Hello team,
I made a post on the Wazuh list but no one responded. I saw some relevant
information in my research in the OSSEC GitHub, so I thought I should post here.
Below is what I posted on the Wazuh List -
********
I am trying to understand how I can create an integration to an external
alert system via JSON/REST python script.
I have reviewed the existing Pagerduty, Slack and VirusTotal integration. I
tried creating a new file and copied all the relevant functions but that
did not work. Then I copied over my changes to the slack file and that
didn't work either. Wondering if there is any guidance / reference material
in the group here that I can review.
I would like to clear up that I am a noob coding enthusiast, so the issue is most
likely in my code, so I am looking for some help.
I am trying to post data to ServiceNOW dev instance for all Wazuh alerts
with Level 12 and above.
Here are my functions that I think will get the alerts from Wazuh to post
(at the correct severity). I want to add them to a working integration script
and post alerts to a ServiceNow development instance.
import base64
import json
import urllib2

# Target endpoint and credentials: REPLACE with the values for your own instance.
snowemurl = "https://REPLACE_ME"
snowemuser = "REPLACE_ME"
snowempassword = "REPLACE_ME"

def generate_msg(alert):
    level = alert['rule']['level']
    if level >= 12:
        msg = {}
        msg['source'] = "WAZUHPROBE"
        # these keys must exist in the alert JSON handed to the script;
        # a missing key raises KeyError
        msg['node'] = alert['src_ip']
        msg['type'] = alert['status']
        msg['resource'] = alert['program_name']
        # adding in a severity map.
        if level <= 5:
            snowsev = "0"
        elif level <= 10:
            snowsev = "4"
        elif level <= 12:
            snowsev = "3"
        elif level <= 14:
            snowsev = "2"
        else:  # level >= 15
            snowsev = "1"
        msg['severity'] = snowsev
        msg['metric_name'] = alert['system_name']
        msg['description'] = alert['full_log']
        agent = {"title": "Agent", "value": "({0}) - {1}".format(alert['agent']['id'], alert['agent']['name'])}
        location = {"title": "Location", "value": alert['location']}
        rule = {"title": "Rule ID", "value": "{0} _(Level {1})_".format(alert['rule']['id'], level)}
        # must be a list: the set literal {[ ... ]} raises TypeError (a list is unhashable)
        msg['additional_info'] = [agent, location, rule]
        msg['ci_identifier'] = ""
        msg['event_class'] = "Info Security Alert"
        msg['message_key'] = ""
        attach = {'attachments': [msg]}
        return json.dumps(attach)
    else:
        return None

def send_msg(msg):
    headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
    request = urllib2.Request(url=snowemurl, data=msg, headers=headers)
    # HTTP Basic auth uses standard base64 (b64encode), not the URL-safe alphabet
    base64string = base64.b64encode('%s:%s' % (snowemuser, snowempassword))
    request.add_header("Authorization", "Basic %s" % base64string)
    f = urllib2.urlopen(request)
    f.read()
    f.close()
But even with trying to maintain the same format and other existing
functions, I cannot get the script to work. I get errors in ossec.log
I am running Wazuh Version 2.1.1
******************************** end ********************************
I have since figured out that in the OSSEC original code, in the original Slack
integration, it looks like the authors are tailing
/var/ossec/logs/alerts/alerts.log. I tried running just the following via
console and it works, so I can use this to write a shell script with
curl to post JSON.
#!/bin/sh
# Change these values!
# SLACKUSER user who posts notifications
# CHANNEL which channel it should be posted
# SITE is the URL provided by the Slack's WebHook, something like:
# https://hooks.slack.com/services/TOKEN
SLACKUSER="Dat"
CHANNEL="test"
SITE="TestSite"
SOURCE="ossec2slack"

# Checking user arguments
if [ "x$1" = "xdelete" ]; then
    exit 0;
fi

ALERTID=$4
RULEID=$5
LOCAL=`dirname $0`;
ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`

# Logging
cd $LOCAL
cd ../
PWD=`pwd`
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log

ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`

# add the agent ID
ALERTFULL=`echo ${6}; echo ${ALERTFULL}`

PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}'

# Output
echo "**************** \n" >> ${PWD}/../logs/active-responses.log
echo "**************** \n" >> ${PWD}/../logs/active-responses.log
echo "****************\n" >> ${PWD}/../logs/active-responses.log
echo
echo "$PAYLOAD" >> ${PWD}/../logs/active-responses.log

exit 1;
I was wondering if there is a better way, or if anyone has some pointers to do
this in Java or Python in a way that is integrated in the OSSEC
configuration. I am trying to keep this all contained so it doesn't break
upon the next upgrade, or so changes are minimal during an upgrade.
Thanks in advance, and any help/guidance is much appreciated.
Thanks!
Dan
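A Python 3 version of the integration described in the post, added here as an example and not code from the poster or from the Wazuh project: it keeps only alerts at level 12 and above, maps the rule level to the poster's severity scale, and sends the payload with Basic auth. It assumes the Wazuh integration calling convention (alert file, api_key and hook_url as the three arguments), that api_key carries "user:password", and the srcip/agent/location field names in the alert JSON; it avoids the two defects in the posted snippet (a set literal around the additional_info list, and URL-safe base64 for the Basic credentials).

```python
import base64
import json
import sys
import urllib.request
# Added example, not the poster's code. Upper bound of each rule-level band ->
# severity string ("1" is most urgent); the scale and field names are assumptions.
SEVERITY_BANDS = ((5, "0"), (10, "4"), (12, "3"), (14, "2"))

def map_severity(level):
    for upper, sev in SEVERITY_BANDS:
        if level <= upper:
            return sev
    return "1"  # level 15 and above

def generate_msg(alert, min_level=12):
    rule = alert.get("rule", {})
    level = rule.get("level", 0)
    if level < min_level:
        return None  # below threshold: nothing to send
    agent = alert.get("agent", {})
    return {
        "source": "WAZUHPROBE",
        "node": alert.get("srcip", agent.get("ip", "unknown")),
        "severity": map_severity(level),
        "description": alert.get("full_log", rule.get("description", "")),
        "additional_info": [  # a list: a set literal of dicts would raise TypeError
            {"title": "Agent", "value": "(%s) %s" % (agent.get("id"), agent.get("name"))},
            {"title": "Location", "value": alert.get("location", "")},
            {"title": "Rule ID", "value": "%s (Level %d)" % (rule.get("id"), level)},
        ],
        "event_class": "Info Security Alert",
    }

def basic_auth_header(user, password):
    # RFC 7617 Basic credentials use standard base64, not the URL-safe alphabet
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def send_msg(payload, url, user, password):
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": basic_auth_header(user, password)}
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    # Wazuh runs integrations as: <script> <alert_file> <api_key> <hook_url>; api_key assumed "user:password"
    alert_file, api_key, hook_url = sys.argv[1:4]
    with open(alert_file) as fh:
        payload = generate_msg(json.load(fh))
    if payload:
        send_msg(payload, hook_url, *api_key.split(":", 1))
```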