Discord Alert
Pertama, menambahkan file konfigurasi pada /var/ossec/integrations/.
Terdapat 2 pilihan custom-discord, yaitu:
- Dengan Log
- Tanpa Log
Dengan Log
#!/usr/bin/env python
# Copyright (C) 2015, Wazuh Inc.
# March 13, 2018.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
import json
import sys
import time
import os
try:
import requests
from requests.auth import HTTPBasicAuth
except Exception as e:
print("No module 'requests' found. Install: pip install requests")
sys.exit(1)
# ossec.conf configuration:
# <integration>
# <name>slack</name>
# <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
# <alert_format>json</alert_format>
# </integration>
# Global vars
# Global vars
# Set from argv[4] == 'debug' in the __main__ block; debug() below logs
# unconditionally, so this flag currently has no effect.
debug_enabled = False
# Integration root: the script lives in <root>/integrations/, so strip the
# file name and then the integrations/ directory.
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
json_alert = {}
# Timestamp prefixed to every log line; fixed once at start-up, not per call.
now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
# Set paths
log_file = '%s/logs/integrations.log' % pwd
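def main(args):
    """Entry point for one alert: read the alert file and post it to Discord.

    Args:
        args: ``sys.argv`` as passed by the integration daemon; ``args[1]``
            is the path of the JSON alert file and ``args[3]`` the Discord
            webhook URL (the ``hook_url`` from ossec.conf).

    Raises:
        OSError: if the alert file cannot be opened.
        ValueError: if the alert file is not valid JSON.
        KeyError: propagated from generate_msg() when a required alert
            field is missing.
    """
    debug("# Starting")
    # Read args
    alert_file_location = args[1]
    webhook = args[3]
    debug("# Webhook")
    # NOTE(review): the webhook URL is a secret (anyone holding it can post
    # to the channel) and debug() writes it to integrations.log; keep that
    # log readable only by the wazuh group.
    debug(webhook)
    debug("# File location")
    debug(alert_file_location)
    # Load alert. Parse JSON object. Alert files are UTF-8 JSON regardless of
    # the daemon's locale, so pin the encoding instead of using the default.
    with open(alert_file_location, encoding="utf-8") as alert_file:
        alert = json.load(alert_file)
    debug("# Processing alert")
    debug(alert)
    debug("# Generating message")
    msg = generate_msg(alert)
    debug(msg)
    debug("# Sending message")
    send_msg(msg, webhook)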
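def debug(msg):
    """Append *msg* to the integrations log and echo it to stdout.

    Logging is unconditional in this variant: ``deb`` is hard-coded to True,
    so the module-level ``debug_enabled`` (set from argv in ``__main__``) is
    not consulted here.

    Args:
        msg: Any object with a str() form; it is prefixed with the start-up
            timestamp and terminated with a newline.
    """
    # debug log
    deb = True
    if deb:
        line = "{0}: {1}\n".format(now, msg)
        print(line)
        # The with-block closes the handle even when write() raises, which
        # the plain open()/close() pair did not guarantee.
        with open(log_file, "a") as log:
            log.write(line)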
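# Discord embed character limits; a payload exceeding them is rejected with
# HTTP 400, so the alert is never delivered.
_TITLE_MAX = 256
_DESCRIPTION_MAX = 4096
_FIELD_VALUE_MAX = 1024
_FOOTER_MAX = 2048


def _clip(text, limit):
    """Return str(text) cut to *limit* characters, marking the cut with '...'."""
    text = "{}".format(text)
    if len(text) <= limit:
        return text
    return text[:limit - 3] + "..."


def generate_msg(alert):
    """Build the JSON body of the Discord webhook request for one alert.

    Args:
        alert: Decoded Wazuh alert. ``rule.level``, ``rule.id``,
            ``rule.description`` and ``location`` are required; ``agent.name``
            is required unless the alert carries an ``agentless`` key;
            ``full_log`` is optional and becomes the embed footer.

    Returns:
        The serialized ``{"embeds": [...]}`` payload as a str.

    Raises:
        KeyError: if a required alert field is missing.
    """
    # save the rule level
    level = alert['rule']['level']
    # compare rules level to set colors of the alert (decimal RGB, kept as a
    # string exactly as the original payload sent it)
    if level <= 4:
        # green
        color = "3731970"
    elif level <= 12:
        # yellow
        color = "15919874"
    else:
        # red
        color = "15870466"
    if 'agentless' in alert:
        agent_ = 'agentless'
    else:
        agent_ = alert['agent']['name']
    # Field text comes straight from the monitored logs, i.e. from whoever can
    # write to them, so clip every value to Discord's limits rather than let
    # one long line make the whole alert undeliverable.
    embed = {
        "title": _clip("Wazuh Alert - Rule {}".format(alert['rule']['id']), _TITLE_MAX),
        "color": "{}".format(color),
        "description": _clip(alert['rule']['description'], _DESCRIPTION_MAX),
        "fields": [
            {"name": "Agent", "value": _clip(agent_, _FIELD_VALUE_MAX), "inline": True},
            {"name": "Location", "value": _clip(alert['location'], _FIELD_VALUE_MAX), "inline": True},
            {"name": "Rule Level", "value": _clip(alert['rule']['level'], _FIELD_VALUE_MAX), "inline": True},
        ],
    }
    # Not every alert carries full_log; the original raised KeyError here.
    # footer.text is a required field of the footer object, so omit the
    # footer entirely instead of sending an empty one.
    full_log = alert.get('full_log')
    if full_log:
        embed["footer"] = {"text": _clip(full_log, _FOOTER_MAX)}
    # data that the webhook will receive and use to display the alert in discord chat
    payload = json.dumps({"embeds": [embed]})
    return payload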
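def send_msg(msg, url, timeout=10):
    """POST the prepared JSON payload to the Discord webhook.

    Args:
        msg: JSON string produced by generate_msg().
        url: Discord webhook URL (the hook_url from ossec.conf).
        timeout: Seconds to wait for connect/read. Without a timeout a
            stalled webhook endpoint would block the integration indefinitely.

    The response object is written to the debug log only; HTTP errors are
    not raised here, so check integrations.log when alerts do not arrive.
    """
    headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
    res = requests.post(url, data=msg, headers=headers, timeout=timeout)
    debug(res)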
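if __name__ == "__main__":
    try:
        # Read arguments: argv[1] alert file, argv[2] is passed by the daemon
        # but unused here, argv[3] hook URL, optional argv[4] == 'debug'.
        bad_arguments = False
        if len(sys.argv) >= 4:
            msg = '{0} {1} {2} {3} {4}'.format(
                now,
                sys.argv[1],
                sys.argv[2],
                sys.argv[3],
                sys.argv[4] if len(sys.argv) > 4 else '',
            )
            debug_enabled = (len(sys.argv) > 4 and sys.argv[4] == 'debug')
        else:
            msg = '{0} Wrong arguments'.format(now)
            bad_arguments = True
        # Logging the call. The hook URL in argv[3] lands in this log line,
        # so integrations.log must stay restricted to the wazuh group.
        with open(log_file, 'a') as f:
            f.write(msg + '\n')
        if bad_arguments:
            debug("# Exiting: Bad arguments.")
            sys.exit(1)
        # Main function
        main(sys.argv)
    except Exception as e:
        # Log the failure first; it is re-raised below so the daemon sees a
        # non-zero exit instead of a silently dropped alert.
        debug(str(e))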
        raise
Tanpa Log
#!/usr/bin/env python
# Copyright (C) 2015, Wazuh Inc.
# March 13, 2018.
#
# This program is free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
import json
import sys
import time
import os
try:
import requests
from requests.auth import HTTPBasicAuth
except Exception as e:
print("No module 'requests' found. Install: pip install requests")
sys.exit(1)
# ossec.conf configuration:
# <integration>
# <name>slack</name>
# <hook_url>https://hooks.slack.com/services/XXXXXXXXXXXXXX</hook_url>
# <alert_format>json</alert_format>
# </integration>
# Global vars
# Global vars
# Set from argv[4] == 'debug' in the __main__ block; debug() below logs
# unconditionally, so this flag currently has no effect.
debug_enabled = False
# Integration root: the script lives in <root>/integrations/, so strip the
# file name and then the integrations/ directory.
pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
json_alert = {}
# Timestamp prefixed to every log line; fixed once at start-up, not per call.
now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
# Set paths
log_file = '%s/logs/integrations.log' % pwd
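def main(args):
    """Entry point for one alert: read the alert file and post it to Discord.

    Args:
        args: ``sys.argv`` as passed by the integration daemon; ``args[1]``
            is the path of the JSON alert file and ``args[3]`` the Discord
            webhook URL (the ``hook_url`` from ossec.conf).

    Raises:
        OSError: if the alert file cannot be opened.
        ValueError: if the alert file is not valid JSON.
        KeyError: propagated from generate_msg() when a required alert
            field is missing.
    """
    debug("# Starting")
    # Read args
    alert_file_location = args[1]
    webhook = args[3]
    debug("# Webhook")
    # NOTE(review): the webhook URL is a secret (anyone holding it can post
    # to the channel) and debug() writes it to integrations.log; keep that
    # log readable only by the wazuh group.
    debug(webhook)
    debug("# File location")
    debug(alert_file_location)
    # Load alert. Parse JSON object. Alert files are UTF-8 JSON regardless of
    # the daemon's locale, so pin the encoding instead of using the default.
    with open(alert_file_location, encoding="utf-8") as alert_file:
        alert = json.load(alert_file)
    debug("# Processing alert")
    debug(alert)
    debug("# Generating message")
    msg = generate_msg(alert)
    debug(msg)
    debug("# Sending message")
    send_msg(msg, webhook)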
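def debug(msg):
    """Append *msg* to the integrations log and echo it to stdout.

    Logging is unconditional in this variant: ``deb`` is hard-coded to True,
    so the module-level ``debug_enabled`` (set from argv in ``__main__``) is
    not consulted here.

    Args:
        msg: Any object with a str() form; it is prefixed with the start-up
            timestamp and terminated with a newline.
    """
    # debug log
    deb = True
    if deb:
        line = "{0}: {1}\n".format(now, msg)
        print(line)
        # The with-block closes the handle even when write() raises, which
        # the plain open()/close() pair did not guarantee.
        with open(log_file, "a") as log:
            log.write(line)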
def generate_msg(alert):
    """Serialize one Wazuh alert as a Discord webhook payload (single embed).

    This "Tanpa Log" variant sends title, colour, rule description and three
    inline fields; the raw ``full_log`` is deliberately not included.

    Args:
        alert: Decoded Wazuh alert; ``rule.level``, ``rule.id``,
            ``rule.description`` and ``location`` are required, ``agent.name``
            unless the alert carries an ``agentless`` key.

    Returns:
        The ``{"embeds": [...]}`` payload as a JSON string.

    Raises:
        KeyError: if a required alert field is missing.
    """
    rule = alert['rule']
    level = rule['level']
    # Embed colour by severity (decimal RGB as a string): green up to 4,
    # yellow 5-12, red otherwise.
    if level <= 4:
        color = "3731970"
    elif 5 <= level <= 12:
        color = "15919874"
    else:
        color = "15870466"
    agent_name = 'agentless' if 'agentless' in alert else alert['agent']['name']
    field_values = [
        ("Agent", agent_name),
        ("Location", alert['location']),
        ("Rule Level", rule['level']),
    ]
    # Body the webhook renders in the channel; key order matters for the
    # serialized string, so keep title, color, description, fields.
    embed = {
        "title": "Wazuh Alert - Rule {}".format(rule['id']),
        "color": "{}".format(color),
        "description": "{}".format(rule['description']),
        "fields": [
            {"name": name, "value": "{}".format(value), "inline": True}
            for name, value in field_values
        ],
    }
    return json.dumps({"embeds": [embed]})
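def send_msg(msg, url, timeout=10):
    """POST the prepared JSON payload to the Discord webhook.

    Args:
        msg: JSON string produced by generate_msg().
        url: Discord webhook URL (the hook_url from ossec.conf).
        timeout: Seconds to wait for connect/read. Without a timeout a
            stalled webhook endpoint would block the integration indefinitely.

    The response object is written to the debug log only; HTTP errors are
    not raised here, so check integrations.log when alerts do not arrive.
    """
    headers = {'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
    res = requests.post(url, data=msg, headers=headers, timeout=timeout)
    debug(res)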
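if __name__ == "__main__":
    try:
        # Read arguments: argv[1] alert file, argv[2] is passed by the daemon
        # but unused here, argv[3] hook URL, optional argv[4] == 'debug'.
        bad_arguments = False
        if len(sys.argv) >= 4:
            msg = '{0} {1} {2} {3} {4}'.format(
                now,
                sys.argv[1],
                sys.argv[2],
                sys.argv[3],
                sys.argv[4] if len(sys.argv) > 4 else '',
            )
            debug_enabled = (len(sys.argv) > 4 and sys.argv[4] == 'debug')
        else:
            msg = '{0} Wrong arguments'.format(now)
            bad_arguments = True
        # Logging the call. The hook URL in argv[3] lands in this log line,
        # so integrations.log must stay restricted to the wazuh group.
        with open(log_file, 'a') as f:
            f.write(msg + '\n')
        if bad_arguments:
            debug("# Exiting: Bad arguments.")
            sys.exit(1)
        # Main function
        main(sys.argv)
    except Exception as e:
        # Log the failure first; it is re-raised below so the daemon sees a
        # non-zero exit instead of a silently dropped alert.
        debug(str(e))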
        raise
Salin file slack menjadi custom-discord dan buat file custom-discord.py seperti di atas.
Kedua, menambahkan konfigurasi pada /var/ossec/etc/ossec.conf
/var/ossec/etc/ossec.conf
<integration>
<name>custom-discord</name>
<hook_url>API DISCORD</hook_url>
<level>7</level>
<alert_format>json</alert_format>
</integration>
Tambahan untuk konfigurasi di atas:
<group>suricata,sysmon</group>
<level>12</level>
<rule_id>1299,1300</rule_id>
Ketiga, mengubah file permission di dalam /var/ossec/integrations/
chmod 750 custom-*
chown root:wazuh custom-*
Keempat, menambahkan block file untuk test alert discord pada /var/ossec/etc/ossec.conf
touch /var/log/test.log
/var/ossec/etc/ossec.conf
<localfile>
<location>/var/log/test.log</location>
<log_format>syslog</log_format>
</localfile>
Kelima, membuat rule baru khusus untuk memantik alert discord kita pada /var/ossec/etc/rules/local_rules.xml
/var/ossec/etc/rules/local_rules.xml
<rule id="119999" level="12">
<regex>^test$</regex>
<description>Test rule to configure integration</description>
</rule>
Keenam, memulai ulang Wazuh dan memantik alert Discord.
/var/ossec/bin/wazuh-control restart
echo "test" >> /var/log/test.log