[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ossec-list
Subject:    [ossec-list] Re: Tweets not working
From:       tm <trevor.a.b.mcleod () gmail ! com>
Date:       2010-02-12 22:23:54
Message-ID: 7b19c33b-ff14-4404-a6dd-6ba1181a0ce3 () t34g2000prm ! googlegroups ! com

Final solution:

# Logging
cd $LOCAL
cd ../
PWD=`pwd`
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
# Original multi-line extraction from ossec-tweeter.sh, kept for reference:
#ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | cut -c -139`
# Keep only the "Rule: " line of the alert with this ID (the "** Alert <id>:" header line is dropped).
ALERTFULL=`grep -A 2 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTID: " | grep "Rule: "`
ALERTFULL="$6 $ALERTID $ALERTFULL"

# Checking if we are sending direct message or not.
if [ "x" = "x$DIRECTMSGUSER" ]; then
    SITE="http://twitter.com/statuses/update.xml"
    REQUESTUSER=""
    REQUESTMSG="status=$ALERTFULL"
else
    SITE="http://twitter.com/direct_messages/new.xml"
    REQUESTUSER="user=$DIRECTMSGUSER&"
    REQUESTMSG="text=$ALERTFULL"
fi

REQUESTMSG=`echo $REQUESTMSG | cut -c -139`
echo $REQUESTMSG >> ${PWD}/../logs/active-responses.log

Note that prepending $6 to $ALERTFULL only works if the alert is
coming in from a host running the OSSEC agent.  If the alert is on the
host running the OSSEC server, then the hostname is not included in
the call to ossec-tweeter.sh and $6 becomes the name of the logfile.
This patch is just for testing purposes to see if the whole concept
works.

Cheers
Trevor

On Feb 11, 8:31 am, Trevor McLeod <trevor.a.b.mcl...@gmail.com> wrote:
> Hello,
>
> I have configured our OSSEC server to tweet alerts with a severity of >= 10
> as per the instructions on your website.
>
> If I launch an ssh brute force attack against one of our hosts with an OSSEC
> agent installed, an alert is generated, it is logged, an e-mail is sent out
> but no tweet.
>
> I have narrowed down the problem to the fact that the tweet is longer than
> 139 characters.
>
> Further, this logic, in ossec-tweeter.sh, seems to be the source of the
> problem:
>
> ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep
> -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep
> "Rule: " -A 4 | cut -c -139`
>
> I can't quite figure out what you are trying to do here.  If I replace your
> line with something like ALERTFULL="Testing 1-2-3" I get a tweet when the
> ssh brute force attack is launched.  If I replace my line with your original
> line and echo the value of $ALERTFULL to the log file, it contains far more
> than 139 characters.
>
> Part of the problem seems to be the last grep:  "Rule: " -A 4 | cut -c
> -139.  All that guarantees is a maximum of 4 lines where each line is no
> longer than 139 characters.  Certainly the total number of characters could
> exceed 139 (4 rows x 139 characters each).
>
> The logic seems to be to find all lines that contain the alert time followed
> by 10 lines.  Then you are filtering out all the lines that match the last
> part of the alert id (the part after the period) as well as all lines that
> contain the source IP and User.  As I mentioned, I can’t quite figure out
> what you are trying to do here.
>
> I’d appreciate any help you can offer.
>
> Cheers!
>
> Trevor
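
The following is an added example, not code from ossec-tweeter.sh or from either
message in this thread. It shows the two points raised above in a form that can
be run against a sample alerts.log: pulling the "Rule:" line of one alert out of
alerts.log by its alert ID and cutting the whole tweet (not each grep'd line) to
the 140-character limit, and deriving the reporting host from the alert's own
location line instead of from $6, which, as Trevor notes, is the agent name only
for agent alerts and the log file name for alerts raised on the OSSEC server
itself. The alerts.log layout it parses (a "** Alert <id>:" header, a
"<date> (agent) ip->file" or "<date> host->file" location line, then the
"Rule: ..." line, blocks separated by a blank line) is an assumption about what
ossec-analysisd writes; the sample log, the host names and the local rule 100500
with its long description are constructed so that the truncation path is
exercised.

```shell
#!/bin/sh
# Added example, not code from ossec-tweeter.sh or from the thread.
# Assumption: alerts.log blocks look like the constructed sample below, i.e.
#   "** Alert <id>: ..." / "<date> (agent) ip->file" or "<date> host->file" /
#   "Rule: <id> (level N) -> '<description>'" / ..., separated by blank lines.
# The second alert uses a constructed local rule ID (100500) and an over-long
# description so that the 140-character cut is actually exercised.

ALERTLOG=$(mktemp)
trap 'rm -f "$ALERTLOG"' EXIT
cat > "$ALERTLOG" <<'EOF'
** Alert 1265948634.12345: mail  - syslog,sshd,authentication_failures,
2010 Feb 12 14:23:54 (webhost) 10.0.0.5->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.168.1.20
User: root
Feb 12 14:23:52 webhost sshd[2351]: Failed password for root from 192.168.1.20 port 50231 ssh2
Feb 12 14:23:53 webhost sshd[2351]: Failed password for root from 192.168.1.20 port 50231 ssh2

** Alert 1265948700.13000: mail  - local,
2010 Feb 12 14:25:00 ossec-server->/var/log/auth.log
Rule: 100500 (level 12) -> 'Constructed long rule description used to exercise the 140 character tweet limit discussed in this thread and then some.'
Src IP: 10.9.8.7
User: admin
Feb 12 14:24:58 ossec-server sshd[999]: Failed password for admin from 10.9.8.7 port 4000 ssh2
EOF

# alert_block ID FILE: the lines of the alert whose header carries exactly ID,
# up to the next blank line.  A literal index() match avoids treating the dot
# in "1265948634.12345" as a regex metacharacter, which grep "$ALERTID" does.
alert_block() {
    awk -v id="$1" '
        $0 == "" { inblock = 0 }
        inblock  { print }
        index($0, "** Alert " id ":") == 1 { inblock = 1; print }
    ' "$2"
}

# alert_host BLOCK: reporting host taken from the location line (line 2).
# "(agent) ip->file" yields the agent name; "host->file" yields the host,
# so the result does not depend on whether $6 was an agent name or a file.
alert_host() {
    printf '%s\n' "$1" | awk 'NR == 2 {
        if (match($0, /\([^)]*\)/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
        n = split($0, f, " "); loc = f[n]; sub(/->.*/, "", loc); print loc; exit
    }'
}

# alert_rule BLOCK: the single "Rule:" line (rule id, level, description).
alert_rule() {
    printf '%s\n' "$1" | grep '^Rule: ' | head -n 1
}

# tweet_text ID FILE: "<host> <id> <Rule line>" cut to 140 characters as one
# string, so the limit holds for the message rather than per grep'd line.
# Returns 1 when the alert ID is not present in FILE.
tweet_text() {
    tt_block=$(alert_block "$1" "$2")
    [ -n "$tt_block" ] || return 1
    tt_host=$(alert_host "$tt_block")
    tt_rule=$(alert_rule "$tt_block")
    printf '%s %s %s\n' "$tt_host" "$1" "$tt_rule" | cut -c -140
}

# Agent alert: host comes from "(webhost)"; server alert: from "ossec-server->".
tweet_text 1265948634.12345 "$ALERTLOG"
tweet_text 1265948700.13000 "$ALERTLOG"
```

To wire this into an active-response script, call tweet_text with the alert ID
the script receives (ALERTID in the script quoted above) and the path to
alerts.log, and post the result with curl --data-urlencode "status=..." rather
than -d with the raw string: the Rule line carries quotes, spaces and "->",
which must be percent-encoded in a POST body. The 140-character cut here is
applied to the message alone; the original script cut REQUESTMSG, so its 139
characters also had to cover the "status=" prefix.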
