Re: How to create custom alert script to initiate ...

b_chris21 · ‎03-11-2022

Hello everyone,

I am trying to create a custom alert action where tcpdump capture will be triggered for the event's src and dest IPs.

I created a simple bash script for that:

#!/bin/bash
#Initiate tcpdump (3 dumps for 5mins each)
tcpdump -i ens33 -G 300 -W 3 -w /mnt/nfs/pcaps/pcap-%Y-%m-%d_%H.%M.%S

My problem is that this does not contain the src and dest IPs of the correlation event triggered. How can I pass these variables here in order not to capture the whole traffic, but only the one related between these two hosts?

Thanks

Chris

schose · ‎03-11-2022

Hi,

The alert action script receives the configuration and results from the stdin in json format..

example:

{

"app": "search",

"owner": "admin",

"results_file": "heregoesthecreditcardnumber",

"results_link": "heregoesthecreditcardnumber",

"search_uri": "/servicesNS/nobody/search/saved/searches/testalert",

"server_host": "art-mb-2.local",

"server_uri": "heregoesthecreditcardnumber",

"session_key": "heregoesthecreditcardnumber",

"sid": "scheduler__admin__search__testalert_at_1569508320_128",

"search_name": "testalert",

"configuration": {

"email": "andreas at batchworks.de",

"company": "batchworks",

"severity": "WARNING"

},

"result": {

"sourcetype": "splunkd",

"count": "80"

}

in "result" there are your search results.. read this in python like:

result = sys.stdin.read() settings = json.loads(result)regards,

Andreas

How to create custom alert script to initiate tcpdump?

alert action

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

How to create custom alert script to initiate tcpdump?

alert action

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple