Never Ending Security


Sending OSSEC Alerts Over Jabber (XMPP)

In this article I'll use procmail to call a script that sends the OSSEC alert via Jabber.

As a recap:

  1. OSSEC generates an alert whose level is high enough to send an e-mail;
  2. The MTA (Postfix) delivers it through procmail as delivery agent, because of the mailbox_command = /usr/bin/procmail setting in /etc/postfix/;
  3. procmail runs the recipe in the home directory of the user the mail is addressed to (/var/ossec/.procmailrc);
  4. That recipe executes a script that sends the alert as a GPG-encrypted mail.
Point 4 is where we go further. First create the text file that the alert will be written to:
touch /var/ossec/tmp/alert.txt

Give it the right owner and permissions:

chown ossec:root /var/ossec/tmp/alert.txt
chmod 664 /var/ossec/tmp/alert.txt

Note that 664 makes the file world-readable; alerts carry hostnames, usernames and log fragments, so if other local users exist on the box, 660 is the safer choice (procmail writes the file as the ossec user, so it needs nothing more).

The script that sends the Jabber message is called from the script that procmail already runs (point 4 above). The latter will now look like this:

#!/bin/sh
# formail rewrites the header given to -I and passes the whole mail through
/usr/bin/formail -I "" > /var/ossec/tmp/alert.txt
# Encrypt the alert to the recipient key and mail it; $SUBJECT is expected from the calling procmail recipe
/usr/bin/gpg --homedir /var/ossec/.gnupg --trust-model always -ear "" < /var/ossec/tmp/alert.txt | /usr/bin/mail -s "$SUBJECT"
# Hand the same alert file to the Jabber script
/usr/bin/python /var/ossec/ /var/ossec/tmp/alert.txt

Be aware that --trust-model always skips GPG's trust check on the recipient key; that is only acceptable because the key in /var/ossec/.gnupg was imported deliberately and nobody else can write to that keyring.

Now, let's create the /var/ossec/ script. First download the xmpppy module, extract it with the usual tar zxvf, change into the unpacked directory and install it with python setup.py install. Then create the script and add the following:

#!/usr/bin/python
import sys, os, xmpp, time

if len(sys.argv) < 3:
    print "Syntax: xsend JID file"
    sys.exit(1)

tojid = sys.argv[1]                   # recipient of the alert
msg = open(sys.argv[2], 'r').read()   # the alert written by the handler script

username = ''   # from whom will the message be sent (full JID)
password = 'test'

# Connect and authenticate with the xmpppy Client API
jid = xmpp.protocol.JID(username)
cl = xmpp.Client(jid.getDomain(), debug=[])
con = cl.connect()
if not con:
    print "Could not connect"
    sys.exit(1)

auth = cl.auth(jid.getNode(), password, resource=jid.getResource())
if not auth:
    print "Authentication failed"
    sys.exit(1)

#cl.SendInitPresence(requestRoster=0)   # you may need to uncomment this for old servers
id = cl.send(xmpp.protocol.Message(tojid, msg))

time.sleep(1)   # some older servers will not send the message if you disconnect immediately after sending
cl.disconnect()


That's it. Every time OSSEC generates an alert with a level high enough to send a mail, a Jabber message is sent as well. Since the Jabber password sits in the script in plain text, make sure the script is owned by and readable only for the ossec user.
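As an added example (not the article's script), here is a Python 3 version of the hand-off that parses the alert instead of forwarding the raw file: it reads the alert mail that the handler saved, ignores anything that is not an OSSEC alert, applies its own level threshold (so the chat channel can be quieter than the mailbox), caps the log excerpt, and only then calls the same xmpppy Client API the article uses. The sample alert, the environment variable names for the credentials and the script name in the usage line are assumptions.

```python
#!/usr/bin/env python3
"""Forward an OSSEC alert mail over XMPP, with its own level threshold.

Added example for this article, not the author's script. The mail parsing and
threshold logic run offline; send_xmpp() uses the xmpppy Client API as the
article's script does. Environment variable names and the sample alert are
assumptions.
"""
import os
import re
import sys
import time
from email import message_from_string

# OSSEC alert mails carry the rule, its level and the log excerpt in a fixed body layout.
RULE_RE = re.compile(r'^Rule:\s+(\d+)\s+fired\s+\(level\s+(\d+)\)\s+->\s+"(.*)"', re.M)
SRC_RE = re.compile(r'^Received From:\s+(.+)$', re.M)
LOG_RE = re.compile(r'Portion of the log\(s\):\s*\n(.*?)\n\s*--END OF NOTIFICATION', re.S)


def parse_alert(raw_mail):
    """Return a dict for an OSSEC alert mail, or None if the mail is not one."""
    body = message_from_string(raw_mail).get_payload()   # OSSEC sends single-part text
    rule = RULE_RE.search(body)
    if not rule:
        return None          # procmail may hand us other mail: never forward blindly
    src = SRC_RE.search(body)
    log = LOG_RE.search(body)
    return {
        'rule': int(rule.group(1)),
        'level': int(rule.group(2)),
        'description': rule.group(3),
        'source': src.group(1).strip() if src else 'unknown',
        'log': log.group(1).strip() if log else '',
    }


def format_message(alert, max_log_lines=3):
    """One compact chat message; the excerpt is capped so a noisy rule cannot flood the room."""
    excerpt = alert['log'].splitlines()[:max_log_lines]
    return "OSSEC level %d, rule %d: %s\nsource: %s\n%s" % (
        alert['level'], alert['rule'], alert['description'], alert['source'],
        '\n'.join(excerpt))


def forward_alert(raw_mail, to_jid, send, min_level=7):
    """Parse, filter on level, format and hand the text to send(to_jid, text).

    Returns the text that was sent, or None when nothing was forwarded.
    min_level defaults to 7, OSSEC's default email_alert_level; raise it to keep
    mail for everything but chat messages for the serious alerts only.
    """
    alert = parse_alert(raw_mail)
    if alert is None or alert['level'] < min_level:
        return None
    text = format_message(alert)
    send(to_jid, text)
    return text


def send_xmpp(to_jid, text, from_jid, password):
    """Deliver text with xmpppy (import kept local so the parsing above needs no xmpppy)."""
    import xmpp
    jid = xmpp.protocol.JID(from_jid)
    cl = xmpp.Client(jid.getDomain(), debug=[])
    if not cl.connect():
        raise RuntimeError('could not connect to %s' % jid.getDomain())
    if not cl.auth(jid.getNode(), password, resource=jid.getResource()):
        raise RuntimeError('authentication failed for %s' % from_jid)
    cl.send(xmpp.protocol.Message(to_jid, text))
    time.sleep(1)          # some older servers drop the message if we disconnect at once
    cl.disconnect()


# Constructed sample in OSSEC's mail layout (hostnames and addresses are made up).
SAMPLE_ALERT = """\
From: ossecm@localhost
To: ossec@localhost
Subject: OSSEC Notification - (web01) 10.0.0.5 - Alert level 10

OSSEC HIDS Notification.
2015 Mar 10 12:00:01

Received From: (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Mar 10 11:59:58 web01 sshd[2011]: Failed password for invalid user admin from 192.0.2.7 port 50122 ssh2
Mar 10 11:59:59 web01 sshd[2011]: Failed password for invalid user admin from 192.0.2.7 port 50123 ssh2

 --END OF NOTIFICATION
"""

if __name__ == '__main__':
    # Usage: xmpp-alert.py <to-JID> <alert file>; credentials come from the
    # environment (assumed variable names) instead of a literal in the script.
    if len(sys.argv) != 3:
        sys.exit('usage: %s JID alert-file' % sys.argv[0])
    with open(sys.argv[2]) as f:
        raw = f.read()
    sender = lambda to, text: send_xmpp(to, text, os.environ['OSSEC_XMPP_JID'],
                                        os.environ['OSSEC_XMPP_PASSWORD'])
    if forward_alert(raw, sys.argv[1], sender) is None:
        print('not an OSSEC alert or below threshold, not forwarded')
```

The handler script would call it as python3 xmpp-alert.py JID /var/ossec/tmp/alert.txt with the two variables exported from a file only the ossec user can read. Keeping the transport behind a plain send(to, text) callable is what lets the filter be exercised without a Jabber server, which is also how you catch a regex that silently stops matching after an OSSEC upgrade.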
