Added a script for Slack notifications called notify_with_slack.sh
This commit is contained in:
parent
1fb3dca6e9
commit
b94dd5e62d
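--- a/notify_with_slack.sh
+++ b/notify_with_slack.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+#
+# Hello, lovely FastNetMon customer! I'm really happy to see you here!
+# Pavel Odintsov, author
+#
+#
+# Instructions:
+#
+# Copy this script to /usr/local/bin/
+# Edit /etc/fastnetmon.conf and set:
+# notify_script_path = /usr/local/bin/notify_with_slack.sh
+#
+# Add your email address to email_notify.
+#
+# Add your Slack incoming webhook to slack_url.
+# slack_url="https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXXX/LXXXXXXXXX"
+#
+# Notes:
+# hostname lookup requires the dig command.
+# Debian: apt-get install dnsutils
+# Redhat: yum install bind-utils
+
+#
+# For ban and attack_details actions we will receive attack details to stdin
+# if option notify_script_pass_details enabled in FastNetMon's configuration file
+#
+# If you do not need this details, please set option notify_script_pass_details to "no".
+#
+# Please do not remove the following command if you have notify_script_pass_details enabled, because
+# FastNetMon will crash in this case (it expect read of data from script side).
+#
+
+if [ "$4" = "ban" ] || [ "$4" = "attack_details" ]; then
+fastnetmon_output=$(</dev/stdin)
+fi
+
+# This script will get following params:
+# $1 client_ip_as_string
+# $2 data_direction
+# $3 pps_as_string
+# $4 action (ban or unban)
+
+# Target hostname
+hostname=`dig -x ${1} +short`
+
+# Email:
+email_notify="root,please_fix_this_email@domain.ru"
+
+# Slack:
+slack_url=""
+slack_title="FastNetMon Alert!"
+slack_text="IP: ${1}\nHostname: ${hostname}\nAttack: ${2}\nPPS: ${3}\nAction: ${4}\n\n${fastnetmon_output}"
+slack_action=${4}
+
+function slackalert () {
+if [ ! -z $slack_url ] && [ "$slack_action" = "ban" ]; then
+local slack_color="danger"
+elif [ ! -z $slack_url ] && [ "$slack_action" = "attack_details" ]; then
+local slack_color="warning"
+elif [ ! -z $slack_url ] && [ "$slack_action" = "unban" ]; then
+local slack_color="good"
+else
+return 0
+fi
+local slack_payload="{\"attachments\": [ { \"title\": \"${slack_title}\", \"text\": \"${slack_text}\", \"color\": \"${slack_color}\" } ] }"
+curl --connect-timeout 30 --max-time 60 -s -S -X POST -H 'Content-type: application/json' --data "${slack_payload}" "${slack_url}"
+}
+
+if [ "$4" = "unban" ]; then
+# Slack Alert:
+slackalert
+# Unban actions if used
+exit 0
+fi
+
+if [ "$4" = "ban" ]; then
+# Email Alert:
+echo "${fastnetmon_output}" | mail -s "FastNetMon Alert: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
+# Slack Alert:
+slackalert
+# You can add ban code here!
+# iptables -A INPUT -s $1 -j DROP
+# iptables -A INPUT -d $1 -j DROP
+exit 0
+fi
+
+if [ "$4" = "attack_details" ]; then
+# Email Alert:
+echo "${fastnetmon_output}" | mail -s "FastNetMon Analysis: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
+# Slack Alert:
+slackalert
+exit 0
+fi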
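Review bot: The `local slack_payload=` line in `slackalert` splices `${slack_text}` straight into a hand-written JSON literal, and that text carries `${hostname}` (the PTR answer from `dig -x`, which whoever controls the reverse zone of the reported IP decides) and `${fastnetmon_output}` (whatever arrived on stdin), so a `"`, a backslash or a raw newline in either one breaks the payload or rewrites the attachment fields. Build the document with jq instead, e.g. `slack_payload=$(jq -n --arg title "$slack_title" --arg text "$slack_text" --arg color "$slack_color" '{attachments: [{title: $title, text: $text, color: $color}]}')`, and then give `slack_text` real newlines (`$'IP: ...\nHostname: ...'`) rather than the literal `\n` escapes, which jq would otherwise escape again; jq is a new dependency and belongs next to dig in the Notes block. In the same function the three `[ ! -z $slack_url ]` tests leave the expansion unquoted, so with the shipped empty value they only pass because `test` treats the bare `-z` as a string; `[ -n "$slack_url" ]` says what is meant and survives a value with spaces. `slackalert` starts and ends inside the hunk.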