Wazuh 4.3.x active response script

ip-block.sh

#!/bin/sh

LOCAL=`dirname $0`
ME=`basename "$0"`

read -r LINE

cd $LOCAL
cd ../
PWD=`pwd`

# Logging the call

MYALERT=$(mktemp --suffix ".log")

echo ${LINE} > $MYALERT

RESULT=`/usr/bin/python3 /var/ossec/active-response/bin/ip-block.py ${MYALERT} 2>&1`

echo "`date` ${ME} ${MYALERT}: ${RESULT}" >> ${PWD}/../logs/active-responses.log

exit 0

and, in ip-block.py, i have:

#!/usr/bin/env python3
#
#
import os
import sys
import json

urllib3.disable_warnings()

if len(sys.argv) < 1:
    print("Require at least 1 params")
    sys.exit(1)

try:
   SELF=sys.argv[0]
   ALERTFILE=sys.argv[1]
except Exception:
   print("Args exception!")
   sys.exit(1)

# ===============================================================
# MAIN()
#
def main():
   try:
      fp = open(ALERTFILE)
      ALERT = json.load(fp)
   except Exception as e:
      print("Error while load JSON from file %s: %s"%(ALERTFILE,e))

   ALERTDATA = ALERT["parameters"]["alert"]

# use your alert data
# ...


if __name__ == "__main__":
    main()