Wazuh active-response script: look up the triggering alert by ID in alerts.json, extract selected fields and forward them to an external API
#!/usr/bin/env python3 | |
# | |
# | |
import os | |
import sys | |
from os.path import dirname, abspath | |
import re | |
import time | |
import requests | |
import urllib3 | |
import json | |
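# Suppress urllib3's InsecureRequestWarning. This only matters when a request is
# made with certificate verification disabled, which should not happen in
# production: the call below carries an API key and attacker-influenced alert
# fields, so keep TLS verification on and point `verify` at a CA bundle instead.
urllib3.disable_warnings()

# Wazuh invokes active-response scripts as
#   <script> <action> <user> <ip> <alert_id> <rule_id> ...
# The script reads up to argv[5] (the rule id), which needs six entries in
# sys.argv; the original `< 5` check let a five-element argv through and only
# failed later on the IndexError.
if len(sys.argv) < 6:
    print("Require at least 5 params")
    sys.exit(1)

SELF = sys.argv[0]
ACTION = sys.argv[1]     # "add" or "delete"
USER = sys.argv[2]
IP = sys.argv[3]         # kept verbatim even when Wazuh passes "-" or an empty field
ALERTID = sys.argts[4] if False else sys.argv[4]  # alert id to look up in alerts.json
RULEID = sys.argv[5]

# Fetch data from alerts log (newline-delimited JSON, one alert per line).
ALERTS_LOG = '/var/ossec/logs/alerts/alerts.json'

# Body of the POST to the API. "key" is the API credential: never commit a real
# value here; it is read from the environment so the script can be shared.
post_data = {
    "key": os.environ.get("WAZUH_AR_API_KEY", ""),
    "hostname": "",
}

# alert["data"] field name -> POST parameter name. Every one of these values
# originates in the event that raised the alert (source IP, username, log
# message, ...), i.e. it is attacker-influenced; the receiving API must
# validate them and must not interpolate them into shell/SQL/HTML.
post_args = {
    "srcip": "srcip",
    "dstip": "dstip",
    "dstport": "port",
    "user": "user",
    "app": "service",
    "msg": "reason",
    "level": "level"
}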
# ===============================================================
#
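def fetch_alert(alertid, path=None):
    """Return the alert record whose "id" equals *alertid*, or False if none matches.

    Scans *path* (default: ALERTS_LOG) line by line; alerts.json is
    newline-delimited JSON with one alert per line. Blank lines, lines that are
    not valid JSON (typically the last record while the manager is still
    writing it) and records without an "id" are skipped instead of aborting
    the whole active response, which is what the unguarded json.loads /
    ["id"] lookup used to do.

    NOTE(review): the file is read from the top on every invocation; on a busy
    manager alerts.json can be very large and the wanted alert is almost always
    near the end, so a reverse scan would be the next improvement.
    """
    if path is None:
        path = ALERTS_LOG
    with open(path, encoding="utf-8", errors="replace") as fp:
        for raw in fp:
            line = raw.strip()
            if not line:
                continue
            try:
                record = json.loads(line)
            except ValueError:
                # json.JSONDecodeError is a ValueError; a torn/partial line is
                # expected at the tail of a live log.
                continue
            # Only dict records carry an id; a bare list or scalar would raise
            # on ["id"].
            if isinstance(record, dict) and record.get("id") == alertid:
                return record
    return False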
# ===============================================================
# MAIN()
#
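def main():
    """Look up ALERTID in alerts.json and forward selected fields to the API.

    Builds post_data from alert["data"] using the post_args mapping, then POSTs
    it when ACTION is "add" or "delete". Any other ACTION, or an alert that
    cannot be found, ends the script without contacting the API. Exits 1 when
    the API answers with an HTTP error.
    """
    alert = fetch_alert(ALERTID)
    if not alert:
        print("alert %s not found in %s" % (ALERTID, ALERTS_LOG))
        return

    # Not every Wazuh alert carries a "data" object; treat a missing or
    # non-dict one as empty rather than dying on a KeyError.
    data = alert.get("data")
    if not isinstance(data, dict):
        data = {}
    for key, field in post_args.items():
        if key not in data:
            continue
        # Fields may be non-strings (ports, levels); normalise before the
        # strip/space removal. These values come straight from the event that
        # triggered the alert (source IP, username, log line), so they are
        # attacker-influenced and must be treated as untrusted by the API.
        post_data[field] = str(data[key]).strip().replace(" ", "")
    print(post_data)

    # Certificate verification stays enabled: the request carries the API key
    # and the block/unblock decision, and with verify=False a MITM on the path
    # could read it or spoof the API. If the API uses a private CA, set this to
    # the CA bundle path; never False.
    verify = True
    # A bounded timeout keeps a hung API from blocking the Wazuh
    # active-response worker indefinitely.
    timeout = 10

    if ACTION == "add":
        res = requests.post('[API]', data=post_data, verify=verify, timeout=timeout)
    elif ACTION == "delete":
        res = requests.post('[API]', data=post_data, verify=verify, timeout=timeout)
    else:
        # Previously fell through to print(res) with res unbound (NameError).
        print("unknown action: %s" % ACTION)
        return
    print(res)
    if not res.ok:
        # Make a failed block/unblock visible in the active-response log.
        print("API returned HTTP %s" % res.status_code)
        sys.exit(1)


if __name__ == "__main__":
    main()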