Re: [ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname

2018-04-24 Thread Florin Andrei
$ diff -u ossec-slack.sh ossec-slack.sh.old 
--- ossec-slack.sh2018-04-24 18:51:45.0 -0700
+++ ossec-slack.sh.old2018-04-24 18:52:10.0 -0700
@@ -27,9 +27,6 @@
 echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> 
${PWD}/../logs/active-responses.log
 ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep 
-v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep 
"Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`
 
-# add the agent ID
-ALERTFULL=`echo ${6}; echo ${ALERTFULL}`
-
 PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": 
"'"${ALERTFULL}"'"}'
 
 ls "`which curl`" > /dev/null 2>&1
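Review bot: the diff arguments are reversed (`diff -u ossec-slack.sh ossec-slack.sh.old` puts the modified file on the `---` side), so the three lines you added appear as `-` lines and applying this with patch(1) to a stock ossec-slack.sh would try to remove lines that are not there; regenerate it as `diff -u ossec-slack.sh.old ossec-slack.sh` before opening the pull request. In the added block, `echo ${ALERTFULL}` is unquoted, so the multi-line alert text is word-split and re-joined onto a single line and any glob characters in it are expanded by the shell; `printf '%s\n' "${6}" "${ALERTFULL}"` keeps the line structure and avoids both. The agent value from `$6` also goes into `PAYLOAD` with no JSON escaping, like the existing fields, so a double quote or backslash in it breaks the request body (the `sed 's/\"//g'` on the grep pipeline only covers the alert text, not `$6`).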

On Monday, September 11, 2017 at 10:10:16 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Sep 11, 2017 at 7:56 AM, Fredrik Hilmersson 
>  wrote: 
> > Hello, 
> > 
> > I'm wondering if it would be possible to do a small update regarding the 
> > ossec-slack integration to report which host the integrity check reports 
> > come from. 
> > Today an alert message looks like: 
> > 
> > Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).' 
> > Integrity checksum changed for: '/usr/bin/lxc' 
> > Old md5sum was: 'checksum' 
> > New md5sum is : 'checksum' 
> > Old sha1sum was: 'checksum' 
> > 
> > however, it obviously doesn't state on which agent the checksum change 
> > occurred. Hopefully you could add this to the ossec-slack integration. 
> > 
>
> I won't use ossec-slack.sh, so if you can come up with a diff and post 
> a pull request, I'll merge it. 
>
> > Kind regards, 
> > Fredrik 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to ossec-list+...@googlegroups.com . 
> > For more options, visit https://groups.google.com/d/optout. 
>



[ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname

2017-09-11 Thread Fredrik Hilmersson
Hello,

I'm wondering if it would be possible to do a small update regarding the 
ossec-slack integration to report which host the integrity check reports 
come from.
Today an alert message looks like:

Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/usr/bin/lxc'
Old md5sum was: 'checksum'
New md5sum is : 'checksum'
Old sha1sum was: 'checksum'

however, it obviously doesn't state on which agent the checksum change 
occurred. Hopefully you could add this to the ossec-slack integration.

Kind regards,
Fredrik
