  1. #1
    Master Untangler
    Join Date
    Apr 2007
    Posts
    594

    Default How To: Untangle Active Alerting


    INSTALL AT YOUR OWN RISK. THIS WAS TESTED ON 5.4.2, 6.0, 6.0.1.

    First note, Silver Bullet, you seem to be the howto king. If you would like to add anything to this or fix my commands so they are easier for users please do.

    I have somewhat limited Linux experience, but had to come up with a solution for active intrusion detection alerting.

    For this example we are doing alerting for any IPS event logged or blocked and alerting an unlimited amount of times.

    You can further broaden or narrow down the expression that is checked before alerting you, but for that you will need to go to the author's website and research there. Credit goes to www.rsyslog.com for their beautiful email alerting syslog daemon.

    Here we go!

    1. Back up the original sources.list
    Code:
    cp /etc/apt/sources.list /etc/apt/sources.list.orig
    2. Edit /etc/apt/sources.list, remove all lines, and add this:
    Code:
    deb http://http.us.debian.org/debian stable main contrib non-free
    deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
    deb http://security.debian.org stable/updates main contrib non-free
    deb-src http://http.us.debian.org/debian stable main contrib non-free
    deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
    3. Run apt update
    Code:
    apt-get update
    4. Install needed modules
    Code:
    apt-get install cpp gcc libc6-dev g++ make
    Hit “y” when asked to download
    Hit “y” to update glib
    Hit “y” to restart services
    5. Download rsyslog and install
    Code:
    wget http://www.rsyslog.com/Downloads-req-getit-lid-137.phtml
    tar xvzf rsyslog-3.20.2.tar.gz
    rm rsyslog-3.20.2.tar.gz
    cd rsyslog-3.20.2
    ./configure -enable-mail
    make
    Hit n when asked to correct to ‘makeg’ 
    make install
    Hit n when asked to correct to ‘makeg’ 
    cd ..
    rm -r rsyslog-3.20.2
    6. Create file /etc/default/rsyslog and put the following in
    Code:
    RSYSLOGD_OPTIONS="-c3"
    RKLOGD_OPTIONS="-x"
    7. Create /etc/rsyslog.conf and put the following in. (Please note, this is probably the only file you will need to modify to fit your needs. If you set the SMTP server to localhost, it will send email using the settings specified in the mail portion of Untangle's GUI. If you don't want to use Untangle to send email, just change it to your own SMTP server (it must allow open relay). Please see www.rsyslog.com for more help on config options.)
    Code:
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $ActionResumeRetryCount -1 # infinite retries if host is down
    
    #### MODULES ####
    
    $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark.so # provides --MARK-- message capability
    $ModLoad ommail
    #$ModLoad imuxsock     # uncomment if you need to forward messages to another syslog server
    
    # Provides UDP syslog reception
    $ModLoad imudp.so
    $UDPServerRun 514
    
    # Provides TCP syslog reception
    #$ModLoad imtcp.so
    #$InputTCPServerRun 514
    
    ####ACTIONS####
    
    ##Note, smtp server must be able to relay mail!##
    $ActionMailSMTPServer localhost 
    $ActionMailSMTPPort 25
    $ActionMailFrom email@fromaddress.com
    $ActionMailTo email@toaddress.com
    $template mailSubject,"Untangle Alert On Server"
    $template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
    $ActionMailSubject mailSubject
    if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody
    
    ##second alert if needed uncomment lines if needed##
    #$ActionMailSMTPServer localhost 
    #$ActionMailSMTPPort 25
    #$ActionMailFrom email@fromaddress.com
    #$ActionMailTo email@toaddress.com
    #$template mailSubject,"Untangle Alert On Server"
    #$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
    #$ActionMailSubject mailSubject
    #if $syslogtag contains 'Intrusion_Prevention' then :ommail:;mailBody
    
    
    
    # uncomment below lines if you need to forward all messages to another server as well
    #$WorkDirectory /rsyslog/work  # default location for work (spool) files
    
    # start forwarding rule 1
    #$ActionQueueType LinkedList   # use asynchronous processing
    #$ActionQueueFileName srvrfwd1 # set file name, also enables disk mode
    #$ActionResumeRetryCount -1    # infinite retries on insert failure
    #$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
    #*.*       @@serverhostnameorip:port   # keep commented out until a real forwarding target is set
    # end forwarding rule 1
    
    #
    # First some standard logfiles.  Log by facility.
    #
    
    
    *.* /var/log/rsyslog.log
    
    
    auth,authpriv.*			/var/log/auth.log
    *.*;auth,authpriv.none		-/var/log/syslog
    #cron.*				/var/log/cron.log
    daemon.*			-/var/log/daemon.log
    kern.*				-/var/log/kern.log
    lpr.*				-/var/log/lpr.log
    mail.*				-/var/log/mail.log
    user.*				-/var/log/user.log
    uucp.*				/var/log/uucp.log
    
    #
    # Logging for the mail system.  Split it up so that
    # it is easy to write scripts to parse these files.
    #
    mail.info			-/var/log/mail.info
    mail.warn			-/var/log/mail.warn
    mail.err			/var/log/mail.err
    
    # Logging for INN news system
    #
    news.crit			/var/log/news/news.crit
    news.err			/var/log/news/news.err
    news.notice			-/var/log/news/news.notice
    
    #
    # Some `catch-all' logfiles.
    #
    *.=debug;\
    	auth,authpriv.none;\
    	news.none;mail.none	-/var/log/debug
    *.=info;*.=notice;*.=warn;\
    	auth,authpriv.none;\
    	cron,daemon.none;\
    	mail,news.none		-/var/log/messages
    
    #
    # Emergencies are sent to everybody logged in.
    #
    *.emerg				*
    
    #
    # I like to have messages displayed on the console, but only on a virtual
    # console I usually leave idle.
    #
    #daemon,mail.*;\
    #	news.=crit;news.=err;news.=notice;\
    #	*.=debug;*.=info;\
    #	*.=notice;*.=warn	/dev/tty8
    
    # The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
    # you must invoke `xconsole' with the `-file' option:
    # 
    #    $ xconsole -file /dev/xconsole [...]
    #
    # NOTE: adjust the list below, or you'll go crazy if you have a reasonably
    #      busy site..
    #
    daemon.*;mail.*;\
    	news.crit;news.err;news.notice;\
    	*.=debug;*.=info;\
    	*.=notice;*.=warn	|/dev/xconsole
    8. create /etc/init.d/rsyslogd file and put the following in
    Code:
    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides: syslog
    # Required-Start: $remote_fs $time
    # Required-Stop: $remote_fs $time
    # Should-Start: $network
    # Should-Stop: $network
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: enhanced syslogd
    # Description: Rsyslog is an enhanced multi-threaded syslogd.
    # It is quite compatible to stock sysklogd and can be
    # used as a drop-in replacement.
    ### END INIT INFO
    
    # Do NOT "set -e"
    
    # PATH should only include /usr/* if it runs after the mountnfs.sh script
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    DESC="enhanced syslogd"
    NAME=rsyslog
    
    RSYSLOGD=rsyslogd
    RSYSLOGD_BIN=/usr/local/sbin/rsyslogd
    RSYSLOGD_OPTIONS="-c3"
    RSYSLOGD_PIDFILE=/var/run/rsyslogd.pid
    
    SCRIPTNAME=/etc/init.d/$NAME
    
    # Exit if the package is not installed
    [ -x "$RSYSLOGD_BIN" ] || exit 0
    
    # Read configuration variable file if it is present
    [ -r /etc/default/$NAME ] && . /etc/default/$NAME
    
    # Define LSB log_* functions.
    # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
    . /lib/lsb/init-functions
    
    do_start()
    {
    DAEMON="$RSYSLOGD_BIN"
    DAEMON_ARGS="$RSYSLOGD_OPTIONS"
    PIDFILE="$RSYSLOGD_PIDFILE"
    
    # Return
    # 0 if daemon has been started
    # 1 if daemon was already running
    # other if daemon could not be started or a failure occurred
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS
    }
    
    do_stop()
    {
    NAME="$RSYSLOGD"
    PIDFILE="$RSYSLOGD_PIDFILE"
    
    # Return
    # 0 if daemon has been stopped
    # 1 if daemon was already stopped
    # other if daemon could not be stopped or a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    }
    
    #
    # Tell rsyslogd to reload its configuration
    #
    do_reload() {
    NAME="$RSYSLOGD"
    PIDFILE="$RSYSLOGD_PIDFILE"
    
    start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME
    }
    
    create_xconsole() {
    if [ ! -e /dev/xconsole ]
    then
    mknod -m 640 /dev/xconsole p
    chown root:adm /dev/xconsole
    fi
    }
    
    case "$1" in
    start)
    log_daemon_msg "Starting $DESC" "$RSYSLOGD"
    create_xconsole
    do_start
    case "$?" in
    0) log_end_msg 0 ;;
    1) log_progress_msg "already started"
    log_end_msg 0 ;;
    *) log_end_msg $? ;;
    esac
    
    ;;
    stop)
    log_daemon_msg "Stopping $DESC" "$RSYSLOGD"
    do_stop
    case "$?" in
    0) log_end_msg 0 ;;
    1) log_progress_msg "already stopped"
    log_end_msg 0 ;;
    *) log_end_msg $? ;;
    esac
    
    ;;
    reload|force-reload)
    log_daemon_msg "Reloading $DESC" "$RSYSLOGD"
    do_reload
    log_end_msg $?
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    exit 3
    ;;
    esac
    
    :
    9. make /etc/init.d/rsyslogd executable
    Code:
    chmod 755 /etc/init.d/rsyslogd
    10. Set up rsyslog to autostart with the system
    Code:
    ln -s /etc/init.d/rsyslogd /etc/rc5.d/S10rsyslogd
    11. Stop sysklogd if it's running
    Code:
    /etc/init.d/sysklogd stop
    12. Stop sysklogd from starting up
    Code:
    cp /etc/init.d/sysklogd /etc/init.d/_sysklogd
    rm /etc/init.d/sysklogd
    13. Create rsyslog working directory
    Code:
    mkdir /rsyslog
    mkdir /rsyslog/work
    14. Start rsyslog
    Code:
    /etc/init.d/rsyslogd start
    15. Restore original sources.list
    Code:
    cp /etc/apt/sources.list.orig /etc/apt/sources.list
    rm /etc/apt/sources.list.orig
    16. Your last step is to go to the administration section of Untangle and enable syslog monitoring. For the hostname put in localhost, for the port leave it at 514, leave facility at 0 and change the threshold to notice.

  2. #2
    mdh
    Untangle Ninja mdh
    Join Date
    Aug 2007
    Posts
    4,752

    Default

    Glad to see you finally got this out for the world to see. Look for a PM from me.

  3. #3
    Master Untangler
    Join Date
    Apr 2007
    Posts
    594

    Default

    lol just after posting I saw your pm. Thanks for the followup, I shot you one back.

  4. #4
    Untangle Ninja juank
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,413

    Default

    Great.. thanks... can you post samples of the kind of information you are getting via email from these alerts?
    Thanks!
    --------------------------------
    Juan Machado
    --------------------------------

  5. #5
    Master Untangler
    Join Date
    Apr 2007
    Posts
    594

    Default

    Here is one I got from a customer's box about a week back.

    Code:
    syslog@192.168.99.24[local0.warning]: Dec 8 09:03:38 untangle.domain.local Intrusion_Prevention[20]: Log # endpoints: create-date=Mon Dec 08 09:03:38 CST 2008, session-id=950890419, protocol=TCP, policy=Directors, client-iface=inside, client-addr=192.168.99.51, client-port=1256, server-addr=64.4.55.109, server-port=80, server-iface=outside, client-addr=192.168.99.51, client-port=1256, server-addr=64.4.55.109, server-port=80 # info: snort-id=1233, blocked=true, message=WEB-CLIENT Outlook EML access #

  6. #6
    Untangle Ninja juank
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,413

    Default

    Do you want something better? Why don't you add to the email a link to the SNORT rule description, just add http://www.snort.org/pub-bin/sigs.cgi?sid=SNORT_RULE ...

    i.e. http://www.snort.org/pub-bin/sigs.cgi?sid=1233
    --------------------------------
    Juan Machado
    --------------------------------

  7. #7
    Master Untangler
    Join Date
    Apr 2007
    Posts
    594

    Default

    Quote Originally Posted by juank
    Do you want something better? Why don't you add to the email a link to the SNORT rule description, just add http://www.snort.org/pub-bin/sigs.cgi?sid=SNORT_RULE ...

    i.e. http://www.snort.org/pub-bin/sigs.cgi?sid=1233
    I'm not sure how I would extract the SID from the message... other than that, what a great idea.

  8. #8
    Untangle Ninja juank
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,413

    Default

    Pretty easy, I'll help you with that later.
    --------------------------------
    Juan Machado
    --------------------------------

  9. #9
    Untangle Ninja Silver Bullet
    Join Date
    Sep 2007
    Posts
    1,946

    Default

    Good Stuff bigdessert!!

    Juank may have had something different in mind, but this will do what he was talking about and format the alerts for html.

    In the script, just change the alerts variable ( alerts="`cat /path/to/log ) to where you actually are reading the log files from.

    Script
    Code:
    #!/bin/bash
    
    alerts="`cat snortlog | awk '{ print $2, $3, $4, "  ", "<a href=http://www.snort.org/pub-bin/sigs.cgi?sid="$31">"$31"</a>", "   ", $20, "    ", $21, "         ", $22, "      ", $23, "           ", $32 }' | sed 's/snort-id=//g;s/client-addr=//g;s/client-port=//g;s/server-addr=//g;s/server-port=//g;s/blocked=//g;s/,//g'`"
    
    echo "<pre>"
    echo "Time              SID      Client Address     Client Port    Server Address     Server Port   Blocked ?"
    echo "-------------------------------------------------------------------------------------------------------"
    echo "$alerts"
    echo "</pre>"
    It will look like this in the terminal:
    Code:
    <pre>
    Time              SID      Client Address     Client Port    Server Address     Server Port   Blocked ?
    -------------------------------------------------------------------------------------------------------
    Dec 8 09:03:38    <a href=http://www.snort.org/pub-bin/sigs.cgi?sid=1233>1233</a>     192.168.99.51      1256           64.4.55.109        80             true
    Dec 8 09:03:38    <a href=http://www.snort.org/pub-bin/sigs.cgi?sid=1233>1233</a>     192.168.99.51      1256           64.4.55.109        80             true
          <a href=http://www.snort.org/pub-bin/sigs.cgi?sid=></a>
    </pre>
    But in HTML it will look like this, with each SID having a link to the Snort site:
    Code:
    Time              SID      Client Address     Client Port    Server Address     Server Port   Blocked ?
    -------------------------------------------------------------------------------------------------------
    Dec 8 09:03:38    1233     192.168.99.51      1256           64.4.55.109        80             true
    Dec 8 09:03:38    1233     192.168.99.51      1256           64.4.55.109        80             true
    Vote here to have wireless included in Untangle.
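As an added example, not code from the thread, here is a small parser for the Intrusion_Prevention line quoted in post #5. It pulls out the SID that juank's link needs (the question in post #7) and the same fields Silver Bullet's awk script selects by field number, so a line with extra or missing tokens does not shift the columns; it assumes the layout shown above, with the `syslog@host[...]` prefix optional, and the sample line is constructed from that post.

```python
import re

# Constructed sample in the same layout as the alert quoted in post #5 of this thread
SAMPLE = (
    "syslog@192.168.99.24[local0.warning]: Dec 8 09:03:38 untangle.domain.local "
    "Intrusion_Prevention[20]: Log # endpoints: create-date=Mon Dec 08 09:03:38 CST 2008, "
    "session-id=950890419, protocol=TCP, policy=Directors, client-iface=inside, "
    "client-addr=192.168.99.51, client-port=1256, server-addr=64.4.55.109, server-port=80, "
    "server-iface=outside, client-addr=192.168.99.51, client-port=1256, "
    "server-addr=64.4.55.109, server-port=80 # info: snort-id=1233, blocked=true, "
    "message=WEB-CLIENT Outlook EML access #"
)
SIG_URL = "http://www.snort.org/pub-bin/sigs.cgi?sid="  # rule lookup URL suggested in post #6

# Optional "syslog@host[facility.level]:" prefix, syslog timestamp, host, then the IPS tag.
HEADER_RE = re.compile(
    r"^(?:\S+:\s+)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"Intrusion_Prevention\[\d+\]:\s+(?P<body>.*)$"
)

def parse_ips_alert(line: str) -> "dict | None":
    """Parse one Untangle IPS syslog line into its key=value fields; None if not an IPS line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # blank lines and other syslog traffic are skipped instead of mangled
    fields = {"timestamp": m.group("ts"), "host": m.group("host")}
    # body is "Log # endpoints: k=v, k=v, ... # info: k=v, ... #": '#' separates sections,
    # each section has a label before ':' and ", "-separated pairs after it
    for section in m.group("body").split("#"):
        _, _, pairs = section.partition(":")
        for pair in pairs.split(", "):
            key, sep, value = pair.strip().partition("=")
            if sep and key:
                fields.setdefault(key, value)  # client-addr etc. repeat; keep the first
    return fields

def sig_link(fields: dict) -> str:
    return SIG_URL + fields["snort-id"]

def render_row(fields: dict, html: bool = False) -> str:
    """One row with the columns of the thread's awk script; html=True links the SID."""
    sid = fields["snort-id"]
    if html:
        sid = f'<a href="{sig_link(fields)}">{sid}</a>'
    return "  ".join([fields["timestamp"], sid, fields["client-addr"], fields["client-port"],
                      fields["server-addr"], fields["server-port"], fields["blocked"]])
```

Feed it each line of the log file that Silver Bullet's script reads; lines that return None (blank lines, other daemons' messages) are simply skipped, which avoids the empty link row seen in the terminal output above.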

  10. #10
    Master Untangler MiniPilote
    Join Date
    Feb 2008
    Posts
    188

    Default

    I'd like to implement this, but I'm a little confused. Where does Silver Bullet's ALERT code get placed? Are the instructions from the original post complete with this code?

    It looks like anything that generates a syslog message can be used for alerting, is that correct? I'm not a syslog expert so some help here would be appreciated.

    Thanks for the "How To:" bigdessert.
    MiniPilote

