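#!/bin/sh
# Tweet an alert - copy at /var/ossec/active-response/bin/ossec-tweeter.sh
# Author: Daniel Cid
#
# Invoked by OSSEC active response as
#   ossec-tweeter.sh <add|delete> <user> <srcip> <alert-id> <rule-id> ...
# Only $1 (action) and $4 (alert id, "<epoch>.<offset>") drive the script;
# $5 is kept for reference. Every invocation is appended to
# logs/active-responses.log before anything else is done.
#
# Change these values! The credentials are handed to curl/wget through stdin
# or a 0600 temp file (never on the command line, so they do not show up in
# `ps`); keep this file readable by the ossec user only.
TWITTERUSER=""
TWITTERPASS=''
DIRECTMSGUSER=""
SOURCE="ossec2tweeter"

# Checking user arguments: there is nothing to undo on "delete".
if [ "x$1" = "xdelete" ]; then
  exit 0
fi

ALERTID=$4
# shellcheck disable=SC2034  # not used by the script; kept for local tweaks
RULEID=$5
# Split "<epoch>.<offset>" into the two fields used to locate the alert.
ALERTTIME=$(printf '%s\n' "$ALERTID" | cut -d "." -f 1)
ALERTLAST=$(printf '%s\n' "$ALERTID" | cut -d "." -f 2)

# Logging. Work from the active-response directory (this script lives in
# active-response/bin) so the log paths below resolve relative to the OSSEC
# base directory; bail out instead of logging into the wrong place if the
# directory cannot be entered. $PWD itself is left alone (it is the shell's).
LOCAL=$(dirname -- "$0")
cd -- "$LOCAL/.." || { printf '%s: cannot cd to %s/..\n' "$0" "$LOCAL" >&2; exit 1; }
ARDIR=$(pwd)
LOG="$ARDIR/../logs/active-responses.log"
printf '%s %s %s\n' "$(date)" "$0" "$*" >> "$LOG"

# Pull the alert block out of alerts.log. The alert id fields are numeric, so
# fixed-string matching (-F) is equivalent to the old regex but cannot be
# influenced by unexpected characters in the id. Twitter limits a status to
# 140 characters, hence the cut.
ALERTFULL=$(grep -F -A 10 -- "$ALERTTIME" "$ARDIR/../logs/alerts/alerts.log" \
  | grep -v -A 10 -F -- ".$ALERTLAST: " \
  | grep -v -- "Src IP: " \
  | grep -v -- "User: " \
  | grep -A 4 -- "Rule: " \
  | cut -c -139)

# Checking if we are sending a direct message or not. Credentials travel as
# HTTP Basic auth, so the endpoints are addressed over TLS.
# POSTBASE holds every form field except the message; MSGFIELD names the
# field that carries the alert text.
if [ "x" = "x$DIRECTMSGUSER" ]; then
  SITE="https://twitter.com/statuses/update.xml"
  POSTBASE="source=$SOURCE"
  MSGFIELD="status"
else
  SITE="https://twitter.com/direct_messages/new.xml"
  POSTBASE="source=$SOURCE&user=$DIRECTMSGUSER"
  MSGFIELD="text"
fi

if command -v curl > /dev/null 2>&1; then
  # Credentials are fed to curl as a config file on stdin (-K -) so they never
  # appear in the process list. Inside the quoted config value only backslash
  # and double quote need escaping. --data-urlencode encodes the alert text
  # (newlines, '&', '=') so it cannot corrupt the form body.
  CREDS=$(printf '%s' "$TWITTERUSER:$TWITTERPASS" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$CREDS" \
    | curl -K - -d "$POSTBASE" --data-urlencode "$MSGFIELD=$ALERTFULL" "$SITE" 2>> "$LOG" \
    || printf '%s %s: curl failed to send alert %s\n' "$(date)" "$0" "$ALERTID" >> "$LOG"
  exit 0
fi

if command -v wget > /dev/null 2>&1; then
  # wget has no stdin option for credentials: write them to a private (0600)
  # wgetrc that is removed on exit, and point wget at it through $WGETRC.
  WGETRC=$(mktemp "${TMPDIR:-/tmp}/ossec-tweeter.XXXXXX") || exit 1
  trap 'rm -f -- "$WGETRC"' EXIT
  printf 'http_user = %s\nhttp_password = %s\n' "$TWITTERUSER" "$TWITTERPASS" > "$WGETRC"
  export WGETRC
  wget --keep-session-cookies --post-data="$POSTBASE&$MSGFIELD=$ALERTFULL" "$SITE" 2>> "$LOG" \
    || printf '%s %s: wget failed to send alert %s\n' "$(date)" "$0" "$ALERTID" >> "$LOG"
  exit 0
fi

printf '%s %s: Unable to find curl or wget.\n' "$(date)" "$0" >> "$LOG"
exit 1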