From f6bd69c4f5f5ea7904196fd3695b25e1bfd7bb16 Mon Sep 17 00:00:00 2001
From: Rudi Klein
Date: Mon, 29 Apr 2024 19:28:48 +0200
Subject: [PATCH] after fix
---
 custom-active-response.py | 55 ++++++++++++++++++++++++++++----------
 wazuh-notifier-config.yaml | 2 +-
 wazuh_notifier_lib.py | 2 +-
 3 files changed, 43 insertions(+), 16 deletions(-)
diff --git a/custom-active-response.py b/custom-active-response.py
index 59bfbbb..52b7439 100755
--- a/custom-active-response.py
+++ b/custom-active-response.py
@@ -1,22 +1,33 @@
-#!/usr/bin/python3
-# Copyright (C) 2015-2022, Wazuh Inc.
-# All rights reserved.
+#!/usr/bin/env python3
-# This program is free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation.
+
+# This script is adapted version of the Python active response script sample, provided by Wazuh, in the documentation:
+# https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html)
+# It is provided under the below copyright statement:
+#
+# Copyright (C) 2015-2022, Wazuh Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+#
+# This version has changes in
+# 1) the first lines of code with the assignments, and
+# 2) the Start Custom Action Add section
+# This version is free software. Rudi Klein, april 2024
 import os
 import sys
 import json
 import datetime
 from pathlib import PureWindowsPath, PurePosixPath
+from wazuh_notifier_lib import set_env as se
+from wazuh_notifier_lib import set_time as st
+from wazuh_notifier_lib import import_config as ic
-if os.name == 'nt':
- LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
-else:
- LOG_FILE = "/var/ossec/logs/active-responses.log"
+wazuh_path, ar_path, config_path = se()
 ADD_COMMAND = 0
 DELETE_COMMAND = 1
@@ -33,7 +44,7 @@ class message:
 def write_debug_file(ar_name, msg):
- with open(LOG_FILE, mode="a") as log_file:
+ with open(ar_path, mode="a") as log_file:
 ar_name_posix = str(PurePosixPath(PureWindowsPath(ar_name[ar_name.find("active-response"):])))
 log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name_posix + ": " + msg +"\n")
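Review bot: The removed `os.name == 'nt'` branch is not replaced: `ar_path` now comes from `set_env()`, which (per the wazuh_notifier_lib.py hunk in this same patch) builds `'{0}/logs/active-responses.log'` relative to `__file__` with POSIX separators, so a Windows agent would no longer log to the `ossec-agent\active-response` path the old code used. If Windows agents are out of scope, a comment next to the assignment would stop the next reader re-adding the branch, e.g. `# Linux agents only: log and config paths are derived from the install root by set_env()`. `set_time as st` and `config_path` are not referenced in the hunks shown; if the rest of the file does not use them either, the import and the unused name should go. The second hunk in `write_debug_file` only consumes the same `ar_path` and needs nothing further.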
@@ -144,8 +155,24 @@ def main(argv):
 """ Start Custom Action Add """
- with open("ar-test-result.txt", mode="a") as test_file:
- test_file.write("Active response triggered by rule ID: <" + str(keys) + ">\n")
+ if 1 == 1:
+
+ discord_notifier = '{0}/active-response/bin/wazuh-discord-notifier.py'.format(wazuh_path)
+ discord_exec = "python3 " + discord_notifier + " "
+ write_debug_file(argv[0], "Start Discord notifier")
+ discord_params = "--message " + '"' + str(keys) + '"'
+ discord_command = discord_exec + discord_params
+ os.system(discord_command)
+
+
+ if str(ic("discord_enabled")) == "1":
+
+ ntfy_notifier = '{0}/active-response/bin/wazuh-ntfy-notifier.py'.format(wazuh_path)
+ ntfy_exec = "python3 " + ntfy_notifier + " "
+ write_debug_file(argv[0], "Start NTFY notifier")
+ ntfy_params = "-d __KleinTest --message " + '"' + str(keys) + '"'
+ ntfier_command = ntfy_exec + ntfy_params
+ os.system(ntfier_command)
 """ End Custom Action Add """
diff --git a/wazuh-notifier-config.yaml b/wazuh-notifier-config.yaml
index 22c3698..d29e81b 100755
--- a/wazuh-notifier-config.yaml
+++ b/wazuh-notifier-config.yaml
@@ -28,7 +28,7 @@ ntfy_enabled: 1
 ntfy_server: "https://ntfy.sh/"
 ntfy_sender: "Wazuh (IDS)"
-ntfy_destination: "none"
+ntfy_destination: "__KleinTest"
 ntfy_priority: "5"
 ntfy_message: "Test message"
 ntfy_tags: "information, testing, yaml"
diff --git a/wazuh_notifier_lib.py b/wazuh_notifier_lib.py
index ec51953..70c81d3 100755
--- a/wazuh_notifier_lib.py
+++ b/wazuh_notifier_lib.py
@@ -19,7 +19,7 @@ def set_env():
 wazuh_path = os.path.abspath(os.path.join(__file__, "../../.."))
 ar_path = '{0}/logs/active-responses.log'.format(wazuh_path)
- config_path = 'wazuh-notifier-config.yaml'.format(wazuh_path)
+ config_path = '{0}/etc/wazuh-notifier-config.yaml'.format(wazuh_path)
 return wazuh_path, ar_path, config_path
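Review bot: `os.system(discord_command)` and `os.system(ntfier_command)` hand the agent's shell a string into which `str(keys)` is spliced between double quotes; `keys` is assigned outside this hunk, but the removed line labels it the triggering rule ID, i.e. a value taken from the alert, and a `"`, `$(...)` or backtick in it would be interpreted by the shell rather than delivered as text. Passing an argument list to `subprocess.run(...)` with the default `shell=False` keeps the value as a single argv element and removes the hand-built quoting altogether; this needs `import subprocess` beside the other imports in the first hunk. Separately, the Discord block runs unconditionally under `if 1 == 1:` while the ntfy block is gated on `ic("discord_enabled")`, which looks like a copy-paste slip given that the config changed in this patch carries `ntfy_enabled`, and the hard-coded `-d __KleinTest` duplicates the `ntfy_destination` value also set here, so it can come from `ic("ntfy_destination")` instead. The enclosing `main(argv)` starts and ends outside the hunk.
```python
    """ Start Custom Action Add """
    if str(ic("discord_enabled")) == "1":
        discord_notifier = '{0}/active-response/bin/wazuh-discord-notifier.py'.format(wazuh_path)
        write_debug_file(argv[0], "Start Discord notifier")
        # Argument list, no shell: the alert-derived value is one argv element and
        # is never re-parsed, so no quoting is needed.
        subprocess.run(["python3", discord_notifier, "--message", str(keys)], check=False)

    if str(ic("ntfy_enabled")) == "1":
        ntfy_notifier = '{0}/active-response/bin/wazuh-ntfy-notifier.py'.format(wazuh_path)
        write_debug_file(argv[0], "Start NTFY notifier")
        subprocess.run(["python3", ntfy_notifier, "-d", str(ic("ntfy_destination")),
                        "--message", str(keys)], check=False)
    """ End Custom Action Add """
```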
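Review bot: The new `config_path` line builds the path with `'{0}/etc/...'.format(wazuh_path)` while the line above it obtains `wazuh_path` through `os.path.join`/`os.path.abspath`; as a point of style, one convention for the whole function is easier to read and audit, e.g. `config_path = os.path.join(wazuh_path, "etc", "wazuh-notifier-config.yaml")` and likewise `ar_path = os.path.join(wazuh_path, "logs", "active-responses.log")`. The fix itself is sound: the old `'wazuh-notifier-config.yaml'.format(wazuh_path)` had no placeholder, so the argument was silently discarded and the file was resolved against the current working directory. The start of `set_env()` appears to be outside the hunk.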