Never Ending Security


Sending OSSEC Alerts Over Jabber (XMPP)

In this article I’ll use procmail to call a script that sends the OSSEC alert via Jabber (XMPP).

As a recap:

  1. OSSEC generates an alert and needs to send an email;
  2. The MTA (postfix) uses procmail as the delivery agent because of the mailbox_command = /usr/bin/procmail line in /etc/postfix/main.cf;
  3. procmail executes the recipe in the home directory of the user for whom the mail was destined (/var/ossec/.procmailrc);
  4. That recipe executes a script (send_encrypted_alarm.sh) that sends the alert as an encrypted mail.
Point 4 is where we will go further. First create a simple text file to which the alert will be written:
touch /var/ossec/tmp/alert.txt

Give it the right owner and permissions:

chown ossec:root /var/ossec/tmp/alert.txt
chmod 664 /var/ossec/tmp/alert.txt

A script that will send the jabber message will be called in send_encrypted_alarm.sh. The latter will now look like this:

#!/bin/bash
# Called by procmail with the OSSEC alert mail on stdin.

# Write the incoming mail to a file (formail -I "" passes the message through)
/usr/bin/formail -I "" > /var/ossec/tmp/alert.txt

# Reuse the original Subject: header for the encrypted copy
SUBJECT=$(/usr/bin/formail -xSubject: < /var/ossec/tmp/alert.txt)

# Encrypt the alert for the recipient (ASCII-armoured) and mail it
/usr/bin/gpg --homedir /var/ossec/.gnupg --trust-model always -ear "john@example.com" < /var/ossec/tmp/alert.txt | /usr/bin/mail -s "$SUBJECT" john@example.com

# Send the same alert as a Jabber message
/usr/bin/python /var/ossec/send_jabber_alarm.py john@jabber.example.be /var/ossec/tmp/alert.txt

Now, let’s create the /var/ossec/send_jabber_alarm.py script. First download the xmpppy module from http://sourceforge.net/projects/xmpppy/files/xmpppy/, extract it with tar zxvf, change into the unpacked directory and install it the usual way (python setup.py install). Then create send_jabber_alarm.py with the following contents:

#!/usr/bin/python
# Send the contents of a text file (the OSSEC alert) to a Jabber/XMPP address.
# Usage: send_jabber_alarm.py <destination JID> <file>
import sys,xmpp,time

if len(sys.argv) < 3:
    print "Syntax: send_jabber_alarm.py JID file"
    sys.exit(1)

tojid=sys.argv[1]
m = open(sys.argv[2],'r')
array = m.readlines()
m.close()

# the whole file becomes the message body
msg=""
for record in array:
    msg = msg + record

username = 'test@jabber.example.be' # from whom will the message be sent
password = 'test'

jid=xmpp.protocol.JID(username)
cl=xmpp.Client(jid.getDomain(),debug=[])

con=cl.connect()
if not con:
    print "Could not connect"
    sys.exit(1)

auth=cl.auth(jid.getNode(),password,resource=jid.getResource())
if not auth:
    print "Authentication failed"
    sys.exit(1)

#cl.sendInitPresence(requestRoster=0)   # you may need to uncomment this for old servers
msgid=cl.send(xmpp.protocol.Message(tojid, msg))

time.sleep(1)   # some older servers will not send the message if you disconnect immediately after sending

cl.disconnect()

That’s it. Every time an alert is generated with a level that is high enough to send a mail, a jabber message will be sent as well.
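The script above forwards the saved mail as-is, headers included. As an added example (my own code, not part of the original post, Python 3 standard library only), the helper below parses the alert mail saved in /var/ossec/tmp/alert.txt, pulls out the subject, rule id and level, and composes a shorter body; it also generalises the post by applying a separate minimum level for Jabber. The function names and the sample mail are constructed; the XMPP delivery itself stays with the xmpppy send shown above.

```python
#!/usr/bin/env python3
"""Turn an OSSEC alert e-mail (as saved by procmail) into a short XMPP body."""
import email
import re
import sys
from email import policy

# OSSEC's notification body contains a line like: Rule: 5712 fired (level 10) -> "..."
RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\)', re.M)

def parse_alert(raw_mail):
    """Return (subject, rule_id, level, body) from a raw OSSEC notification mail."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    part = msg.get_body(preferencelist=('plain',))
    body = part.get_content() if part is not None else ''
    m = RULE_RE.search(body)
    rule_id = int(m.group(1)) if m else None
    level = int(m.group(2)) if m else 0   # an unparsable alert counts as level 0
    return str(msg['Subject'] or ''), rule_id, level, body

def build_xmpp_text(raw_mail, min_level=7, max_len=600):
    """Compose the XMPP message, or return None when the alert is below min_level."""
    subject, _rule_id, level, body = parse_alert(raw_mail)
    if level < min_level:
        return None
    text = subject + "\n" + body.strip()
    if len(text) > max_len:            # keep chat clients readable
        text = text[:max_len] + "\n[truncated]"
    return text

# Constructed sample in the shape OSSEC's mail notifications take (not a real alert).
SAMPLE_MAIL = """From: ossec@ossec.example.com
To: ossec@localhost
Subject: OSSEC Notification - (web01) 192.0.2.10 - Alert level 10

OSSEC HIDS Notification.

Received From: (web01) 192.0.2.10->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Jan  1 12:00:00 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
"""
if __name__ == "__main__":
    # Usage: python3 alert_to_xmpp.py /var/ossec/tmp/alert.txt (hypothetical file name)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(path).read() if path else SAMPLE_MAIL
    out = build_xmpp_text(raw)
    print(out if out is not None else "alert below threshold, not forwarded")
```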
