From b94dd5e62dd92c829aeee1ba4217d9e174ad922f Mon Sep 17 00:00:00 2001
From: Ronan Daly <ronan@blacknight.com>
Date: Tue, 9 Aug 2016 18:56:35 +0100
Subject: [PATCH] Added a script for Slack notifications called
 notify_with_slack.sh

---
 src/scripts/notify_with_slack.sh | 94 ++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100755 src/scripts/notify_with_slack.sh

diff --git a/src/scripts/notify_with_slack.sh b/src/scripts/notify_with_slack.sh
new file mode 100755
index 00000000..d75c368b
--- /dev/null
+++ b/src/scripts/notify_with_slack.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+#
+# Hello, lovely FastNetMon customer! I'm really happy to see you here!
+#  Pavel Odintsov, author 
+#
+#
+# Instructions:
+#
+# Copy this script to /usr/local/bin/
+# Edit /etc/fastnetmon.conf and set:
+# notify_script_path = /usr/local/bin/notify_with_slack.sh
+#
+# Add your email address to email_notify.
+#
+# Add your Slack incoming webhook to slack_url.
+# slack_url="https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXXX/LXXXXXXXXX"
+#
+# Notes:
+# hostname lookup requires the dig command.
+# Debian: apt-get install dnsutils
+# Redhat: yum install bind-utils
+
+#
+# For ban and attack_details actions we will receive attack details to stdin
+# if option notify_script_pass_details enabled in FastNetMon's configuration file
+#
+# If you do not need this details, please set option notify_script_pass_details to "no".
+#
+# Please do not remove the following command if you have notify_script_pass_details enabled, because
+# FastNetMon will crash in this case (it expect read of data from script side).
+#
+
+if [ "$4" = "ban" ] || [ "$4" = "attack_details" ]; then
+    fastnetmon_output=$(</dev/stdin)
+fi
+
+# This script will get following params:
+#  $1 client_ip_as_string
+#  $2 data_direction
+#  $3 pps_as_string
+#  $4 action (ban or unban)
+
+# Target hostname
+hostname=`dig -x ${1} +short`
+
+# Email:
+email_notify="root,please_fix_this_email@domain.ru"
+
+# Slack:
+slack_url=""
+slack_title="FastNetMon Alert!"
+slack_text="IP: ${1}\nHostname: ${hostname}\nAttack: ${2}\nPPS: ${3}\nAction: ${4}\n\n${fastnetmon_output}"
+slack_action=${4}
+
+function slackalert () {
+    if [ ! -z $slack_url  ] && [ "$slack_action" = "ban" ]; then
+        local slack_color="danger"
+    elif [ ! -z $slack_url  ] && [ "$slack_action" = "attack_details" ]; then
+        local slack_color="warning"
+    elif [ ! -z $slack_url  ] && [ "$slack_action" = "unban" ]; then
+        local slack_color="good"
+    else
+        return 0
+    fi
+    local slack_payload="{\"attachments\": [ { \"title\": \"${slack_title}\", \"text\": \"${slack_text}\",  \"color\": \"${slack_color}\" } ] }"
+    curl --connect-timeout 30 --max-time 60 -s -S -X POST -H 'Content-type: application/json' --data "${slack_payload}" "${slack_url}"
+}
+
+if [ "$4" = "unban" ]; then
+    # Slack Alert:
+    slackalert
+    # Unban actions if used
+    exit 0
+fi
+
+if [ "$4" = "ban" ]; then
+    # Email Alert:
+    echo "${fastnetmon_output}" | mail -s "FastNetMon Alert: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
+    # Slack Alert:
+    slackalert
+    # You can add ban code here!
+    # iptables -A INPUT -s $1 -j DROP
+    # iptables -A INPUT -d $1 -j DROP
+    exit 0
+fi
+
+if [ "$4" = "attack_details" ]; then
+    # Email Alert:
+    echo "${fastnetmon_output}" | mail -s "FastNetMon Analysis: IP $1 blocked because of $2 attack with power $3 pps" $email_notify;
+    # Slack Alert:
+    slackalert
+    exit 0
+fi