Setting Up PasteHunter Part 2 – Email Alerts & Moving to the Cloud

Please read How to Setup PasteHunter in VirtualBox before using this guide.

So you may have noticed in the “settings.json” file that PasteHunter supports SMTP output. This is ideal for being alerted to certain Yara Rule hits, or even custom rules that you’ve created yourself as they appear.

Which settings you need will depend on the SMTP server you use. For this guide, I will be using Google SMTP with an App Password for alerting.

Firstly, ensure you have a Google Mail account. If you don’t have one, you can create one here. I wouldn’t recommend using the personal Gmail account you use for Amazon, LinkedIn etc. – set up a new, dedicated account for this. Your email alerts will be shown as from this address.

Google Account Settings

Next, go to your Google Account settings, and click “Security” on the left-hand pane:

Scroll down to find “Less secure app access” and ensure it’s turned “On” (as seen in the screenshot above).

Next, scroll up to “Signing in to Google” and enable “2-Step Verification”.

Once “2-Step Verification” is enabled, click “App Passwords” and create a new App Password. In the left-hand drop-down (Select App) select “Mail”, then in the right-hand drop-down (Select Device) select “Other (Custom Name)”. Here you can enter whatever name you want your App Password to have; I’ve called mine “PasteHunter Notifications”.

Once you click “Generate”, your “App Password” will be displayed in the yellow box (16 character code). Make sure you make a note of it.

Configure PasteHunter SMTP Settings

Next, you want to edit your “settings.json” file:

$ nano /opt/pastehunter/settings.json

Scroll down to the “smtp_output” section and edit the following (I have added comments next to the lines you need to change; JSON does not allow comments, so these are annotations only and must not be pasted into the file):

    "smtp_output": {
      "enabled": true, # Change this to true
      "module": "outputs.smtp_output",
      "classname": "SMTPOutput",
      "smtp_host": "smtp.gmail.com", # Changed to the Google SMTP server
      "smtp_port": 587, # Changed to 587
      "smtp_security": "tls", # Changed to tls
      "smtp_user": "mynewgoogleaccount@gmail.com", # Changed to your Google Account email
      "smtp_pass": "myapppassword", # Your App Password, that you generated earlier
      "recipients" : {
        "recipient_1": {
          "address": "emailaddress that gets the alerts", # Enter your recipient email here
          "rule_list": ["email_list" , "powershell"], # Enter the Yara Rules you want to be alerted on
          "mandatory_rule_list": []
        },
        "recipient_2": {
          "address": "emailaddress that gets the alerts", # Second recipient (optional)
          "rule_list": [],
          "mandatory_rule_list": ["keyword1", "keyword2"]
        }
      }
    }

Under “rule_list” you can list as many or as few Yara Rules to be alerted on as you want; however, I recommend you start with “email_list” for testing, as that one hits quite often.

Ctrl + O to save, then restart the PasteHunter service:

$ sudo systemctl restart pastehunter.service

If everything has worked, you should start receiving email alerts! See below for example (email address omitted):
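As an added example (not part of the original guide or of PasteHunter’s own code), the following Python script reads the “smtp_output” section, checks it against the Gmail values used above, and sends a one-off test alert so the credentials can be verified without waiting for a Yara hit. It assumes PasteHunter’s “tls” setting means a plain connection upgraded with STARTTLS on port 587, which is what the settings above imply; the function names and the settings path default are my own.

```python
import json
import smtplib
import ssl
from email.message import EmailMessage

def load_smtp_settings(path="/opt/pastehunter/settings.json"):
    """Return the smtp_output section of settings.json (path from the guide)."""
    with open(path) as fh:
        try:
            settings = json.load(fh)
        except json.JSONDecodeError as exc:  # JSON has no comment syntax
            raise SystemExit(f"{path} is not valid JSON (stray '#' comment?): {exc}")
    return settings["outputs"]["smtp_output"]

def check_smtp_settings(cfg):
    """List problems with the Gmail-style settings used in the guide."""
    problems = []
    if not cfg.get("enabled"):
        problems.append("smtp_output is not enabled")
    if cfg.get("smtp_security") != "tls" or cfg.get("smtp_port") != 587:
        problems.append("Gmail STARTTLS expects smtp_security 'tls' on port 587")
    if len(cfg.get("smtp_pass", "").replace(" ", "")) != 16:  # spaces are display-only
        problems.append("smtp_pass should be the 16-character App Password")
    for name, rcpt in cfg.get("recipients", {}).items():
        if "@" not in rcpt.get("address", ""):
            problems.append(f"{name}: address is not an email address")
        if not rcpt.get("rule_list") and not rcpt.get("mandatory_rule_list"):
            problems.append(f"{name}: no rules listed, so it will never be alerted")
    return problems

def build_test_message(cfg, rule="email_list"):
    """Build a message addressed like a PasteHunter alert to the first recipient."""
    first = next(iter(cfg["recipients"].values()))
    msg = EmailMessage()
    msg["From"], msg["To"] = cfg["smtp_user"], first["address"]
    msg["Subject"] = f"PasteHunter test alert ({rule})"
    msg.set_content("Test message to verify the smtp_output settings.")
    return msg

def send_test_message(cfg, msg):
    """Plain connect then STARTTLS, as the 'tls' setting on port 587 implies."""
    with smtplib.SMTP(cfg["smtp_host"], cfg["smtp_port"], timeout=20) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(cfg["smtp_user"], cfg["smtp_pass"])
        smtp.send_message(msg)
if __name__ == "__main__":
    cfg = load_smtp_settings()
    if problems := check_smtp_settings(cfg):
        raise SystemExit("\n".join(problems))
    send_test_message(cfg, build_test_message(cfg))
```

Run it once after saving settings.json; a login failure here means the App Password or account is wrong, not your Yara rules.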

Moving PasteHunter to the Cloud

If you don’t have a server or another way of running your virtual machine 24×7, you may want to invest in a Virtual Private Server. There are plenty of providers out there that host for as little as £2.99 (ex VAT) a month! As PasteHunter is relatively lightweight, the lowest-spec VPS will usually suffice; for example, the VPS SSD 1 option from OVH will work perfectly. Make sure this VPS is running Ubuntu Server.

The method is essentially the same as for VirtualBox; however, instead of port forwarding in VirtualBox, you set up port forwarding using SSH.

Follow the same steps as in How to Setup PasteHunter in VirtualBox, but a couple of changes need to be made to the Elasticsearch, Kibana and PasteHunter settings.

ElasticSearch Changes

The default installation will work with no changes, as it binds to localhost, which is what we will use with port forwarding. So simply install Elasticsearch the same way as in Part 1, but don’t make any changes to the settings file.

Kibana Changes

The default installation will again work for Kibana, with one minor change in the settings:

$ sudo nano /etc/kibana/kibana.yml

Edit the following line:

elasticsearch.url: "http://localhost:9200"

PasteHunter Changes

Only one change again for the PasteHunter settings; let’s edit the “settings.json” file:

$ sudo nano /opt/pastehunter/settings.json

Edit the line commented under “elastic_output”:

  "outputs": {
    "elastic_output": {
      "enabled": true,
      "module": "outputs.elastic_output",
      "classname": "ElasticOutput",
      "elastic_index": "paste-test",
      "elastic_host": "127.0.0.1", # Changed to Localhost
      "elastic_port": 9200,
      "elastic_user": "elastic",
      "elastic_pass": "changeme",
      "elastic_ssl": false,
      "weekly_index": true
    },

Be sure to restart all your services after making your changes:

$ sudo systemctl restart elasticsearch.service
$ sudo systemctl restart kibana.service
$ sudo systemctl restart pastehunter.service

Next, you want to set up port forwarding; this can be achieved in both PuTTY and Termius.

Port Forwarding in PuTTY

Before connecting, in the left-hand pane, under Connection -> SSH -> Tunnels, enter the following:

Click “Add” and the line will appear under “Forwarded Ports”. If you also want to view Elasticsearch in your browser, repeat this but enter port number 9200 where it says “Source Port”. Then connect to your VPS and log in.

Once logged in, go to your browser and navigate to: http://127.0.0.1:5601
You will then see Kibana.

Port Forwarding in Termius

Click “Port Forwarding” on the left-hand menu:

Add the following:

Under “Hosts”, ensure you have added your VPS under the list of “Hosts” before adding your Port Forwarding Rule.

Next, under Port Forwarding, either double-click the rule or right-click it and click “Connect”, then log in.

Once logged in, go to your browser and navigate to: http://127.0.0.1:5601
You will then see Kibana.
