diff --git a/wazuh-notify-go/notification/discord.go b/wazuh-notify-go/notification/discord.go
index 372d8b2..aa46484 100644
--- a/wazuh-notify-go/notification/discord.go
+++ b/wazuh-notify-go/notification/discord.go
@@ -6,21 +6,43 @@ import ( "log" "net/http" "os" + "slices" "strconv" + "strings" "wazuh-notify/types" ) func SendDiscord(params types.Params) { - embedDescription := "\n\n" + - "**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" + - "**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" + - "**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" + - "**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" + - "**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) + - "\n\n" + - "Priority: " + strconv.Itoa(params.Priority) + "\n" + - "Tags: " + params.Tags + "\n\n" + - params.Click + + var embedDescription string + + if slices.Contains(strings.Split(params.FullMessage, ","), "discord") { + fullMessage, _ := json.MarshalIndent(params.WazuhMessage, "", " ") + fullMessageString := strings.ReplaceAll(string(fullMessage), `"`, "") + fullMessageString = strings.ReplaceAll(fullMessageString, "{", "") + fullMessageString = strings.ReplaceAll(fullMessageString, "}", "") + fullMessageString = strings.ReplaceAll(fullMessageString, "[", "") + fullMessageString = strings.ReplaceAll(fullMessageString, "]", "") + fullMessageString = strings.ReplaceAll(fullMessageString, " ,", "") + + embedDescription = "\n\n ```" + + fullMessageString + + "```\n\n" + + "Priority: " + strconv.Itoa(params.Priority) + "\n" + + "Tags: " + params.Tags + "\n\n" + + params.Click + } else { + embedDescription = "\n\n" + + "**Agent:** " + params.WazuhMessage.Parameters.Alert.Agent.Name + "\n" + + "**Event id:** " + params.WazuhMessage.Parameters.Alert.Rule.ID + "\n" + + "**Description:** " + params.WazuhMessage.Parameters.Alert.Rule.Description + "\n" + + "**Threat level:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Level) + "\n" + + "**Times fired:** " + strconv.Itoa(params.WazuhMessage.Parameters.Alert.Rule.Firedtimes) + + "\n\n" + + "Priority: " + 
strconv.Itoa(params.Priority) + "\n" + + "Tags: " + params.Tags + "\n\n" + + params.Click + } var color int diff --git a/wazuh-notify-go/services/filters.go b/wazuh-notify-go/services/filters.go new file mode 100644 index 0000000..8f630b3 --- /dev/null +++ b/wazuh-notify-go/services/filters.go @@ -0,0 +1,24 @@ +package services + +import ( + "os" + "strings" + "wazuh-notify/log" +) + +func Filter() { + for _, rule := range strings.Split(inputParams.ExcludedRules, ",") { + if rule == inputParams.WazuhMessage.Parameters.Alert.Rule.ID { + log.Log("rule excluded") + log.CloseLogFile() + os.Exit(0) + } + } + for _, agent := range strings.Split(inputParams.ExcludedAgents, ",") { + if agent == inputParams.WazuhMessage.Parameters.Alert.Agent.ID { + log.Log("agent excluded") + log.CloseLogFile() + os.Exit(0) + } + } +} diff --git a/wazuh-notify-go/services/init.go b/wazuh-notify-go/services/init.go index f6f14a7..df7fd29 100644 --- a/wazuh-notify-go/services/init.go +++ b/wazuh-notify-go/services/init.go @@ -56,6 +56,9 @@ func InitNotify() types.Params { log.Log(string(inputParamString)) inputParams.Targets = configParams.Targets + inputParams.FullMessage = configParams.FullMessage + inputParams.ExcludedAgents = configParams.ExcludedAgents + inputParams.ExcludedRules = configParams.ExcludedRules wazuhInput() @@ -73,6 +76,8 @@ func wazuhInput() { inputParams.WazuhMessage = wazuhData + Filter() + log.Log("Wazuh data loaded") inputParamString, _ := json.Marshal(inputParams) log.Log(string(inputParamString)) diff --git a/wazuh-notify-go/types/types.go b/wazuh-notify-go/types/types.go index 75a77e2..6293259 100644 --- a/wazuh-notify-go/types/types.go +++ b/wazuh-notify-go/types/types.go 
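Review bot: The new full-message branch drops the alert JSON into a Discord code fence ("\n\n ```" … "```\n\n"), but nothing neutralises a literal ``` inside a field value, and alert fields such as descriptions and log excerpts typically carry content from the monitored hosts, so such a value closes the fence early and the rest of the embed is rendered as markdown. The error from `json.MarshalIndent` is discarded with `_`, and `strings.Split(params.FullMessage, ",")` is whitespace-sensitive, so a config value like `"discord, ntfy"` silently falls back to the summary layout. The Priority/Tags/Click footer is duplicated in both branches; building it once and appending it keeps the two layouts from drifting. Discord also caps an embed description (4096 characters per its API documentation), which a whole alert can exceed — I cannot tell from this hunk whether the payload is truncated later. The rewrite below neutralises the fence delimiter, logs the marshal error, trims the target list and shares the footer; the bracket-stripping lines and the summary fields are unchanged, and `SendDiscord` continues past the hunk (`var color int` onward).
```go
func SendDiscord(params types.Params) {
	targets := strings.Split(params.FullMessage, ",")
	for i := range targets {
		targets[i] = strings.TrimSpace(targets[i])
	}
	footer := "\n\n" +
		"Priority: " + strconv.Itoa(params.Priority) + "\n" +
		"Tags: " + params.Tags + "\n\n" +
		params.Click

	var embedDescription string
	if slices.Contains(targets, "discord") {
		fullMessage, err := json.MarshalIndent(params.WazuhMessage, "", " ")
		if err != nil {
			log.Println("marshalling wazuh message for discord:", err)
		}
		fullMessageString := strings.ReplaceAll(string(fullMessage), `"`, "")
		// … unchanged: remaining ReplaceAll calls stripping { } [ ] and " ," …
		// Field values come from monitored hosts; a literal ``` would end the
		// code fence and let the remainder of the embed render as markdown.
		fullMessageString = strings.ReplaceAll(fullMessageString, "```", "'''")
		embedDescription = "\n\n ```" + fullMessageString + "```" + footer
	} else {
		embedDescription = "\n\n" +
			// … unchanged: Agent, Event id, Description, Threat level, Times fired lines …
			footer
	}
	// … unchanged: colour selection and the rest of SendDiscord …
```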
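Review bot: `Filter` compares each comma-split entry verbatim against `Rule.ID` and `Agent.ID`, so an entry with surrounding whitespace (`"5401, 5403"`, the form the config had before this commit) never matches and the exclusion silently stops applying; this commit's config hunk removes the space rather than making the code tolerant of it. An empty list splits to `[""]`, which would match an empty ID should `Rule.ID` or `Agent.ID` ever be empty — I cannot tell from here whether that happens, but skipping blank entries costs nothing. The function also terminates the process from a package-level helper that reads the global `inputParams`, which makes the matching impossible to exercise in a test; the rewrite below isolates it in a pure helper and keeps the exit behaviour and the project's `log` package unchanged.
```go
// excluded reports whether id appears in the comma-separated list. Entries are
// trimmed so "5401, 5403" and "5401,5403" behave the same, and blanks never match.
func excluded(list, id string) bool {
	for _, entry := range strings.Split(list, ",") {
		if entry = strings.TrimSpace(entry); entry != "" && entry == id {
			return true
		}
	}
	return false
}

func Filter() {
	alert := inputParams.WazuhMessage.Parameters.Alert
	if excluded(inputParams.ExcludedRules, alert.Rule.ID) {
		log.Log("rule excluded")
		log.CloseLogFile()
		os.Exit(0)
	}
	if excluded(inputParams.ExcludedAgents, alert.Agent.ID) {
		log.Log("agent excluded")
		log.CloseLogFile()
		os.Exit(0)
	}
}
```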
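Review bot: The `Filter()` call added in `wazuhInput` depends on `inputParams.ExcludedRules` and `ExcludedAgents` having been copied from the config in `InitNotify` (the -56 hunk does this just before calling `wazuhInput()`), but nothing at the call site says so, and a later reordering of `InitNotify` would silently disable the exclusions. A one-line comment would make the contract visible: `// Filter reads inputParams.Excluded* (set in InitNotify) and exits the process on a match.` Because `Filter` exits via `os.Exit`, the "Wazuh data loaded" log line and the parameter dump that follow never run for excluded alerts, which is presumably intended but worth stating. `wazuhInput`'s body starts and ends outside this hunk.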
@@ -1,18 +1,21 @@ package types type Params struct { - Url string - Sender string `yaml:"sender,omitempty"` - Priority int - Tags string - Click string `yaml:"click,omitempty"` - Targets string `yaml:"targets,omitempty"` - WazuhMessage WazuhMessage - Priority1 []int `yaml:"priority_1"` - Priority2 []int `yaml:"priority_2"` - Priority3 []int `yaml:"priority_3"` - Priority4 []int `yaml:"priority_4"` - Priority5 []int `yaml:"priority_5"` + Url string + Sender string `yaml:"sender,omitempty"` + Priority int + Tags string + Click string `yaml:"click,omitempty"` + Targets string `yaml:"targets,omitempty"` + FullMessage string `yaml:"full_message,omitempty"` + ExcludedRules string `yaml:"excluded_rules,omitempty"` + ExcludedAgents string `yaml:"excluded_agents,omitempty"` + WazuhMessage WazuhMessage + Priority1 []int `yaml:"priority_1"` + Priority2 []int `yaml:"priority_2"` + Priority3 []int `yaml:"priority_3"` + Priority4 []int `yaml:"priority_4"` + Priority5 []int `yaml:"priority_5"` } type Message struct { diff --git a/wazuh-notify-go/wazuh-notify-config.yaml b/wazuh-notify-go/wazuh-notify-config.yaml index 0721c5f..e3ea1f6 100644 --- a/wazuh-notify-go/wazuh-notify-config.yaml +++ b/wazuh-notify-go/wazuh-notify-config.yaml @@ -9,16 +9,16 @@ full_message: "discord,ntfy" # Exclude rules that are listed in the ossec.conf active response definition. -excluded_rules: "5401, 5403" +excluded_rules: "5401,5403" excluded_agents: "999" # Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification) -priority_5: [ 15,14,13,12 ] -priority_4: [ 11,10,9 ] -priority_3: [ 8,7,6 ] -priority_2: [ 5,4 ] -priority_1: [ 3,2,1,0 ] +priority_5: [15,14,13,12] +priority_4: [11,10,9] +priority_3: [8,7,6] +priority_2: [5,4] +priority_1: [3,2,1,0] sender: "Wazuh (IDS)" click: "https://google.com"
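Review bot: `FullMessage`, `ExcludedRules` and `ExcludedAgents` are added as comma-separated strings that every consumer splits itself, which is what makes the matching whitespace-sensitive and forced the config change elsewhere in this commit. Declaring them as `[]string` with the same yaml tags would let the YAML decoder produce the list (e.g. `excluded_rules: ["5401", "5403"]`) and remove the ad-hoc splitting entirely. If the string form is kept for compatibility, the fields should document the format, e.g. `// ExcludedRules is a comma-separated list of rule IDs; entries are compared verbatim, so no spaces after the comma.`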