diff --git a/wazuh-notify-go/notification/discord.go b/wazuh-notify-go/discord/discord.go
similarity index 90%
rename from wazuh-notify-go/notification/discord.go
rename to wazuh-notify-go/discord/discord.go
index 910a405..734bf5f 100644
--- a/wazuh-notify-go/notification/discord.go
+++ b/wazuh-notify-go/discord/discord.go
@@ -1,4 +1,4 @@
-package notification
+package discord
 import (
 "bytes"
@@ -16,10 +16,10 @@ func SendDiscord(params types.Params) {
 "**Tags:** " + params.Tags + "\n\n" +
 params.General.Click
-message := types.DiscordMessage{
+message := DiscordMessage{
 Username: params.General.Sender,
 Content: params.Mention,
-Embeds: []types.Embed{
+Embeds: []Embed{
 {
 Title: params.General.Sender,
 Description: embedDescription,
diff --git a/wazuh-notify-go/types/discord.go b/wazuh-notify-go/discord/types.go
similarity index 95%
rename from wazuh-notify-go/types/discord.go
rename to wazuh-notify-go/discord/types.go
index cd3f1fb..dbaa586 100644
--- a/wazuh-notify-go/types/discord.go
+++ b/wazuh-notify-go/discord/types.go
@@ -1,4 +1,4 @@
-package types
+package discord
 type DiscordMessage struct {
 Username string `json:"username,omitempty"`
diff --git a/wazuh-notify-go/main.go b/wazuh-notify-go/main.go
index 1be83a6..ab6c2b2 100644
--- a/wazuh-notify-go/main.go
+++ b/wazuh-notify-go/main.go
@@ -4,7 +4,9 @@ import (
 "strings"
 "wazuh-notify/log"
 "wazuh-notify/notification"
+"wazuh-notify/ntfy"
 "wazuh-notify/services"
+"wazuh-notify/slack"
 )
 func main() {
@@ -17,10 +19,10 @@ func main() {
 notification.SendDiscord(inputParams)
 case "ntfy":
 log.Log(target)
-notification.SendNtfy(inputParams)
+ntfy.SendNtfy(inputParams)
 case "slack":
 log.Log(target)
-notification.SendSlack(inputParams)
+slack.SendSlack(inputParams)
 }
 }
 log.CloseLogFile()
diff --git a/wazuh-notify-go/notification/ntfy.go b/wazuh-notify-go/ntfy/ntfy.go
similarity index 97%
rename from wazuh-notify-go/notification/ntfy.go
rename to wazuh-notify-go/ntfy/ntfy.go
index f8332e9..d6a0dfd 100644
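Review bot: `message := DiscordMessage{` and `Embeds: []Embed{` now live in `package discord`, so every caller reads them as `discord.DiscordMessage` and calls `discord.SendDiscord`, which repeats the package name; Go convention drops the stutter, e.g. `Message` and `Send` (`Embed` is fine as is). Since this commit already moves the types out of `types`, renaming them in the same change keeps the churn in one place, and the same applies to `SlackMessage`/`SendSlack` in the slack.go hunks and `SendNtfy` in ntfy.go. The body of SendDiscord continues outside this hunk.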
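Review bot: `notification.SendDiscord(inputParams)` (context line at the top of the second main.go hunk) still resolves through the `notification` package, but this commit moves notification/discord.go into `package discord`, and the import block in the first main.go hunk adds `"wazuh-notify/ntfy"` and `"wazuh-notify/slack"` without `"wazuh-notify/discord"`. Unless some file left in notification/ still defines SendDiscord, this no longer compiles. Add `"wazuh-notify/discord"` to the import block and change the call to `discord.SendDiscord(inputParams)`; if nothing else references it, `"wazuh-notify/notification"` can be dropped in the same edit. The body of main starts before the hunk.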
--- a/wazuh-notify-go/notification/ntfy.go
+++ b/wazuh-notify-go/ntfy/ntfy.go
@@ -1,4 +1,4 @@
-package notification
+package ntfy
 import (
 "net/http"
diff --git a/wazuh-notify-go/ntfy/types.go b/wazuh-notify-go/ntfy/types.go
new file mode 100644
index 0000000..19634d4
--- /dev/null
+++ b/wazuh-notify-go/ntfy/types.go
@@ -0,0 +1 @@
+package ntfy
diff --git a/wazuh-notify-go/notification/slack.go b/wazuh-notify-go/slack/slack.go
similarity index 91%
rename from wazuh-notify-go/notification/slack.go
rename to wazuh-notify-go/slack/slack.go
index 524e4de..3aa6f4c 100644
--- a/wazuh-notify-go/notification/slack.go
+++ b/wazuh-notify-go/slack/slack.go
@@ -1,4 +1,4 @@
-package notification
+package slack
 import (
 "bytes"
@@ -12,7 +12,7 @@ import (
 func SendSlack(params types.Params) {
-message := types.SlackMessage{
+message := SlackMessage{
 Text: services.BuildMessage(params, "slack", params.MarkdownEmphasis.Slack) +
 "*Tags:* " + params.Tags + "\n\n" +
 params.General.Click,
diff --git a/wazuh-notify-go/types/slack.go b/wazuh-notify-go/slack/types.go
similarity index 82%
rename from wazuh-notify-go/types/slack.go
rename to wazuh-notify-go/slack/types.go
index c986f98..cca8e79 100644
--- a/wazuh-notify-go/types/slack.go
+++ b/wazuh-notify-go/slack/types.go
@@ -1,4 +1,4 @@
-package types
+package slack
 type SlackMessage struct {
 Text string `json:"text,omitempty"`
diff --git a/wazuh-notify-go/types/ntfy.go b/wazuh-notify-go/types/ntfy.go
deleted file mode 100644
index ab1254f..0000000
--- a/wazuh-notify-go/types/ntfy.go
+++ /dev/null
@@ -1 +0,0 @@
-package types
diff --git a/wazuh-notify-go/types/types.go b/wazuh-notify-go/types/params.go
similarity index 100%
rename from wazuh-notify-go/types/types.go
rename to wazuh-notify-go/types/params.go
diff --git a/wazuh-notify-go/wazuh-notify-config.toml b/wazuh-notify-go/wazuh-notify-config.toml
new file mode 100644
index 0000000..6aeb34c
--- /dev/null
+++ b/wazuh-notify-go/wazuh-notify-config.toml
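Review bot: The new ntfy/types.go holds only `package ntfy`; an otherwise empty file is easy to mistake for a lost edit, and it mirrors the just-deleted types/ntfy.go that was equally empty. Either drop it until ntfy has a message type of its own, or make it the package's doc file with a comment such as `// Package ntfy implements the ntfy notification target of wazuh-notify.` so the file carries something a reader can use.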
@@ -0,0 +1,84 @@
+#############################################################################################################
+# This is the TOML config file for wazuh-notify (active response) for both the Python and Go implementation #
+#############################################################################################################
+
+[general]
+# Platforms in this string with comma seperated values are triggered.
+targets = "slack, ntfy, discord"
+
+# Platforms in this string will enable sending the full event information.
+full_alert = ""
+
+# Exclude rule events that are enabled in the ossec.conf active response definition.
+# These settings provide an easier way to disable events from firing the notifiers.
+excluded_rules = "99999, 00000"
+excluded_agents = "99999"
+
+# The next 2 settings are used to add information to the messages.
+sender = "Wazuh (IDS)"
+click = "https://documentation.wazuh.com/"
+
+# Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications) and their respective colors (Discord)
+# https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html
+# Enter threat_map as lists of integers, mention_threshold as integer and color as Hex integer
+[[priority_map]]
+threat_map = [15, 14, 13, 12]
+mention_threshold = 1
+notify_threshold = 1
+color = 0xec3e40 # Red, SEVERE
+
+[[priority_map]]
+threat_map = [11, 10, 9]
+mention_threshold = 1
+notify_threshold = 1
+color = 0xff9b2b # Orange, HIGH
+
+[[priority_map]]
+threat_map = [8, 7, 6]
+mention_threshold = 5
+notify_threshold = 5
+color = 0xf5d800 # Yellow, ELEVATED
+
+[[priority_map]]
+threat_map = [5, 4]
+mention_threshold = 20
+notify_threshold = 5
+color = 0x377fc7 # Blue, GUARDED
+
+[[priority_map]]
+threat_map = [3, 2, 1, 0]
+mention_threshold = 20
+notify_threshold = 5
+color = 0x01a465 # Green, LOW
+
+################ End of priority mapping ##################################
+
+# Following parameter defines the markdown characters to emphasise the parameter names in the notification messages
+[markdown_emphasis]
+slack = "*"
+ntfy = "**"
+discord = "**"
+
+##################################################################################
+# From here on the settings are ONLY used by the Python version of wazuh-notify. #
+##################################################################################
+
+[python]
+
+# The next settings are used for testing and troubleshooting.
+
+# Test mode will add the example event in wazuh-notify-test-event.json instead of the message received through wazuh.
+# This enables testing for particular events when the test event is customized.
+test_mode = true
+
+# Enabling this parameter provides more logging to the wazuh-notifier log.
+extended_logging = 2
+
+# Enabling this parameter provides extended logging to the console.
+extended_print = 2
+
+# Below settings provide for a window that enable/disables events from firing the notifiers.
+excluded_days = ""
+
+# Enter as a tuple of string values. Be aware of your regional settings.
+excluded_hours = ["23:59", "00:00"]
diff --git a/wazuh-notify-go/wazuh-notify-config.yaml b/wazuh-notify-go/wazuh-notify-config.yaml
deleted file mode 100644
index f4013ff..0000000
--- a/wazuh-notify-go/wazuh-notify-config.yaml
+++ /dev/null
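Review bot: `test_mode = true` ships enabled in the `[python]` section; per the comment two lines above it, that substitutes the bundled wazuh-notify-test-event.json for the event received from Wazuh, so an operator who installs this file unchanged keeps receiving notifications, for the canned event, while live alerts are not delivered and nothing looks broken. Ship `test_mode = false` and keep the comment to explain flipping it for troubleshooting; the section header says the Go version ignores these keys, so the exposure is the Python notifier. The comments on `extended_logging = 2` and `extended_print = 2` describe the settings as something you "enable", yet the values are integers, so the comment should state which levels are accepted and what each adds. Also `seperated` in the `targets` comment should read `separated`.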
@@ -1,49 +0,0 @@
----
-#start of yaml
-
-
-# This is the yaml config file for both the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py.
-# The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py
-
-targets: "discord,ntfy,slack"
-full_message: "ntfy"
-
-# Exclude rules that are listed in the ossec.conf active response definition.
-
-excluded_rules: "5401,5403"
-excluded_agents: "999"
-
-# Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification)
-# Discord mention after x amount of event fired times
-
-priority_map:
-
-  - threat_map: [15,14,13,12]
-    mention_threshold: 1
-    color: 0xcc3300
-
-  - threat_map: [11,10,9]
-    mention_threshold: 1
-    color: 0xff9966
-
-  - threat_map: [8,7,6]
-    mention_threshold: 5
-    color: 0xffcc00
-
-  - threat_map: [5,4]
-    mention_threshold: 5
-    color: 0x99cc33
-
-  - threat_map: [3,2,1,0]
-    mention_threshold: 5
-    color: 0x339900
-
-
-sender: "Wazuh (IDS)"
-click: "https://google.com"
-
-
-#end of yaml
-...
-
-
-