
Allowing unverified HTTP POSTs by Elastalert

I am using Praeco as a frontend for the Elastalert API, which in turn relies on Elastalert.

The problem I faced was that sending requests to an endpoint whose certificate could not be verified failed, because Elastalert did not allow verify=False.

I searched the Elastalert code and found where the request is made: in alerts.py, in the class HTTPPostAlerter.

I changed:


response = requests.post(
    url,
    data=json.dumps(payload, cls=DateTimeEncoder),
    headers=headers,
    proxies=proxies,
    timeout=self.timeout
)

to:


response = requests.post(
    url,
    data=json.dumps(payload, cls=DateTimeEncoder),
    headers=headers,
    proxies=proxies,
    timeout=self.timeout,
    verify=False
)

You will still get an insecure request warning, but the request is sent.
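To make clear what the verify argument actually switches on and off, here is an added example (not code from the post, from Elastalert or from Praeco). It rebuilds the alert POST with only the Python standard library so it runs offline; the names DateTimeEncoder, encode_payload, make_ssl_context, verification_enabled and post_alert are this example's own, and the payload is constructed. verify=False corresponds to the patch above (no chain check, no hostname check, hence the warning), while ca_bundle shows the alternative of pointing verification at the private CA that signed the endpoint's certificate.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timezone


class DateTimeEncoder(json.JSONEncoder):
    """Serialise datetimes as ISO 8601 so alert payloads can be dumped as JSON.
    Stands in for the encoder of the same name used in the patched call (hypothetical)."""

    def default(self, o):
        if isinstance(o, datetime):
            return o.isoformat()
        return super().default(o)


def encode_payload(payload):
    """Return the JSON body bytes for an alert payload."""
    return json.dumps(payload, cls=DateTimeEncoder).encode("utf-8")


def make_ssl_context(ca_bundle=None, verify=True):
    """Build the TLS context for the webhook connection.

    verify=True  -> validate the chain against the system trust store (the default)
    ca_bundle    -> validate against a private CA file instead, which is what an
                    internally signed webhook endpoint actually needs
    verify=False -> what the verify=False patch does: no chain check and no
                    hostname check, which is why an insecure request warning appears
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx):
    """True when the context still checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def post_alert(url, payload, headers=None, ca_bundle=None, verify=True, timeout=10):
    """POST the alert payload; mirrors the requests.post call in HTTPPostAlerter."""
    req_headers = {"Content-Type": "application/json"}
    req_headers.update(headers or {})
    req = urllib.request.Request(
        url, data=encode_payload(payload), headers=req_headers, method="POST"
    )
    ctx = make_ssl_context(ca_bundle=ca_bundle, verify=verify)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()


def sample_payload():
    """Constructed alert payload, for demonstration only."""
    return {"rule": "praeco-demo", "@timestamp": datetime(2020, 1, 1, tzinfo=timezone.utc)}


if __name__ == "__main__":
    print(encode_payload(sample_payload()))
    # The state the verify=False patch puts every webhook connection in:
    print("verification enabled:", verification_enabled(make_ssl_context(verify=False)))
```

If the webhook endpoint uses a certificate from an internal CA, passing that CA file as ca_bundle keeps verification on while still accepting the endpoint; verify=False is the fallback that accepts any certificate at all.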

If you are using the Praeco Docker containers, you can use this post to figure out which version of the code to change.

Remember to first go into the container:


docker exec -it praeco_elastalert_1 sh

Testing this in reality

Outside of the test function, the HTTP POST does not work.

In the alert log on the Praeco frontend the Slack alert shows, but the HTTP POST does not.

In the application logs the following error is shown:


ProcessController:  ERROR:root:Error while running alert http_post: Error posting HTTP Post alert: HTTPSConnectionPool(host='{ base_url }', port=443): Max retries exceeded with url: /st2/api/v1/webhooks/praeco (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

I had to restart the containers (docker container stop and start) for Elastalert to read the updated files.