obrisane nepotrebne datoteke od zadnjeg builda
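#!/bin/sh
#
# ossec-slack.sh - OSSEC active response that posts an alert to a Slack
# incoming webhook.
#
# Arguments read from the active-response invocation: $1 is the action
# ("delete" is a no-op here), $4 the alert id and $5 the rule id. The alert
# text itself is recovered from logs/alerts/alerts.log by its id.
#
# Paths are resolved from this script's own location, which is presumably
# two directories below the OSSEC root (e.g. active-response/bin), so
# "../logs" from the script's parent directory is the OSSEC logs directory.

# Change these values!
# SLACKUSER user who posts notifications
# CHANNEL which channel it should be posted
# SITE is the URL provided by the Slack's WebHook, something like:
# https://hooks.slack.com/services/TOKEN
# NOTE: the webhook URL embeds the token, i.e. it is a credential. It is
# handed to curl/wget on the command line and is therefore briefly visible
# to other local users via ps; keep this file readable only by the OSSEC
# user and do not enable tracing (set -x) around the delivery step.
SLACKUSER=""
CHANNEL=""
SITE=""
SOURCE="ossec2slack"   # currently unused; kept for configuration compatibility

# Turn one string into the contents of a JSON string literal: backslashes,
# double quotes, tabs and newlines are escaped; other control characters
# (CR, NUL, ...) are dropped. Output carries no trailing newline.
# Used on log-derived text, which must never be able to break the payload.
json_escape() {
  _tab=$(printf '\t')
  printf '%s\n' "$1" \
    | tr -d '\000-\010\013-\037\177' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$_tab/\\\\t/g" \
    | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# Checking user arguments
if [ "x$1" = "xdelete" ]; then
  exit 0
fi
ALERTID=$4
RULEID=$5

# Script dir -> its parent; the OSSEC logs are at ../logs from there.
BASEDIR=$(cd "$(dirname -- "$0")/.." && pwd) || exit 1
LOGFILE="${BASEDIR}/../logs/active-responses.log"
ALERTLOG="${BASEDIR}/../logs/alerts/alerts.log"

# Append one timestamped line to the active-response log.
log() {
  printf '%s %s\n' "$(date)" "$*" >> "$LOGFILE"
}

# Logging
log "$0 $*"

# Without an id the grep below would match every line of alerts.log and
# post an arbitrary alert; refuse instead.
if [ -z "$ALERTID" ]; then
  log "$0: no alert id given (expected as argument 4)."
  exit 1
fi
if [ -z "$SITE" ]; then
  log "$0: SITE (Slack webhook URL) is not configured."
  exit 1
fi

# The id is matched literally (-F): ids such as 1234567890.12345 contain
# '.', which would otherwise be a regex wildcard. "--" protects against an
# id that starts with '-'. The text is cut at the first blank line (end of
# the alert block) and each line truncated to 139 characters.
ALERTTITLE=$(grep -F -A 1 -- "$ALERTID" "$ALERTLOG" | tail -n 1)
ALERTTEXT=$(grep -F -A 10 -- "$ALERTID" "$ALERTLOG" \
  | grep -v "Src IP: " \
  | grep -v "User: " \
  | grep -A 4 "Rule: " \
  | sed '/^$/,$d' \
  | cut -c -139)

# Severity from the first line, "Rule: NNN (level N) ..."; empty if absent.
LEVEL=$(printf '%s\n' "$ALERTTEXT" | sed -n '1s/^.*(level \([0-9]*\)).*$/\1/p')
COLOR="#D3D3D3"
if [ -n "$LEVEL" ]; then
  [ "$LEVEL" -ge 4 ] && COLOR="#FFCC00"
  [ "$LEVEL" -ge 7 ] && COLOR="#FF9966"
  [ "$LEVEL" -ge 12 ] && COLOR="#CC3300"
fi

# Build the payload from escaped pieces only; the fallback is title and
# text joined by a JSON-escaped newline. Nothing from the alert is ever
# used as a printf format string.
TITLE_JSON=$(json_escape "$ALERTTITLE")
TEXT_JSON=$(json_escape "$ALERTTEXT")
PAYLOAD=$(printf '{"channel": "%s", "username": "%s", "attachments": [ {"fallback": "%s\\n%s", "title": "%s", "text": "%s", "color": "%s"} ]}' \
  "$(json_escape "$CHANNEL")" "$(json_escape "$SLACKUSER")" \
  "$TITLE_JSON" "$TEXT_JSON" "$TITLE_JSON" "$TEXT_JSON" "$COLOR")

# Prefer curl, fall back to wget. -sS keeps curl quiet but still writes
# errors to the log, and --fail turns an HTTP error into a non-zero exit.
# wget gets an explicit JSON content type (it sends the raw body, not
# "payload=") and discards the response instead of writing a file.
if command -v curl >/dev/null 2>&1; then
  curl -sS --fail -X POST --data-urlencode "payload=${PAYLOAD}" "$SITE" 2>>"$LOGFILE"
  exit $?
elif command -v wget >/dev/null 2>&1; then
  wget -nv -O /dev/null --header='Content-Type: application/json' \
    --post-data="${PAYLOAD}" "$SITE" 2>>"$LOGFILE"
  exit $?
fi

log "$0: Unable to find curl or wget."
exit 1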