Hello team, 

I made a post on the Wazuh list but no one responded. I saw some relevant 
information in my research on the OSSEC GitHub, so I thought I should post here. 
Below is what I posted on the Wazuh list -

********
I am trying to understand how I can create an integration to an external 
alert system via a JSON/REST Python script. 

I have reviewed the existing PagerDuty, Slack and VirusTotal integrations. I 
tried creating a new file and copied all the relevant functions, but that 
did not work. Then I copied my changes over to the Slack file, and that 
didn't work either. I'm wondering if there is any guidance / reference material 
in the group here that I can review.

I would like to clear up that I am a noob coding enthusiast, so the issue is most 
likely in my code, so I'm looking for some help. 

I am trying to post data to a ServiceNow dev instance for all Wazuh alerts 
of level 12 and above. 


Here are my functions, which I think will get the alerts from Wazuh to post 
(at the correct severity). I want to add them to a working integration script and 
post alerts to a ServiceNow development instance. 

#!/usr/bin/env python
# Wazuh integration script: post alerts of level >= 12 to a ServiceNow Event
# Management endpoint. integratord invokes an integration script as
#   <script> <alert-file> <api-key> <hook-url>
# so the endpoint and credentials are taken from the command line at the bottom.
import base64
import json
import sys

try:
    from urllib2 import Request, urlopen          # Python 2 (Wazuh 2.x integrations)
except ImportError:
    from urllib.request import Request, urlopen   # Python 3


def generate_msg(alert):
    """Build the ServiceNow event payload, or return None below level 12."""
    level = alert['rule']['level']

    if level < 12:
        return None

    msg = {}
    msg['source'] = "WAZUHPROBE"
    # 'src_ip', 'status', 'program_name' and 'system_name' are not top-level
    # keys of a Wazuh alert, so indexing them directly raises KeyError.
    # Use .get() with defaults; a decoded source IP lives under data.srcip.
    msg['node'] = alert.get('data', {}).get('srcip', alert.get('src_ip', ''))
    msg['type'] = alert.get('status', '')
    msg['resource'] = alert.get('program_name', '')

    # Severity map (ServiceNow: 1 = critical ... 4 = warning, 0 = clear).
    # Contiguous upper bounds, so level 5 no longer matches two branches.
    if level <= 5:
        snowsev = "0"
    elif level <= 10:
        snowsev = "4"
    elif level <= 12:
        snowsev = "3"
    elif level <= 14:
        snowsev = "2"
    else:
        snowsev = "1"

    msg['severity'] = snowsev
    msg['metric_name'] = alert.get('system_name', '')
    msg['description'] = alert.get('full_log', '')
    agent = {"title": "Agent",
             "value": "({0}) - {1}".format(alert['agent']['id'], alert['agent']['name'])}
    location = {"title": "Location", "value": alert.get('location', '')}
    rule = {"title": "Rule ID",
            "value": "{0} _(Level {1})_".format(alert['rule']['id'], level)}
    # A list, not a set: {[ ... ]} raises "unhashable type: 'list'".
    msg['additional_info'] = [agent, location, rule]
    msg['ci_identifier'] = ""
    msg['event_class'] = "Info Security Alert"
    msg['message_key'] = ""
    attach = {'attachments': [msg]}

    return json.dumps(attach)


def send_msg(msg, snowemurl, snowemuser, snowempassword):
    """POST the JSON payload to ServiceNow with HTTP Basic auth."""
    headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
    # Basic auth uses standard base64 (RFC 7617). urlsafe_b64encode substitutes
    # '-' and '_' for '+' and '/', which the server rejects as bad credentials.
    credentials = '%s:%s' % (snowemuser, snowempassword)
    base64string = base64.b64encode(credentials.encode('utf-8')).decode('ascii')
    headers["Authorization"] = "Basic %s" % base64string
    request = Request(url=snowemurl, data=msg.encode('utf-8'), headers=headers)
    f = urlopen(request)
    f.read()
    f.close()


if __name__ == '__main__':
    # integratord passes: alert file, api_key (used here as "user:password"), hook_url
    alert_file, api_key, hook_url = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(alert_file) as fh:
        alert = json.load(fh)
    payload = generate_msg(alert)
    if payload is not None:          # below level 12 there is nothing to send
        user, password = api_key.split(':', 1)
        send_msg(payload, hook_url, user, password)


But even when trying to maintain the same format and the other existing 
functions, I cannot get the script to work. I get errors in ossec.log:

<https://lh3.googleusercontent.com/-znf6oJ1v-lo/WuBmqn0Ym9I/AAAAAAAAxBE/GfKsyaDItqsrN1Gtw5HIq4WiyZKdwlEMwCLcBGAs/s1600/2018-04-25%2B06_27_47-Windows7.png>



I am running Wazuh version 2.1.1 
***************************************** end *****************************************


I have since figured out that in the original OSSEC code, in the original Slack 
integration, it looks like the authors are tailing 
/var/ossec/logs/alerts/alerts.log. I tried running just the following via the 
console and it works, so I can use this to write a shell script with 
curl to post JSON.

#!/bin/sh

# Change these values!
# SLACKUSER user who posts notifications
# CHANNEL which channel it should be posted to
# SITE is the URL provided by the Slack WebHook, something like:
# https://hooks.slack.com/services/TOKEN
SLACKUSER="Dat"
CHANNEL="test"
SITE="TestSite"
SOURCE="ossec2slack"

# Checking user arguments (active-response passes: action user srcip alert-id rule-id agent ...)
if [ "x$1" = "xdelete" ]; then
    exit 0;
fi
ALERTID=$4
RULEID=$5
LOCAL=$(dirname "$0")
ALERTTIME=$(echo "$ALERTID" | cut -d "." -f 1)
ALERTLAST=$(echo "$ALERTID" | cut -d "." -f 2)

# Logging. BASEDIR replaces the original's overwriting of the shell's own $PWD.
cd "$LOCAL" || exit 1
cd ../ || exit 1
BASEDIR=$(pwd)
LOG="${BASEDIR}/../logs/active-responses.log"
echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> "$LOG"
# Pull the alert block out of alerts.log by its timestamp, drop the header,
# "Src IP:" and "User:" lines, and keep the "Rule:" line plus the next four.
ALERTFULL=$(grep -A 10 "$ALERTTIME" "${BASEDIR}/../logs/alerts/alerts.log" | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g')

# add the agent ID
ALERTFULL=$(echo "${6}"; echo "${ALERTFULL}")

# The alert text is spliced into the JSON by string concatenation: sed stripped
# the double quotes above, but newlines and backslashes from the log are not
# escaped, so log content can still corrupt (or inject into) the payload.
PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}'

# Output (printf: under /bin/sh, echo does not portably interpret "\n")
printf '****************\n' >> "$LOG"
printf '****************\n' >> "$LOG"
printf '****************\n' >> "$LOG"
echo "$PAYLOAD" >> "$LOG"
# The curl POST of $PAYLOAD to $SITE would go here.

# Exit 0 so ossec-execd does not record the response as failed.
exit 0;


I was wondering if there is a better way, or if anyone has some pointers to do 
this in Java or Python in a way that is integrated into the OSSEC 
configuration. I am trying to keep this all contained so it doesn't break 
on the next upgrade, or so that changes are minimal during an upgrade. 
Thanks in advance, and any help / guidance is much appreciated. 
Thanks!
Dan
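Editor's note: the example below is added here and is not code from the post, from Wazuh or from ServiceNow. It shows the shape of the integration the post is after, from the alert JSON that integratord hands to the script to the HTTP request, with the three points the posted snippets stumble on: a non-overlapping level-to-severity map, a payload built with json.dumps so quotes and newlines in full_log cannot break the JSON (the shell variant above splices the alert text into the payload by string concatenation), and a Basic auth header encoded with standard base64 rather than the URL-safe alphabet. Assumptions, all labelled in the code: the script is invoked as <script> <alert-file> <api-key> <hook-url> like Wazuh's own integration scripts, the api-key is treated as "user:password", the ServiceNow field names are those used in the post and the "records" envelope of the inbound event API is taken on trust, and the alert is a constructed sample, not one captured from a manager.

```python
#!/usr/bin/env python3
"""Wazuh alert -> ServiceNow Event Management payload (added example, not the
post's code). Assumed: invoked as <script> <alert-file> <api-key> <hook-url>
like Wazuh's own integrations, api-key is "user:password", and the ServiceNow
field names and "records" envelope are taken from the post, unverified here."""
import base64
import json
import sys
from urllib.request import Request, urlopen

MIN_LEVEL = 12

# Wazuh rule level -> ServiceNow severity (1 = critical ... 4 = warning, 0 = clear),
# as contiguous upper bounds so no level can match two ranges.
SEVERITY_MAP = ((5, "0"), (10, "4"), (12, "3"), (14, "2"), (15, "1"))


def snow_severity(level):
    """Map a rule level to the ServiceNow severity string; above 15 is critical."""
    for upper, sev in SEVERITY_MAP:
        if level <= upper:
            return sev
    return "1"


def build_event(alert):
    """Return the ServiceNow event dict for alerts at or above MIN_LEVEL, else None.
    Optional fields use .get(): a Wazuh alert only carries the keys its decoder
    produced (data.srcip, for instance, is absent for many rules)."""
    level = alert["rule"]["level"]
    if level < MIN_LEVEL:
        return None
    agent, rule = alert.get("agent", {}), alert["rule"]
    return {
        "source": "WAZUHPROBE",
        "node": alert.get("data", {}).get("srcip", agent.get("name", "")),
        "type": rule.get("description", ""),
        "resource": alert.get("location", ""),
        "severity": snow_severity(level),
        "metric_name": "wazuh.rule.%s" % rule["id"],
        # Kept as a Python string: json.dumps escapes quotes and newlines, so
        # log content cannot break or inject into the serialised payload.
        "description": alert.get("full_log", ""),
        "additional_info": {
            "agent": "(%s) - %s" % (agent.get("id", ""), agent.get("name", "")),
            "rule_id": "%s (Level %d)" % (rule["id"], level),
            "alert_id": alert.get("id", ""),
        },
        "ci_identifier": "",
        "event_class": "Info Security Alert",
        # Same agent + rule -> same key, so ServiceNow de-duplicates repeats.
        "message_key": "wazuh:%s:%s" % (agent.get("id", ""), rule["id"]),
    }


def serialize(event):
    """Wrap the event in the (assumed) records envelope; bytes ready to POST."""
    return json.dumps({"records": [event]}).encode("utf-8")


def basic_auth_header(user, password):
    """RFC 7617 Basic credentials: standard base64, never the URL-safe alphabet."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def post_event(body, hook_url, user, password, opener=urlopen):
    """POST body to hook_url; opener is injectable so the call can be dry-run."""
    req = Request(hook_url, data=body, method="POST", headers={
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": basic_auth_header(user, password),
    })
    with opener(req) as resp:
        return resp.status, resp.read()


SENT = []  # requests captured by dry_run(), for offline testing


class _DryRunResponse:
    status = 200

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return b'{"result": "dry-run"}'


def dry_run(req):
    """Stand-in for urlopen: record the request instead of sending it."""
    SENT.append(req)
    return _DryRunResponse()


# Constructed sample alert in alerts.json shape; full_log carries a double
# quote and a newline on purpose to exercise the JSON escaping.
SAMPLE_ALERT = {
    "id": "1524650000.12345",
    "rule": {"level": 12, "id": "5712", "description": "sshd: brute force attempt"},
    "agent": {"id": "001", "name": "web01"},
    "location": "/var/log/auth.log",
    "data": {"srcip": "203.0.113.7"},
    "full_log": 'Apr 25 06:27:47 web01 sshd[2201]: Failed password for invalid user "admin\nroot" from 203.0.113.7 port 51022 ssh2',
}

if __name__ == "__main__":
    alert_file, api_key, hook_url = sys.argv[1:4]   # assumed argv layout, see docstring
    with open(alert_file) as fh:
        event = build_event(json.load(fh))
    if event is not None:
        user, password = api_key.split(":", 1)
        status, _ = post_event(serialize(event), hook_url, user, password)
        print("ServiceNow returned HTTP %s" % status)
```

Run it by hand with a saved alert file and a dummy hook URL, or call post_event(..., opener=dry_run) and inspect SENT[-1] to see exactly what would leave the box before pointing it at a dev instance. The level filter is kept in the script so it stays self-contained, which is what the post asks for; Wazuh's <integration> block can also filter on level before the script is started, which saves a process per low-level alert.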

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
