Re: [security-onion] Snorby Alerts to MS Exchange Server


Karolis karolis

Aug 13, 2012, 5:54:14 PM
to securit...@googlegroups.com
Have you installed  any  mail  server?
http://code.google.com/p/security-onion/wiki/Email
check  "How do I configure the OS itself to send emails?" part

Karolis

On Mon, Aug 13, 2012 at 7:39 PM, bliptakjr <blip...@gmail.com> wrote:
I have set up Security Onion and started using Snorby.  I created a user (Snorby) in our Active Directory environment.  I have edited /usr/local/share/snorby/config/initializers/mail_config.rb with the Snorby credentials and used the FQDN of the mail server, IP address, and every combination I can think of.  Between each change I used the following commands:

sudo pkill -f delayed_job
sudo su www-data -c "cd /usr/local/share/snorby; bundle exec rake snorby:update RAILS_ENV=production"

Then tried to export an alert to my email address.  I cannot get this to work.  As a test I created a gmail account and used the gmail account settings in the  mail_config.rb.  That does work but we do not want to use it this way. We want to keep all of this information internal.

During my research of this problem I found that a ruby gem can be installed named ruby-NTLM that would solve the authentication problem.  I tried following the directions but I am pretty sure that it was installed in the wrong location.  The directions were not for SO but just a linux based install of Snorby/Ruby...

My latest research uncovered a proxy called cntlm.  I have not tried to use this yet since I am not sure it would be correct.  I am still pretty new to Linux and still suck at it.

Can anyone help me with this? Please if you have any help be descriptive with any commands or directions. I just need our SO machine to send the alerts to our MS Exchange Server.

-Bruce


Heine Lysemose

Aug 14, 2012, 8:09:44 AM
to securit...@googlegroups.com
Hi,

This is what I have in my mail_config.rb 

ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address              => "smtp.domain.local",
  :port                 => 25,
  :domain               => "domain.local",
  :authentication       => "plain",
  :enable_starttls_auto => true
}

"smtp.domain.local" should be your local SMTP server, in this case your MS Exchange Server, and remember to allow relaying from the SO installation or the subnet where the SO is placed.
"domain.local" is the local domain for which your MS Exchange Server accepts mail.

After these changes I usually reboot my server so Snorby reloads its entire configuration.

/Lysemose



Heine Lysemose

Aug 14, 2012, 1:12:23 PM
to securit...@googlegroups.com

That sounds like a relaying problem...
/Lysemose

On Aug 14, 2012 6:01 PM, "bliptakjr" <blip...@gmail.com> wrote:
On Tuesday, August 14, 2012 12:29:19 PM UTC, Mike landoll wrote:
> This may seem like a stupid question but can you send mail from the server to an exchange account via telnet,like this?
> in a terminal window type:
> telnet (your mail server ip address) 25
> "example telnet 192.168.1.1 25"
> you should get a response code back from the server listing the server name and esmtp mail service ready
> next type
> ehlo (hit enter)
> you should receive a hello message back from the server
> next type
> mail from:y...@yourdomain.com (example only) hit enter
> next type
> rcpt to:y...@yourdomain.com (example only) hit enter
> then type
> data hit enter
> type
> test email hit enter then . then enter again
> your message should be queued for delivery at this point and you should receive your mail
> if at any point you receive an error above it should be fairly clear as to where the problem lies, when selecting the email address sender/receiver, try sending and receiving from the same account as it bypasses some relaying rules on the exchange side.
>
When trying to telnet to the mail server it fails:
telnet: Unable to connect to remote host: Connection refused

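The telnet walk-through Mike quotes above, as an added example in Ruby that is not part of this thread or of Snorby itself: it sends the same commands in the same order, keeps the reply code of every step and stops at the first step the server rejects, so a "550 Unable to relay" on RCPT TO (the relaying problem Lysemose suspects) is told apart from the "Connection refused" Bruce saw. So that it runs offline it talks to a constructed stand-in for an Exchange receive connector; the host names, addresses, HELO name and reply texts are assumptions, not captured from a real Exchange server.

```ruby
require 'socket'

# Added example: the manual telnet test from the thread as a script. It walks the
# SMTP dialogue step by step, records every reply code and stops at the first
# rejected step, so "550 Unable to relay" on RCPT TO is told apart from a refused
# connection or a bad HELO. No STARTTLS and no AUTH, exactly like the telnet test.
class SmtpRelayCheck
  Step = Struct.new(:command, :code, :reply)

  def initialize(host, port, helo: 'so-sensor.domain.local') # HELO name is assumed
    @host, @port, @helo = host, port, helo
  end

  # Returns [queued?, steps]; queued? is true only if the server accepted the body.
  def run(from:, to:)
    steps = []
    sock = TCPSocket.new(@host, @port)
    dialogue = [[nil, 220],                     # nil command: just read the banner
                ["EHLO #{@helo}", 250],
                ["MAIL FROM:<#{from}>", 250],
                ["RCPT TO:<#{to}>", 250],       # 550 here: connector will not relay
                ['DATA', 354],
                ["Subject: Snorby relay test\r\n\r\ntest email\r\n.", 250]]
    dialogue.each do |cmd, expected|
      sock.write("#{cmd}\r\n") if cmd
      code, text = read_reply(sock)
      steps << Step.new(cmd ? cmd.lines.first.chomp : '<connect>', code, text)
      next if code == expected
      sock.write("QUIT\r\n") rescue nil
      return [false, steps]
    end
    sock.write("QUIT\r\n")
    [true, steps]
  rescue SystemCallError, SocketError, EOFError => e # ECONNREFUSED lands here
    steps << Step.new('<error>', nil, e.message)
    [false, steps]
  ensure
    sock&.close
  end

  # One reply may span lines: "250-..." continues, "250 ..." ends it.
  def read_reply(sock)
    lines = []
    loop do
      line = sock.gets or raise EOFError, 'server closed the connection'
      lines << line.chomp
      break unless line[3] == '-'
    end
    [lines.first[0, 3].to_i, lines.join(' / ')]
  end
end

# Constructed stand-in for an Exchange receive connector so this runs offline:
# accepts mail for local_domain, relays elsewhere only if relay_allowed. Reply
# texts are modelled on Exchange's wording, not captured from a real server.
class FakeExchange
  attr_reader :port

  def initialize(local_domain:, relay_allowed:)
    @local_domain, @relay_allowed = local_domain, relay_allowed
    @server = TCPServer.new('127.0.0.1', 0)      # port 0: OS picks a free port
    @port = @server.addr[1]
    @thread = Thread.new { loop { serve(@server.accept) } }
  end

  def close
    @thread.kill
    @server.close
  end

  def serve(c)
    c.write("220 exchange.domain.local Microsoft ESMTP MAIL Service ready\r\n")
    while (line = c.gets)
      case line.chomp
      when /\AEHLO /i      then c.write("250-exchange.domain.local Hello\r\n250 SIZE 10485760\r\n")
      when /\AMAIL FROM:/i then c.write("250 2.1.0 Sender OK\r\n")
      when /\ARCPT TO:<?([^>\s]+)/i
        ok = @relay_allowed || $1.split('@').last.casecmp?(@local_domain)
        c.write(ok ? "250 2.1.5 Recipient OK\r\n" : "550 5.7.1 Unable to relay\r\n")
      when /\ADATA\z/i
        c.write("354 Start mail input; end with <CRLF>.<CRLF>\r\n")
        loop { l = c.gets; break if l.nil? || l.chomp == '.' }
        c.write("250 2.6.0 Queued mail for delivery\r\n")
      when /\AQUIT\z/i     then c.write("221 2.0.0 Service closing\r\n"); break
      else                      c.write("500 5.5.1 Command unrecognized\r\n")
      end
    end
  rescue SystemCallError, IOError   # client hung up early; nothing to report
  ensure
    c.close
  end
end

# Runs the check against the fake server using the thread's placeholder names.
def relay_check_demo(to:, relay_allowed:)
  server = FakeExchange.new(local_domain: 'domain.local', relay_allowed: relay_allowed)
  SmtpRelayCheck.new('127.0.0.1', server.port).run(from: 'snorby@domain.local', to: to)
ensure
  server&.close
end
```

To reproduce the manual test against the real server, point `SmtpRelayCheck.new('relay.domain.com', 25)` at the Exchange address instead of the fake one and print the returned steps. A 550 on RCPT TO means the receive connector does not accept relay from the Security Onion box, which is the server-side allow-relay change Lysemose mentions rather than anything in mail_config.rb; a connector that insists on STARTTLS or authentication will reject a later step and the listing shows exactly which one.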
Dustin Webber

Aug 17, 2012, 4:26:40 PM
to securit...@googlegroups.com, securit...@googlegroups.com
When you change email settings in Snorby make sure to always restart for the changes to take effect.



On Aug 17, 2012, at 3:06 PM, bliptakjr <blip...@gmail.com> wrote:

> I still can't get Snorby to send emails though. I have recently tried to use relay.domain.com as the address as well as the actual IP address of the mail relay. I did get OSSEC to send me emails. Nice but not what I need.
>
> -Bruce
>

Dustin Webber

Aug 17, 2012, 6:09:06 PM
to securit...@googlegroups.com, securit...@googlegroups.com
Try this http://www.breckenedge.com/2011/07/configuration-of-ruby-on-rails-actionmailer-for-microsoft-exchange-smtp/



On Aug 17, 2012, at 5:07 PM, bliptakjr <blip...@gmail.com> wrote:

> How does this look???
>
> ActionMailer::Base.delivery_method = :smtp
> ActionMailer::Base.smtp_settings = {
>   :address              => 'relay.domain.com',  # mail.example.com
>   :domain               => 'domain.com',        # example.com
>   :user_name            => 'snorby',            # user.name
>   :password             => 'password',          # p@ssw0rd
>   :port                 => 25,
>   :authentication       => :plain,
>   :enable_starttls_auto => true
> }
>

Bruce Liptak

Aug 19, 2012, 10:07:39 PM
to securit...@googlegroups.com
Thank you! How do you have reports sent? Ideally I would like to
have the daily/weekly/monthly/etc reports as well as any High level
alerts sent via email. If possible the High alerts sent to our help
desk or a distribution list to be able to react quickly. Eventually
setting up an IPS or IDPS internally is a future goal.

Bruce Liptak

Aug 19, 2012, 10:15:42 PM
to securit...@googlegroups.com
I just saw this after I saw and replied to your previous reply. I
will try what you did when I get back to the office on Tuesday. Thank
you and I'll keep you updated.

-Bruce



On Sun, Aug 19, 2012 at 3:04 PM, Mike landoll <mlan...@gmail.com> wrote:
> On Friday, August 17, 2012 5:07:56 PM UTC-4, bliptakjr wrote:
>> How does this look???
>>
> So I couldn't get Snorby to send mail directly to our Exchange server, it kept complaining about an improper auth method (we don't use auth, so I had removed the corresponding entries from the mail_config.rb file)
>
> Ended up installing sendmail on the SO box;
>
> sudo apt-get install sendmail
>
> set it up by running
> sudo sendmailconfig
>
> also installed mailutils (not sure if that was entirely necessary in this particular situation, but it was a recommended step in setup I had found googling)
>
>
> edited the /usr/local/share/snorby/config/initializers/mail_config.rb file and uncommented the lines from the sendmail example section.
>
> Followed the steps for restarting Snorby; a minute later I had a Snorby daily report sitting in my inbox. Jumped on Snorby, selected an event, exported to email, selected a user, poof, I had an email in my inbox with the event.
>
> Setting up sendmail was a breeze, working with an existing example in the mail config was a piece of cake; I would definitely recommend going this route as you won't have to worry about the relay issues in Exchange.
>
> Hope you find this helpful