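#!/usr/local/bin/bash
#
# snort_notify: read the tail of the Snort fast-alert log, drop known noise,
# and mail the contact addresses from the whois record of any remaining
# source IP that has been seen exactly once before.
#
# State:   /data/snort_db          one line per sighting, appended every run
# Reads:   /var/log/snort/alert.fast, /usr/httpd-access.log
# Outputs: preview of the filtered alerts on stdout, one mail per contact
#
# "Mail once per IP" is intentional: every run records each IP in snort_db,
# and mail goes out only when the IP already has exactly one prior record
# (first sighting: record; second: notify; later: silent).  The previous
# version compared "$i" with an unanchored, unescaped `grep $i` of the db,
# which produced that behaviour by accident and also matched other IPs
# sharing a prefix (1.2.3.4 vs 1.2.3.45); times_seen() makes it exact.

set -u

readonly alert_log=/var/log/snort/alert.fast
readonly http_log=/usr/httpd-access.log
readonly snort_db=/data/snort_db
readonly tail_lines=5000
# The sensor's own address is rewritten to its hostname before any alert
# text leaves the box.
readonly sensor_ip=192.168.1.101
readonly sensor_name=rmccurdy.com
readonly contact=rmccurdyjob@yahoo.com
readonly replies_url='http://rmccurdy.com/scripts/replies.txt'

# Signature ids / strings treated as noise (case-insensitive ERE).
readonly filter1="(Admin_file|DNS|SCAN|RDP|cross site|119:15:1|1:1066:7|1:1067:7|1:969:8|Tcp Options|calendar|\} 192|0.0.0.0|SHELLCODE|Spyware|Bogon|xperimental|ortscan|icmp|ODING|FTP|1:2006402:6|122:4:0|1:2006380:10|1:8428:8|1:1463:8|1:2001682:8|1:3825:2|1:1852:4|ICQ|AIM|Known|SOCKSv4 Inbound|nc.exe|AOL|IRC|portscan|SHELLCODE|Dshield Block|NMAP|ussian|MSN|ICMP|less than 5|roxy|2001331|2003099|1:2000419:11|1:2001329:8)"
# Additional noise hidden from the on-screen preview only.
readonly filter2="(1:969:8|Spamhaus|ClamAV|Admin_files|DNS|SCAN|Mambo|emote|SQL|oll|Morfeus)"

die() { printf '%s\n' "$*" >&2; exit 1; }

# Scratch files live in a private mktemp dir instead of fixed /tmp names,
# so another local user cannot pre-create or symlink them.
workdir=$(mktemp -d) || die "mktemp failed"
readonly workdir
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

#######################################
# Recent alert lines that survive the noise filter.
# Outputs: alert lines on stdout
#######################################
recent_alerts() {
  tail -n "$tail_lines" -- "$alert_log" | grep -Eiv -- "$filter1"
}

#######################################
# Unique source IPs from recent_alerts, one per line, first-seen order.
# Alert lines look like "... } SRC:PORT -> DST:PORT"; keep only SRC.
# Outputs: IPs on stdout
#######################################
collect_ips() {
  recent_alerts \
    | sed -e 's/.*} //' -e 's/:.*//' -e 's/ -> .*//' \
    | awk '!seen[$0]++'
}

#######################################
# Number of prior records of an IP in snort_db (exact line match).
# Arguments: $1 - IP
# Outputs:   count on stdout (0 when the db does not exist yet)
#######################################
times_seen() {
  if [[ ! -f "$snort_db" ]]; then
    printf '0\n'
    return 0
  fi
  grep -Fxc -- "$1" "$snort_db"
}

#######################################
# True when $1 is a dotted-quad IPv4 address.  Anything else from the log
# is skipped rather than handed to grep/whois.
#######################################
is_ipv4() {
  local re='^[0-9]+(\.[0-9]+){3}$'
  [[ "$1" =~ $re ]]
}

#######################################
# True when $1 looks like a plain mailbox address.  whois output is
# untrusted and the value ends up on mailx's argv, so only a conservative
# shape is accepted (no spaces, quotes, or leading '-').
#######################################
is_mail_address() {
  local re='^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]+$'
  [[ "$1" =~ $re ]]
}

#######################################
# Contact addresses from the whois record of an IP, de-duplicated, with
# registry "nic" mailboxes excluded.
# Arguments: $1 - IP
# Outputs:   addresses on stdout, one per line
#######################################
contact_addresses() {
  whois "$1" \
    | grep -o "[[:alnum:][:graph:]]*@[[:alnum:][:graph:]]*" \
    | grep -Ev -- "(nic)" \
    | awk '!seen[$0]++'
}

#######################################
# Raw (unfiltered) recent alert lines mentioning an IP, with the sensor's
# own address replaced by its hostname.
# Arguments: $1 - IP
# Outputs:   alert lines on stdout
#######################################
alerts_for() {
  local ip_re=${sensor_ip//./\\.}   # escape dots so sed matches literally
  tail -n "$tail_lines" -- "$alert_log" \
    | grep -Fw -- "$1" \
    | sed "s/${ip_re}/${sensor_name}/g"
}

#######################################
# Write the notification body for an IP.
# Arguments: $1 - IP, $2 - output file (overwritten)
#######################################
write_message() {
  local ip=$1 out=$2
  {
    printf 'WARNING: This is a security alert from %s\n' "$sensor_name"
    printf '%s on your network MAY be compromised\n' "$ip"
    printf 'any questions please contact %s\n' "$contact"
    printf 'Here are some replies from this service %s\n' "$replies_url"
    printf 'here are more triggers from this ip\n'
    printf 'All times are EST ( UTC -5)\n'
    alerts_for "$ip"
    printf 'Here are web server logs from that ip if any\n'
    if [[ -r "$http_log" ]]; then
      grep -Fw -- "$ip" "$http_log" | tail
    fi
  } > "$out"
}

main() {
  [[ -r "$alert_log" ]] || die "cannot read $alert_log"

  # Preview for the operator, then a pause so the run can still be aborted
  # before any mail is sent.
  recent_alerts | grep -Eiv -- "$filter2"
  echo
  sleep 20

  local ips=$workdir/ips message=$workdir/message
  collect_ips > "$ips"

  local ip addr
  while IFS= read -r ip; do
    is_ipv4 "$ip" || continue
    (( $(times_seen "$ip") == 1 )) || continue

    # Build the body once per IP; it is identical for every contact.
    write_message "$ip" "$message"
    echo ----
    alerts_for "$ip" | head

    while IFS= read -r addr; do
      if ! is_mail_address "$addr"; then
        printf 'skipping unexpected contact %s for %s\n' "$addr" "$ip" >&2
        continue
      fi
      printf 'mailing %s\n' "$addr"
      mailx -s "SECURITY_ALERT" "$addr" < "$message"
    done < <(contact_addresses "$ip")
  done < "$ips"

  # Record every sighting; times_seen() relies on one new line per run.
  cat -- "$ips" >> "$snort_db" || die "cannot update $snort_db"
  printf 'sightings recorded in %s\n' "$snort_db"
}

main "$@"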