diff --git a/test.go b/test.go deleted file mode 100644 index 7bfc947..0000000 --- a/test.go +++ /dev/null @@ -1,11 +0,0 @@ -package main - -import ( - "fmt" - "os" -) - -func main() { - fmt.Println("hier") - os.Stderr.Write([]byte("hier2")) -} diff --git a/wazuh-active-response.py b/wazuh-active-response.py deleted file mode 100755 index 8e54941..0000000 --- a/wazuh-active-response.py +++ /dev/null @@ -1,128 +0,0 @@ -#!/usr/bin/env python3 - -# This script is adapted version of the Python active response script sample, provided by Wazuh, in the documentation: -# https://documentation.wazuh.com/current/user-manual/capabilities/active-response/custom-active-response-scripts.html -# It is provided under the below copyright statement: -# -# Copyright (C) 2015-2022, Wazuh Inc. -# All rights reserved. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -# -# This adapted version is free software. Rudi Klein, april 2024 - -import os -import sys - -from wazuh_notifier_module import construct_basic_message -from wazuh_notifier_module import get_config -from wazuh_notifier_module import parameters_deconstruct -from wazuh_notifier_module import set_environment -from wazuh_notifier_module import threat_mapping - -# Path variable assignments - -wazuh_path, ar_path, config_path, notifier_path = set_environment() - - -def main(argv): - - # validate json and get command - - # data = load_message(argv) - # This example event can be used for troubleshooting. Comment out the line above and uncomment the line below. - data: dict = {"version": 1, "origin": {"name": "worker01", "module": "wazuh-execd"}, "command": "add", - "parameters": {"extra_args": [], "alert": {"timestamp": "2021-02-01T20:58:44.830+0000", - "rule": {"level": 15, - "description": "Shellshock attack detected", - "id": "31168", "mitre": {"id": ["T1068", "T1190"], - "tactic": [ - "Privilege Escalation", - "Initial Access"], - "technique": [ - "Exploitation for Privilege Escalation", - "Exploit Public-Facing Application"]}, - "info": "CVE-2014-6271https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271", - "firedtimes": 2, "mail": "true", - "groups": ["web", "accesslog", "attack"], - "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], - "nist_800_53": ["SI.4"], - "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"]}, - "agent": {"id": "000", "name": "wazuh-server"}, - "manager": {"name": "wazuh-server"}, - "id": "1612213124.6448363", - "full_log": "192.168.0.223 - - [01/Feb/2021:20:58:43 +0000] \"GET / HTTP/1.1\" 200 612 \"-\" \"() { :; }; /bin/cat /etc/passwd\"", - "decoder": {"name": "web-accesslog"}, - "data": {"protocol": "GET", "srcip": "192.168.0.223", - "id": "200", "url": "/"}, - "location": "/var/log/nginx/access.log"}, - "program": "/var/ossec/active-response/bin/firewall-drop"}} - - alert = data["parameters"]["alert"] - - # Get the threat level from the event (message) - threat_level = data["parameters"]["alert"]["rule"]["level"] - - parameters: dict = parameters_deconstruct(argv, alert) - - # Get the YAML config if any - config: dict = get_config() - - # Get the mapping between threat level (event) and priority (Discord/ntfy) - threat_priority = threat_mapping(threat_level, config.get('np_1'), config.get('np_2'), - config.get('np_3'), config.get('np_4'), config.get('np_5')) - - if "discord" in config["targets"]: - accent: str = "**" - elif "ntfy" in config["targets"]: - accent: str = "" - else: - accent: str = "" - - notifier_message: str = construct_basic_message(argv, accent, - parameters.get('a_id', '000'), - parameters.get('a_name', 'agent not found'), - parameters.get('e_id', '9999'), - parameters.get('e_description', 'Event not found'), - parameters.get('e_level', '9999'), - parameters.get('e_fired_times', '3') - ) - - if "discord" in config["targets"]: - - discord_notifier: str = '{0}/active-response/bin/wazuh-discord-notifier.py'.format(wazuh_path) - discord_exec: str = "python3 " + discord_notifier + " " - - discord_message: str = notifier_message - - if "discord" in config["full_message"]: - discord_message: str = (discord_message + "\n" + accent + "__Full event__" + - accent + parameters['e_full_event'] + '"') - else: - discord_message: str = discord_message + '"' - - discord_command: str = discord_exec + discord_message - os.system(discord_command) - - if "ntfy" in config["targets"]: - - ntfy_notifier: str = '{0}/active-response/bin/wazuh-ntfy-notifier.py'.format(wazuh_path) - ntfy_exec: str = "python3 " + ntfy_notifier + " " - ntfy_message: str = notifier_message - - # If the full message flag is set, the full message PLUS the closing parenthesis will be added - if "ntfy" in config["full_message"]: - ntfy_message: str = ntfy_message + "\n" + "Full event" + parameters['e_full_event'] + '"' - - else: - ntfy_message: str = ntfy_message + '"' - - ntfy_command: str = ntfy_exec + ntfy_message - os.system(ntfy_command) - - -if __name__ == "__main__": - main(sys.argv) diff --git a/wazuh-discord-notifier.py b/wazuh-discord-notifier.py deleted file mode 100755 index 4dd58e6..0000000 --- a/wazuh-discord-notifier.py +++ /dev/null @@ -1,66 +0,0 @@ -#!/usr/bin/env python3 - -# This script is free software. -# -# Copyright (C) 2024, Rudi Klein. -# All rights reserved. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -# -# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing. -# -# Discord is a voice, video and text communication service used by over a hundred million people to hang out and talk -# with their friends and communities. It allows for receiving message using webhooks. -# For more information: https://discord.com. - - -import requests - -from wazuh_notifier_module import color_mapping -from wazuh_notifier_module import get_arguments -from wazuh_notifier_module import get_config -from wazuh_notifier_module import get_env -from wazuh_notifier_module import set_environment -from wazuh_notifier_module import set_time - -# Get path values -wazuh_path, ar_path, config_path, notifier_path = set_environment() - -# Get time value -now_message, now_logging = set_time() - -# Get some paths. -discord_url, ntfy_url = get_env() - -# Get the yaml config -config: dict = get_config() - -# the POST builder. Prepares https and sends the request. - - -def discord_command(n_url, n_sender, n_destination, n_priority, n_message, n_tags, n_click): - color = color_mapping(n_priority) - - x_message = (now_message + - "\n\n" + n_message + "\n\n" + - "Priority: " + n_priority + "\n" + - "Tags: " + n_tags + "\n\n" + n_click - ) - n_data = {"username": n_sender, "embeds": [{"color": color, "description": x_message, "title": n_destination}]} - - requests.post(n_url, json=n_data) - - -# Remove 1st argument from the list of command line arguments -# argument_list: list = sys.argv[1:] - -notifier = "discord" - -url, sender, destination, priority, message, tags, click = get_arguments() - - -# Finally, execute the POST request -discord_command(discord_url, sender, destination, priority, message, tags, click) diff --git a/wazuh-notifier-config.yaml b/wazuh-notifier-config.yaml deleted file mode 100755 index 2fbe808..0000000 --- a/wazuh-notifier-config.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -#start of yaml - -# This is the yaml config file for both the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py. -# The yaml needs to be in the same folder as the wazuh-ntfy-notifier.py and wazuh-discord-notifier.py - -# COMMON (custom-wazuh-notifiers.py) configuration settings start here. -# 1 = messages will be sent through this message server. 0 = messages will NOT be sent through this message server. - -targets: "discord,ntfy" - -# Exclude rules that are listed in the ossec.conf active response definition. - -excluded_rules: "5401, 5403" -excluded_agents: "999" - -# Priority mapping from 1-12 (Wazuh events) to 1-5 (Discord and ntfy notification) - -notifier_priority_1: 12, 11, 10 -notifier_priority_2: 9, 8 -notifier_priority_3: 7, 6 -notifier_priority_4: 5, 4 -notifier_priority_5: 3 ,2, 1 - -sender: "Wazuh (IDS)" -click: "https://google.com" - - -#end of yaml -... - diff --git a/wazuh-notifier.py b/wazuh-notifier.py deleted file mode 100755 index c13bbc8..0000000 --- a/wazuh-notifier.py +++ /dev/null @@ -1,86 +0,0 @@ -#!/usr/bin/env python3 - -# This script is free software. -# -# Copyright (C) 2024, Rudi Klein. -# All rights reserved. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -# -# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing. -# -# Discord is a voice, video and text communication service used by over a hundred million people to hang out and talk -# with their friends and communities. It allows for receiving message using webhooks. -# For more information: https://discord.com. - - -import json - -import requests - -from wazuh_notifier_module import get_arguments -from wazuh_notifier_module import get_env -from wazuh_notifier_module import get_yaml_config -from wazuh_notifier_module import set_environment -from wazuh_notifier_module import set_time -from wazuh_notifier_module import threat_priority_mapping - -# Setup the environment - -# Get time value -now_message, now_logging = set_time() - -# Get .env values -discord_webhook, ntfy_webhook = get_env() - -# Get path values -wazuh_path, ar_path, config_path = set_environment() - - -# the POST builders for the targets. Prepares https and sends the request. - -def discord_command(url, sender, destination, priority, message, tags, click): - x_message = (now_message + - "\n\n" + message + "\n\n" + - "Priority: " + priority + "\n" + - "Tags: " + tags + "\n\n" + click - ) - data = {"username": sender, "embeds": [{"description": x_message, "title": destination}]} - - requests.post(url, json=data) - - -def ntfy_command(url, sender, destination, priority, message, tags, click): - header = "" - if sender != "": header = header + '"Title"' + ": " + '"' + sender + '"' + ", " - if tags != "": header = header + '"Tags"' + ": " + '"' + tags + '"' + ", " - if click != "": header = header + '"Click"' + ": " + '"' + click + '"' + ", " - if priority != "": header = header + '"Priority"' + ": " + '"' + priority + '"' - header = json.loads("{" + header + "}") - x_message = now_message + "\n\n" + message - - # todo POST the request **** NEEDS future TRY **** - requests.post(url + destination, data=x_message, headers=header) - - -# Get the YAML config if any -config: dict = get_yaml_config() - -# Get the command line arguments -if get_arguments() is None: - url, sender, destination, message, priority, tags, click = "", "", "", "", "", "", "" -else: - url, sender, destination, priority, message, tags, click = get_arguments() - -# Get the threat level from the event (message) -threat_level = message[message.find('Threat level:') + 13:message.find('Threat level:') + 15].replace(" ", "") - -# Get the mapping between threat level (event) and priority (Discord/ntfy) -threat_priority = threat_priority_mapping(threat_level, config.get('np_1'), config.get('np_2'), - config.get('np_3'), config.get('np_4'), config.get('np_5')) - -# Finally, execute the POST request -# discord_command(discord_webhook, sender, destination, priority, message, tags, click) diff --git a/wazuh-ntfy-notifier.py b/wazuh-ntfy-notifier.py deleted file mode 100755 index 19cd77a..0000000 --- a/wazuh-ntfy-notifier.py +++ /dev/null @@ -1,100 +0,0 @@ -#!/usr/bin/env python3 - -# This script is free software. -# -# Copyright (C) 2024, Rudi Klein. -# All rights reserved. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -# -# This script is executed by the active response script (wazuh-active-response.py), which is triggered by rules firing. -# -# ntfy (pronounced notify) is a simple HTTP-based pub-sub notification service. -# It allows you to send notifications to your phone or desktop via scripts from any computer, and/or using a REST API. -# It's infinitely flexible, and 100% free software. For more information: https://ntfy.sh. - -import json -import sys - -import requests - -from wazuh_notifier_module import get_arguments as ga -from wazuh_notifier_module import get_yaml_config as yc -from wazuh_notifier_module import set_basic_defaults as bd -from wazuh_notifier_module import set_environment as se -from wazuh_notifier_module import set_time as st -from wazuh_notifier_module import threat_priority_mapping as tpm - -# Get path values -wazuh_path, ar_path, config_path = se() - -# Get time value -now_message, now_logging = st() - -# the POST builder - - -def ntfy_command(n_server, n_sender, n_destination, n_priority, n_message, n_tags, n_click): - n_header = "" - if n_sender != "": n_header = n_header + '"Title"' + ": " + '"' + n_sender + '"' + ", " - if n_tags != "": n_header = n_header + '"Tags"' + ": " + '"' + n_tags + '"' + ", " - if n_click != "": n_header = n_header + '"Click"' + ": " + '"' + n_click + '"' + ", " - if n_priority != "": n_header = n_header + '"Priority"' + ": " + '"' + n_priority + '"' - n_header = json.loads("{" + n_header + "}") - x_message = now_message + "\n\n" + n_message - -# todo POST the request **** NEEDS future TRY **** - requests.post(n_server + n_destination, data=x_message, headers=n_header) - - -# Remove 1st argument from the list of command line arguments -argument_list = sys.argv[1:] - -# Short options -options: str = "u:s:d:p:m:t:c:hv" - -# Long options -long_options: list = ["server=", "sender=", "destination=", "priority=", "message=", "tags=", "click", "help", "view"] - -# Defining who I am -notifier = "ntfy" - -# Retrieve the hard-coded basic defaults. -(d_server, d_sender, d_destination, d_priority, d_message, d_tags, d_click, d_notifier_priority_1, - d_notifier_priority_2, d_notifier_priority_3, d_notifier_priority_4, d_notifier_priority_5) = bd(notifier) - -# Use the values from the config yaml if available. Overrides the basic defaults. -yc_args = [notifier, d_server, d_sender, d_destination, d_priority, d_message, d_tags, d_click, d_notifier_priority_1, - d_notifier_priority_2, d_notifier_priority_3, d_notifier_priority_4, d_notifier_priority_5] - -(server, sender, destination, priority, message, tags, click, notifier_priority_1, notifier_priority_2, - notifier_priority_3, notifier_priority_4, notifier_priority_5) = yc(*yc_args) - -# Get params during execution. Params found here, override minimal defaults and/or config settings. - -# noinspection PyRedeclaration -a_sender, a_destination, a_message, a_priority, a_tags, a_click = ga(notifier, options, long_options) - -if a_sender != '': sender = a_sender -if a_destination != '': destination = a_destination -if a_priority != "": priority = a_priority -if a_tags != "": tags = a_tags -if a_click != "": click = a_click - -# Get the threat level from the message and map it to priority - -threat_level = message[message.find('Threat level:') + 13:message.find('Threat level:') + 15].replace(" ", "") - -# Get the mapping between threat level (event) and priority (Discord/ntfy) - -# noinspection PyRedeclaration -priority = tpm(threat_level, notifier_priority_1, notifier_priority_2, notifier_priority_3, - notifier_priority_4, notifier_priority_5) - - -# Finally, execute the POST request -ntfy_command(server, sender, destination, priority, message, tags, click) - diff --git a/wazuh_notifier_module.py b/wazuh_notifier_module.py deleted file mode 100755 index 515d8d3..0000000 --- a/wazuh_notifier_module.py +++ /dev/null @@ -1,301 +0,0 @@ -import datetime -import getopt -import json -import os -import sys -import time -from os.path import join, dirname -from pathlib import PureWindowsPath, PurePosixPath - -import yaml -from dotenv import load_dotenv - - -def set_environment() -> tuple: - # todo fix reference when running manually/in process - - set_wazuh_path = "/home/rudi/pycharm" - # set_wazuh_path = os.path.abspath(os.path.join(__file__, "../../..")) - set_ar_path = '{0}/logs/active-responses.log'.format(set_wazuh_path) - set_config_path = '{0}/etc/wazuh-notify-config.yaml'.format(set_wazuh_path) - set_notifier_path = '{0}/active-response/bin'.format(set_wazuh_path) - - return set_wazuh_path, set_ar_path, set_config_path, set_notifier_path - - -# Define paths: wazuh_path = wazuh root directory -# ar_path = active-responses.log path, -# config_path = wazuh-notifier-wazuh-notify-config.yaml - -wazuh_path, ar_path, config_path, notifier_path = set_environment() - - -# Debug writer -def write_debug_file(ar_name, msg): - with open(ar_path, mode="a") as log_file: - ar_name_posix = str(PurePosixPath(PureWindowsPath(ar_name[ar_name.find("active-response"):]))) - log_file.write( - str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name_posix + ": " + msg + "\n") - - -def get_env(): - try: - dotenv_path = join(dirname(__file__), '.env') - load_dotenv(dotenv_path) - if not os.path.isfile(dotenv_path): - raise Exception(dotenv_path, "file not found") - - # Retrieve url from .env - discord_url = os.getenv("DISCORD_URL") - ntfy_url = os.getenv("NTFY_URL") - - except Exception as err: - # output error, and return with an error code - print(str(Exception(err.args))) - exit(err) - - return discord_url, ntfy_url - - -# Set structured timestamp for logging and discord/ntfy message. - - -def set_time(): - now_message = time.strftime('%a, %d %b %Y %H:%M:%S') - now_logging = time.strftime('%Y/%m/%d %H:%M:%S') - return now_message, now_logging - - -# Import configuration settings from wazuh-notify-config.yaml - - -def import_config(): - try: - _, _, this_config_path, _ = set_environment() - - with open(this_config_path, 'r') as ntfier_config: - config: dict = yaml.safe_load(ntfier_config) - return config - except (FileNotFoundError, PermissionError, OSError): - return None - - -# Process configuration settings from wazuh-notify-config.yaml - - -def get_config(): - config = import_config() - - config['np_5'] = config.get('np_1', [15, 14, 13, 12]) - config['np_4'] = config.get('np_2', [11, 10, 9]) - config['np_3'] = config.get('np_3', [8, 7, 6]) - config['np_2'] = config.get('np_4', [5, 4]) - config['np_1'] = config.get('np_5', [3, 2, 1, 0]) - config['targets'] = config.get('targets', 'ntfy, discord') - config['excluded_rules'] = config.get('excluded_rules', '') - config['excluded_agents'] = config.get('excluded_agents', '') - config['sender'] = 'Wazuh (IDS)' - config['click'] = 'https://wazuh.org' - - return config - - -# Show configuration settings from wazuh-notify-config.yaml - - -def view_config(): - _, _, this_config_path, _ = set_environment() - - try: - with open(this_config_path, 'r') as ntfier_config: - print(ntfier_config.read()) - except (FileNotFoundError, PermissionError, OSError): - print(this_config_path + " does not exist or is not accessible") - return - - -# Logging the Wazuh active Response request - - -def ar_log(): - now = set_time() - _, this_ar_path, _, _ = set_environment() - msg = '{0} {1} {2}'.format(now, os.path.realpath(__file__), 'Post JSON Alert') - f = open(this_ar_path, 'a') - f.write(msg + '\n') - f.close() - - -def threat_mapping(threat_level, np_1, np_2, np_3, np_4, np_5): - # Map threat level v/s priority - - if threat_level in np_1: - priority_mapping = "1" - elif threat_level in np_2: - priority_mapping = "2" - elif threat_level in np_3: - priority_mapping = "3" - elif threat_level in np_4: - priority_mapping = "4" - elif threat_level in np_5: - priority_mapping = "5" - else: - priority_mapping = "3" - - return priority_mapping - - -def color_mapping(priority): - # Map priority to color - - if priority == 1: - priority_color = 0x339900 - elif priority == 2: - priority_color = 0x99cc33 - elif priority == 3: - priority_color = 0xffcc00 - elif priority == 4: - priority_color = 0xff9966 - elif priority == 5: - priority_color = 0xcc3300 - else: - priority_color = 0xffcc00 - - return priority_color - - -def get_arguments(): - # Get params during execution. Params found here, override minimal defaults and/or config settings. - - # Short options - options: str = "u:s:p:m:t:c:hv" - - # Long options - long_options: list = ["url=", "sender=", "destination=", "priority=", "message=", "tags=", "click=", "help", - "view"] - - help_text: str = """ - -u, --url is the url for the server, ending with a "/". - -s, --sender is the sender of the message, either an app name or a person. - -d, --destination is the NTFY subscription or Discord title, to send the message to. - -p, --priority is the priority of the message, ranging from 1 (lowest), to 5 (highest). - -m, --message is the text of the message to be sent. - -t, --tags is an arbitrary strings of tags (keywords), seperated by a "," (comma). - -c, --click is a link (URL) that can be followed by tapping/clicking inside the message. - -h, --help shows this help message. Must have no value argument. - -v, --view show config. - - """ - url: str - sender: str - destination: str - message: str - priority: int - tags: str - click: str - - url, sender, destination, message, priority, tags, click = "", "", "", "", 0, "", "" - - argument_list: list = sys.argv[1:] - - if not argument_list: - return url, sender, destination, message, priority, tags, click - - else: - - try: - # Parsing argument - arguments, values = getopt.getopt(argument_list, options, long_options) - - # checking each argument - for current_argument, current_value in arguments: - - if current_argument in ("-h", "--help"): - print(help_text) - exit() - - elif current_argument in ("-v", "--view"): - view_config() - exit() - - elif current_argument in ("-u", "--url"): - url: str = current_value - - elif current_argument in ("-s", "--sender"): - sender: str = current_value - - elif current_argument in ("-d", "--destination"): - destination: str = current_value - - elif current_argument in ("-p", "--priority"): - priority: int = current_value - - elif current_argument in ("-m", "--message"): - message: str = current_value - - elif current_argument in ("-t", "--tags"): - tags: str = current_value - - elif current_argument in ("-c", "--click"): - click: str = current_value - - except getopt.error as err: - # output error, and return with an error code - print(str(err)) - - return url, sender, destination, message, priority, tags, click - - -def load_message(argv): - # get alert from stdin - input_str: str = "" - for line in sys.stdin: - input_str: str = line - break - - data: json = json.loads(input_str) - - if data.get("command") == "add": - return data - else: - # todo fix error message - sys.exit(1) - - -def parameters_deconstruct(argv, event_keys): - config: dict = get_config() - - a_id: str = str(event_keys["agent"]["id"]) - a_name: str = str(event_keys["agent"]["name"]) - e_id: str = str(event_keys["rule"]["id"]) - e_description: str = str(event_keys["rule"]["description"]) - e_level: str = str(event_keys["rule"]["level"]) - e_fired_times: str = str(event_keys["rule"]["firedtimes"]) - e_full_event: str = str(json.dumps(event_keys, indent=4).replace('"', '') - .replace('{', '') - .replace('}', '') - .replace('[', '') - .replace(']', '') - ) - - if e_id not in config["excluded_rules"] or a_id not in config["excluded_agents"]: - parameters: dict = dict(a_id=a_id, a_name=a_name, e_id=e_id, e_description=e_description, e_level=e_level, - e_fired_times=e_fired_times, e_full_event=e_full_event) - return parameters - - -def construct_basic_message(argv, accent: str, a_id: str, a_name: str, e_id: str, e_description: str, e_level: str, - e_fired_times: str) -> str: - # Adding the BOLD text string to the Discord message. Ntfy has a different message format. - - basic_message: str = ("--message " + '"' + - accent + "Agent: " + accent + a_name + " (" + a_id + ")" + "\n" + - accent + "Event id: " + accent + e_id + "\n" + - accent + "Description: " + accent + e_description + "\n" + - accent + "Threat level: " + accent + e_level + "\n" + - # Watch this last addition to the string. It should include the closing quote for the - # basic_message string. It must be closed by -> '"'. This will be done outside this function - # in order to enable another specific addition (event_full_message) in the calling procedure. - accent + "Times fired: " + accent + e_fired_times + "\n") - - return basic_message