From 4e6dfd6b76a5a5108eae172acf39e9abb87bda96 Mon Sep 17 00:00:00 2001
From: Rudi Klein <rudi.klein@rudiklein.nl>
Date: Sat, 4 May 2024 22:24:42 +0200
Subject: [PATCH] docs

---
 Writerside/c.list                   |   6 ++
 Writerside/cfg/buildprofiles.xml    |  12 +++
 Writerside/notifier.tree            |  11 +++
 Writerside/topics/Tutorial.md       |  49 +++++++++++
 Writerside/topics/Wazuh-notifier.md | 126 ++++++++++++++++++++++++++++
 Writerside/v.list                   |   5 ++
 Writerside/writerside.cfg           |   8 ++
 7 files changed, 217 insertions(+)
 create mode 100644 Writerside/c.list
 create mode 100644 Writerside/cfg/buildprofiles.xml
 create mode 100644 Writerside/notifier.tree
 create mode 100644 Writerside/topics/Tutorial.md
 create mode 100644 Writerside/topics/Wazuh-notifier.md
 create mode 100644 Writerside/v.list
 create mode 100644 Writerside/writerside.cfg

diff --git a/Writerside/c.list b/Writerside/c.list
new file mode 100644
index 0000000..c4c77a2
--- /dev/null
+++ b/Writerside/c.list
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE categories
+        SYSTEM "https://resources.jetbrains.com/writerside/1.0/categories.dtd">
+<categories>
+    <category id="wrs" name="Writerside documentation" order="1"/>
+</categories>
\ No newline at end of file
diff --git a/Writerside/cfg/buildprofiles.xml b/Writerside/cfg/buildprofiles.xml
new file mode 100644
index 0000000..39ea138
--- /dev/null
+++ b/Writerside/cfg/buildprofiles.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<buildprofiles xsi:noNamespaceSchemaLocation="https://resources.jetbrains.com/writerside/1.0/build-profiles.xsd"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <variables></variables>
+    <build-profile instance="notifier">
+        <variables>
+            <noindex-content>false</noindex-content>
+        </variables>
+    </build-profile>
+
+</buildprofiles>
diff --git a/Writerside/notifier.tree b/Writerside/notifier.tree
new file mode 100644
index 0000000..3da815d
--- /dev/null
+++ b/Writerside/notifier.tree
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE instance-profile
+        SYSTEM "https://resources.jetbrains.com/writerside/1.0/product-profile.dtd">
+
+<instance-profile id="notifier"
+                 name="notifier"
+                 start-page="Wazuh-notifier.md">
+
+    <toc-element topic="Wazuh-notifier.md"/>
+    <toc-element topic="Tutorial.md"/>
+</instance-profile>
\ No newline at end of file
diff --git a/Writerside/topics/Tutorial.md b/Writerside/topics/Tutorial.md
new file mode 100644
index 0000000..1ced58f
--- /dev/null
+++ b/Writerside/topics/Tutorial.md
@@ -0,0 +1,49 @@
+# Tutorial
+
+Tutorials are learning-oriented articles that help users to go through a process and achieve a deliverable.
+Start with an introduction: for whom is this tutorial and what the reader will achieve by reading it.
+Answer the question: "Why should I follow this?"
+
+Provide a short outline for the tutorial.
+In this tutorial, you will learn how to:
+* Do this
+* Deal with that
+
+## Before you start
+
+List the prerequisites that are required or recommended.
+
+Make sure that:
+- First prerequisite
+- Second prerequisite
+
+## Part 1
+
+Describe what the user will learn and accomplish in the first part,
+then write a step-by-step procedure but on a real-world example.
+
+1. Execute the following command in the terminal:
+
+   ```bash
+    run this --that
+   ```
+
+2. Step with a [link](https://www.jetbrains.com)
+
+3. Final step in part 1.
+
+## Part 2
+
+This is the second part of the tutorial:
+
+1. Step 1
+2. Step 2
+3. Step n
+
+## What you've learned {id="what-learned"}
+
+Summarize what the reader achieved by completing this tutorial.
+
+<seealso>
+<!--Give some related links to how-to articles-->
+</seealso>
diff --git a/Writerside/topics/Wazuh-notifier.md b/Writerside/topics/Wazuh-notifier.md
new file mode 100644
index 0000000..16b890c
--- /dev/null
+++ b/Writerside/topics/Wazuh-notifier.md
@@ -0,0 +1,126 @@
+# Wazuh notifier
+
+Wazuh notifier enables the Wazuh manager to be notified when selected events occur.
+
+## Contents
+
+The main script is a custom active response Python script: wazuh-active-response.py.<br/>
+The actual sending of the messages is done by 2 notifier Python scripts:<br/>
+**Discord notifier**: wazuh-discord-notifier.py, and **NTFY.sh notifier**: wazuh-ntfy-notifier.py<br/>
+A YAML configuration: wazuh-notifier-config.yaml, and a Python module: wazuh_notifier_lib.py
+
+Wazuh notifier is a stateless implementation and only notifies, using the Discord and/or NTFY.sh messaging services.
+
+The Wazuh notifier is triggered by configuring the **ossec.conf** and adding an **active response configuration.**
+
+## Installation ##
+
+### Step 1 ###
+
+Download the files from https://github.com/RudiKlein/wazuh-notifier to your server.
+
+### Step 2 ###
+
+Copy the 4 Python files to the /var/ossec/active-response/bin/ folder
+
+``` 
+$ cp <folder contaning downloaded Wazuh notifier files>/wazuh-*.py /var/ossec/active-response/bin/
+```
+
+Set the correct ownership
+
+```
+$ chown root:wazuh /var/ossec/active-response/bin/wazuh-*.py
+```
+
+Set the correct permissions
+
+```
+$ chmod uog+rx /var/ossec/active-response/bin/wazuh-*.py
+```
+
+### Step 3 ###
+
+Copy the YAML file to /var/ossec/etc/
+
+```
+$ cp <folder contaning downloaded Wazuh notifier files>/wazuh-notifier-config.yaml /var/ossec/etc/
+```
+
+Set the correct ownership
+
+```
+$ chown root:wazuh /var/ossec/etc/wazuh-notifier-config.yaml
+```
+
+Set the correct permissions
+
+```
+$ chmod uog+r /var/ossec/etc/wazuh-notifier-config.yaml
+```
+
+### Step 4 ###
+
+Modify the ossec.conf configuration file and add the following<br/>
+
+```
+  <command>
+    <name>wazuh-active-response</name>
+    <executable>wazuh-active-response.py</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+```
+
+```
+  <active-response>
+    <command>wazuh-active-response</command>
+    <location>server</location>
+    <level></level>
+    <rules_id></rules_id>
+  </active-response>
+```
+
+Add the rules you want to be informed about between the <rules_id></rules_id>, with the rules id's seperated by comma's.
+Example: <rules_id>5402, 3461, 8777</rules_id><br/>
+(Please refer to the Wazuh online documentation for more information [^Wazuh docs])
+
+[^Wazuh docs]: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html
+
+## The Active Response module ##
+
+The wazuh-active-response.py acts as the interface between Wazuh and the messaging notifiers for Discord and ntfy.
+It is based on the example active response Python script in the [^Wazuh docs].
+
+## The Discord notifier ##
+
+## The ntfy.sh notifier ##
+
+## The YAML configuration ##
+
+**Enable/disable the notifiers**<br/>
+
+```
+discord_enabled: 1 (0 if not set in the yaml configuration)
+ntfy_enabled: 1  (0 if not set in the yaml configuration)
+```
+
+**Exclude rules that are enabled in the ossec.conf active response definition.**<br/>
+This prevents the need to alter the ossec.conf for temporary rule disabling and stopping/starting wazuh-manager.
+Additionally, agents can also be excluded from notifications.
+
+```
+excluded_rules: "5401, 5402, 5403"
+excluded_agents: "999"
+```
+
+Default settings for the ntfy notifier. This overrules the hardcoded defaults.
+
+```
+ntfy_server: "https://ntfy.sh/"
+ntfy_sender: "Wazuh (IDS)"
+ntfy_destination: "__KleinTest"
+ntfy_priority: "5"
+ntfy_message: "Test message"
+ntfy_tags: "information, testing, yaml"
+ntfy_click: "https://google.com"
+```
\ No newline at end of file
diff --git a/Writerside/v.list b/Writerside/v.list
new file mode 100644
index 0000000..2d12cb3
--- /dev/null
+++ b/Writerside/v.list
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE vars SYSTEM "https://resources.jetbrains.com/writerside/1.0/vars.dtd">
+<vars>
+    <var name="product" value="Writerside"/>
+</vars>
diff --git a/Writerside/writerside.cfg b/Writerside/writerside.cfg
new file mode 100644
index 0000000..3e5b483
--- /dev/null
+++ b/Writerside/writerside.cfg
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE ihp SYSTEM "https://resources.jetbrains.com/writerside/1.0/ihp.dtd">
+
+<ihp version="2.0">
+    <topics dir="topics" web-path="topics"/>
+    <images dir="images" web-path="images"/>
+    <instance src="notifier.tree"/>
+</ihp>
\ No newline at end of file