OSSec+SMS

From Atomicorp Wiki
Revision as of 16:09, 28 June 2024 by Mshinn (Talk | contribs)


OSSEC SMS notification on CentOS with ASL


This tutorial shows how to use the OSSEC active-response mechanism shipped with ASL (Atomic Secured Linux) to send alerts to your phone as SMS messages through the Clickatell gateway. Each alert at or above the configured level runs a small shell script that fetches the alert header from alerts.log and hands it to smssend.



1) Create an account with Clickatell (they will be providing the SMS gateway service)

2) Add some credit to your account

3) Create a "Connection" for the HTTP API and note your API_ID

4) Download and install smssend

wget http://www.barsnick.net/sw/smssend-3.2-1.i586.rpm

yum install smssend-3.2-1.i586.rpm

5) Create the .sms script that smssend will use. It only describes the Clickatell HTTP interface; the credentials, phone number and message are passed to smssend as parameters at send time.

cat > /usr/share/smssend/clickatell.sms << "EOF"
NbParams 7
%Sessionid : Session ID
%Login : Your username
%Password : Your Pass
%ApiID : Your API ID
%Sender : API Sender Name
%Tel : Phone number To Send Message To
%Message Size=160 Convert : Your message

PostURL https://api.clickatell.com/http/sendmsg?
#GetURL https://api.clickatell.com/http/sendmsg?
#Params session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
PostData session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
Search ID:
PrintMsg message sent
Else
ErrorMsg 1 error sending message
GO
EOF

6) Add the following to /var/ossec/etc/ossec.conf (inside the <ossec_config> element)

  <command>
    <name>smsnotify</name>
    <executable>smsnotify.sh</executable>
    <expect>srcip</expect>
  </command>

  <active-response>
    <!-- This response will notify the admin via
       - sms for every event that fires a rule with
       - level (severity) >= 10. Because the command
       - above expects srcip, only alerts that carry a
       - source IP trigger it; use <expect></expect> on
       - the command if every level 10+ alert should
       - be texted.
      -->
    <command>smsnotify</command>
    <location>local</location>
    <level>10</level>
  </active-response>

7) Create the active-response script smsnotify.sh, replacing yourapi_id, yourusername, yourpassword and yourphoneNo with your Clickatell details

cat > /var/ossec/active-response/bin/smsnotify.sh << "EOF"
#!/bin/sh
# OSSEC active-response script: SMS the alert header via Clickatell.
# OSSEC invokes it as:
#   smsnotify.sh <action> <user> <srcip> <alertid> <ruleid> <agent> <filename>
# Replace yourapi_id, yourusername, yourpassword and yourphoneNo below.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
ACTION=$1
USER=$2
IP=$3
ALERTID=$4

# Only "add" (alert fired) matters; OSSEC sends "delete" when a response
# timeout expires, and no timeout is configured here.
[ "$ACTION" = "add" ] || exit 0

# Record the invocation in the standard active-response log
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> /var/ossec/logs/active-responses.log

# Getting alert header: the Rule line and the Src IP line that follow the
# "** Alert <id>:" line. Match on the full id (epoch.counter); the epoch
# alone is shared by every alert raised in the same second.
LOG=`grep -F -A 3 "Alert $ALERTID:" /var/ossec/logs/alerts/alerts.log | tail -n 2`

# Create a session. Use https, not http, so the API credentials are not sent
# in the clear, and keep the reply in a fresh private temp file rather than
# a fixed name in /tmp that another local user could pre-create or symlink.
SESSFILE=`mktemp` || exit 1
wget "https://api.clickatell.com/http/auth?api_id=yourapi_id&user=yourusername&password=yourpassword" -O "$SESSFILE" -q

# The reply is "OK: <sessionid>"; keep only the session id
sessionid=`awk '{print $2}' "$SESSFILE"`
rm -f "$SESSFILE"

# Send sms (the password is visible to local users via ps while smssend runs)
smssend clickatell.sms "$sessionid" yourusername yourpassword yourapi_id "ServerAlert" yourphoneNo "$LOG"
EOF

chmod 755 /var/ossec/active-response/bin/smsnotify.sh

8) Run asl -f -s to restart OSSEC and you are good to go :)
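Before wiring the script into OSSEC it is worth checking the two parsing steps it relies on against known input. The block below is an added example, not code from the Atomicorp page or from ASL: the function names alert_header and session_id are mine, the alerts.log lines are constructed in OSSEC's alert format with documentation IP addresses, and the "OK: <id>" / "ERR: ..." reply shape is assumed from the way the page's script reads the second field of the auth reply. It shows why the full alert id must be matched (two alerts in the same second share the epoch prefix) and how a failed Clickatell login should stop the send instead of producing an SMS with an empty session id.

```shell
#!/bin/sh
# Added example, not part of the Atomicorp page: exercises the two parsing
# steps that smsnotify.sh depends on, offline and against constructed data.
#   alert_header  - pull one alert's Rule and Src IP lines out of alerts.log
#   session_id    - parse the Clickatell http/auth reply ("OK: <id>" / "ERR: ...")
# The alert lines are constructed in OSSEC alerts.log format; the IPs are
# documentation addresses and the session id is a placeholder.

# Constructed alerts.log with two alerts raised in the same second (shared
# epoch prefix 1719590940), the case where matching on the epoch alone
# returns the wrong alert.
SAMPLE_ALERTS=$(mktemp)
trap 'rm -f "$SAMPLE_ALERTS"' EXIT
cat > "$SAMPLE_ALERTS" << 'EOF'
** Alert 1719590940.10000: - syslog,sshd,authentication_failed,
2024 Jun 28 16:09:00 host1->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.10
Jun 28 16:09:00 host1 sshd[2101]: Failed password for root from 203.0.113.10 port 51022 ssh2

** Alert 1719590940.10150: - syslog,sshd,authentication_failures,
2024 Jun 28 16:09:00 host1->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.7
Jun 28 16:09:00 host1 sshd[2108]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
EOF

# alert_header <alertid> <alerts.log>: the same "grep -A 3 | tail -n 2" shape
# the active-response script uses, anchored on the full "Alert <id>:" header
# so a neighbouring alert with the same epoch cannot be picked up.
alert_header() {
    grep -F -A 3 "** Alert $1:" "$2" | tail -n 2
}

# session_id <reply>: print the session id from a successful Clickatell auth
# reply; fail (return 1) on "ERR: ..." or anything unexpected, so the caller
# never sends an SMS with an empty session id.
session_id() {
    case "$1" in
        "OK: "*) printf '%s\n' "$1" | awk '{print $2}' ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show the header OSSEC would text for the level 10 alert,
# and how a failed auth reply is rejected.
alert_header 1719590940.10150 "$SAMPLE_ALERTS"
session_id 'ERR: 001, Authentication failed' || echo "auth failed, no SMS sent"
```

To use the same checks inside smsnotify.sh, call session_id on the contents of the auth reply file and exit when it fails; an empty or error session id otherwise reaches smssend as an ordinary parameter and the failure only shows up as a missing text message.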

Enjoy
