package common
import (
"encoding/json"
"fmt"
"os"
"slices"
"strconv"
"strings"
"time"
"wazuh-notify/config"
logger "wazuh-notify/log"
)
// ReadFile opens the file at path for reading and hands the open handle
// back to the caller, who owns it and must Close it. The path being opened
// is echoed to stdout before os.Open is attempted.
//
// Returns the open *os.File, or a wrapped error when os.Open fails; the
// underlying error stays in the chain for errors.Is / errors.As.
func ReadFile(path string) (*os.File, error) {
	fmt.Printf("Reading from file: %s\n", path)
	f, openErr := os.Open(path)
	if openErr == nil {
		return f, nil
	}
	return nil, fmt.Errorf("failed to open file %s: %w", path, openErr)
}
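// BuildMessage renders the notification text for one active-response event.
//
// When target appears in config.File.General.FullAlert (a comma-separated
// list; entries are trimmed, so "slack, discord" matches the same targets
// as "slack,discord"), the whole ActiveResponse is rendered as an indented
// JSON dump inside a markdown code fence, with quotes, braces and brackets
// stripped for readability. Otherwise a short summary of the alert fields
// is produced, each label wrapped in emphasis (the marker the caller's
// channel understands, e.g. "*" or "**"), followed by the caller-supplied
// priority.
//
// If the full alert cannot be marshalled to JSON the summary is returned
// instead, so a notification still goes out rather than an empty fence.
func BuildMessage(ar ActiveResponse, target string, emphasis string, priority int) string {
	if targetWantsFullAlert(target) {
		if fenced, ok := renderFullAlertFence(ar); ok {
			return fenced
		}
	}
	return renderAlertSummary(ar, emphasis, priority)
}

// targetWantsFullAlert reports whether target is one of the comma-separated
// entries in config.File.General.FullAlert, ignoring surrounding whitespace.
func targetWantsFullAlert(target string) bool {
	return slices.ContainsFunc(strings.Split(config.File.General.FullAlert, ","), func(entry string) bool {
		return strings.TrimSpace(entry) == target
	})
}

// renderFullAlertFence renders ar as an indented JSON dump inside a markdown
// code fence. ok is false when the alert could not be marshalled; callers
// should then fall back to the summary form.
func renderFullAlertFence(ar ActiveResponse) (string, bool) {
	raw, err := json.MarshalIndent(ar, "", " ")
	if err != nil {
		return "", false
	}
	body := string(raw)
	// Strip JSON punctuation so the dump reads as plain "key: value" lines.
	// Order matters only for " ," which must go after the quote removal.
	for _, noise := range []string{`"`, "{", "}", "[", "]", " ,"} {
		body = strings.ReplaceAll(body, noise, "")
	}
	// The alert body (FullLog and friends) is agent-supplied data; a literal
	// ``` inside it would close the fence early on markdown-rendering targets
	// and let the remainder of the alert be interpreted as markup. Break the
	// sequence so the whole dump stays inside the fence.
	body = strings.ReplaceAll(body, "```", "` ` `")
	return "\n\n ```" + body + "```\n\n", true
}

// renderAlertSummary produces the compact, human-readable form of the alert:
// one "Label: value" line per field, with each label wrapped in emphasis.
// FullLog is inserted verbatim; any markup it contains is rendered by the
// target as-is.
func renderAlertSummary(ar ActiveResponse, emphasis string, priority int) string {
	alert := ar.Parameters.Alert
	label := func(name string) string {
		return fmt.Sprintf("%s%s:%s ", emphasis, name, emphasis)
	}
	var b strings.Builder
	b.WriteString("\n\n")
	b.WriteString(label("Timestamp") + time.Now().Format(time.DateTime) + "\n")
	b.WriteString(label("Agent") + alert.Agent.Name + "\n")
	b.WriteString(label("Event id") + alert.Rule.ID + "\n")
	b.WriteString(label("Rule") + alert.Rule.Description + "\n")
	b.WriteString(label("Description") + alert.FullLog + "\n")
	b.WriteString(label("Threat level") + strconv.Itoa(alert.Rule.Level) + "\n")
	b.WriteString(label("Times fired") + strconv.Itoa(alert.Rule.FiredTimes) + "\n\n")
	b.WriteString(label("Priority") + strconv.Itoa(priority) + "\n")
	return b.String()
}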
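// Ignored reports whether the alert in ar matches one of the configured
// exclusions and should therefore not be notified:
//   - its rule ID is listed in config.File.General.ExcludedRules (comma-separated),
//   - its agent ID is listed in config.File.General.ExcludedAgents (comma-separated),
//   - or its FullLog contains one of config.File.General.ExcludeDescriptions.
//
// Comma-separated entries are trimmed of surrounding whitespace and empty
// entries are skipped, so an unset list never matches an alert whose ID
// happens to be empty. The reason for a match is logged before returning true.
func Ignored(ar ActiveResponse) bool {
	alert := ar.Parameters.Alert
	if inCommaList(config.File.General.ExcludedRules, alert.Rule.ID) {
		logger.Log("rule excluded")
		return true
	}
	if inCommaList(config.File.General.ExcludedAgents, alert.Agent.ID) {
		logger.Log("agent excluded")
		return true
	}
	for _, description := range config.File.General.ExcludeDescriptions {
		// An empty pattern would match every log line, so it is never honoured.
		if description != "" && strings.Contains(alert.FullLog, description) {
			logger.Log("excluded based on description")
			return true
		}
	}
	return false
}

// inCommaList reports whether want equals one of the comma-separated entries
// in list after trimming whitespace. Empty entries never match.
func inCommaList(list, want string) bool {
	for _, entry := range strings.Split(list, ",") {
		entry = strings.TrimSpace(entry)
		if entry != "" && entry == want {
			return true
		}
	}
	return false
}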