From 1557a1dd072ebad7aa65cd28dd03f3666eecfd1c Mon Sep 17 00:00:00 2001 From: darius Date: Mon, 27 May 2024 13:01:39 +0200 Subject: [PATCH] yaml to toml --- wazuh-notify-go/go.mod | 2 ++ wazuh-notify-go/go.sum | 2 ++ wazuh-notify-go/main.go | 2 +- wazuh-notify-go/notification/discord.go | 10 +++--- wazuh-notify-go/notification/ntfy.go | 10 +++--- wazuh-notify-go/notification/slack.go | 19 +++-------- wazuh-notify-go/services/filters.go | 4 +-- wazuh-notify-go/services/init.go | 34 ++++++++++---------- wazuh-notify-go/types/types.go | 41 +++++++++++++++--------- wazuh-notify-go/wazuh-notify-config.yaml | 2 +- 10 files changed, 65 insertions(+), 61 deletions(-) diff --git a/wazuh-notify-go/go.mod b/wazuh-notify-go/go.mod index 5897e35..463f281 100644 --- a/wazuh-notify-go/go.mod +++ b/wazuh-notify-go/go.mod @@ -6,3 +6,5 @@ require ( github.com/joho/godotenv v1.5.1 gopkg.in/yaml.v2 v2.4.0 ) + +require github.com/BurntSushi/toml v1.4.0 // indirect diff --git a/wazuh-notify-go/go.sum b/wazuh-notify-go/go.sum index f7e7502..4261ff8 100644 --- a/wazuh-notify-go/go.sum +++ b/wazuh-notify-go/go.sum @@ -1,3 +1,5 @@ +github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= +github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0= github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= diff --git a/wazuh-notify-go/main.go b/wazuh-notify-go/main.go index 3e34362..1be83a6 100644 --- a/wazuh-notify-go/main.go +++ b/wazuh-notify-go/main.go @@ -10,7 +10,7 @@ import ( func main() { inputParams := services.InitNotify() - for _, target := range strings.Split(inputParams.Targets, ",") { + for _, target := range strings.Split(inputParams.General.Targets, ", ") { switch target { case "discord": log.Log(target) 
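Review bot: `github.com/BurntSushi/toml` is imported directly by `services/init.go` in this same patch, so the `// indirect` marker on the new `require` line is wrong and `go mod tidy` will move it into the main `require` block. The same run would also drop `gopkg.in/yaml.v2`, whose only import is removed in init.go here, from both `go.mod` and `go.sum`. Worth doing in this commit so the module graph matches the code and the lock file carries no hash for a dependency nothing uses.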
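Review bot: The new separator `", "` in `strings.Split(inputParams.General.Targets, ", ")` does not match how the target list is written elsewhere: the YAML in this patch has `targets: "discord,ntfy,slack"` with no spaces, and every other list in the code (`full_alert`, `excluded_rules`, `excluded_agents`) is still split on `","`. If the TOML value is written the same way, `Split` returns the single element `discord,ntfy,slack`, no `case` matches, and nothing is sent. Split on `","` and trim instead: `for _, target := range strings.Split(inputParams.General.Targets, ",") {` followed by `target = strings.TrimSpace(target)` before the `switch`.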
diff --git a/wazuh-notify-go/notification/discord.go b/wazuh-notify-go/notification/discord.go index 4241b36..0360ad0 100644 --- a/wazuh-notify-go/notification/discord.go +++ b/wazuh-notify-go/notification/discord.go @@ -17,7 +17,7 @@ func SendDiscord(params types.Params) { var embedDescription string - if slices.Contains(strings.Split(params.FullAlert, ","), "discord") { + if slices.Contains(strings.Split(params.General.FullAlert, ","), "discord") { fullAlert, _ := json.MarshalIndent(params.WazuhMessage, "", " ") fullAlertString := strings.ReplaceAll(string(fullAlert), `"`, "") fullAlertString = strings.ReplaceAll(fullAlertString, "{", "") @@ -31,7 +31,7 @@ func SendDiscord(params types.Params) { "```\n\n" + "Priority: " + strconv.Itoa(params.Priority) + "\n" + "Tags: " + params.Tags + "\n\n" + - params.Click + params.General.Click } else { embedDescription = "\n\n" + "**Timestamp: **" + time.Now().Format(time.DateTime) + "\n" + @@ -44,15 +44,15 @@ func SendDiscord(params types.Params) { "\n\n" + "Priority: " + strconv.Itoa(params.Priority) + "\n" + "Tags: " + params.Tags + "\n\n" + - params.Click + params.General.Click } message := types.Message{ - Username: params.Sender, + Username: params.General.Sender, Content: params.Mention, Embeds: []types.Embed{ { - Title: params.Sender, + Title: params.General.Sender, Description: embedDescription, Color: params.Color, }, diff --git a/wazuh-notify-go/notification/ntfy.go b/wazuh-notify-go/notification/ntfy.go index c408d95..f9eb109 100644 --- a/wazuh-notify-go/notification/ntfy.go +++ b/wazuh-notify-go/notification/ntfy.go 
@@ -15,7 +15,7 @@ func SendNtfy(params types.Params) { var payload string - if slices.Contains(strings.Split(params.FullAlert, ","), "discord") { + if slices.Contains(strings.Split(params.General.FullAlert, ","), "discord") { fullAlert, _ := json.MarshalIndent(params.WazuhMessage, "", " ") fullAlertString := strings.ReplaceAll(string(fullAlert), `"`, "") fullAlertString = strings.ReplaceAll(fullAlertString, "{", "") @@ -39,14 +39,14 @@ func SendNtfy(params types.Params) { req, _ := http.NewRequest("POST", os.Getenv("NTFY_URL"), strings.NewReader(payload)) req.Header.Set("Content-Type", "text/plain") - if params.Sender != "" { - req.Header.Add("Title", params.Sender) + if params.General.Sender != "" { + req.Header.Add("Title", params.General.Sender) } if params.Tags != "" { req.Header.Add("Tags", params.Tags) } - if params.Click != "" { - req.Header.Add("Click", params.Click) + if params.General.Click != "" { + req.Header.Add("Click", params.General.Click) } if params.Priority != 0 { req.Header.Add("Priority", strconv.Itoa(params.Priority)) diff --git a/wazuh-notify-go/notification/slack.go b/wazuh-notify-go/notification/slack.go index 375a3ea..e2cdf96 100644 --- a/wazuh-notify-go/notification/slack.go +++ b/wazuh-notify-go/notification/slack.go @@ -3,6 +3,7 @@ package notification import ( "bytes" "encoding/json" + "fmt" "log" "net/http" "os" @@ -17,7 +18,7 @@ func SendSlack(params types.Params) { var embedDescription string - if slices.Contains(strings.Split(params.FullAlert, ","), "slack") { + if slices.Contains(strings.Split(params.General.FullAlert, ","), "slack") { fullAlert, _ := json.MarshalIndent(params.WazuhMessage, "", " ") fullAlertString := strings.ReplaceAll(string(fullAlert), `"`, "") fullAlertString = strings.ReplaceAll(fullAlertString, "{", "") 
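Review bot: The rewritten line in `SendNtfy` still tests the `full_alert` list for `"discord"` rather than `"ntfy"`, so with the `full_message: "ntfy"` value visible in the YAML of this patch ntfy never receives the full alert, while listing `discord` dumps the full alert to ntfy as a side effect of enabling it for Discord. The fix is the one-word change `if slices.Contains(strings.Split(params.General.FullAlert, ","), "ntfy") {`. The check was wrong before this commit too, but since the line is being rewritten anyway this is the moment to correct it.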
@@ -31,7 +32,7 @@ func SendSlack(params types.Params) { "```\n\n" + "Priority: " + strconv.Itoa(params.Priority) + "\n" + "Tags: " + params.Tags + "\n\n" + - params.Click + params.General.Click } else { embedDescription = "\n\n" + "**Timestamp: **" + time.Now().Format(time.DateTime) + "\n" + @@ -44,20 +45,10 @@ func SendSlack(params types.Params) { "\n\n" + "Priority: " + strconv.Itoa(params.Priority) + "\n" + "Tags: " + params.Tags + "\n\n" + - params.Click + params.General.Click } - message := types.Message{ - Username: params.Sender, - Content: params.Mention, - Embeds: []types.Embed{ - { - Title: params.Sender, - Description: embedDescription, - Color: params.Color, - }, - }, - } + message := fmt.Sprintf("{\"text\": %s}", embedDescription) payload := new(bytes.Buffer) diff --git a/wazuh-notify-go/services/filters.go b/wazuh-notify-go/services/filters.go index 8f630b3..373016f 100644 --- a/wazuh-notify-go/services/filters.go +++ b/wazuh-notify-go/services/filters.go @@ -7,14 +7,14 @@ import ( ) func Filter() { - for _, rule := range strings.Split(inputParams.ExcludedRules, ",") { + for _, rule := range strings.Split(inputParams.General.ExcludedRules, ",") { if rule == inputParams.WazuhMessage.Parameters.Alert.Rule.ID { log.Log("rule excluded") log.CloseLogFile() os.Exit(0) } } - for _, agent := range strings.Split(inputParams.ExcludedAgents, ",") { + for _, agent := range strings.Split(inputParams.General.ExcludedAgents, ",") { if agent == inputParams.WazuhMessage.Parameters.Alert.Agent.ID { log.Log("agent excluded") log.CloseLogFile() diff --git a/wazuh-notify-go/services/init.go b/wazuh-notify-go/services/init.go index 707b63a..c8f8450 100644 --- a/wazuh-notify-go/services/init.go +++ b/wazuh-notify-go/services/init.go @@ -4,8 +4,8 @@ import ( "bufio" "encoding/json" "flag" + "github.com/BurntSushi/toml" "github.com/joho/godotenv" - "gopkg.in/yaml.v2" "os" "path" "slices" 
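Review bot: `message := fmt.Sprintf("{\"text\": %s}", embedDescription)` in the second slack.go hunk does not produce valid JSON — the value is inserted unquoted and it contains newlines, `**` markup and whatever the alert-derived fields and `params.Tags` hold, so the webhook will reject it, and any `"` or `}` in alert text (log content an attacker can often influence) would rewrite the payload structure. Replace it with a value the encoder can serialise, `message := map[string]string{"text": embedDescription}`, and let whatever writes into `payload` encode it through `encoding/json`, which slack.go already imports; if that is `json.NewEncoder(payload).Encode(message)`, the current string `message` would additionally be sent as a bare JSON string. Dropping the Discord-shaped `types.Message` is right; only the replacement needs to go through the encoder, after which the `fmt` import added in the previous hunk becomes unused. `SendSlack` continues past the end of this hunk, so I cannot see how `payload` is filled.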
@@ -32,12 +32,12 @@ func InitNotify() types.Params { log.Log("env loaded") } - yamlFile, err := os.ReadFile(path.Join(BaseDirPath, "../../etc/wazuh-notify-config.yaml")) + tomlFile, err := os.ReadFile(path.Join(BaseDirPath, "../../etc/wazuh-notify-config.toml")) if err != nil { - log.Log("yaml failed to load") - yamlFile, err = os.ReadFile(path.Join(BaseDirPath, "wazuh-notify-config.yaml")) + log.Log("toml failed to load") + tomlFile, err = os.ReadFile(path.Join(BaseDirPath, "wazuh-notify-config.toml")) } - err = yaml.Unmarshal(yamlFile, &configParams) + err = toml.Unmarshal(tomlFile, &configParams) if err != nil { print(err) } 
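Review bot: The error from the fallback `os.ReadFile` is never checked — `err` is overwritten by `toml.Unmarshal`, and as far as I can tell an empty input decodes without error — so when neither `../../etc/wazuh-notify-config.toml` nor the local file exists the notifier keeps running with an all-zero config: no targets, no excluded rules or agents, no priority map, and the only trace is the "toml failed to load" log line. The Unmarshal error is likewise only `print`ed and execution continues. I would fail closed on both, and switch to `toml.Decode` so that keys misspelled in the TOML (the old YAML name `full_message` versus the new tag `full_alert` is an obvious trap) are reported through `MetaData.Undecoded()` instead of being silently ignored. `InitNotify` begins before this hunk.
```go
	tomlFile, err := os.ReadFile(path.Join(BaseDirPath, "../../etc/wazuh-notify-config.toml"))
	if err != nil {
		log.Log("toml failed to load")
		tomlFile, err = os.ReadFile(path.Join(BaseDirPath, "wazuh-notify-config.toml"))
	}
	if err != nil {
		// Fail closed: without the config there are no targets and no excluded_rules/agents.
		log.Log("config file unreadable: " + err.Error())
		log.CloseLogFile()
		os.Exit(1)
	}
	md, err := toml.Decode(string(tomlFile), &configParams)
	if err != nil {
		log.Log("config parse error: " + err.Error())
		log.CloseLogFile()
		os.Exit(1)
	}
	for _, key := range md.Undecoded() {
		log.Log("unknown config key ignored: " + key.String())
	}
	// … unchanged: configParams logging …
```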
@@ -47,11 +47,11 @@ func InitNotify() types.Params { log.Log(string(configParamString)) flag.StringVar(&inputParams.Url, "url", "", "is the webhook URL of the Discord server. It is stored in .env.") - flag.StringVar(&inputParams.Click, "click", configParams.Click, "is a link (URL) that can be followed by tapping/clicking inside the message. Default is https://google.com.") + flag.StringVar(&inputParams.General.Click, "click", configParams.General.Click, "is a link (URL) that can be followed by tapping/clicking inside the message. Default is https://google.com.") flag.IntVar(&inputParams.Priority, "priority", 0, "is the priority of the message, ranging from 1 (highest), to 5 (lowest). Default is 5.") - flag.StringVar(&inputParams.Sender, "sender", configParams.Sender, "is the sender of the message, either an app name or a person. The default is \"Security message\".") + flag.StringVar(&inputParams.General.Sender, "sender", configParams.General.Sender, "is the sender of the message, either an app name or a person. The default is \"Security message\".") flag.StringVar(&inputParams.Tags, "tags", "", "is an arbitrary strings of tags (keywords), seperated by a \",\" (comma). Default is \"informational,testing,hard-coded\".") - flag.StringVar(&inputParams.Targets, "targets", "", "is a list of targets to send notifications to. Default is \"discord\".") + flag.StringVar(&inputParams.General.Targets, "targets", "", "is a list of targets to send notifications to. Default is \"discord\".") flag.Parse() 
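Review bot: The `-targets` flag registered on the rewritten line has no effect: its default is `""` although the help text promises `discord`, and right after `flag.Parse()` the next hunk assigns `inputParams.General.Targets = configParams.General.Targets`, discarding whatever the user passed. Either drop the flag or seed it from the config the way `-click` and `-sender` now do — `flag.StringVar(&inputParams.General.Targets, "targets", configParams.General.Targets, "...")` — and remove the overwrite. The unchanged `-priority` line has the same mismatch between its help text ("Default is 5") and its default of 0. `InitNotify` starts and ends outside this hunk.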
@@ -59,11 +59,11 @@ func InitNotify() types.Params { inputParamString, _ := json.Marshal(inputParams) log.Log(string(inputParamString)) - inputParams.Targets = configParams.Targets - inputParams.FullAlert = configParams.FullAlert - inputParams.ExcludedAgents = configParams.ExcludedAgents - inputParams.ExcludedRules = configParams.ExcludedRules - inputParams.PriorityMaps = configParams.PriorityMaps + inputParams.General.Targets = configParams.General.Targets + inputParams.General.FullAlert = configParams.General.FullAlert + inputParams.General.ExcludedAgents = configParams.General.ExcludedAgents + inputParams.General.ExcludedRules = configParams.General.ExcludedRules + inputParams.PriorityMap = configParams.PriorityMap wazuhInput() @@ -79,10 +79,10 @@ func wazuhInput() { inputParams.WazuhMessage = wazuhData - for i, _ := range configParams.PriorityMaps { - if slices.Contains(configParams.PriorityMaps[i].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) { - inputParams.Color = inputParams.PriorityMaps[i].Color - if inputParams.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= inputParams.PriorityMaps[i].MentionThreshold { + for i, _ := range configParams.PriorityMap { + if slices.Contains(configParams.PriorityMap[i].ThreatMap, wazuhData.Parameters.Alert.Rule.Level) { + inputParams.Color = inputParams.PriorityMap[i].Color + if inputParams.WazuhMessage.Parameters.Alert.Rule.Firedtimes >= inputParams.PriorityMap[i].MentionThreshold { inputParams.Mention = "@here" } inputParams.Priority = 5 - i diff --git a/wazuh-notify-go/types/types.go b/wazuh-notify-go/types/types.go index 436cfd9..f20f8ff 100644 --- a/wazuh-notify-go/types/types.go +++ b/wazuh-notify-go/types/types.go 
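Review bot: The priority loop in the second hunk ranges over `configParams.PriorityMap` but reads `Color` and `MentionThreshold` from `inputParams.PriorityMap[i]`, which only works because the first hunk copies the slice across, and `inputParams.Priority = 5 - i` assumes exactly five `priority_map` entries ordered from most to least severe — with more than five the priority becomes 0 or negative, outside the 1–5 range the `-priority` help text describes (and 0 suppresses the ntfy `Priority` header). Ranging over one source keeps it honest: `for i, pm := range configParams.PriorityMap {` / `if slices.Contains(pm.ThreatMap, wazuhData.Parameters.Alert.Rule.Level) {` and then `pm.Color` / `pm.MentionThreshold`; `for i, _ := range` is also what `gofmt -s` rewrites to `for i := range`. Clamping with `max(1, 5-i)` is available since the `slices` import already implies Go 1.21+. `wazuhInput`'s body continues past this hunk.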
@@ -1,25 +1,34 @@ package types type Params struct { - Url string - Sender string `yaml:"sender,omitempty"` - Priority int - Tags string - Click string `yaml:"click,omitempty"` - Targets string `yaml:"targets,omitempty"` - FullAlert string `yaml:"full_message,omitempty"` - ExcludedRules string `yaml:"excluded_rules,omitempty"` - ExcludedAgents string `yaml:"excluded_agents,omitempty"` - Color int - Mention string - WazuhMessage WazuhMessage - PriorityMaps []PriorityMap `yaml:"priority_map"` + General General `toml:"general"` + Url string + Priority int + Tags string + Color int + Mention string + WazuhMessage WazuhMessage + PriorityMap []PriorityMap `toml:"priority_map"` + MarkdownEmphasis MarkdownEmphasis `toml:"markdown_emphasis"` } +type General struct { + Targets string `toml:"targets"` + FullAlert string `toml:"full_alert"` + ExcludedRules string `toml:"excluded_rules"` + ExcludedAgents string `toml:"excluded_agents"` + Sender string `toml:"sender"` + Click string `toml:"click"` +} type PriorityMap struct { - ThreatMap []int `yaml:"threat_map"` - MentionThreshold int `yaml:"mention_threshold"` - Color int `yaml:"color"` + ThreatMap []int `toml:"threat_map"` + MentionThreshold int `toml:"mention_threshold"` + Color int `toml:"color"` +} +type MarkdownEmphasis struct { + Slack string `toml:"slack"` + Ntfy string `toml:"ntfy"` + Discord string `toml:"discord"` } type Message struct { diff --git a/wazuh-notify-go/wazuh-notify-config.yaml b/wazuh-notify-go/wazuh-notify-config.yaml index e455811..f4013ff 100644 --- a/wazuh-notify-go/wazuh-notify-config.yaml +++ b/wazuh-notify-go/wazuh-notify-config.yaml @@ -4,7 +4,7 @@ # This is the yaml config file for both the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py. # The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py -targets: "discord,ntfy" +targets: "discord,ntfy,slack" full_message: "ntfy" # Exclude rules that are listed in the ossec.conf active response definition.
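Review bot: The new `General` and `MarkdownEmphasis` structs carry no doc comments, and `MarkdownEmphasis` is not referenced by any hunk in this patch, so a reader cannot tell whether it is wired in elsewhere or dead. I would add comments naming the TOML tables they map to, e.g. `// General mirrors the [general] table of wazuh-notify-config.toml; targets, full_alert, excluded_rules and excluded_agents are comma-separated lists.` and `// MarkdownEmphasis holds per-target emphasis markers from [markdown_emphasis]; not yet consumed.` The comment on `FullAlert` should also note that its key changed from the YAML `full_message` to `full_alert`, since no TOML file in this patch shows the new spelling.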
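Review bot: This hunk enables `slack` in `wazuh-notify-config.yaml`, but after the init.go change the Go binary only reads `wazuh-notify-config.toml` (from `../../etc/` or beside the binary) and no `.toml` file is added by the patch, so the Go notifier never sees this edit and a fresh checkout has no usable config at all. If the YAML is kept for the Python notifiers its header mentions, that is fine, but the TOML equivalent (with `full_message` renamed to `full_alert`) should ship in the same commit, and the header comment should say which tool reads which file.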