Saturday, 24 May 2008

Ossec plugin for sms notification

1. Create an account with Clickatell (they will be providing the sms gateway service)

2. Add some credit to your account

3. Create a "Connection" and note your API_ID

4. Download and install smssend
wget http://www.barsnick.net/sw/smssend-3.2-1.i586.rpm
yum install smssend-3.2-1.i586.rpm

or (for Slackware users)

wget http://linuxpackages.inode.at/Slackware-10.2/Console/smssend/smssend-3.4-i486-2alt.tgz

installpkg smssend-3.4-i486-2alt.tgz

5. Create the .sms file you will be using
cat > /usr/share/smssend/clickatell.sms << "EOF"
NbParams 7
%Sessionid : Session ID
%Login : Your username
%Password : Your Pass
%ApiID : Your API ID
%Sender : API Sender Name
%Tel : Phone number To Send Message To
%Message Size=160 Convert : Your message

PostURL https://api.clickatell.com/http/sendmsg?
#GetURL https://api.clickatell.com/http/sendmsg?
#Params session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
PostData session_id=\%Sessionid%&from=\%Sender%&user=\%Login%&password=\%Password%&api_id=\%ApiID%&to=\%Tel%&text=\%Message%
Search ID:
PrintMsg message sent
Else
ErrorMsg 1 error sending message
GO
EOF

6. Add the following to your /var/ossec/etc/ossec.conf
<command>
  <name>smsnotify</name>
  <executable>smsnotify.sh</executable>
  <expect>srcip</expect>
</command>

<active-response>
  <!-- This response will notify the admin via
     - sms for every event that fires a rule with
     - level (severity) >= 10.
  -->
  <command>smsnotify</command>
  <location>local</location>
  <level>10</level>
</active-response>

7. Create your own smsnotify.sh
cat > /var/ossec/active-response/bin/smsnotify.sh << "EOF"
#!/bin/sh
# OSSEC active response: send the triggering alert as an SMS via Clickatell.
# OSSEC runs this as: smsnotify.sh <action> <user> <srcip> <alertid> <ruleid> <agent> <filename>

PATH=/sbin:/bin:/usr/sbin:/usr/bin
ACTION=$1
USER=$2
IP=$3
ALERTID=$4

# Fill these in from your Clickatell account (steps 1 and 3)
API_ID='yourapi_id'
SMS_USER='yourusername'
SMS_PASS='yourpassword'
SMS_TO='yourphoneNo'

# Alert ids look like 1211634000.12345; the part before the dot is the
# timestamp that the "** Alert" header in alerts.log carries
ALERTTS=`echo "$ALERTID" | cut -d "." -f 1`

# Getting alert header
LOG=`grep -A 3 "$ALERTTS" /var/ossec/logs/alerts/alerts.log | tail -n 2`

# Create a session over https (the credentials are in the URL, so do not
# send them in the clear) and save the reply to a non-predictable temp file
SESSFILE=`mktemp /tmp/sessionid.XXXXXX` || exit 1
wget "https://api.clickatell.com/http/auth?api_id=$API_ID&user=$SMS_USER&password=$SMS_PASS" -O "$SESSFILE" -q

# The auth reply is "OK: <session id>"; use only the session id for the variable
sessionid=`awk '{print $2}' "$SESSFILE"`
rm -f "$SESSFILE"

# Send sms
smssend clickatell.sms "$sessionid" "$SMS_USER" "$SMS_PASS" "$API_ID" "ServerAlert" "$SMS_TO" "$LOG"
EOF

chmod 755 /var/ossec/active-response/bin/smsnotify.sh

8. Do an asl -f -s to restart ossec and you are good to go
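The `grep -A 3 | tail -n 2` in step 7 picks two fixed lines out of the alert, which breaks when an alert has a different number of lines (a "User:" line, for instance). The following is an added example, not part of the original post: it walks alerts.log for the exact alert id OSSEC passes as $4, returns the whole alert block, and builds a message that fits the 160-character limit set in clickatell.sms. The sample alerts.log is constructed here to make it runnable; the real file is /var/ossec/logs/alerts/alerts.log.

```shell
#!/bin/sh
# Added example: select one alert from an OSSEC alerts.log by its full id.
# Each alert starts with "** Alert <id>: ..." and ends at a blank line.

# Constructed sample alerts.log (two alerts, same source IP)
SAMPLE_LOG=`mktemp /tmp/alerts.XXXXXX` || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
** Alert 1211634000.12345: mail  - syslog,sshd,authentication_failed,
2008 May 24 10:00:00 host->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
May 24 10:00:00 host sshd[1234]: Failed password for root from 192.0.2.10 port 2222 ssh2

** Alert 1211634060.12399: - syslog,sshd,authentication_failures,
2008 May 24 10:01:00 host->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
May 24 10:00:59 host sshd[1240]: Failed password for root from 192.0.2.10 port 2230 ssh2

EOF

# ossec_alert_block <alertid> <alerts.log>
# Prints every line of the alert whose header is "** Alert <alertid>:".
# index() is a literal match, so the dot in the id is not a regex wildcard
# and 1211634000.12345 cannot match 1211634000.123456.
ossec_alert_block() {
    awk -v id="$1" '
        /^\*\* Alert / { inblock = (index($0, "** Alert " id ":") == 1) }
        inblock && /^$/ { exit }
        inblock         { print }
    ' "$2"
}

# ossec_alert_sms <alertid> <alerts.log>
# One-line SMS body: the "Rule:" line plus the last line of the block (the
# original log entry), cut to the 160 characters clickatell.sms allows.
ossec_alert_sms() {
    ossec_alert_block "$1" "$2" \
        | awk '/^Rule: / { rule = $0 } { last = $0 } END { print rule " | " last }' \
        | cut -c1-160
}
```

Call `ossec_alert_sms "$4" /var/ossec/logs/alerts/alerts.log` from the active-response script to get the text to hand to smssend.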

update to come...