Logcheck

[Whistle Master]

Hi !

My last add-on to the pineapple: a log checker to send by email events based on defined matching rules

Features

- Add rules to filter log events (match & ignore)

- Automatically send filtered events by email on a defined frequency (cron).

- See filtered log in the UI and auto-refresh

- Test email function

- Autostart

- Custom script execution

Screenshots

Edited August 7, 2012 by Whistle Master

[shadowmmm]

thank you WM

ps have u been working on the keylogger module still :)

Edited May 1, 2012 by shadowmmm

[Whistle Master]

First version has been send to Seb :)

[Whistle Master]

Last version with Autostart and ignore rules is out :)

[Whistle Master]

Last version with Custom script execution is out :)

[PineDominator]

Last version with Custom script execution is out :)

I am not sure how to use this? is it watching the logger log? how do I chose what log is being checked?

[Whistle Master]

Yes, the module is watching the logger log. You can add filter (matching, ignore).

The last addition is the execution of a custom script with the output result sent by email. I already included an example of custom script which is the same as the output from the pineapple main page (DHCP log, ARP and Karma log).

[PineDominator]

Yes, the module is watching the logger log. You can add filter (matching, ignore).

The last addition is the execution of a custom script with the output result sent by email. I already included an example of custom script which is the same as the output from the pineapple main page (DHCP log, ARP and Karma log).

Thanks WM:-)

This link has your name on it;-)

[velkrosmaak]

Am I being a dumbass or do I need to find some kind of open smtp server? I can't find a way to add a password in order to authenticate to say, Gmail's SMTP server.

[Whistle Master]

For Gmail, add to the configuration:

root=username@gmail.com
mailhub=smtp.gmail.com:587
rewriteDomain=
hostname=username@gmail.com
UseSTARTTLS=YES
AuthUser=username
AuthPass=password
FromLineOverride=YES

Edited May 18, 2012 by Whistle Master

[Razzlerock]

Hi there. I got this working with the default script, but now I would like to use my own 'simple' script. It seems simple, but I cannot get it to work

Basically, I want the pineapple to 'check' if an (auto)ssh connection has successfully connected (after 5 minutes of a reboot) - if it has I would like it to fire me an email. If it hasn't connected via ssh, I don't want an email.

Why do I want this? When deploying on a site, I would like a way to know if the pineapple has been able to tunnel through a companies firewall - in other words, if they are permitting SSH. A simple cron check after 5 minutes of a reboot to check ssh and fire me an email saying its connected would be beautiful. If I don't get an email, I can assume that SSH is blocked....

P.S. I know I can use 3g (no company firewall restriction) and I know I can check the ssh connection on the pineapple by wireless connecting to it - in this scenario please consider that neither of these options are available.

I was wondering if a simple 'pidof autossh' could be used? If there is no output (no ssh connection), do nothing. If there is output (see below) then there IS an SSH connection and trigger an email? I'd appreciate a few pointers please.

root@Pineapple:~# pidof autossh

1972

root@Pineapple:~#

Razzlerock

Thanks

Razzlerock

[Razzlerock]

Sorry to reply to my own post but I got this working (except the cron bit). Maybe this will help someone one day....

root@Pineapple:/usb/etc/ssmtp# ls

email-content revaliases send-email.sh ssh-check.sh ssmtp.conf

root@Pineapple:/usb/etc/ssmtp# cat ssh-check.sh

#!/bin/sh

# -----------------------------------------------------------------

# Simple script to send email if SSH is connected.

# -----------------------------------------------------------------

logger "Check if SSH is established"

if ! ( pidof autossh); then

logger "SSH: Connection seemed to be down."

else

/usb/etc/ssmtp/send-email.sh &

logger "SSH: Connection seems to be up. Issued /usb/etc/ssmtp/send-email.sh"

fi

root@Pineapple:/usb/etc/ssmtp# cat send-email.sh

ssmtp destinationemailaddress@test.com < /usb/etc/ssmtp/email-content

root@Pineapple:/usb/etc/ssmtp# cat email-content

To: destinationemailaddress@test.com;

From: myemail@gmail.com;

Subject: Pineapple has dialed home successfully;

A check has confirmed you have dialled home.

root@Pineapple:/usb/etc/ssmtp#

The only part I need to work out now, is if I can schedule to run in cron 10 minutes after a reboot (I don't want it to run every 15 mins.....) If I work this out, ill let you know. If you know how to do this, let me know.

Razzlerock

[Razzlerock]

BTW, I have tried the @reboot cron entry and it doesn't look like its supported. Can anyone verify?

The plan was to invoke via cron on reboot using '@reboot' and then have 'sleep 600' at the start of the shell, effectively delaying the rest of the script for 10 minutes. This 'would' have given me the desired effect, but testing has so far shown no cigar.

[velkrosmaak]

For Gmail, add to the configuration:

root=username@gmail.com
mailhub=smtp.gmail.com:587
rewriteDomain=
hostname=username@gmail.com
UseSTARTTLS=YES
AuthUser=username
AuthPass=password
FromLineOverride=YES

I never thanked you for this, by the way. Thanks man, 'till I get some sort of SMTP relay running this is a lot easier!

[thesugarat]

I don't want log check to send emails but I would like to see Karma logs output to /USB/logs folder. Is that possible as an option?

[mreidiv]

Running 2.7.5 module has no install button for ssmtp

[telot]

mreidiv: First off, good to see you posting again! It's been a while, so welcome back to the community

Second, for advice on ssmtp, you might find value in my post on the subject:

http://forums.hak5.org/index.php?/topic/25966-sent-from-my-pineapple/?hl=ssmtp

Enjoy

telot

[mreidiv]

mreidiv: First off, good to see you posting again! It's been a while, so welcome back to the community

Second, for advice on ssmtp, you might find value in my post on the subject:

http://forums.hak5.org/index.php?/topic/25966-sent-from-my-pineapple/?hl=ssmtp

Enjoy

telot

Thanks, Its been hard to find time while looking for a job here in st. Louis and going to school, and maintaining civility between 4 kids. I stop in when i can . Your post worked thanks, i am a assuming that the problem will be fixed when the next major firmware is released.

[Whistle Master]

Running 2.7.5 module has no install button for ssmtp

The feature has never been there actually ;) I will add it in the next version of the module.

EDIT: version 2.3 is out with ssmtp installation feature ^_^

Edited January 29, 2013 by Whistle Master

[newbi3]

This is a lot like my SMS script I wrote just got to get around to releasing it. I'll probably add some of the features that you have in this to that. Good work mate!

[Whistle Master]

I would suggest to collaborate on this and bring a single module to the community, instead of splitting :)

I'll PM you.

[Boba Fett]

There is a way to check the sslstrip log by mail?

[Boba Fett]

I have 2.7.0 and try to make a custom filter:

#!/bin/sh

# Custom script

grep PHISH /pineapple/logs/phish.log | grep SSLSTRIP /?????????/dnsspoof.log

This is ok? Where find sslstrip log?

I only want the phish log and the sslstrip log.

[telot]

I don't know anything about where or what the logs are for the module, as I use 'strip via cli and wps button, but see my thread on ssmtp for a great start on emailed logs.

http://forums.hak5.org/index.php?/topic/25966-sent-from-my-pineapple/

telot