How to create custom alert script to initiate tcpdump?

b_chris21 — Sat, 12 Mar 2022 05:09:09 GMT

Hello everyone,

I am trying to create a custom alert action where tcpdump capture will be triggered for the event's src and dest IPs.

I created a simple bash script for that:

#!/bin/bash #Initiate tcpdump (3 dumps for 5mins each) tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S

My problem is that this does not contain the src and dest IPs of the correlation event triggered. How can I pass these variables here in order not to capture the whole traffic, but only the one related between these two hosts?

Thanks

Chris

Re: How to create custom alert script to initiate tcpdump

schose — Fri, 11 Mar 2022 16:20:56 GMT

Hi,

The alert action script receives the configuration and results from the stdin in json format..

example:

{

"app": "search",

"owner": "admin",

"results_file": "heregoesthecreditcardnumber",

"results_link": "heregoesthecreditcardnumber",

"search_uri": "/servicesNS/nobody/search/saved/searches/testalert",

"server_host": "art-mb-2.local",

"server_uri": "heregoesthecreditcardnumber",

"session_key": "heregoesthecreditcardnumber",

"sid": "scheduler__admin__search__testalert_at_1569508320_128",

"search_name": "testalert",

"configuration": {

"email": "andreas at batchworks.de",

"company": "batchworks",

"severity": "WARNING"

"result": {

"sourcetype": "splunkd",

"count": "80"

}

in "result" there are your search results.. read this in python like:

result = sys.stdin.read() settings = json.loads(result)regards,

Andreas

topic How to create custom alert script to initiate tcpdump? in Alerting

How to create custom alert script to initiate tcpdump?

Re: How to create custom alert script to initiate tcpdump