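#!/bin/sh
# ossec-slack.sh - OSSEC active response that posts an alert summary to a
# Slack incoming webhook.
#
# OSSEC invokes active responses as:
#   script <add|delete> <user> <srcip> <alert-id> <rule-id> ...
# Only the "add" action posts; "delete" is a no-op. The alert body is read
# back from logs/alerts/alerts.log using the alert id.
#
# Change these values!
# SLACKUSER user who posts notifications
# CHANNEL which channel it should be posted
# SITE is the URL provided by the Slack's WebHook, something like:
# https://hooks.slack.com/services/TOKEN
SLACKUSER=""
CHANNEL=""
SITE=""
SOURCE="ossec2slack"   # not referenced below; kept for compatibility

# Checking user arguments
if [ "x$1" = "xdelete" ]; then
  exit 0
fi

ALERTID=$4
RULEID=$5

# This script lives in <ossec>/active-response/bin; move to active-response/
# so that ../logs resolves to <ossec>/logs. Abort rather than log into cwd.
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1
BASE=$(pwd)
LOGFILE="${BASE}/../logs/active-responses.log"
ALERTLOG="${BASE}/../logs/alerts/alerts.log"

#######################################
# Append a timestamped line to the active-responses log.
# Arguments: the message words
#######################################
log_msg() {
  printf '%s %s\n' "$(date)" "$*" >> "$LOGFILE"
}

#######################################
# Escape a string for use inside a JSON string literal: backslashes, double
# quotes, tabs and newlines. Alert text comes from log lines, i.e. from
# content a remote party can influence, so it must never be spliced into
# the payload raw.
# Arguments: $1 - the string to escape
# Outputs:   the escaped single-line string on stdout
#######################################
json_escape() {
  printf '%s\n' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\t/\\t/g' \
    | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g'
}

# Logging
log_msg "$0 $1 $2 $3 $4 $5 $6 $7 $8"

# Without an alert id the grep below would match every line of alerts.log.
if [ -z "$ALERTID" ]; then
  log_msg "$0: no alert id given, nothing to post."
  exit 1
fi
if [ -z "$SITE" ]; then
  log_msg "$0: SITE (Slack webhook URL) is not configured."
  exit 1
fi

# The alert id (e.g. 1234567890.123) is a literal, not a regex: match it with -F.
ALERTTITLE=$(grep -F -A 1 -- "$ALERTID" "$ALERTLOG" | tail -1)
ALERTTEXT=$(grep -F -A 10 -- "$ALERTID" "$ALERTLOG" \
  | grep -v "Src IP: " | grep -v "User: " \
  | grep -A 4 "Rule: " | sed '/^$/Q' | cut -c -139)

# Severity is the "(level N)" field on the first text line; empty if absent.
LEVEL=$(printf '%s\n' "$ALERTTEXT" | head -1 \
  | sed -n 's/^.*(level \([0-9]*\)).*$/\1/p')

COLOR="#D3D3D3"
if [ -n "$LEVEL" ]; then
  [ "$LEVEL" -ge 4 ] && COLOR="#FFCC00"
  [ "$LEVEL" -ge 7 ] && COLOR="#FF9966"
  [ "$LEVEL" -ge 12 ] && COLOR="#CC3300"
fi

# Every dynamic field is escaped before being spliced into the JSON; the
# fallback is title and text joined by a JSON "\n" (no printf format
# string built from alert content).
TITLE_JSON=$(json_escape "$ALERTTITLE")
TEXT_JSON=$(json_escape "$ALERTTEXT")
FALLBACK_JSON="${TITLE_JSON}\\n${TEXT_JSON}"
CHANNEL_JSON=$(json_escape "$CHANNEL")
USER_JSON=$(json_escape "$SLACKUSER")
PAYLOAD='{"channel": "'"$CHANNEL_JSON"'", "username": "'"$USER_JSON"'", "attachments": [ {"fallback": "'"$FALLBACK_JSON"'", "title": "'"$TITLE_JSON"'", "text": "'"$TEXT_JSON"'", "color": "'"$COLOR"'"} ]}'

# Prefer curl; fall back to wget. Transport errors go to the active-responses log.
if command -v curl >/dev/null 2>&1; then
  curl -s -X POST --data-urlencode "payload=${PAYLOAD}" "$SITE" 2>> "$LOGFILE"
  exit 0
fi
if command -v wget >/dev/null 2>&1; then
  # -O /dev/null: do not leave Slack's reply as a file in the cwd
  wget --keep-session-cookies -O /dev/null --post-data="${PAYLOAD}" "$SITE" 2>> "$LOGFILE"
  exit 0
fi
log_msg "$0: Unable to find curl or wget."
exit 1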