Hello,


I have configured our OSSEC server to tweet alerts with a severity of >= 10
as per the instructions on your website.



If I launch an ssh brute force attack against one of our hosts with an OSSEC
agent installed, an alert is generated, it is logged, an e-mail is sent out
but no tweet.



I have narrowed down the problem to the fact that the tweet is longer than
139 characters.



Further, this logic, in ossec-tweeter.sh, seems to be the source of the
problem:



ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | \
  grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | \
  grep "Rule: " -A 4 | cut -c -139`



I can't quite figure out what you are trying to do here.  If I replace your
line with something like ALERTFULL="Testing 1-2-3" I get a tweet when the
ssh brute force attack is launched.  If I replace my line with your original
line and echo the value of $ALERTFULL to the log file, it contains far more
than 139 characters.



Part of the problem seems to be the last grep:  grep "Rule: " -A 4 | cut -c
-139.  All that guarantees is a maximum of 4 lines where each line is no
longer than 139 characters.  Certainly the total number of characters could
exceed 139 (4 rows x 139 characters each).



The logic seems to be to find all lines that contain the alert time followed
by 10 lines.  Then you are filtering out all the lines that match the last
part of the alert id (the part after the period) as well as all lines that
contain the source IP and User.  As I mentioned, I can't quite figure out
what you are trying to do here.



I'd appreciate any help you can offer.



Cheers!

Trevor
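An added example, not the line from ossec-tweeter.sh quoted above nor code from the poster: it keeps the same line selection (the "Rule:" line plus the four lines after it, minus the "Src IP:" and "User:" lines) but joins the lines into one string before a single cut, so the whole tweet is bounded by the limit rather than each line separately. The function name build_tweet and the alerts.log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Constructed alerts.log excerpt in OSSEC's alert layout (sample data, not a real capture).
SAMPLE_ALERT=$(cat <<'EOF'
** Alert 1330603200.12345: mail  - syslog,sshd,authentication_failed,
2012 Mar 01 12:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.0.2.50
User: root
Mar  1 12:00:00 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 40122 ssh2
Mar  1 12:00:01 web01 sshd[2103]: Failed password for root from 192.0.2.50 port 40124 ssh2
Mar  1 12:00:02 web01 sshd[2105]: Failed password for root from 192.0.2.50 port 40126 ssh2
EOF
)

# build_tweet ALERT_TIME FILE [LIMIT]
# Same selection as the script's pipeline, but the selected lines are joined
# with spaces first and the cut runs once over the joined string, so the result
# never exceeds LIMIT characters in total (default 139, as in the script).
build_tweet() {
    alert_time=$1
    file=$2
    limit=${3:-139}
    grep -A 10 "$alert_time" "$file" \
        | grep -v 'Src IP: ' \
        | grep -v 'User: ' \
        | grep -A 4 'Rule: ' \
        | tr '\n' ' ' \
        | cut -c -"$limit"
}

# Stand-alone demo: write the sample alert to a temp file and print the tweet.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ALERT" > "$tmp"
build_tweet 1330603200.12345 "$tmp"
rm -f "$tmp"
```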
