Hello team, I made a post on the Wazuh list but no one responded. I saw some relevant information in my research on the OSSEC GitHub, so I thought I should post here. Below is what I posted on the Wazuh list:
******** I am trying to understand how I can create an integration to an external alert system via a JSON/REST Python script. I have reviewed the existing PagerDuty, Slack and VirusTotal integrations. I tried creating a new file and copied all the relevant functions, but that did not work. Then I copied my changes over to the slack file and that didn't work either. Wondering if there is any guidance / reference material in the group here that I can review. Would like to clear up that I am a noob coding enthusiast, so the issue is most likely in my code, so looking for some help. I am trying to post data to a ServiceNow dev instance for all Wazuh alerts with level 12 and above.

Here are my functions, which I think will get the alerts from Wazuh to post (at the correct severity). I want to add them to a working integration script and post alerts to a ServiceNow development instance:

    import json
    import base64
    import urllib2   # Python 2: the Wazuh 2.x integrations run under /usr/bin/python

    # In the full integration script these are filled from the integrator's
    # hook_url / api_key arguments; left empty here
    snowemurl = ""
    snowemuser = ""
    snowempassword = ""

    def generate_msg(alert):
        level = alert['rule']['level']
        if level < 12:
            return None      # caller must skip send_msg() when this is None
        msg = {}
        msg['source'] = "WAZUHPROBE"
        # These keys must match the alerts.json schema of the installed
        # version; .get() keeps a missing key from raising a KeyError
        msg['node'] = alert.get('src_ip', "")
        msg['type'] = alert.get('status', "")
        msg['resource'] = alert.get('program_name', "")
        # adding in a severity map: Wazuh level -> ServiceNow severity
        if level <= 5:
            snowsev = "0"
        elif level <= 10:
            snowsev = "4"
        elif level <= 12:
            snowsev = "3"
        elif level <= 14:
            snowsev = "2"
        else:
            snowsev = "1"
        msg['severity'] = snowsev
        msg['metric_name'] = alert.get('system_name', "")
        msg['description'] = alert.get('full_log', "")
        agent = {"title": "Agent",
                 "value": "({0}) - {1}".format(alert['agent']['id'], alert['agent']['name'])}
        location = {"title": "Location", "value": alert.get('location', "")}
        rule = {"title": "Rule ID",
                "value": "{0} _(Level {1})_".format(alert['rule']['id'], level)}
        # was {[ agent, location, rule ]}: a set containing a list is a TypeError
        msg['additional_info'] = [agent, location, rule]
        msg['ci_identifier'] = ""
        msg['event_class'] = "Info Security Alert"
        msg['message_key'] = ""
        attach = {'attachments': [msg]}
        return json.dumps(attach)

    def send_msg(msg):
        headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
        request = urllib2.Request(url=snowemurl, data=msg, headers=headers)
        # Basic auth needs standard base64; urlsafe_b64encode emits '-' and '_',
        # which the server will not decode as a credential
        base64string = base64.b64encode('%s:%s' % (snowemuser, snowempassword))
        request.add_header("Authorization", "Basic %s" % base64string)
        f = urllib2.urlopen(request)
        f.read()
        f.close()

But even with trying to maintain the same format and the other existing functions, I cannot get the script to work. I get errors in ossec.log (screenshot: <https://lh3.googleusercontent.com/-znf6oJ1v-lo/WuBmqn0Ym9I/AAAAAAAAxBE/GfKsyaDItqsrN1Gtw5HIq4WiyZKdwlEMwCLcBGAs/s1600/2018-04-25%2B06_27_47-Windows7.png>). I am running Wazuh version 2.1.1.
******************* end *******************

I have since figured out that in the original OSSEC code, in the original Slack integration, it looks like the authors are tailing /var/ossec/logs/alerts/alerts.log. I tried running just the following via the console and it works, so I can use this to write a shell script with curl to post JSON.

    #!/bin/sh
    # Change these values!
    # SLACKUSER  user who posts notifications
    # CHANNEL    which channel it should be posted to
    # SITE       is the URL provided by the Slack WebHook, something like:
    #            https://hooks.slack.com/services/TOKEN
    SLACKUSER="Dat"
    CHANNEL="test"
    SITE="TestSite"
    SOURCE="ossec2slack"

    # Checking user arguments
    if [ "x$1" = "xdelete" ]; then
        exit 0;
    fi

    ALERTID=$4
    RULEID=$5
    LOCAL=`dirname $0`;
    ALERTTIME=`echo "$ALERTID" | cut -d "." -f 1`
    ALERTLAST=`echo "$ALERTID" | cut -d "." -f 2`

    # Logging
    cd $LOCAL
    cd ../
    PWD=`pwd`
    echo "`date` $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log

    # Pull the alert text out of alerts.log by its timestamp
    ALERTFULL=`grep -A 10 "$ALERTTIME" ${PWD}/../logs/alerts/alerts.log | grep -v ".$ALERTLAST: " -A 10 | grep -v "Src IP: " | grep -v "User: " | grep "Rule: " -A 4 | cut -c -139 | sed 's/\"//g'`

    # add the agent ID
    ALERTFULL=`echo ${6}; echo ${ALERTFULL}`

    PAYLOAD='{"channel": "'"$CHANNEL"'", "username": "'"$SLACKUSER"'", "text": "'"${ALERTFULL}"'"}'

    # Output
    echo "**************** \n" >> ${PWD}/../logs/active-responses.log
    echo "**************** \n" >> ${PWD}/../logs/active-responses.log
    echo "****************\n" >> ${PWD}/../logs/active-responses.log
    echo "$PAYLOAD" >> ${PWD}/../logs/active-responses.log
    exit 1;

I was wondering if there is a better way, or if anyone has some pointers to do this in Java or Python in a way that is integrated in the OSSEC configuration. I am trying to keep this all contained so it doesn't break upon the next upgrade, or so that changes are minimal during an upgrade. Thanks in advance, and any help / guidance is much appreciated.

Thanks!
Dan

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
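As an added, worked example (not code from the post above, nor from the OSSEC or Wazuh projects), here is a Python 3 version of the integration the poster is trying to build: it follows the integrator's argument contract (assumed here to be `<script> <alert_file> <api_key> <hook_url>`, with `<api_key>` carrying `user:password`), filters on rule level, maps the level to a severity and builds a Basic-auth POST. The ServiceNow field names, the `records` wrapper and the severity scale are hypothetical, modelled on the poster's draft payload; the sample alert is constructed; Wazuh 2.1.1 ran its integrations under Python 2, so `urllib.request` would need to become `urllib2` there.

```python
#!/usr/bin/env python3
# Custom Wazuh integration (added example, Python 3): post alerts with
# rule level >= MIN_LEVEL to a ServiceNow endpoint using HTTP Basic auth.
# Assumed integratord contract: <script> <alert_file> <api_key> <hook_url>,
# where <api_key> carries "user:password".  ServiceNow field names and the
# severity scale are hypothetical, modelled on the poster's draft payload.
import base64
import json
import sys
import urllib.request

MIN_LEVEL = 12  # keep in sync with <level>12</level> in the integration block

# (upper bound, severity): "1" critical ... "4" warning, "0" clear (hypothetical)
SEVERITY_MAP = ((5, "0"), (10, "4"), (12, "3"), (14, "2"))

def snow_severity(level):
    """Map a Wazuh rule level (0-15) onto the hypothetical ServiceNow scale."""
    for upper, sev in SEVERITY_MAP:
        if level <= upper:
            return sev
    return "1"

def generate_msg(alert, source="WAZUHPROBE"):
    """Return the event payload for one alert, or None below MIN_LEVEL.
    Keys are read with .get(): alerts.json field names differ between
    OSSEC/Wazuh versions and a KeyError would abort before anything posts."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < MIN_LEVEL:
        return None
    agent = alert.get("agent", {})
    event = {
        "source": source,
        "node": alert.get("srcip", ""),
        "type": rule.get("description", ""),
        "resource": alert.get("program_name", ""),
        "severity": snow_severity(level),
        "metric_name": agent.get("name", ""),
        "description": alert.get("full_log", ""),
        "additional_info": {
            "agent": "({0}) - {1}".format(agent.get("id", ""), agent.get("name", "")),
            "location": alert.get("location", ""),
            "rule_id": "{0} (Level {1})".format(rule.get("id", ""), level),
        },
        "event_class": "Info Security Alert",
    }
    return {"records": [event]}

def basic_auth_header(api_key):
    """Authorization value for "user:password".  Standard base64, not
    urlsafe_b64encode: '-' and '_' are not valid in a Basic credential."""
    return "Basic " + base64.b64encode(api_key.encode("utf-8")).decode("ascii")

def build_request(hook_url, api_key, payload):
    """json.dumps does the quoting, so a '"' in full_log cannot break the
    document the way the shell script's string-built PAYLOAD can."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(hook_url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", basic_auth_header(api_key))
    return req

def send_msg(req, timeout=10):
    """POST and return (status, body); urlopen verifies the TLS certificate."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()

# Constructed sample in the OSSEC/Wazuh 2.x alerts.json shape; the log line
# is made up and deliberately contains double quotes.
SAMPLE_ALERT = {
    "rule": {"level": 12, "id": "5720", "description": "Multiple SSHD authentication failures."},
    "agent": {"id": "001", "name": "web01"},
    "location": "/var/log/auth.log",
    "program_name": "sshd",
    "srcip": "10.0.0.5",
    "full_log": 'Apr 25 06:27:47 web01 sshd[4242]: Failed password for invalid user "admin" from 10.0.0.5 port 4444 ssh2',
}

def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: %s <alert_file> <user:password> <hook_url>\n" % argv[0])
        return 2
    with open(argv[1]) as fh:
        alert = json.load(fh)
    payload = generate_msg(alert)
    if payload is None:  # below threshold: nothing to post, exit cleanly
        return 0
    status, _ = send_msg(build_request(argv[3], argv[2], payload))
    return 0 if 200 <= status < 300 else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script is wired in through an `<integration>` block in ossec.conf that names the script and supplies `<hook_url>`, `<api_key>` (the `user:password` pair, so no credential lives in the script), `<level>12</level>` and `<alert_format>json</alert_format>`; current Wazuh docs require custom scripts to be named `custom-*`, so check the naming rule for the installed version. Two things differ from the shell approach: the payload is serialised by `json.dumps`, so log content containing quotes or backslashes cannot corrupt (or inject into) the JSON, and the alert arrives as a JSON file rather than being grepped back out of alerts.log by timestamp.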