From ac5d2babbd7a98891fb31e9230e0a7c4ea182357 Mon Sep 17 00:00:00 2001
From: dklein
Date: Fri, 29 Nov 2024 11:48:51 +0100
Subject: [PATCH] added filter based on description

---
 .github/workflows/golang.yml | 1 +
 wazuh-notify-go/go.mod | 2 +-
 wazuh-notify-go/services/filters.go | 7 +++++++
 wazuh-notify-go/types/params.go | 13 +++++++------
 wazuh-notify-go/wazuh-notify-config.toml | 6 ++++++
 5 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/golang.yml b/.github/workflows/golang.yml
index 0413123..11a63bf 100644
--- a/.github/workflows/golang.yml
+++ b/.github/workflows/golang.yml
@@ -32,3 +32,4 @@ jobs:
 tag_name: Golang-vx.x.x
 files: |
 wazuh-notify-go/wazuh-notify
+ wazuh-notify-go/wazuh-notify-config.toml
diff --git a/wazuh-notify-go/go.mod b/wazuh-notify-go/go.mod
index 817cce4..6744fd6 100644
--- a/wazuh-notify-go/go.mod
+++ b/wazuh-notify-go/go.mod
@@ -1,6 +1,6 @@
 module wazuh-notify
 
-go 1.22
+go 1.23
 
 require (
 github.com/BurntSushi/toml v1.4.0
diff --git a/wazuh-notify-go/services/filters.go b/wazuh-notify-go/services/filters.go
index 76f5316..3be4296 100644
--- a/wazuh-notify-go/services/filters.go
+++ b/wazuh-notify-go/services/filters.go
@@ -22,4 +22,11 @@ func Filter(params types.Params) {
 os.Exit(0)
 }
 }
+ for _, description := range params.General.ExcludedDescription {
+ if strings.Contains(params.WazuhMessage.Parameters.Alert.FullLog, description) {
+ log.Log("excluded based on description")
+ log.CloseLogFile()
+ os.Exit(0)
+ }
+ }
 }
diff --git a/wazuh-notify-go/types/params.go b/wazuh-notify-go/types/params.go
index 186dabd..922c757 100644
--- a/wazuh-notify-go/types/params.go
+++ b/wazuh-notify-go/types/params.go
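Review bot: `strings.Contains(params.WazuhMessage.Parameters.Alert.FullLog, description)` is true for every alert when `description` is the empty string, so one `""` entry in `exclude_descriptions` — which is exactly what the new default in the wazuh-notify-config.toml hunk ships — makes this loop call `os.Exit(0)` for every message and silently suppresses all notifications. The loop should skip empty or whitespace-only patterns before matching, `if strings.TrimSpace(description) == "" { continue }`, and the `""` placeholder should be dropped from the shipped config. The test is also a substring match against the full log text rather than a parsed description field, so any configured substring that appears anywhere in the log content suppresses the alert; a comment on the loop such as `// Substring match against the raw full log line, not a parsed description field.` would make that explicit for operators writing exclusions. Filter's body starts outside the hunk.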
@@ -13,12 +13,13 @@ type Params struct {
 }
 
 type General struct {
- Targets string `toml:"targets"`
- FullAlert string `toml:"full_alert"`
- ExcludedRules string `toml:"excluded_rules"`
- ExcludedAgents string `toml:"excluded_agents"`
- Sender string `toml:"sender"`
- Click string `toml:"click"`
+ Targets string `toml:"targets"`
+ FullAlert string `toml:"full_alert"`
+ ExcludedRules string `toml:"excluded_rules"`
+ ExcludedAgents string `toml:"excluded_agents"`
+ Sender string `toml:"sender"`
+ Click string `toml:"click"`
+ ExcludedDescription []string `toml:"exclude_descriptions"`
 }
 type PriorityMap struct {
 ThreatMap []int `toml:"threat_map"`
diff --git a/wazuh-notify-go/wazuh-notify-config.toml b/wazuh-notify-go/wazuh-notify-config.toml
index 2386e86..4737d00 100644
--- a/wazuh-notify-go/wazuh-notify-config.toml
+++ b/wazuh-notify-go/wazuh-notify-config.toml
@@ -14,6 +14,12 @@ full_alert = ""
 excluded_rules = "99999, 00000"
 excluded_agents = "99999"
 
+# Exclude specific rules by string contained in description
+# These settings provide an easier way to disable events from firing the notifiers.
+exclude_descriptions = [
+ ""
+]
+
 # The next 2 settings are used to add information to the messages.
 sender = "Wazuh (IDS)"
 click = "https://documentation.wazuh.com/"
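Review bot: The new field `ExcludedDescription []string `toml:"exclude_descriptions"`` breaks the naming pattern of its siblings in two ways: the Go name is singular for a slice, and the TOML key uses `exclude_` where every neighbour uses `excluded_` (`excluded_rules`, `excluded_agents`). A consistent declaration would be `ExcludedDescriptions []string `toml:"excluded_descriptions"``, which also needs the matching change in the filters.go loop and the shipped config. Note as well that this is the first exclusion list stored as a TOML array while `ExcludedRules` and `ExcludedAgents` remain comma-separated strings; if that is deliberate, a field comment saying so would spare the next reader the question.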
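Review bot: The comment `# Exclude specific rules by string contained in description` does not describe what the code does: the filter in filters.go tests whether the alert's full log text contains the configured substring, and it suppresses the alert, not a rule. Wording such as `# Suppress notifications for alerts whose full log text contains any of these substrings (case-sensitive substring match).` would match the implementation and tell operators what they are actually matching against.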