Custom Integration


Igor Garofano

Jun 28, 2021, 5:38:30 AM
to Wazuh mailing list
Hello,

I'm trying to implement a ThreatCrowd custom integration, but I'm unable to run it over the alerts.json file.

I copied the VirusTotal Python script, and if I run it with a test JSON containing only firewall logs it works correctly.

But it doesn't work automatically like VirusTotal. The integration in ossec.conf is defined like the VirusTotal one; I don't understand where the 4 parameters of the Python script are passed from.

Can you help me with that?

Igor Garofano

Jun 28, 2021, 5:40:11 AM
to Wazuh mailing list
Attached is the Python integration, and below is the integration config in ossec.conf:

  <integration>
    <name>thrcrwd</name>
    <group>fortigate</group>
    <level>10</level>
    <alert_format>json</alert_format>
  </integration>

thrcrwd.py

Igor Garofano

Jun 28, 2021, 9:46:28 AM
to Wazuh mailing list
Just figured out from the logs some permissions errors:

Can you help me with that?

2021/06/28 15:28:32 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624886912-220548317.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:30:46 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:30:50 ossec-integratord: ERROR: At wpopenv(): file '/var/ossec/integrations/custom-thrcrwd' has write permissions.
2021/06/28 15:30:50 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624887050-1658639308.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:32:22 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:32:26 ossec-integratord: ERROR: At wpopenv(): file '/var/ossec/integrations/custom-thrcrwd' has write permissions.
2021/06/28 15:32:26 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624887146--1569350983.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:36:00 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:36:04 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624887364--1009800219.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:39:49 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:39:53 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624887593--1568897486.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:43:28 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:43:32 ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-thrcrwd /tmp/custom-thrcrwd-1624887812-1745234572.alert    > /dev/null 2>&1). Check file and permissions.
2021/06/28 15:45:17 ossec-integratord: INFO: Enabling integration for: 'custom-thrcrwd'.
2021/06/28 15:45:21 osse

Juan Nicolás Asselle

Jun 28, 2021, 12:04:45 PM
to Wazuh mailing list

Hello!
In order to know what's happening and causing this error, I will need some extra info:

  • Wazuh version
  • Check the integration script permissions with ls -l /var/ossec/integrations/custom-thrcrwd. They should be 750 root:ossec.
  • Enable debug logs for integratord by executing echo "integrator.debug=2" >> /var/ossec/etc/local_internal_options.conf. Then restart the Wazuh manager, trigger the execution of the integration script somehow, and send us the ossec.log output.

On the other hand, the integration script parameter descriptions are:

  • alert_file = sys.argv[1]
  • api_key = sys.argv[2]. Empty string if unused.
  • hook_url = sys.argv[3]. Empty string if unused.
  • debug = sys.argv[4]. Empty string if unused. Set to 'debug' if integratord is running with debug logs.

I've just opened an issue to add this information to the documentation: Add parameter descriptions for custom integrations using integratord #3995

Thank you, and I await this information to move forward.
Nico
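As an added example (not the script attached to this thread, nor Wazuh's own code), here is the skeleton of a Python custom integration wired to the four positional parameters described above, with a self-check mirroring the "has write permissions" error from the log. The alert field data.srcip, the integration name thrcrwd, and the exact permission test integratord applies are assumptions; the 1:<integration>:<json> message form is the one the VirusTotal script this integration was copied from uses.

```python
import json
import os
import stat
import sys


def parse_args(argv):
    """Map integratord's four positional parameters to names; missing ones are ''."""
    given = list(argv[1:5])
    alert_file, api_key, hook_url, debug = given + [""] * (4 - len(given))
    return {
        "alert_file": alert_file,
        "api_key": api_key,
        "hook_url": hook_url,
        "debug": debug == "debug",  # 'debug' only when integrator.debug is on
    }


def writable_by_group_or_others(mode):
    """The condition behind the log's 'has write permissions' error (assumed to be
    any group/other write bit); 0750 root:ossec passes it."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def extract_ip(alert):
    """Address to look up; 'data.srcip' is an assumed FortiGate decoder field."""
    return alert.get("data", {}).get("srcip")


def build_message(alert, lookup, integration="thrcrwd"):
    """Wrap the lookup result as '1:<integration>:<json>', the queue message
    form used by the VirusTotal script this integration was copied from."""
    msg = {
        "integration": integration,
        integration: lookup,
        "source": {"alert_id": alert.get("id"),
                   "rule": alert.get("rule", {}).get("id")},
    }
    return "1:{0}:{1}".format(integration, json.dumps(msg))


if __name__ == "__main__":
    args = parse_args(sys.argv)
    if writable_by_group_or_others(os.stat(__file__).st_mode):
        sys.exit("refusing to run: chmod 750 and chown root:ossec this script")
    with open(args["alert_file"]) as fh:  # the temp .alert file from integratord
        alert = json.load(fh)
    # The real script would query ThreatCrowd here; lookup is a placeholder.
    print(build_message(alert, {"ip": extract_ip(alert), "debug": args["debug"]}))
```

Install it as /var/ossec/integrations/custom-thrcrwd with mode 750 and owner root:ossec so the self-check and integratord's own check both pass.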

Igor Garofano

Jun 28, 2021, 1:29:51 PM
to Juan Nicolás Asselle, Wazuh mailing list
Hello Nico,

Thanks for your quick response.

Yes, I was able to solve it with 750 root:ossec permissions; now it is working fine and correctly.

Yes, thanks for the explanation about the parameters :) This could help when onboarding new integrations :)

Have a nice day.

Best regards,

Igor Garofano
Cyber Security Specialist
+39-3922283057
EC-council CTIA, CEH v10, CHFI, ITIL v3, Splunk, IBM Qradar Siem Foundation, Oracle Cloud Architect Associate, Google Cloud Architect, NSE4.