Re: [security-onion] Sguil SMTP E-mail Notifications when an alert is triggered.


Wes Lambert

Jun 17, 2019, 2:49:19 PM6/17/19
to securit...@googlegroups.com
Hi Bob,

If you run so-email, it will configure postfix and mailutils for you (however, OOB there is additional config that needs to occur to send to an external relay). Otherwise, you can set up Postfix and /etc/aliases yourself and have root@localhost forwarded to the notification address of your choice. From there you can add configuration to send to an external relay like Gmail, similar to what is described here:


Thanks,
Wes 

On Mon, Jun 17, 2019 at 1:59 PM BobW <Grak...@gmail.com> wrote:
Hello All,

I'm having issues getting Sguil to send an e-mail alert when an event has been triggered. I've tried going through the help files to no avail. Basically, I would just like to send an automated e-mail alert to Gmail through smtp.gmail.com.

Any help would be greatly appreciated!

Attached is my sostat-redacted log.


Here's my sguild.log output after running testmyids:

Executing: /usr/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs
2019-06-17 16:10:24 pid(2468)  Loading access list: /etc/nsm/securityonion/sguild.access
2019-06-17 16:10:24 pid(2468)  Sensor access list set to ALLOW ANY.
2019-06-17 16:10:24 pid(2468)  Client access list set to ALLOW ANY.
2019-06-17 16:10:24 pid(2468)  Email Configuration:
2019-06-17 16:10:24 pid(2468)    Config file: /etc/sguild/sguild.email
2019-06-17 16:10:24 pid(2468)    Enabled: Yes
2019-06-17 16:10:24 pid(2468)    Server: smtp.gmail.com
2019-06-17 16:10:24 pid(2468)    Rcpt To: xxxxx...@gmail.com
2019-06-17 16:10:24 pid(2468)    From: sguil@xxx-seconion02
2019-06-17 16:10:24 pid(2468)    Classes: successful-admin trojan-activity attempted-admin attempted-user
2019-06-17 16:10:24 pid(2468)    Priorities: 0
2019-06-17 16:10:24 pid(2468)    Disabled Sig IDs: 0
2019-06-17 16:10:24 pid(2468)    Enabled Sig IDs: 2100498
2019-06-17 16:10:24 pid(2468)  Connecting to localhost on 3306 as sguil
2019-06-17 16:10:24 pid(2468)  MySQL Version: version 5.7.24-0ubuntu0.16.04.1
2019-06-17 16:10:24 pid(2468)  SguilDB Version: 0.14
2019-06-17 16:10:24 pid(2468)  Creating event MERGE table.
2019-06-17 16:10:24 pid(2468)  Creating tcphdr MERGE table.
2019-06-17 16:10:24 pid(2468)  Creating udphdr MERGE table.
2019-06-17 16:10:24 pid(2468)  Creating icmphdr MERGE table.
2019-06-17 16:10:25 pid(2468)  Creating data MERGE table.
2019-06-17 16:10:25 pid(2557)  Loaderd Forked
2019-06-17 16:10:25 pid(2558)  Queryd Forked
2019-06-17 16:10:25 pid(2468)  Retrieving DB info...
2019-06-17 16:10:25 pid(2468)    SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2019-06-17 16:10:25 pid(2468)    SELECT MAX(timestamp) FROM event WHERE sid=2
2019-06-17 16:10:25 pid(2468)    SELECT MAX(timestamp) FROM event WHERE sid=3
2019-06-17 16:10:25 pid(2468)    SELECT MAX(timestamp) FROM event WHERE sid=1
2019-06-17 16:10:25 pid(2468)  Querying DB for archived events...
2019-06-17 16:10:25 pid(2468)  Querying DB for escalated events...
2019-06-17 16:10:25 pid(2468)  Retrieving DB info...
2019-06-17 16:10:25 pid(2468)    Getting a list of tables.
2019-06-17 16:10:25 pid(2468)    ...Getting info on autocat.
2019-06-17 16:10:25 pid(2468)    ...Getting info on data.
2019-06-17 16:10:25 pid(2468)    ...Getting info on event.
2019-06-17 16:10:25 pid(2468)    ...Getting info on filters.
2019-06-17 16:10:25 pid(2468)    ...Getting info on history.
2019-06-17 16:10:25 pid(2468)    ...Getting info on icmphdr.
2019-06-17 16:10:25 pid(2468)    ...Getting info on ip2c.
2019-06-17 16:10:25 pid(2468)    ...Getting info on mappings.
2019-06-17 16:10:25 pid(2468)    ...Getting info on nessus.
2019-06-17 16:10:25 pid(2468)    ...Getting info on nessus_data.
2019-06-17 16:10:25 pid(2468)    ...Getting info on object_mappings.
2019-06-17 16:10:25 pid(2468)    ...Getting info on pads.
2019-06-17 16:10:25 pid(2468)    ...Getting info on portscan.
2019-06-17 16:10:25 pid(2468)    ...Getting info on sensor.
2019-06-17 16:10:25 pid(2468)    ...Getting info on stat_types.
2019-06-17 16:10:25 pid(2468)    ...Getting info on stats.
2019-06-17 16:10:25 pid(2468)    ...Getting info on status.
2019-06-17 16:10:25 pid(2468)    ...Getting info on tcphdr.
2019-06-17 16:10:25 pid(2468)    ...Getting info on udphdr.
2019-06-17 16:10:25 pid(2468)    ...Getting info on user_info.
2019-06-17 16:10:25 pid(2468)    ...Getting info on version.
2019-06-17 16:10:25 pid(2468)  Sguild Initialized.
2019-06-17 16:10:40 pid(2468)  Sensor agent connect from 127.0.0.1:36063 sock17e0f20
2019-06-17 16:10:40 pid(2468)  Validating sensor access: 127.0.0.1 :
2019-06-17 16:10:40 pid(2468)  Valid sensor agent: 127.0.0.1
2019-06-17 16:10:40 pid(2468)  Sensor agent connect from 127.0.0.1:45997 sock1c02ae0
2019-06-17 16:10:40 pid(2468)  Validating sensor access: 127.0.0.1 :
2019-06-17 16:10:40 pid(2468)  Valid sensor agent: 127.0.0.1
2019-06-17 16:10:41 pid(2468)  Sensor agent connect from 127.0.0.1:39501 sock1c31180
2019-06-17 16:10:41 pid(2468)  Validating sensor access: 127.0.0.1 :
2019-06-17 16:10:41 pid(2468)  Valid sensor agent: 127.0.0.1
2019-06-17 16:14:25 pid(2468)  Client Connect: 127.0.0.1 42403 sock1dd4480
2019-06-17 16:14:25 pid(2468)  Validating client access: 127.0.0.1
2019-06-17 16:14:25 pid(2468)  Valid client access: 127.0.0.1
2019-06-17 16:14:43 pid(2468)  sock1dd4480 added to clientList
2019-06-17 16:16:10 pid(2468)  Error sending "InsertSystemInfoMsg sguild {User iwadmin has disconnected.}" to sock1dd4480
2019-06-17 16:16:10 pid(2468)  Socket sock1dd4480 closed


Robert Walden

Jun 17, 2019, 3:03:09 PM6/17/19
to securit...@googlegroups.com
Wes,

Thank you very much! I will give this a try!

Robert Walden

Jun 17, 2019, 3:09:59 PM6/17/19
to securit...@googlegroups.com
Wes,

In my case, I have run the so-email. Do you have info on the additional config necessary if you ran the so-email?

Thanks!

On Mon, Jun 17, 2019 at 2:49 PM Wes Lambert <wlamb...@gmail.com> wrote:

Wes Lambert

Jun 18, 2019, 8:20:42 AM6/18/19
to securit...@googlegroups.com
You would still need to configure postfix.cnf with the additional info required for Gmail/sasl. If you point everything else to localhost for SMTP and root@localhost for the notification address, then /etc/aliases should take care of aliasing root to your destination notification address.

Thanks,
Wes 
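The relay and alias setup Wes describes, as an added example that is not part of this thread: a POSIX sh script that writes the Postfix relay settings, the SASL credential file and the root alias. The Gmail account, app password, destination address and directory variables are assumptions to override with your own.

```shell
#!/bin/sh
# Added example, not from the thread: turn the Postfix that so-email installed into an
# authenticated, TLS-only relay through Gmail and alias root to the real mailbox.
# Every address, password and path below is an assumption; override via environment.
set -eu
RELAY_HOST='[smtp.gmail.com]:587'
RELAY_USER="${RELAY_USER:-sensor-alerts@gmail.com}"   # assumed Gmail account
RELAY_PASS="${RELAY_PASS:-REPLACE_WITH_APP_PASSWORD}"  # an app password, never the account password
NOTIFY_TO="${NOTIFY_TO:-soc-alerts@example.com}"       # assumed destination mailbox
PF_DIR="${PF_DIR:-/etc/postfix}"                       # point at a scratch dir to dry-run
ALIASES="${ALIASES:-/etc/aliases}"

# main.cf settings: authenticate to the relay, refuse anonymous/plaintext fallback,
# and verify the relay's certificate against the system CA bundle.
relay_settings() {
  cat <<EOF
relayhost = $RELAY_HOST
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$PF_DIR/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
}

# Credentials file is created under umask 077 so it is never world-readable.
write_sasl_passwd() {
  umask 077
  printf '%s %s:%s\n' "$RELAY_HOST" "$RELAY_USER" "$RELAY_PASS" > "$PF_DIR/sasl_passwd"
}
# Replace (not append) the root alias so repeated runs stay idempotent.
alias_root() {
  tmp="$ALIASES.tmp"
  if [ -f "$ALIASES" ]; then grep -v '^root:' "$ALIASES" > "$tmp" || true; else : > "$tmp"; fi
  printf 'root: %s\n' "$NOTIFY_TO" >> "$tmp"
  mv "$tmp" "$ALIASES"
}
# Apply on the box; sguild.email then needs Server = localhost and Rcpt To = root@localhost
# (the fields echoed in sguild.log) so Sguil hands mail to Postfix instead of Gmail directly.
apply() {
  relay_settings | while IFS= read -r line; do postconf -e "$line"; done
  write_sasl_passwd
  postmap "hash:$PF_DIR/sasl_passwd"
  alias_root
  newaliases
  postfix reload
  printf 'relay test\n' | mail -s 'sguild relay test' root
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it with the `apply` argument as root; set PF_DIR and ALIASES to a scratch directory first to inspect what it would write without touching /etc.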



Robert Walden

Jun 18, 2019, 8:36:22 AM6/18/19
to securit...@googlegroups.com
Thank you Wes!

I will try this. My apologies, but the SMTP setup is a bit new for me (really new!).
