Re: [ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname
$ diff -u ossec-slack.sh ossec-slack.sh.old --- ossec-slack.sh2018-04-24 18:51:45.0 -0700 +++ ossec-slack.sh.old2018-04-24 18:52:10.0 -0700 
@@ -27,9 +27,6 @@ echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " |grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'` -# add the agent ID -ALERTFULL=`echo ${6}; echo ${ALERTFULL}` - PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}' ls "`which curl`" > /dev/null 2>&1

On Monday, September 11, 2017 at 10:10:16 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Sep 11, 2017 at 7:56 AM, Fredrik Hilmersson wrote:
> > Hello,
> >
> > I'm wondering if it would be possible to do a small update regarding the
> > ossec-slack integration to report from which host the integrity check
> > reports from.
> > Today an alert message looks like:
> >
> > Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
> > Integrity checksum changed for: '/usr/bin/lxc'
> > Old md5sum was: 'checksum'
> > New md5sum is : 'checksum'
> > Old sha1sum was: 'checksum'
> >
> > however, it obviously doesn't state on which agent the checksum change
> > occurred. Hopefully you could add this to the ossec-slack integration.
> >
>
> I won't use ossec-slack.sh, so if you can come up with a diff and post
> a pull request, I'll merge it.
>
> > Kind regards,
> > Fredrik

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
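Review bot: the diff was taken in the wrong direction (`diff -u ossec-slack.sh ossec-slack.sh.old`, new file first), so the two lines you actually added, `# add the agent ID` and `ALERTFULL=\`echo ${6}; echo ${ALERTFULL}\``, appear as `-` removals; run it with the old file first (or use `git diff`) before opening the pull request, otherwise the hunk applies as a revert. In that added line both expansions are unquoted, so `echo ${ALERTFULL}` word-splits the multi-line alert into one space-joined line and glob-expands any `*` or `?` in it; if the line breaks are meant to survive, quote them, e.g. `ALERTFULL=$(printf '%s\n%s' "$6" "$ALERTFULL")`. The comment calls `$6` the agent ID; since the script already logs `$1` through `$8` to active-responses.log, it would help to state in the commit message which active-response positional argument that is, so a reader can check it against that log. Finally, the value is spliced straight into the `PAYLOAD` JSON string with no escaping, exactly like the existing alert text, so a double quote or backslash in an agent name produces an invalid payload.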
Re: [ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname
On Mon, Sep 11, 2017 at 7:56 AM, Fredrik Hilmersson wrote:
> Hello,
>
> I'm wondering if it would be possible to do a small update regarding the
> ossec-slack integration to report from which host the integrity check
> reports from.
> Today an alert message looks like:
>
> Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
> Integrity checksum changed for: '/usr/bin/lxc'
> Old md5sum was: 'checksum'
> New md5sum is : 'checksum'
> Old sha1sum was: 'checksum'
>
> however, it obviously doesn't state on which agent the checksum change
> occurred. Hopefully you could add this to the ossec-slack integration.

I won't use ossec-slack.sh, so if you can come up with a diff and post a pull request, I'll merge it.

> Kind regards,
> Fredrik
[ossec-list] OSSEC 2.9.2 Slack integration integrity check alert no hostname
Hello,

I'm wondering if it would be possible to do a small update regarding the ossec-slack integration to report from which host the integrity check reports from.
Today an alert message looks like:

Rule: 551 (level 7) -> 'Integrity checksum changed again (2nd time).'
Integrity checksum changed for: '/usr/bin/lxc'
Old md5sum was: 'checksum'
New md5sum is : 'checksum'
Old sha1sum was: 'checksum'

however, it obviously doesn't state on which agent the checksum change occurred. Hopefully you could add this to the ossec-slack integration.

Kind regards,
Fredrik
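As an added example (not the OSSEC project's ossec-slack.sh, and not the diff posted in this thread), the fragment below shows one way to put the reporting agent on the first line of the Slack message while JSON-escaping the text, so a quote or backslash in the alert body or in the agent name cannot break the payload. The agent name is assumed to be handed in by the caller (in the active-response script it would come from the positional arguments), and the sample alert is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the OSSEC project's ossec-slack.sh.
# Builds the Slack payload with the agent name on the first line and the
# alert text JSON-escaped, instead of splicing raw text into the JSON string.

# json_escape STRING -> prints STRING with \, " and newlines escaped
# for use inside a JSON string literal. sed works per line; awk joins the
# lines back together with a literal \n.
json_escape() {
    printf '%s' "$1" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# build_payload CHANNEL USERNAME AGENT ALERTTEXT -> prints the JSON payload.
# AGENT is assumed to be supplied by the caller (hypothetical parameter here).
build_payload() {
    channel=$1
    user=$2
    agent=$3
    alert=$4
    text=$(json_escape "Agent: ${agent}
${alert}")
    printf '{"channel": "%s", "username": "%s", "text": "%s"}' \
        "$(json_escape "$channel")" "$(json_escape "$user")" "$text"
}

# Constructed sample input (not a real alert): two lines, with a double quote
# in the path to show the escaping at work.
SAMPLE_ALERT='Rule: 551 (level 7) -> Integrity checksum changed again (2nd time).
Integrity checksum changed for: "/usr/bin/lxc"'

# demo_payload -> the payload for the constructed sample, agent name "web01".
demo_payload() {
    build_payload '#ossec' 'ossec' 'web01' "$SAMPLE_ALERT"
}

printf '%s\n' "$(demo_payload)"
```

The output of `build_payload` is the string to hand to the curl call the existing script already makes; validating it with any JSON parser before posting is a cheap way to catch an escaping gap in a new field.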