exclude rules added

full message added
2024-05-10 14:23:54 +02:00 · 2024-05-10 14:23:54 +02:00 · cc7f93ba64
commit cc7f93ba64
parent 7e95376a22
5 changed files with 82 additions and 28 deletions
--- a/wazuh-notify-go/notification/discord.go
+++ b/wazuh-notify-go/notification/discord.go
@ -6,21 +6,43 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"slices"
 	"strconv"
+	"strings"
 	"wazuh-notify/types"
 )

 func SendDiscord(params types.Params) {
-	embedDescription := "\n\n" +
-		"**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" +
-		"**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" +
-		"**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
-		"**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" +
-		"**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) +
-		"\n\n" +
-		"Priority: " + strconv.Itoa(params.Priority) + "\n" +
-		"Tags: " + params.Tags + "\n\n" +
-		params.Click
+
+	var embedDescription string
+
+	if slices.Contains(strings.Split(params.FullMessage, ","), "discord") {
+		fullMessage, _ := json.MarshalIndent(params.WazuhMessage, "", "  ")
+		fullMessageString := strings.ReplaceAll(string(fullMessage), `"`, "")
+		fullMessageString = strings.ReplaceAll(fullMessageString, "{", "")
+		fullMessageString = strings.ReplaceAll(fullMessageString, "}", "")
+		fullMessageString = strings.ReplaceAll(fullMessageString, "[", "")
+		fullMessageString = strings.ReplaceAll(fullMessageString, "]", "")
+		fullMessageString = strings.ReplaceAll(fullMessageString, " ,", "")
+
+		embedDescription = "\n\n ```" +
+			fullMessageString +
+			"```\n\n" +
+			"Priority: " + strconv.Itoa(params.Priority) + "\n" +
+			"Tags: " + params.Tags + "\n\n" +
+			params.Click
+	} else {
+		embedDescription = "\n\n" +
+			"**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" +
+			"**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" +
+			"**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" +
+			"**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" +
+			"**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) +
+			"\n\n" +
+			"Priority: " + strconv.Itoa(params.Priority) + "\n" +
+			"Tags: " + params.Tags + "\n\n" +
+			params.Click
+	}

 	var color int

--- a/wazuh-notify-go/services/filters.go
+++ b/wazuh-notify-go/services/filters.go
@ -0,0 +1,24 @@
+package services
+
+import (
+	"os"
+	"strings"
+	"wazuh-notify/log"
+)
+
+func Filter() {
+	for _, rule := range strings.Split(inputParams.ExcludedRules, ",") {
+		if rule == inputParams.WazuhMessage.Parameters.Alert.Rule.ID {
+			log.Log("rule excluded")
+			log.CloseLogFile()
+			os.Exit(0)
+		}
+	}
+	for _, agent := range strings.Split(inputParams.ExcludedAgents, ",") {
+		if agent == inputParams.WazuhMessage.Parameters.Alert.Agent.ID {
+			log.Log("agent excluded")
+			log.CloseLogFile()
+			os.Exit(0)
+		}
+	}
+}
--- a/wazuh-notify-go/services/init.go
+++ b/wazuh-notify-go/services/init.go
@ -56,6 +56,9 @@ func InitNotify() types.Params {
 	log.Log(string(inputParamString))

 	inputParams.Targets = configParams.Targets
+	inputParams.FullMessage = configParams.FullMessage
+	inputParams.ExcludedAgents = configParams.ExcludedAgents
+	inputParams.ExcludedRules = configParams.ExcludedRules

 	wazuhInput()

@ -73,6 +76,8 @@ func wazuhInput() {

 	inputParams.WazuhMessage = wazuhData

+	Filter()
+
 	log.Log("Wazuh data loaded")
 	inputParamString, _ := json.Marshal(inputParams)
 	log.Log(string(inputParamString))
--- a/wazuh-notify-go/types/types.go
+++ b/wazuh-notify-go/types/types.go
@ -1,18 +1,21 @@
 package types

 type Params struct {
-	Url          string
-	Sender       string `yaml:"sender,omitempty"`
-	Priority     int
-	Tags         string
-	Click        string `yaml:"click,omitempty"`
-	Targets      string `yaml:"targets,omitempty"`
-	WazuhMessage WazuhMessage
-	Priority1    []int `yaml:"priority_1"`
-	Priority2    []int `yaml:"priority_2"`
-	Priority3    []int `yaml:"priority_3"`
-	Priority4    []int `yaml:"priority_4"`
-	Priority5    []int `yaml:"priority_5"`
+	Url            string
+	Sender         string `yaml:"sender,omitempty"`
+	Priority       int
+	Tags           string
+	Click          string `yaml:"click,omitempty"`
+	Targets        string `yaml:"targets,omitempty"`
+	FullMessage    string `yaml:"full_message,omitempty"`
+	ExcludedRules  string `yaml:"excluded_rules,omitempty"`
+	ExcludedAgents string `yaml:"excluded_agents,omitempty"`
+	WazuhMessage   WazuhMessage
+	Priority1      []int `yaml:"priority_1"`
+	Priority2      []int `yaml:"priority_2"`
+	Priority3      []int `yaml:"priority_3"`
+	Priority4      []int `yaml:"priority_4"`
+	Priority5      []int `yaml:"priority_5"`
 }

 type Message struct {
--- a/wazuh-notify-go/wazuh-notify-config.yaml
+++ b/wazuh-notify-go/wazuh-notify-config.yaml
@ -9,16 +9,16 @@ full_message: "discord,ntfy"

 # Exclude rules that are listed in the ossec.conf active response definition.

-excluded_rules: "5401, 5403"
+excluded_rules: "5401,5403"
 excluded_agents: "999"

 # Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)

-priority_5: [ 15,14,13,12 ]
-priority_4: [ 11,10,9 ]
-priority_3: [ 8,7,6 ]
-priority_2: [ 5,4 ]
-priority_1: [ 3,2,1,0 ]
+priority_5: [15,14,13,12]
+priority_4: [11,10,9]
+priority_3: [8,7,6]
+priority_2: [5,4]
+priority_1: [3,2,1,0]

 sender: "Wazuh (IDS)"
 click: "https://google.com"