Debugging User Alert Scripts
Hi all,
We are trying to set up a user alert script 1 which blocks hosts when there is an event for "sweep scan" or "host port scan" in the core protections.
We set up the script in Global Properties -- Log and Alerts -- Alerts -- Run UserDefined Script (alert no. 1).
The script is in $CPDIR/bin/scriptname.sh
In the core protections "sweep scan" and "host port scan" we select Logging settings -- Track -- User Alert 1.
The result is that the script is not running.
So how can we debug the starting of the script?
Is there any logfile which shows when the management system tries to start the script etc.?
Thanks,
Peter
I added a custom debug command to the script.
echo "$(date) ---- " >> /tmp/debug.txt
With that I can now see that the call to the script works.
But the parameter handling in the script does not work.
I saw in another thread on CheckMates that I have to read the input with the following command:
read input
And I can output the result to the debug file:
echo "$input" >> /tmp/debug
I now need to get the source IP from the input. I think I need to do this with a regex.
Does someone know a better way to read the values from the log entry in my script?
And you have to process input from standard input.
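
One way to get the source IP out of the line the script receives on standard input, as discussed in this thread (an added example, not code from the thread or from Check Point). It assumes the alert line contains a field of the form `src: <IPv4>;`, and the sample line is constructed, so compare it with what your own debug file shows.

```shell
#!/bin/sh
# Added example: extract and validate the source IP from an alert line.
# Assumption: the line has a "src: <IPv4>;" field (check your debug file).

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# extract_src_ip: reads one alert line from stdin, prints the source IP.
# Returns 1 (and prints nothing) when the field is missing or malformed,
# so untrusted log text never reaches a blocking command.
extract_src_ip() {
    IFS= read -r line || [ -n "$line" ] || return 1
    case "$line" in
        *" src: "*) rest=${line#*" src: "} ;;  # text after the first " src: "
        *) return 1 ;;
    esac
    ip=${rest%%;*}                             # cut at the field terminator
    ip=${ip%% *}                               # drop anything after a space
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Constructed sample line, not real gateway output.
SAMPLE='10:15:02 drop gw1 >eth0 alert src: 192.0.2.45; dst: 198.51.100.7; proto: tcp;'
printf '%s\n' "$SAMPLE" | extract_src_ip       # prints 192.0.2.45
```

In the alert script itself, call `extract_src_ip` once with the script's standard input and act only when it returns success.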
