CLI:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSA#cli
Powershell:
http://dropinthebuckit.azurewebsites.net/?p=691
Bash:
https://github.com/theflakes/ELSA/blob/master/elsa_query.sh
Python:
https://github.com/theflakes/ELSA/blob/master/elsa_query/elsa_query.py
Tuning your sensor will be based on what you expect and what you consider normal in your environment. Since no two environments are the same, it is difficult to make specific recommendations, but general suggestions and tips can be found on the Security Onion wiki:
https://github.com/Security-Onion-Solutions/security-onion/wiki
Take a look at the Post-Installation instructions for some general ideas:
https://github.com/Security-Onion-Solutions/security-onion/wiki/PostInstallation
It also wouldn't hurt to take a look at a couple of these great books:
Practice of Network Security Monitoring - Richard Bejtlich
https://www.nostarch.com/nsm
Applied NSM - Chris Sanders, Jason Smith
http://www.appliednsm.com/
Also, check out some Security Onion videos to see how other folks have leveraged Security Onion to benefit themselves and their organizations:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Videos
Last, get a better idea of how to tune, manage your machines, and what to look for, by going through one of the courses offered by Security Onion Solutions, found here:
https://attendee.gototraining.com/9z73w/catalog/8119062504158470144?tz=America/New_York
Thanks,
Wes
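As an added illustration of the "grab the data, format it, send it off" flow Wes describes (not code from the thread or from the Security Onion project), the script below takes raw JSON as it might be returned by an ELSA CLI/API query, counts SSH/FTP/HTTP connections and their source IPs, and builds the email message. The JSON layout (a "results" list whose records carry "_fields" field/value pairs), the "service" and "srcip" field names, and the sample data are all assumptions made for the example.

```python
import json
from collections import Counter
from email.message import EmailMessage

# Constructed sample. The shape (a "results" list of records carrying
# "_fields" as field/value pairs) is an assumption about ELSA's JSON output.
SAMPLE_ELSA_JSON = json.dumps({"totalRecords": 4, "results": [
    {"_fields": [{"field": "srcip", "value": "10.0.0.5"},
                 {"field": "service", "value": "ssh"}]},
    {"_fields": [{"field": "srcip", "value": "10.0.0.5"},
                 {"field": "service", "value": "ssh"}]},
    {"_fields": [{"field": "srcip", "value": "10.0.0.7"},
                 {"field": "service", "value": "ftp"}]},
    {"_fields": [{"field": "srcip", "value": "10.0.0.9"},
                 {"field": "service", "value": "dns"}]},  # not a watched service
]})
WATCHED = ("ssh", "ftp", "http")

def parse_results(raw):
    """Flatten each record's field/value pairs into one dict per record."""
    data = json.loads(raw)
    return [{f["field"]: f["value"] for f in rec.get("_fields", [])}
            for rec in data.get("results", [])]

def summarize(rows, watched=WATCHED):
    """Count connections per watched service and the source IPs behind them."""
    per_service = Counter()
    talkers = {svc: Counter() for svc in watched}
    for row in rows:
        svc = str(row.get("service", "")).lower()
        if svc in watched:  # ignore services the report does not cover
            per_service[svc] += 1
            talkers[svc][row.get("srcip", "unknown")] += 1
    return per_service, talkers

def build_report(per_service, talkers, watched=WATCHED):
    """Render a plain-text report with the top 3 source IPs per service."""
    lines = ["Security Onion daily service summary (ELSA query results)", ""]
    for svc in watched:
        lines.append(f"{svc.upper():<5} connections: {per_service[svc]}")
        lines.extend(f"    {ip:<15} {n}" for ip, n in talkers[svc].most_common(3))
    return "\n".join(lines)

def build_email(body, sender, recipient, subject="Security Onion daily report"):
    """Wrap the report in an email message ready for smtplib to send."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg  # send with smtplib.SMTP("localhost").send_message(msg)
```

Run it from a daily cron entry with the real query output piped in, and check the sample result first so a change in ELSA's output format shows up as an empty report rather than a silently wrong one.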