Make slack script more resiliant

active-response/ossec-slack.sh

@@ -26,11 +26,14 @@ echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
 ALERTTITLE=`grep -A 1 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | tail -1`
 ALERTTEXT=`grep -A 10 "$ALERTID" ${PWD}/../logs/alerts/alerts.log | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | sed '/^$/Q' | cut -c -139 | sed 's/\"//g'`
 
-LEVEL=`echo ${ALERTTEXT} | grep "(level [0-9]*)" | sed 's/^.*(level \([0-9]*\)).*$/\1/'`
+LEVEL=`echo "${ALERTTEXT}" | head -1 | sed 's/^.*(level \([0-9]*\)).*$/\1/'`
 COLOR="#D3D3D3"
-[ "${LEVEL}" -ge 4 ] && COLOR="#FFCC00"
-[ "${LEVEL}" -ge 7 ] && COLOR="#FF9966"
-[ "${LEVEL}" -ge 12 ] && COLOR="#CC3300"
+if [ "${LEVEL}" ]
+then
+  [ "${LEVEL}" -ge 4 ] && COLOR="#FFCC00"
+  [ "${LEVEL}" -ge 7 ] && COLOR="#FF9966"
+  [ "${LEVEL}" -ge 12 ] && COLOR="#CC3300"
+fi
 
 PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "attachments": [ {"fallback": "'"$( printf "${ALERTTITLE}\n${ALERTTEXT}" )"'", "title": "'"${ALERTTITLE}"'", "text": "'"${ALERTTEXT}"'", "color": "'"${COLOR}"'"} ]}'