From 09eb6b13bd99962b956034f33759b213a640c38c Mon Sep 17 00:00:00 2001 From: Rudi Klein Date: Thu, 23 May 2024 17:32:58 +0200 Subject: [PATCH] improved installation doc --- Writerside/topics/Tutorial.md | 49 ----- Writerside/topics/Wazuh-notifier.md | 300 ++++++++++++++++++---------- 2 files changed, 196 insertions(+), 153 deletions(-) delete mode 100644 Writerside/topics/Tutorial.md diff --git a/Writerside/topics/Tutorial.md b/Writerside/topics/Tutorial.md deleted file mode 100644 index 1ced58f..0000000 --- a/Writerside/topics/Tutorial.md +++ /dev/null @@ -1,49 +0,0 @@ -# Tutorial - -Tutorials are learning-oriented articles that help users to go through a process and achieve a deliverable. -Start with an introduction: for whom is this tutorial and what the reader will achieve by reading it. -Answer the question: "Why should I follow this?" - -Provide a short outline for the tutorial. -In this tutorial, you will learn how to: -* Do this -* Deal with that - -## Before you start - -List the prerequisites that are required or recommended. - -Make sure that: -- First prerequisite -- Second prerequisite - -## Part 1 - -Describe what the user will learn and accomplish in the first part, -then write a step-by-step procedure but on a real-world example. - -1. Execute the following command in the terminal: - - ```bash - run this --that - ``` - -2. Step with a [link](https://www.jetbrains.com) - -3. Final step in part 1. - -## Part 2 - -This is the second part of the tutorial: - -1. Step 1 -2. Step 2 -3. Step n - -## What you've learned {id="what-learned"} - -Summarize what the reader achieved by completing this tutorial. - - - - diff --git a/Writerside/topics/Wazuh-notifier.md b/Writerside/topics/Wazuh-notifier.md index 77af421..22996e6 100644 --- a/Writerside/topics/Wazuh-notifier.md +++ b/Writerside/topics/Wazuh-notifier.md 
@@ -1,178 +1,264 @@ # Wazuh notify -Wazuh notifier enables the Wazuh manager to be notified when selected events occur, using 3 messaging platforms: ntfy.sh, Discord and Slack. +## Table of Contents -## Contents +- [Introduction](#introduction) +- [Installation](#installation) +- [Configuration](#configuration) +- [The YAML configuration](#the-yaml-configuration) -There are 2 implementations of Wazuh notify. One written in Golang and the other in Python. Both implementations have similar functionality, but the Python version is slightly more configurable. -Wazuh notify is a stateless implementation and only notifies, triggered by selected rules. +## Introduction + +Wazuh notifier enables the Wazuh manager to be notified when selected events occur, using 3 messaging platforms: +ntfy.sh, Discord and Slack. + +There are 2 implementations of Wazuh notify. One written in Golang and the other in Python. Both implementations have +similar functionality, but the Python version is slightly more configurable. + +Wazuh notify is a stateless implementation and only notifies, triggered by selected rules, agents, or threat levels. Wazuh notify is triggered by configuring the **ossec.conf** and adding an **active response configuration.** -## Installation ## +## Installation -### Step 1 ### +### Step 1: download Download the files from https://github.com/kleinprojects/wazuh-notify to your server. 
-### Step 2 ### +### Step 2: copy files + +#### _Python_ {id="python_1"} + +##### Copy the 2 Python scripts to the /var/ossec/active-response/bin/ folder -#### Python #### -Copy the 2 Python scripts to the /var/ossec/active-response/bin/ folder ``` -$ cp /wazuh-*.py /var/ossec/active-response/bin/ +$ sudo cp /wazuh-*.py /var/ossec/active-response/bin/ ``` -Set the correct ownership -``` -$ chown root:wazuh /var/ossec/active-response/bin/wazuh-notify.py -$ chown root:wazuh /var/ossec/active-response/bin/wazuh_notify_module.py -``` -Set the correct permissions -``` -$ chmod uog+rx /var/ossec/active-response/bin/wazuh-notify.py -$ chmod uog+rx /var/ossec/active-response/bin/wazuh_notify_module.py -``` -#### Golang #### -Copy the Go executable to the /var/ossec/active-response/bin/ folder +##### Set the correct ownership {id="set-the-correct-ownership_1"} + +``` +$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh-notify.py +$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh_notify_module.py +``` + +##### Set the correct permissions {id="set-the-correct-permissions_1"} + +``` +$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh-notify.py +$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh_notify_module.py +``` + +#### _Golang_ {id="golang_1"} + +##### Copy the Go executable to the /var/ossec/active-response/bin/ folder + ``` -$ cp /wazuh-notify /var/ossec/active-response/bin/ -``` -Set the correct ownership -``` -$ chown root:wazuh /var/ossec/active-response/bin/wazuh-notify -``` -Set the correct permissions -``` -$ chmod uog+rx /var/ossec/active-response/bin/wazuh-notify +$ sudo cp /wazuh-notify /var/ossec/active-response/bin/ ``` -### Step 3 ### -Copy the YAML file to /var/ossec/etc/ +##### the correct ownership {id="set-the-correct-ownership_2"} + ``` -$ cp /wazuh-notify-config.yaml /var/ossec/etc/ +$ sudo chown root:wazuh /var/ossec/active-response/bin/wazuh-notify ``` -Set the correct ownership +##### Set the correct permissions 
{id="set-the-correct-permissions_2"} + ``` -$ chown root:wazuh /var/ossec/etc/wazuh-notify-config.yaml +$ sudo chmod uog+rx /var/ossec/active-response/bin/wazuh-notify ``` -Set the correct permissions +### Step 3 + +##### Copy the YAML file to /var/ossec/etc/ + ``` -$ chmod uog+r /var/ossec/etc/wazuh-notify-config.yaml +$ sudo cp /wazuh-notify-config.yaml /var/ossec/etc/ ``` -### Step 4 ### +##### Set the correct ownership {id="set-the-correct-ownership_3"} -#### for Golang #### +``` +$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.yaml +``` + +##### Set the correct permissions {id="set-the-correct-permissions_3"} + +``` +$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.yaml +``` + +### Step 4 + +##### Create an .env file in /var/ossec/etc/ + +``` +$ sudo touch /var/ossec/etc/.env +``` + +#### Set the correct ownership {id="set-the-correct-ownership_4"} + +``` +$ sudo chown root:wazuh /var/ossec/etc/wazuh-notify-config.yaml +``` + +#### Set the correct permissions {id="set-the-correct-permissions_4"} + +``` +$ sudo chmod uog+r /var/ossec/etc/wazuh-notify-config.yaml +``` + +## Configuration + +#### Golang {id="golang_2"} Modify the /var/ossec/etc/ossec.conf configuration file and add the following
-``` - - wazuh-notify-go - wazuh-notify - yes - -``` + +Command section ``` - - wazuh-notify-go - server - - - -``` -#### for Python #### -``` - - wazuh-notify-py - wazuh-notify.py - yes - + +wazuh-notify-go +wazuh-notify +yes + ``` -``` - - wazuh-notify-py - server - - - -``` -NOTE: The `````` in the `````` section needs to be the same as the `````` in the `````` section. -The `````` section describes the program that is executed. The `````` section describes the trigger that runs the ``````. +Active response section -Add the rules you want to be informed about between the ``````, with the rules id's separated by comma's. +``` + +wazuh-notify-go +server + + + +``` + +#### Python {id="python_2"} + +Command section + +``` + +wazuh-notify-py +wazuh-notify.py +yes + +``` + +Active response section + +``` + +wazuh-notify-py +server + + + +``` + +### NOTE: + +The `````` in the `````` section needs to be the same as the `````` in +the `````` section. +The `````` section describes the program that is executed. The `````` section describes the +trigger that runs the ``````. + +Add the rules you want to be informed about between the ``````, with the rules id's separated by +comma's. Example: ```5402, 3461, 8777
``` (Please refer to the Wazuh online documentation for more information [^Wazuh docs]) [^Wazuh docs]: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html - -## The YAML configuration ## +## The YAML configuration This is the yaml config file for wazuh-active-response (for both the Python and Go version) -Platforms in this string with comma separated values are triggered. +The targets setting defines the platforms where notifications will be sent to. +Platforms in this comma-separated string will receive notifications. + ``` -targets: "slack, ntfy, discord" +targets: "slack, ntfy, discord" ``` -Platforms in this string will enable the sending of the full event information. + +Platforms in this comma-separated string will receive the full event information. + ``` -full_message: "" +full_message: "" ``` -Exclude rule events that are enabled in the ossec.conf active response definition. + +Exclude_rules and excluded_agents will disable notification for these particular events or agents that are enabled in +the ossec.conf active response definition. These settings provide an easier way to disable events from firing. No need to restart Wazuh-manager. + +Enter rule numbers as a string with comma-separated values. +Enter numeric agent id's as a string with comma-separated values. + ``` -excluded_rules: "99999, 00000" # Rule numbers. Enter as a string with comma separated values -excluded_agents: "99999" # Numeric agent id. Enter as a string with comma separated values +excluded_rules: "99999, 00000" +excluded_agents: "99999" ``` -Priority mapping from 0-15 (Wazuh threat levels) to 1-5 (in notifications). -https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html -Enter the values for the threat_map as lists of integers, mention_thresholds as integers and colors as Hex integers -The mention_threshold, combined with the number of times a rule is fired, will force a mention to the recipient. 
+ +There is a mapping from Wazuh threat levels (0-15) to priorities (1-5) in notifications. +https://documentation.wazuh.com/current/user-manual/ruleset/rules-classification.html +Enter the values for the threat_map as lists of integers, mention_thresholds as integers and colors as Hex integers. +The mention_threshold, relates to the number of times a rule has been fired. When the times fired is equal to or greater +than the mention_threshold, the recipient will receive a Discord mention in addition to the normal message. This is a list notation. + ``` priority_map: - threat_map: [ 15,14,13,12 ] - mention_threshold: 1 - color: 0xcc3300 +mention_threshold: 1 +color: 0xcc3300 - threat_map: [ 11,10,9 ] - mention_threshold: 1 - color: 0xff9966 +mention_threshold: 1 +color: 0xff9966 - threat_map: [ 8,7,6 ] - mention_threshold: 5 - color: 0xffcc00 +mention_threshold: 5 +color: 0xffcc00 - threat_map: [ 5,4 ] - mention_threshold: 20 - color: 0x99cc33 +mention_threshold: 20 +color: 0x99cc33 - threat_map: [ 3,2,1,0 ] - mention_threshold: 20 - color: 0x339900 +mention_threshold: 20 +color: 0x339900 ``` + The next 2 settings are used to add information to the messages. +Sender translate to the ``` username ``` field in Discord and to the ```title``` field in ntfy.sh. It is not used for +Slack. +Click adds an arbitrary URL to the message. + ``` sender: "Wazuh (IDS)" click: "https://documentation.wazuh.com/" ``` -### From here on the settings are ONLY used by the Python version of wazuh-notify. ### + +### From here on the settings are ONLY used by the Python version of wazuh-notify. Below settings provide for a window that enable/disables events from firing the notifiers. Enter ```excluded_days``` as a string with comma separated values. Be aware of your regional settings. + ``` excluded_days: "" ``` + Enter ```excluded_hours``` as a tuple of string values. Be aware of your regional settings. 
+ ``` -excluded_hours: [ "23:59", "00:00" ] +excluded_hours: [ "23:59", "00:00" ] ``` -The following parameters define the markdown characters used to emphasise the parameter names in the notification messages (Markdown style) +The following parameters define the markdown characters used to emphasise the parameter names in the notification +messages (Markdown style) This is a dictionary (object) notation. + ``` markdown_emphasis: slack: "*" @@ -180,20 +266,26 @@ ntfy: "**" discord: "**" ``` -The next settings are used for testing. -Test mode will add an example event contained in wazuh-notify-test-event.json instead of the message received through Wazuh. -Changing this value to ```True``` enables testing for particular events when the test event is customized. +The next settings are used for testing purposes. + +Test mode will add an example event (wazuh-notify-test-event.json) instead of the message received through Wazuh. +This enables testing for particular events when the test event is customized. + ``` test_mode: False ``` -Setting this parameter provides more logging to the wazuh-notifier log. Possible values are -0 (almost no logging), -1 (basic logging) and + +Setting this parameter provides more logging to the wazuh-notifier log. Possible values are +0 (almost no logging), +1 (basic logging) and 2 (verbose logging) + ``` extended_logging: 2 ``` + Enabling this parameter provides extended logging to the console (see extended logging). + ``` extended_print: 0 ```
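Review bot: the deletion of Writerside/topics/Tutorial.md removes only the topic file; the stat line shows no change to any other file, so if the Writerside topic tree still lists Tutorial.md the documentation build will break on this commit. Either include the tree/config change here or confirm nothing references the topic. Dropping the file is otherwise right: it is the untouched JetBrains starter text ("Do this", "Deal with that", a link to www.jetbrains.com) and says nothing about wazuh-notify.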
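Review bot: Step 4 in the first Wazuh-notifier.md hunk is wrong: it creates /var/ossec/etc/.env with `sudo touch`, but the ownership and permission commands that follow still operate on /var/ossec/etc/wazuh-notify-config.yaml, copied over from Step 3, so the new file keeps whatever mode touch gave it. Point both commands at /var/ossec/etc/.env, and because a .env file normally holds the messaging-platform secrets, give it a mode that is not world-readable (root:wazuh with `chmod 640` rather than `uog+r`); the step should also say which keys the file is expected to contain, which the page never states. Smaller points in the same hunk: the copy commands read from `/wazuh-*.py`, `/wazuh-notify` and `/wazuh-notify-config.yaml`, i.e. the filesystem root, instead of the directory the files were downloaded into in Step 1; the Golang ownership heading reads "##### the correct ownership" (missing "Set"); Step 3 has no title while Steps 1 and 2 do; and the ownership/permission headings under Step 4 drop to `####` while every other one is `#####`. In the YAML section the `mention_threshold` and `color` lines under each `- threat_map:` entry appear to have lost their indentation in the new version; if that is in the file and not only in how it renders here, the priority_map example no longer parses as YAML. Lastly, `excluded_hours` is described as "a tuple of string values" while the example is a YAML list, so "list" would match the wording used for threat_map.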
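Review bot: the test_mode paragraph in the second Wazuh-notifier.md hunk should say where wazuh-notify-test-event.json is read from (the hunk names the file but not its directory, and none of the installation steps copies it) and warn that while `test_mode: True` every active-response trigger sends the canned event instead of the real one, so a manager left in test mode reports nothing about actual alerts; a one-line "leave this False in production" would cover it. Also, "(see extended logging)" after extended_print points at a section that does not exist; if extended_print takes the same 0/1/2 values as extended_logging, say so in place of the cross-reference.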