klein-projects/wazuh-notify
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

refactor files

Browse Source
This commit is contained in:
darius 2024-05-27 14:51:22 +02:00
parent ba49467acf
commit 05bd601f30
11 changed files with 97 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wazuh-notify-go/notification/discord.go → wazuh-notify-go/discord/discord.go
View File

@ -1,4 +1,4 @@
package notification package discord
import ( import (
"bytes" "bytes"
@ -16,10 +16,10 @@ func SendDiscord(params types.Params) {
"**Tags:** " + params.Tags + "\n\n" + "**Tags:** " + params.Tags + "\n\n" +
params.General.Click params.General.Click
message := types.DiscordMessage{ message := DiscordMessage{
Username: params.General.Sender, Username: params.General.Sender,
Content: params.Mention, Content: params.Mention,
Embeds: []types.Embed{ Embeds: []Embed{
{ {
Title: params.General.Sender, Title: params.General.Sender,
Description: embedDescription, Description: embedDescription,

2
wazuh-notify-go/types/discord.go → wazuh-notify-go/discord/types.go
View File

@ -1,4 +1,4 @@
package types package discord
type DiscordMessage struct { type DiscordMessage struct {
Username string `json:"username,omitempty"` Username string `json:"username,omitempty"`

6
wazuh-notify-go/main.go
View File

@ -4,7 +4,9 @@ import (
"strings" "strings"
"wazuh-notify/log" "wazuh-notify/log"
"wazuh-notify/notification" "wazuh-notify/notification"
"wazuh-notify/ntfy"
"wazuh-notify/services" "wazuh-notify/services"
"wazuh-notify/slack"
) )
func main() { func main() {
@ -17,10 +19,10 @@ func main() {
notification.SendDiscord(inputParams) notification.SendDiscord(inputParams)
case "ntfy": case "ntfy":
log.Log(target) log.Log(target)
notification.SendNtfy(inputParams) ntfy.SendNtfy(inputParams)
case "slack": case "slack":
log.Log(target) log.Log(target)
notification.SendSlack(inputParams) slack.SendSlack(inputParams)
} }
} }
log.CloseLogFile() log.CloseLogFile()

2
wazuh-notify-go/notification/ntfy.go → wazuh-notify-go/ntfy/ntfy.go
View File

@ -1,4 +1,4 @@
package notification package ntfy
import ( import (
"net/http" "net/http"

1
wazuh-notify-go/ntfy/types.go Normal file
View File

@ -0,0 +1 @@
package ntfy

4
wazuh-notify-go/notification/slack.go → wazuh-notify-go/slack/slack.go
View File

@ -1,4 +1,4 @@
package notification package slack
import ( import (
"bytes" "bytes"
@ -12,7 +12,7 @@ import (
func SendSlack(params types.Params) { func SendSlack(params types.Params) {
message := types.SlackMessage{ message := SlackMessage{
Text: services.BuildMessage(params, "slack", params.MarkdownEmphasis.Slack) + Text: services.BuildMessage(params, "slack", params.MarkdownEmphasis.Slack) +
"*Tags:* " + params.Tags + "\n\n" + "*Tags:* " + params.Tags + "\n\n" +
params.General.Click, params.General.Click,

2
wazuh-notify-go/types/slack.go → wazuh-notify-go/slack/types.go
View File

@ -1,4 +1,4 @@
package types package slack
type SlackMessage struct { type SlackMessage struct {
Text string `json:"text,omitempty"` Text string `json:"text,omitempty"`

1
wazuh-notify-go/types/ntfy.go
View File

@ -1 +0,0 @@
package types

0
wazuh-notify-go/types/types.go → wazuh-notify-go/types/params.go
View File

84
wazuh-notify-go/wazuh-notify-config.toml Normal file
View File

@ -0,0 +1,84 @@
#############################################################################################################
# This is the TOML config file for wazuh-notify (active response) for both the Python and Go implementation #
#############################################################################################################
[general]
# Platforms in this string with comma seperated values are triggered.
targets = "slack, ntfy, discord"
# Platforms in this string will enable sending the full event information.
full_alert = ""
# Exclude rule events that are enabled in the ossec.conf active response definition.
# These settings provide an easier way to disable events from firing the notifiers.
excluded_rules = "99999, 00000"
excluded_agents = "99999"
# The next 2 settings are used to add information to the messages.
sender = "Wazuh (IDS)"
click = "https://documentation.wazuh.com/"
# Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications) and their respective colors (Discord)
# https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html
# Enter threat_map as lists of integers, mention_threshold as integer and color as Hex integer
[[priority_map]]
threat_map = [15, 14, 13, 12]
mention_threshold = 1
notify_threshold = 1
color = 0xec3e40 # Red, SEVERE
[[priority_map]]
threat_map = [11, 10, 9]
mention_threshold = 1
notify_threshold = 1
color = 0xff9b2b # Orange, HIGH
[[priority_map]]
threat_map = [8, 7, 6]
mention_threshold = 5
notify_threshold = 5
color = 0xf5d800 # Yellow, ELEVATED
[[priority_map]]
threat_map = [5, 4]
mention_threshold = 20
notify_threshold = 5
color = 0x377fc7 # Blue, GUARDED
[[priority_map]]
threat_map = [3, 2, 1, 0]
mention_threshold = 20
notify_threshold = 5
color = 0x01a465 # Green, LOW
################ End of priority mapping ##################################
# Following parameter defines the markdown characters to emphasise the parameter names in the notification messages
[markdown_emphasis]
slack = "*"
ntfy = "**"
discord = "**"
##################################################################################
# From here on the settings are ONLY used by the Python version of wazuh-notify. #
##################################################################################
[python]
# The next settings are used for testing and troubleshooting.
# Test mode will add the example event in wazuh-notify-test-event.json instead of the message received through wazuh.
# This enables testing for particular events when the test event is customized.
test_mode = true
# Enabling this parameter provides more logging to the wazuh-notifier log.
extended_logging = 2
# Enabling this parameter provides extended logging to the console.
extended_print = 2
# Below settings provide for a window that enable/disables events from firing the notifiers.
excluded_days = ""
# Enter as a tuple of string values. Be aware of your regional settings.
excluded_hours = ["23:59", "00:00"]

49
wazuh-notify-go/wazuh-notify-config.yaml
View File

@ -1,49 +0,0 @@
---
#start of yaml
# This is the yaml config file for both the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py.
# The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py
targets: "discord,ntfy,slack"
full_message: "ntfy"
# Exclude rules that are listed in the ossec.conf active response definition.
excluded_rules: "5401,5403"
excluded_agents: "999"
# Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)
# Discord mention after x amount of event fired times
priority_map:
-
threat_map: [15,14,13,12]
mention_threshold: 1
color: 0xcc3300
-
threat_map: [11,10,9]
mention_threshold: 1
color: 0xff9966
-
threat_map: [8,7,6]
mention_threshold: 5
color: 0xffcc00
-
threat_map: [5,4]
mention_threshold: 5
color: 0x99cc33
-
threat_map: [3,2,1,0]
mention_threshold: 5
color: 0x339900
sender: "Wazuh (IDS)"
click: "https://google.com"
#end of yaml
...