Skip to content

Instantly share code, notes, and snippets.

@michelep

michelep/alerts_json.py

Last active Mar 2, 2021
Embed
What would you like to do?
WAZUH - active-response fetch alerts.json to extract alert data
#!/usr/bin/env python3
#
#
import os
import sys
from os.path import dirname, abspath
import re
import time
import requests
import urllib3
import json
urllib3.disable_warnings()
if len(sys.argv) < 5:
print("Require at least 5 params")
sys.exit(1)
try:
SELF=sys.argv[0]
ACTION=sys.argv[1]
USER=sys.argv[2]
if sys.argv[3]:
IP=sys.argv[3]
if sys.argv[4]:
ALERTID=sys.argv[4]
if sys.argv[5]:
RULEID=sys.argv[5]
except Exception:
print("Args exception!")
sys.exit(1)
# Fetch data from alerts log
ALERTS_LOG = '/var/ossec/logs/alerts/alerts.json'
post_data = {
"key": "",
"hostname": "",
}
post_args = {
"srcip": "srcip",
"dstip": "dstip",
"dstport": "port",
"user": "user",
"app": "service",
"msg": "reason",
"level": "level"
}
# ===============================================================
#
def fetch_alert(alertid):
with open(ALERTS_LOG) as fp:
line = fp.readline()
while line:
data_dict = json.loads(line)
if(data_dict["id"] == alertid):
return data_dict
line = fp.readline()
return False
# ===============================================================
# MAIN()
#
def main():
alert = fetch_alert(ALERTID)
if(alert):
# print(json.dumps(alert["data"],indent=4,sort_keys=True))
# Prepare post data
for (key,value) in post_args.items():
if key in alert["data"]:
post_data[value] = alert["data"][key].strip().replace(" ", "")
print(post_data)
# send data to my
if ACTION == "add":
res = requests.post('[API]', data=post_data, verify=False)
elif ACTION == "delete":
res = requests.post('[API]', data=post_data, verify=False)
print(res)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment