github.com/morningconsult/go-elasticsearch-alerts
A daemon for generating alerts on Elasticsearch data in real-time.
Further details on setup and usage can be found in the project documentation.
You can download your preferred variant of the binary from the releases page.
go get

You can build the binary via go get with:

```shell
$ go get github.com/morningconsult/go-elasticsearch-alerts
```
If you do not have Go installed locally, you can still build the binary if you have Docker installed. Simply clone this repository and run `make docker` to build the binary within a Docker container and output it to the local directory.
You can cross-compile the binary using the TARGET_GOOS and TARGET_GOARCH environment variables. For example, if you wish to compile the binary for a 64-bit (x86-64) Windows machine, run the following command:

```shell
$ TARGET_GOOS="windows" TARGET_GOARCH="amd64" make docker
```

The binary will be output to `bin` in the local directory.
This application requires several configuration files: a main configuration file and one or more rule configuration files. The main configuration file is used to configure general behavior of the application. The rule files are used to define your alerts (e.g. what queries are executed, when they are executed, where the results shall be sent, etc.).
The main configuration file is used to specify:
The application will look for this file at /etc/go-elasticsearch-alerts/config.json by default, but if you wish to keep it elsewhere you can specify the location of this file using the GO_ELASTICSEARCH_ALERTS_CONFIG_FILE environment variable.
This example shows a sample main configuration file.

```json
{
  "elasticsearch": {
    "server": {
      "url": "https://my.elasticsearch.com"
    },
    "client": {
      "tls_enabled": true,
      "ca_cert": "/tmp/cacert.pem",
      "client_cert": "/tmp/client_cert.pem",
      "client_key": "/tmp/client_key.pem"
    }
  },
  "distributed": true,
  "consul": {
    "consul_lock_key": "go-elasticsearch-alerts/leader",
    "consul_http_addr": "http://127.0.0.1:8500",
    "consul_http_ssl": "true",
    "consul_cacert": "/tmp/cacert_consul.pem",
    "consul_client_cert": "/tmp/client_cert_consul.pem",
    "consul_client_key": "/tmp/client_key_consul.pem"
  }
}
```
The rule configuration files are used to configure what Elasticsearch queries will be run, how often they will be run, how the data will be transformed, and how the transformed data will be output. These files should be in JSON format. The application will look for the rule files at /etc/go-elasticsearch-alerts/rules by default, but if you wish to keep them elsewhere you can specify this directory using the GO_ELASTICSEARCH_ALERTS_RULES_DIR environment variable.
```json
{
  "name": "Filebeat Errors",
  "index": "filebeat-*",
  "schedule": "@every 10m",
  "body": {
    "query": {
      "bool": {
        "must": [
          { "query_string": {
            "query": "*",
            "fields": [ "system.syslog.message", "message" ]
          } }
        ]
      }
    },
    "aggs": {
      "hostname": {
        "terms": {
          "field": "system.syslog.hostname",
          "min_doc_count": 1
        }
      }
    },
    "size": 20,
    "_source": "system.syslog"
  },
  "body_field": "hits.hits._source",
  "filters": [
    "aggregations.service_name.buckets",
    "aggregations.service_name.buckets.program.buckets"
  ],
  "outputs": [
    {
      "type": "slack",
      "config": {
        "webhook": "https://slack.webhooks.foo/asdf",
        "channel": "#error-alerts",
        "text": "New errors",
        "emoji": ":hankey:"
      }
    },
    {
      "type": "file",
      "config": {
        "file": "/tmp/errors.log"
      }
    }
  ]
}
```
In the example above, the application would execute the following query (illustrated by the cURL request below) against Elasticsearch every ten minutes, group by aggregations.service_name.buckets and aggregations.service_name.buckets.program.buckets, and write the results to Slack and local disk.
```shell
$ curl http://<your_elasticsearch_host>/filebeat-*/_search \
  --header "Content-Type: application/json" \
  --data '{
    "query": {
      "bool": {
        "must": [
          { "query_string": {
            "query": "*",
            "fields": [ "system.syslog.message", "message" ]
          } }
        ]
      }
    },
    "aggs": {
      "hostname": {
        "terms": {
          "field": "system.syslog.hostname",
          "min_doc_count": 1
        }
      }
    },
    "size": 20,
    "_source": "system.syslog"
  }'
```
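Because the rule file's `filters` paths are resolved against the `aggregations` section of the Elasticsearch response, a filter that names an aggregation the `body.aggs` block never declares will simply match nothing. The lint below is an added example (not part of the project) that parses a rule file with an assumed minimal shape, checks the required fields, and flags any filter whose aggregation name is not declared; the embedded sample is constructed to reproduce exactly that mismatch (aggs declares `hostname`, filters reference `service_name`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// rule covers only the rule-file fields this lint needs (assumed shape, not the project's own types).
type rule struct {
	Name, Index, Schedule string
	Body                  map[string]interface{}
	Filters               []string
	Outputs               []map[string]interface{}
}

// LintRule returns one message per problem found; an empty slice means the rule is consistent.
func LintRule(raw []byte) ([]string, error) {
	var r rule
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var out []string
	if r.Name == "" || r.Index == "" || r.Schedule == "" || len(r.Outputs) == 0 {
		out = append(out, "name, index, schedule and at least one output are required")
	}
	aggs := map[string]bool{} // aggregation names declared under body.aggs
	if a, ok := r.Body["aggs"].(map[string]interface{}); ok {
		for k := range a {
			aggs[k] = true
		}
	}
	// Every filter path must read aggregations.<agg>.buckets[...] and name a declared agg.
	for _, p := range r.Filters {
		parts := strings.SplitN(p, ".", 3)
		if len(parts) < 3 || parts[0] != "aggregations" || !aggs[parts[1]] {
			out = append(out, fmt.Sprintf("filter %q does not match a declared aggregation", p))
		}
	}
	return out, nil
}
// Constructed sample (not from the project): declares agg "hostname" but filters on "service_name".
const sample = `{"name":"Filebeat Errors","index":"filebeat-*","schedule":"@every 10m",
 "body":{"aggs":{"hostname":{"terms":{"field":"system.syslog.hostname"}}}},
 "filters":["aggregations.service_name.buckets"],"outputs":[{"type":"file","config":{"file":"/tmp/errors.log"}}]}`
func main() {
	problems, err := LintRule([]byte(sample))
	fmt.Println(problems, err) // one problem for the service_name filter, err nil
}
```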
Once your configuration files have been set up, to run the program simply execute the binary:

```shell
$ ./go-elasticsearch-alerts
```