From ddc92e13786b90fb3eb6d7c6b33bfb524da48c23 Mon Sep 17 00:00:00 2001 From: Luiz Pasqual Date: Tue, 15 Dec 2015 10:29:03 -0200 Subject: [PATCH] Create ossec-slack.sh This is an integration with Slack (https://slack.com/) service, based on the Twitter integration. --- active-response/ossec-slack.sh | 45 ++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 active-response/ossec-slack.sh diff --git a/active-response/ossec-slack.sh b/active-response/ossec-slack.sh new file mode 100644 index 000000000..eba683f44 --- /dev/null +++ b/active-response/ossec-slack.sh @@ -0,0 +1,45 @@ +#!/bin/sh + +# Change these values! +# SLACKUSER user who posts notifications +# CHANNEL witch channel it should be posted +# SITE is the URL provided by the Slack's WebHook, something like: +# https://hooks.slack.com/services/TOKEN" +SLACKUSER="" +CHANNEL="" +SITE="" +SOURCE="ossec2slack" + +# Checking user arguments +if [ "x$1" = "xdelete" ]; then + exit 0; +fi +ALERTID=$4 +RULEID=$5 +LOCAL=`dirname $0`; +ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1` +ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2` + +# Logging +cd $LOCAL +cd ../ +PWD=`pwd` +echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log +ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'` + +PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}' + +ls "`which curl`" > /dev/null 2>&1 +if [ ! $? = 0 ]; then + ls "`which wget`" > /dev/null 2>&1 + if [ $? = 0 ]; then + wget --keep-session-cookies --post-data="${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log + exit 0; + fi +else + curl -X POST --data-urlencode "payload=${PAYLOAD}" ${SITE} 2>>${PWD}/../logs/active-responses.log + exit 0; +fi + +echo "`date` $0: Unable to find curl or wget." >> ${PWD}/../logs/active-responses.log +exit 1;