0x646e78 · August 29, 2015 14:22
diff --git a/gistfile1.sh b/gistfile1.sh
 #!/usr/bin/env bash
  
 # This requires bash 4+

 # $ ./ossec-syscheck-decoder.sh 
 # File: /etc/sudoers
 # Date: Tue Jun  2 15:45:45 AEST 2015
 # # of changes: 0 changes
 # File Size: 4002 Bytes
 # File Mode: 100440
 # ownership: 0:0
 # sha1sum: 7f8136e115bc8877afdda1cb9c357da7ecdbb8d2

  
 # https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU
 #
 #!++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 : bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335 /opt/syslog-ng/conf/sys  log-ng.conf
 #
 #First three characters are used to count the number of times a file has changed: 
 #
 #+++ 0 changes
 #!++  1 change
 #!!+   2 chnages
 #!!!    3 changes
 #!!?   more than 3 changes
 #
 #The rest of the line fields are:
 #
 #file_size : file_mode : uid : gid : md5sum : sha1sum !epoch_timestamp file_path
 #
 #File mode stores the result of (stat.st_mode), and contains file type code (to identify
 #if it is a symbolic link, directory, socket, registry key,...) and access permission bits.
 
 # A production log line:
 LOG='+++4002:33056:0:0:5da55a26faf886d0958f6adbae4078b2:7f8136e115bc8877afdda1cb9c357da7ecdbb8d2 !1433223945 /etc/sudoers'
  
 # Filename
 echo "File: ${LOG##* }"
  
 # TIMEDATE
 DELIM=${LOG##*:}
 DELIM=${DELIM##*!}
 EPOCH=$(echo $DELIM | cut -d" " -f1)
 DATE=$(date -d @$EPOCH)
 echo "Date: $DATE"
  
 # Count changes
 COUNT=${LOG:0:3}
 if [ ${COUNT} == '+++' ]; then
  COUNT=0
 elif [ ${COUNT} == '!++' ]; then
  COUNT=1
 elif [ $COUNT == '!!+' ]; then
  COUNT=2
 elif [ $COUNT == '!!!' ]; then
  COUNT=3
 elif [ $COUNT == '!!?' ]; then
  COUNT="3+"
 else
  COUNT="Unknown nuber of changes"
 fi
 echo "# of changes: $COUNT changes"
  
 # File Size
 SIZE=$(echo ${LOG:3} | cut -d":" -f 1)
 echo "File Size: $SIZE Bytes"
  
 # File mode
 printf "File Mode: \0%o\n" 33056
  
 # UID:GID
 OWN=$(echo ${LOG:3} | cut -d":" -f 3,4)
 echo "ownership: $OWN"
  
 # SHAsum:
 DELIM=${LOG##*:}
 SHA1=$(echo $DELIM | cut -d" " -f1)
 echo "sha1sum: $SHA1"
 echo
	#!/usr/bin/env bash

	# This requires bash 4+

	# $ ./ossec-syscheck-decoder.sh
	# File: /etc/sudoers
	# Date: Tue Jun 2 15:45:45 AEST 2015
	# # of changes: 0 changes
	# File Size: 4002 Bytes
	# File Mode: 100440
	# ownership: 0:0
	# sha1sum: 7f8136e115bc8877afdda1cb9c357da7ecdbb8d2


	# https://groups.google.com/forum/m/#!topic/ossec-list/UuhauWUCxkU
	#
	#!++ 1486 : 33188 : 0 : 1 : a465a2fd02717050ca44d6cc24c5d458 : bd37d291ce34e363af853958a31f24c74bd85d4 !1330029335 /opt/syslog-ng/conf/sys log-ng.conf
	#
	#First three characters are used to count the number of times a file has changed:
	#
	#+++ 0 changes
	#!++ 1 change
	#!!+ 2 chnages
	#!!! 3 changes
	#!!? more than 3 changes
	#
	#The rest of the line fields are:
	#
	#file_size : file_mode : uid : gid : md5sum : sha1sum !epoch_timestamp file_path
	#
	#File mode stores the result of (stat.st_mode), and contains file type code (to identify
	#if it is a symbolic link, directory, socket, registry key,...) and access permission bits.

	# A production log line:
	LOG='+++4002:33056:0:0:5da55a26faf886d0958f6adbae4078b2:7f8136e115bc8877afdda1cb9c357da7ecdbb8d2 !1433223945 /etc/sudoers'

	# Filename
	echo "File: ${LOG##* }"

	# TIMEDATE
	DELIM=${LOG##*:}
	DELIM=${DELIM##*!}
	EPOCH=$(echo $DELIM \| cut -d" " -f1)
	DATE=$(date -d @$EPOCH)
	echo "Date: $DATE"

	# Count changes
	COUNT=${LOG:0:3}
	if [ ${COUNT} == '+++' ]; then
	COUNT=0
	elif [ ${COUNT} == '!++' ]; then
	COUNT=1
	elif [ $COUNT == '!!+' ]; then
	COUNT=2
	elif [ $COUNT == '!!!' ]; then
	COUNT=3
	elif [ $COUNT == '!!?' ]; then
	COUNT="3+"
	else
	COUNT="Unknown nuber of changes"
	fi
	echo "# of changes: $COUNT changes"

	# File Size
	SIZE=$(echo ${LOG:3} \| cut -d":" -f 1)
	echo "File Size: $SIZE Bytes"

	# File mode
	printf "File Mode: \0%o\n" 33056

	# UID:GID
	OWN=$(echo ${LOG:3} \| cut -d":" -f 3,4)
	echo "ownership: $OWN"

	# SHAsum:
	DELIM=${LOG##*:}
	SHA1=$(echo $DELIM \| cut -d" " -f1)
	echo "sha1sum: $SHA1"
	echo