klein-projects/wazuh-notify
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Purge of old files

Browse Source
This commit is contained in:
Rudi klein 2024-05-18 21:30:17 +02:00
parent 5fa2bc0338
commit e0a99d1c7a
7 changed files with 0 additions and 723 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
test.go
View File

@ -1,11 +0,0 @@
package main
import (
"fmt"
"os"
)
func main() {
fmt.Println("hier")
os.Stderr.Write([]byte("hier2"))
}

128
wazuh-active-response.py
View File

@ -1,128 +0,0 @@
#!/usr/bin/env python3
# This script is adapted version of the Python active response script sample, provided by Wazuh, in the documentation:
# https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html
# It is provided under the below copyright statement:
#
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#
# This adapted version is free software. Rudi Klein, april 2024
import os
import sys
from wazuh_notifier_module import construct_basic_message
from wazuh_notifier_module import get_config
from wazuh_notifier_module import parameters_deconstruct
from wazuh_notifier_module import set_environment
from wazuh_notifier_module import threat_mapping
# Path variable assignments
wazuh_path, ar_path, config_path, notifier_path = set_environment()
def main(argv):
# validate json and get command
# data = load_message(argv)
# This example event can be used for troubleshooting. Comment out the line above and uncomment the line below.
data: dict = {"version": 1, "origin": {"name": "worker01", "module": "wazuh-execd"}, "command": "add",
"parameters": {"extra_args": [], "alert": {"timestamp": "2021-02-01T20:58:44.830+0000",
"rule": {"level": 15,
"description": "Shellshock attack detected",
"id": "31168", "mitre": {"id": ["T1068", "T1190"],
"tactic": [
"Privilege Escalation",
"Initial Access"],
"technique": [
"Exploitation for Privilege Escalation",
"Exploit Public-Facing Application"]},
"info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271",
"firedtimes": 2, "mail": "true",
"groups": ["web", "accesslog", "attack"],
"pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"],
"nist_800_53": ["SI.4"],
"tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]},
"agent": {"id": "000", "name": "wazuh-server"},
"manager": {"name": "wazuh-server"},
"id": "1612213124.6448363",
"full_log": "192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"",
"decoder": {"name": "web-accesslog"},
"data": {"protocol": "GET", "srcip": "192.168.0.223",
"id": "200", "url": "/"},
"location": "/var/log/nginx/access.log"},
"program": "/var/ossec/active-response/bin/firewall-drop"}}
alert = data["parameters"]["alert"]
# Get the threat level from the event (message)
threat_level = data["parameters"]["alert"]["rule"]["level"]
parameters: dict = parameters_deconstruct(argv, alert)
# Get the YAML config if any
config: dict = get_config()
# Get the mapping between threat level (event) and priority (Discord/ntfy)
threat_priority = threat_mapping(threat_level, config.get('np_1'), config.get('np_2'),
config.get('np_3'), config.get('np_4'), config.get('np_5'))
if "discord" in config["targets"]:
accent: str = "**"
elif "ntfy" in config["targets"]:
accent: str = ""
else:
accent: str = ""
notifier_message: str = construct_basic_message(argv, accent,
parameters.get('a_id', '000'),
parameters.get('a_name', 'agent not found'),
parameters.get('e_id', '9999'),
parameters.get('e_description', 'Event not found'),
parameters.get('e_level', '9999'),
parameters.get('e_fired_times', '3')
)
if "discord" in config["targets"]:
discord_notifier: str = '{0}/active-response/bin/wazuh-discord-notifier.py'.format(wazuh_path)
discord_exec: str = "python3 " + discord_notifier + " "
discord_message: str = notifier_message
if "discord" in config["full_message"]:
discord_message: str = (discord_message + "\n" + accent + "__Full event__" +
accent + parameters['e_full_event'] + '"')
else:
discord_message: str = discord_message + '"'
discord_command: str = discord_exec + discord_message
os.system(discord_command)
if "ntfy" in config["targets"]:
ntfy_notifier: str = '{0}/active-response/bin/wazuh-ntfy-notifier.py'.format(wazuh_path)
ntfy_exec: str = "python3 " + ntfy_notifier + " "
ntfy_message: str = notifier_message
# If the full message flag is set, the full message PLUS the closing parenthesis will be added
if "ntfy" in config["full_message"]:
ntfy_message: str = ntfy_message + "\n" + "Full event" + parameters['e_full_event'] + '"'
else:
ntfy_message: str = ntfy_message + '"'
ntfy_command: str = ntfy_exec + ntfy_message
os.system(ntfy_command)
if __name__ == "__main__":
main(sys.argv)

66
wazuh-discord-notifier.py
View File

@ -1,66 +0,0 @@
#!/usr/bin/env python3
# This script is free software.
#
# Copyright (C) 2024, Rudi Klein.
# All rights reserved.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#
# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing.
#
# Discord is a voice, video and text communication service used by over a hundred million people to hang out and talk
# with their friends and communities. It allows for receiving message using webhooks.
# For more information: https://discord.com.
import requests
from wazuh_notifier_module import color_mapping
from wazuh_notifier_module import get_arguments
from wazuh_notifier_module import get_config
from wazuh_notifier_module import get_env
from wazuh_notifier_module import set_environment
from wazuh_notifier_module import set_time
# Get path values
wazuh_path, ar_path, config_path, notifier_path = set_environment()
# Get time value
now_message, now_logging = set_time()
# Get some paths.
discord_url, ntfy_url = get_env()
# Get the yaml config
config: dict = get_config()
# the POST builder. Prepares https and sends the request.
def discord_command(n_url, n_sender, n_destination, n_priority, n_message, n_tags, n_click):
color = color_mapping(n_priority)
x_message = (now_message +
"\n\n" + n_message + "\n\n" +
"Priority: " + n_priority + "\n" +
"Tags: " + n_tags + "\n\n" + n_click
)
n_data = {"username": n_sender, "embeds": [{"color": color, "description": x_message, "title": n_destination}]}
requests.post(n_url, json=n_data)
# Remove 1st argument from the list of command line arguments
# argument_list: list = sys.argv[1:]
notifier = "discord"
url, sender, destination, priority, message, tags, click = get_arguments()
# Finally, execute the POST request
discord_command(discord_url, sender, destination, priority, message, tags, click)

31
wazuh-notifier-config.yaml
View File

@ -1,31 +0,0 @@
---
#start of yaml
# This is the yaml config file for both the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py.
# The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py
# COMMON (custom-wazuh-notifiers.py) configuration settings start here.
# 1 = messages will be sent through this message server. 0 = messages will NOT be sent through this message server.
targets: "discord,ntfy"
# Exclude rules that are listed in the ossec.conf active response definition.
excluded_rules: "5401, 5403"
excluded_agents: "999"
# Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)
notifier_priority_1: 12, 11, 10
notifier_priority_2: 9, 8
notifier_priority_3: 7, 6
notifier_priority_4: 5, 4
notifier_priority_5: 3 ,2, 1
sender: "Wazuh (IDS)"
click: "https://google.com"
#end of yaml
...

86
wazuh-notifier.py
View File

@ -1,86 +0,0 @@
#!/usr/bin/env python3
# This script is free software.
#
# Copyright (C) 2024, Rudi Klein.
# All rights reserved.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#
# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing.
#
# Discord is a voice, video and text communication service used by over a hundred million people to hang out and talk
# with their friends and communities. It allows for receiving message using webhooks.
# For more information: https://discord.com.
import json
import requests
from wazuh_notifier_module import get_arguments
from wazuh_notifier_module import get_env
from wazuh_notifier_module import get_yaml_config
from wazuh_notifier_module import set_environment
from wazuh_notifier_module import set_time
from wazuh_notifier_module import threat_priority_mapping
# Setup the environment
# Get time value
now_message, now_logging = set_time()
# Get .env values
discord_webhook, ntfy_webhook = get_env()
# Get path values
wazuh_path, ar_path, config_path = set_environment()
# the POST builders for the targets. Prepares https and sends the request.
def discord_command(url, sender, destination, priority, message, tags, click):
x_message = (now_message +
"\n\n" + message + "\n\n" +
"Priority: " + priority + "\n" +
"Tags: " + tags + "\n\n" + click
)
data = {"username": sender, "embeds": [{"description": x_message, "title": destination}]}
requests.post(url, json=data)
def ntfy_command(url, sender, destination, priority, message, tags, click):
header = ""
if sender != "": header = header + '"Title"' + ": " + '"' + sender + '"' + ", "
if tags != "": header = header + '"Tags"' + ": " + '"' + tags + '"' + ", "
if click != "": header = header + '"Click"' + ": " + '"' + click + '"' + ", "
if priority != "": header = header + '"Priority"' + ": " + '"' + priority + '"'
header = json.loads("{" + header + "}")
x_message = now_message + "\n\n" + message
# todo POST the request **** NEEDS future TRY ****
requests.post(url + destination, data=x_message, headers=header)
# Get the YAML config if any
config: dict = get_yaml_config()
# Get the command line arguments
if get_arguments() is None:
url, sender, destination, message, priority, tags, click = "", "", "", "", "", "", ""
else:
url, sender, destination, priority, message, tags, click = get_arguments()
# Get the threat level from the event (message)
threat_level = message[message.find('Threat level:') + 13:message.find('Threat level:') + 15].replace(" ", "")
# Get the mapping between threat level (event) and priority (Discord/ntfy)
threat_priority = threat_priority_mapping(threat_level, config.get('np_1'), config.get('np_2'),
config.get('np_3'), config.get('np_4'), config.get('np_5'))
# Finally, execute the POST request
# discord_command(discord_webhook, sender, destination, priority, message, tags, click)

100
wazuh-ntfy-notifier.py
View File

@ -1,100 +0,0 @@
#!/usr/bin/env python3
# This script is free software.
#
# Copyright (C) 2024, Rudi Klein.
# All rights reserved.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
#
# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing.
#
# ntfy (pronounced notify) is a simple HTTP-based pub-sub notification service.
# It allows you to send notifications to your phone or desktop via scripts from any computer, and/or using a REST API.
# It's infinitely flexible, and 100% free software. For more information: https://ntfy.sh.
import json
import sys
import requests
from wazuh_notifier_module import get_arguments as ga
from wazuh_notifier_module import get_yaml_config as yc
from wazuh_notifier_module import set_basic_defaults as bd
from wazuh_notifier_module import set_environment as se
from wazuh_notifier_module import set_time as st
from wazuh_notifier_module import threat_priority_mapping as tpm
# Get path values
wazuh_path, ar_path, config_path = se()
# Get time value
now_message, now_logging = st()
# the POST builder
def ntfy_command(n_server, n_sender, n_destination, n_priority, n_message, n_tags, n_click):
n_header = ""
if n_sender != "": n_header = n_header + '"Title"' + ": " + '"' + n_sender + '"' + ", "
if n_tags != "": n_header = n_header + '"Tags"' + ": " + '"' + n_tags + '"' + ", "
if n_click != "": n_header = n_header + '"Click"' + ": " + '"' + n_click + '"' + ", "
if n_priority != "": n_header = n_header + '"Priority"' + ": " + '"' + n_priority + '"'
n_header = json.loads("{" + n_header + "}")
x_message = now_message + "\n\n" + n_message
# todo POST the request **** NEEDS future TRY ****
requests.post(n_server + n_destination, data=x_message, headers=n_header)
# Remove 1st argument from the list of command line arguments
argument_list = sys.argv[1:]
# Short options
options: str = "u:s:d:p:m:t:c:hv"
# Long options
long_options: list = ["server=", "sender=", "destination=", "priority=", "message=", "tags=", "click", "help", "view"]
# Defining who I am
notifier = "ntfy"
# Retrieve the hard-coded basic defaults.
(d_server, d_sender, d_destination, d_priority, d_message, d_tags, d_click, d_notifier_priority_1,
d_notifier_priority_2, d_notifier_priority_3, d_notifier_priority_4, d_notifier_priority_5) = bd(notifier)
# Use the values from the config yaml if available. Overrides the basic defaults.
yc_args = [notifier, d_server, d_sender, d_destination, d_priority, d_message, d_tags, d_click, d_notifier_priority_1,
d_notifier_priority_2, d_notifier_priority_3, d_notifier_priority_4, d_notifier_priority_5]
(server, sender, destination, priority, message, tags, click, notifier_priority_1, notifier_priority_2,
notifier_priority_3, notifier_priority_4, notifier_priority_5) = yc(*yc_args)
# Get params during execution. Params found here, override minimal defaults and/or config settings.
# noinspection PyRedeclaration
a_sender, a_destination, a_message, a_priority, a_tags, a_click = ga(notifier, options, long_options)
if a_sender != '': sender = a_sender
if a_destination != '': destination = a_destination
if a_priority != "": priority = a_priority
if a_tags != "": tags = a_tags
if a_click != "": click = a_click
# Get the threat level from the message and map it to priority
threat_level = message[message.find('Threat level:') + 13:message.find('Threat level:') + 15].replace(" ", "")
# Get the mapping between threat level (event) and priority (Discord/ntfy)
# noinspection PyRedeclaration
priority = tpm(threat_level, notifier_priority_1, notifier_priority_2, notifier_priority_3,
notifier_priority_4, notifier_priority_5)
# Finally, execute the POST request
ntfy_command(server, sender, destination, priority, message, tags, click)

301
wazuh_notifier_module.py
View File

@ -1,301 +0,0 @@
import datetime
import getopt
import json
import os
import sys
import time
from os.path import join, dirname
from pathlib import PureWindowsPath, PurePosixPath
import yaml
from dotenv import load_dotenv
def set_environment() -> tuple:
# todo fix reference when running manually/in process
set_wazuh_path = "/home/rudi/pycharm"
# set_wazuh_path = os.path.abspath(os.path.join(__file__, "../../.."))
set_ar_path = '{0}/logs/active-responses.log'.format(set_wazuh_path)
set_config_path = '{0}/etc/wazuh-notify-config.yaml'.format(set_wazuh_path)
set_notifier_path = '{0}/active-response/bin'.format(set_wazuh_path)
return set_wazuh_path, set_ar_path, set_config_path, set_notifier_path
# Define paths: wazuh_path = wazuh root directory
# ar_path = active-responses.log path,
# config_path = wazuh-notifier-wazuh-notify-config.yaml
wazuh_path, ar_path, config_path, notifier_path = set_environment()
# Debug writer
def write_debug_file(ar_name, msg):
with open(ar_path, mode="a") as log_file:
ar_name_posix = str(PurePosixPath(PureWindowsPath(ar_name[ar_name.find("active-response"):])))
log_file.write(
str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name_posix + ": " + msg + "\n")
def get_env():
try:
dotenv_path = join(dirname(__file__), '.env')
load_dotenv(dotenv_path)
if not os.path.isfile(dotenv_path):
raise Exception(dotenv_path, "file not found")
# Retrieve url from .env
discord_url = os.getenv("DISCORD_URL")
ntfy_url = os.getenv("NTFY_URL")
except Exception as err:
# output error, and return with an error code
print(str(Exception(err.args)))
exit(err)
return discord_url, ntfy_url
# Set structured timestamp for logging and discord/ntfy message.
def set_time():
now_message = time.strftime('%a, %d %b %Y %H:%M:%S')
now_logging = time.strftime('%Y/%m/%d %H:%M:%S')
return now_message, now_logging
# Import configuration settings from wazuh-notify-config.yaml
def import_config():
try:
_, _, this_config_path, _ = set_environment()
with open(this_config_path, 'r') as ntfier_config:
config: dict = yaml.safe_load(ntfier_config)
return config
except (FileNotFoundError, PermissionError, OSError):
return None
# Process configuration settings from wazuh-notify-config.yaml
def get_config():
config = import_config()
config['np_5'] = config.get('np_1', [15, 14, 13, 12])
config['np_4'] = config.get('np_2', [11, 10, 9])
config['np_3'] = config.get('np_3', [8, 7, 6])
config['np_2'] = config.get('np_4', [5, 4])
config['np_1'] = config.get('np_5', [3, 2, 1, 0])
config['targets'] = config.get('targets', 'ntfy, discord')
config['excluded_rules'] = config.get('excluded_rules', '')
config['excluded_agents'] = config.get('excluded_agents', '')
config['sender'] = 'Wazuh (IDS)'
config['click'] = 'https://wazuh.org'
return config
# Show configuration settings from wazuh-notify-config.yaml
def view_config():
_, _, this_config_path, _ = set_environment()
try:
with open(this_config_path, 'r') as ntfier_config:
print(ntfier_config.read())
except (FileNotFoundError, PermissionError, OSError):
print(this_config_path + " does not exist or is not accessible")
return
# Logging the Wazuh active Response request
def ar_log():
now = set_time()
_, this_ar_path, _, _ = set_environment()
msg = '{0} {1} {2}'.format(now, os.path.realpath(__file__), 'Post JSON Alert')
f = open(this_ar_path, 'a')
f.write(msg + '\n')
f.close()
def threat_mapping(threat_level, np_1, np_2, np_3, np_4, np_5):
# Map threat level v/s priority
if threat_level in np_1:
priority_mapping = "1"
elif threat_level in np_2:
priority_mapping = "2"
elif threat_level in np_3:
priority_mapping = "3"
elif threat_level in np_4:
priority_mapping = "4"
elif threat_level in np_5:
priority_mapping = "5"
else:
priority_mapping = "3"
return priority_mapping
def color_mapping(priority):
# Map priority to color
if priority == 1:
priority_color = 0x339900
elif priority == 2:
priority_color = 0x99cc33
elif priority == 3:
priority_color = 0xffcc00
elif priority == 4:
priority_color = 0xff9966
elif priority == 5:
priority_color = 0xcc3300
else:
priority_color = 0xffcc00
return priority_color
def get_arguments():
# Get params during execution. Params found here, override minimal defaults and/or config settings.
# Short options
options: str = "u:s:p:m:t:c:hv"
# Long options
long_options: list = ["url=", "sender=", "destination=", "priority=", "message=", "tags=", "click=", "help",
"view"]
help_text: str = """
-u, --url is the url for the server, ending with a "/".
-s, --sender is the sender of the message, either an app name or a person.
-d, --destination is the NTFY subscription or Discord title, to send the message to.
-p, --priority is the priority of the message, ranging from 1 (lowest), to 5 (highest).
-m, --message is the text of the message to be sent.
-t, --tags is an arbitrary strings of tags (keywords), seperated by a "," (comma).
-c, --click is a link (URL) that can be followed by tapping/clicking inside the message.
-h, --help shows this help message. Must have no value argument.
-v, --view show config.
"""
url: str
sender: str
destination: str
message: str
priority: int
tags: str
click: str
url, sender, destination, message, priority, tags, click = "", "", "", "", 0, "", ""
argument_list: list = sys.argv[1:]
if not argument_list:
return url, sender, destination, message, priority, tags, click
else:
try:
# Parsing argument
arguments, values = getopt.getopt(argument_list, options, long_options)
# checking each argument
for current_argument, current_value in arguments:
if current_argument in ("-h", "--help"):
print(help_text)
exit()
elif current_argument in ("-v", "--view"):
view_config()
exit()
elif current_argument in ("-u", "--url"):
url: str = current_value
elif current_argument in ("-s", "--sender"):
sender: str = current_value
elif current_argument in ("-d", "--destination"):
destination: str = current_value
elif current_argument in ("-p", "--priority"):
priority: int = current_value
elif current_argument in ("-m", "--message"):
message: str = current_value
elif current_argument in ("-t", "--tags"):
tags: str = current_value
elif current_argument in ("-c", "--click"):
click: str = current_value
except getopt.error as err:
# output error, and return with an error code
print(str(err))
return url, sender, destination, message, priority, tags, click
def load_message(argv):
# get alert from stdin
input_str: str = ""
for line in sys.stdin:
input_str: str = line
break
data: json = json.loads(input_str)
if data.get("command") == "add":
return data
else:
# todo fix error message
sys.exit(1)
def parameters_deconstruct(argv, event_keys):
config: dict = get_config()
a_id: str = str(event_keys["agent"]["id"])
a_name: str = str(event_keys["agent"]["name"])
e_id: str = str(event_keys["rule"]["id"])
e_description: str = str(event_keys["rule"]["description"])
e_level: str = str(event_keys["rule"]["level"])
e_fired_times: str = str(event_keys["rule"]["firedtimes"])
e_full_event: str = str(json.dumps(event_keys, indent=4).replace('"', '')
.replace('{', '')
.replace('}', '')
.replace('[', '')
.replace(']', '')
)
if e_id not in config["excluded_rules"] or a_id not in config["excluded_agents"]:
parameters: dict = dict(a_id=a_id, a_name=a_name, e_id=e_id, e_description=e_description, e_level=e_level,
e_fired_times=e_fired_times, e_full_event=e_full_event)
return parameters
def construct_basic_message(argv, accent: str, a_id: str, a_name: str, e_id: str, e_description: str, e_level: str,
e_fired_times: str) -> str:
# Adding the BOLD text string to the Discord message. Ntfy has a different message format.
basic_message: str = ("--message " + '"' +
accent + "Agent: " + accent + a_name + " (" + a_id + ")" + "\n" +
accent + "Event id: " + accent + e_id + "\n" +
accent + "Description: " + accent + e_description + "\n" +
accent + "Threat level: " + accent + e_level + "\n" +
# Watch this last addition to the string. It should include the closing quote for the
# basic_message string. It must be closed by -> '"'. This will be done outside this function
# in order to enable another specific addition (event_full_message) in the calling procedure.
accent + "Times fired: " + accent + e_fired_times + "\n")
return basic_message