8238c00c137ec9e0039ada21404c4abe181387cf
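#!/bin/sh
# Tweet an alert - copy at /var/ossec/active-response/bin/ossec-tweeter.sh
# Author: Daniel Cid
#
# Arguments read by this script:
#   $1 - action; "delete" is a no-op
#   $4 - alert id, split on "." into a time part and a trailing part
#   $5 - rule id (stored, not used below)
# $1..$8 are appended to active-responses.log on every run.
# Exit status: 0 on "delete" or after a post was attempted (the client's own
# status is not checked), 1 if the alert id is malformed, the working
# directory cannot be resolved, or neither curl nor wget is available.


# Change these values!
# The password is stored here in clear text: keep this file unreadable to
# unprivileged local users.
TWITTERUSER=""
TWITTERPASS=''
DIRECTMSGUSER=""
SOURCE="ossec2tweeter"


# Percent-encode every byte of $1 for use as a form value.
# Over-encoding is valid and keeps characters such as "&", "=" or newlines in
# the alert text from being read as extra POST parameters.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d '\n' \
        | sed 's/[[:space:]]\{1,\}/%/g; s/%$//'
}


# Checking user arguments
if [ "x$1" = "xdelete" ]; then
    exit 0
fi
ALERTID=$4
RULEID=$5
LOCAL=$(dirname "$0")
# Same split as `cut -d . -f 1` / `-f 2`: without a dot both parts are the
# whole id.
ALERTTIME=${ALERTID%%.*}
ALERTREST=${ALERTID#*.}
ALERTLAST=${ALERTREST%%.*}


# Logging
# Stop if the directory cannot be entered; otherwise the log paths below
# would be resolved against whatever directory the caller happened to be in.
cd "$LOCAL" || exit 1
cd ../ || exit 1
BASEDIR=$(pwd)
LOGFILE="${BASEDIR}/../logs/active-responses.log"
ALERTSLOG="${BASEDIR}/../logs/alerts/alerts.log"
printf '%s\n' "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "$LOGFILE"

# Both id parts are interpolated into grep patterns below. An empty part
# would match every line of alerts.log and a non-numeric one would be read
# as a regular expression, so anything but digits is refused.
for IDPART in "$ALERTTIME" "$ALERTLAST"; do
    case "$IDPART" in
        ''|*[!0-9]*)
            printf '%s\n' "$(date) $0: Invalid alert id, nothing sent." >> "$LOGFILE"
            exit 1
            ;;
    esac
done

# The text pulled from alerts.log can contain data taken from monitored logs,
# so it is treated as untrusted from here on. Each line is cut to 139 chars.
ALERTFULL=$(grep -A 10 "$ALERTTIME" "$ALERTSLOG" \
    | grep -v -A 10 "\.$ALERTLAST: " \
    | grep -v "Src IP: " \
    | grep -v "User: " \
    | grep -A 4 "Rule: " \
    | cut -c -139)


# Checking if we are sending direct message or not.
# NOTE(review): both endpoints are plain http, so the Basic-auth credentials
# and the alert text cross the network unencrypted; use an https endpoint if
# the service offers one.
if [ -z "$DIRECTMSGUSER" ]; then
    SITE="http://twitter.com/statuses/update.xml"
    REQUESTUSER=""
    REQUESTMSG="status=$(urlencode "$ALERTFULL")"
else
    SITE="http://twitter.com/direct_messages/new.xml"
    REQUESTUSER="user=$(urlencode "$DIRECTMSGUSER")&"
    REQUESTMSG="text=$(urlencode "$ALERTFULL")"
fi
POSTDATA="source=$SOURCE&$REQUESTUSER$REQUESTMSG"


if command -v curl > /dev/null 2>&1; then
    # Hand the credentials to curl as a config line on stdin (-K -) instead of
    # -u on the command line, where they would show up in the process list.
    # Backslashes and double quotes are escaped for curl's quoted-string syntax.
    CURLAUTH=$(printf '%s' "$TWITTERUSER:$TWITTERPASS" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s"\n' "$CURLAUTH" \
        | curl -K - -d "$POSTDATA" "$SITE" 2>> "$LOGFILE"
    exit 0
elif command -v wget > /dev/null 2>&1; then
    # NOTE(review): wget still receives the password as a command-line option,
    # so local users can see it in the process list while the request runs;
    # prefer the curl path or move the credentials into a protected wgetrc.
    wget --keep-session-cookies --http-user="$TWITTERUSER" \
        --http-password="$TWITTERPASS" --post-data="$POSTDATA" \
        "$SITE" 2>> "$LOGFILE"
    exit 0
fi

printf '%s\n' "$(date) $0: Unable to find curl or wget." >> "$LOGFILE"
exit 1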