#!/bin/bash
#
# psad uses this script to do a dcop notify of events

# Variables (adjust as necessary)

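PSAD_LOG_PATH="/var/log/psad"

# Abort on unset variables; every other failure is handled explicitly below.
set -u

# psad passes the scan source as $1, which is also the name of the per-source
# directory under PSAD_LOG_PATH.  That value originates in packet data and is
# spliced into a filesystem path, so refuse anything that is not a plain
# directory name: empty, containing '/', '.' or '..', or option-like.
case "${1:-}" in
	''|*/*|.|..|-*)
		printf 'usage: %s <psad-source-dir>\n' "${0##*/}" >&2
		exit 1
		;;
esac

# The alert file(s) written by psad for this source.  The glob is deliberately
# unquoted; when nothing matches the literal pattern remains and -e fails.
alert_files=( "$PSAD_LOG_PATH/$1"/*_email_alert )
if [ ! -e "${alert_files[0]}" ]; then
	printf '%s: no alert file found under %s/%s\n' "${0##*/}" "$PSAD_LOG_PATH" "$1" >&2
	exit 0
fi

# Collect the necessary information (sudo: the psad log directory is normally
# readable by root only).  grep returning 1 on no match is harmless here.
danger_level=$(sudo grep -i -- Danger "${alert_files[@]}")
os_guess=$(sudo grep -i -- guess "${alert_files[@]}")
# Signature lines sit between the "signatures" and "Whois" sections and carry
# a double-quoted name, so a line containing '"' is one matched signature.
signatures=$(sudo sed -n '/signatures/,/Whois/p' -- "${alert_files[@]}" | grep -F '"')
sig_num=$(sudo sed -n '/signatures/,/Whois/p' -- "${alert_files[@]}" | grep -c -F '"')

# A full-on port scan or vulnerability scan matches many signatures; summarise
# instead of pasting a huge list into the notification.
if (( sig_num > 10 )); then
	signatures="Loads of ports scanned.  Likely nmap or Nessus."
fi

# Packets that match no known signature (a bare probe of some port) are not
# worth an alert.
if (( sig_num == 0 )); then
	exit 0
fi

# Speak the alert if espeak is installed; background it so the desktop
# notification is not delayed by the audio.
if command -v espeak >/dev/null 2>&1; then
	espeak -p 20 "we're under attack, we are, under attack" &
fi

# Pop up the alert.  A newline followed by a space separates the three fields.
sep=$'\n '
dcop --all-users knotify Notify notify event "PSAD ALERT: $1" \
	"$danger_level $sep $os_guess $sep $signatures" "" "" 16 0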
