Integrations to external system via JSON/REST.


Dan Tembe

Apr 25, 2018, 7:32:25 AM
to Wazuh mailing list
Hello Folks. 

I am trying to understand how I can (instead of using emails) create an integration to an external alert system via a JSON/REST Python script. I have reviewed the existing Pagerduty, Slack and VirusTotal integrations. I tried creating a new file and copied all the relevant functions, but that did not work. Then I copied my changes over to the slack file, and that didn't work either. I am wondering if there is any guidance / reference material in the group here that I can review.

I would like to clear up that I am a noob coding enthusiast, so the issue is most likely in my code, so I am looking for some help.

I am trying to post data to ServiceNOW dev instance for all Wazuh alerts with Level 12 and above. 


Here are my functions, which I think will get the alerts from Wazuh to post (at the correct severity). I want to add them to a working integration script and post alerts to a ServiceNow development instance.

import base64
import json
import urllib2

# Placeholders: the post does not show where these three values were defined.
snowemurl = "https://<instance>.service-now.com/api/now/table/em_event"
snowemuser = "<user>"
snowempassword = "<password>"


def generate_msg(alert):
    level = alert['rule']['level']

    if level >= 12:
        msg = {}
        msg['source'] = "WAZUHPROBE"
        msg['node'] = alert['src_ip']
        msg['type'] = alert['status']
        msg['resource'] = alert['program_name']

        # adding in a severity map (Wazuh rule level -> ServiceNow severity)
        if level <= 5:
            snowsev = "0"
        elif level >= 5 and level <= 10:
            snowsev = "4"
        elif level >= 11 and level <= 12:
            snowsev = "3"
        elif level >= 13 and level <= 14:
            snowsev = "2"
        elif level >= 15:
            snowsev = "1"
        else:
            snowsev = "4"

        msg['severity'] = snowsev
        msg['metric_name'] = alert['system_name']
        msg['description'] = alert['full_log']
        agent = {"title": "Agent", "value": "({0}) - {1}".format(alert['agent']['id'], alert['agent']['name'])}
        location = {"title": "Location", "value": alert['location']}
        rule = {"title": "Rule ID", "value": "{0} _(Level {1})_".format(alert['rule']['id'], level)}
        # must be a list; the original {[ agent, location, rule ]} builds a set
        # containing a list and raises TypeError (unhashable type: 'list')
        msg['additional_info'] = [agent, location, rule]
        msg['ci_identifier'] = ""
        msg['event_class'] = "Info Security Alert"
        msg['message_key'] = ""
        attach = {'attachments': [msg]}

        return json.dumps(attach)
    else:
        pass


def send_msg(msg):
    headers = {'Content-type': 'application/json', 'Accept': 'application/json'}
    request = urllib2.Request(url=snowemurl, data=msg, headers=headers)
    # HTTP Basic auth uses standard base64, not the URL-safe alphabet
    base64string = base64.b64encode('%s:%s' % (snowemuser, snowempassword))
    request.add_header("Authorization", "Basic %s" % base64string)
    f = urllib2.urlopen(request)
    f.read()
    f.close()

But even when trying to maintain the same format and the other existing functions, I cannot get the script to work. I get errors in ossec.log.




I am running Wazuh version 2.1.1.

Any help/ guidance is much appreciated. 
Thanks!
Dan

alberto....@wazuh.com

Apr 27, 2018, 8:12:04 AM
to Wazuh mailing list
Hello Dan

  Sorry for the late response. I recommend you create a new file for your integration script. Please give the new file the same permissions and owner as slack, virustotal and pagerduty (750 root:ossec).
Before all that, I highly recommend that you make sure your script behaves correctly. You can try to debug it, execute it, etc. Try to insert a ticket separately from Wazuh, using only the script and fake data.

Then, once we are sure that the integration script works, let's see what could be happening in Wazuh. So, first we could disable the integratord daemon with:
  1. /var/ossec/bin/ossec-control disable integrator

We need to configure the section as in this example: 

And restart the manager with /var/ossec/bin/ossec-control restart.

Now, we could execute integratord with debug mode enabled:

/var/ossec/bin/ossec-integratord -ddd


Please share the output with us so we can analyze it.
Several of our customers have the Service Now integration working fine.
Hope it helps,
Best regards, 

Alberto R. 

Dan Tembe

Apr 27, 2018, 9:07:46 AM
to Wazuh mailing list

Hello Alberto, 
Firstly, many thanks for your response and guidance. I will now start down the path you have posted and report back.

Some updates since my original post. I realized that in my version of Wazuh, my slack integration was a shell script instead of a Python script, so I started over working on the shell script instead, using slack as my base. Also, no matter what I named my integration, I was not able to enable the integration (I don't recall the exact error, but it had to do with pagerduty or slack being the only integrations allowed).

So far, I am able to enable the slack integration and post to slack. So I figured my integration code block in ossec.conf was OK.

Second, I tested posting the curl to the service-now dev instance via the command line to check the JSON format, and that worked (after a few changes). Then I kept the slack code as close to the original as possible and only changed the relevant parts to post to SNOW Dev, but that fails.




Here is my current script:

#!/bin/sh
# Slack Integration
# Author: Daniel B. Cid
# Last modified: Jan 02, 2015

ALERTFILE=$1
APIKEY=$2
# No space after '='. The posted "WEBHOOK= $3" runs the URL in $3 as a command
# and leaves WEBHOOK empty, so the "Missing argument" check below exits 1.
WEBHOOK=$3

LOCAL=`dirname $0`;
SERVER=`hostname`
cd $LOCAL
cd ../
PWD=`pwd`


# Logging the call
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7" >> ${PWD}/logs/integrations.log


# IP Address must be provided
if [ "x${WEBHOOK}" = "x" ]; then
   echo "$0: Missing argument <alertfile> <unused> (webhook)"
   exit 1;
fi


ls $ALERTFILE >/dev/null 2>&1
if [ ! $? = 0 ]; then
    echo "$0: Missing file: <alertfile>"
    exit 1;
fi


. $ALERTFILE
postfile=`mktemp`


# Note: the alert variables are pasted into the JSON unescaped; a double quote
# or backslash in $alertlog (or any other field) will produce invalid JSON.
echo '{"source":"Wazuh", "node":"'$alertlocation'", "metric_name":"'$ruledescription'", "event_class":"Information_Security", "resource":"CI-TSE", "severity":"'$alertlevel'", "description": "'$alertlog'"}' > $postfile



# username:password is a placeholder for the ServiceNow credentials
res=`curl -v -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data @$postfile -u username:password "$WEBHOOK"`

echo $res | grep "ok" >/dev/null 2>&1
if [ $? = 0 ]; then
    echo "`date` $0 Slack integration ran successfully" >> ${PWD}/logs/integrations.log
else
    echo "`date` $0 Slack integration failed to run. Either invalid hook url or payload." >> ${PWD}/logs/integrations.log
fi

rm -f $postfile

exit 0;


And the error from ossec.log:


2018/04/27 07:56:24 ossec-integratord: DEBUG: sending new alert.
2018/04/27 07:56:24 ossec-integratord: DEBUG: skipping: integration disabled
2018/04/27 07:56:24 ossec-integratord: DEBUG: waiting for available alerts...
2018/04/27 07:56:25 ossec-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/04/27 07:56:25 ossec-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/04/27 07:56:25 ossec-integratord: INFO: (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
2018/04/27 07:56:27 ossec-integratord: INFO: Started (pid: 24901).
2018/04/27 07:56:27 ossec-integratord: INFO: Enabling integration for: 'slack'.
2018/04/27 07:56:47 ossec-integratord: ERROR: Unable to run integration for slack -> /var/ossec/integrations/slack


And the messages from integration.log (I changed the URL name, but in my testing I was using the correct table/instance):

Fri Apr 27 07:56:47 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524833807-209446882.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:21:00 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524831660-1656879806.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:23:37 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524831817-1319013571.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:25:32 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524831932--461989833.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:28:49 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524832128-1821763492.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:41:51 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524832911--324606132.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:43:03 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524832983--1607778626.alert  https://myinstance.service-now.com/api/now/table/em_event
Fri Apr 27 07:56:47 CDT 2018 /var/ossec/integrations/slack /tmp/slack-1524833807-209446882.alert  https://myinstance.service-now.com/api/now/table/em_event



I will now start with creating a new file, instead of using slack. My biggest concern is that the file name (not being pagerduty or slack) was not working. Maybe this is because I am on Wazuh 2.1.1.

Either way, thanks again for your response and I will respond with my changes and output. 

Thanks!
Dan

Dan Tembe

May 9, 2018, 11:25:34 AM
to Wazuh mailing list
Hello Alberto,

I wanted to post my findings on this topic, as I have this working (for my purpose), so I wanted to close off with my workaround/solution.

For some reason I was never able to get any integrations to work if the file was not named "slack" or "pagerduty". I upgraded to Wazuh 3.x (latest) and it added another integration for "virustotal", but beyond these 3 file names, I could not get the integrator service to start. I wonder if this is because in the source code (integrator.c) there is a limitation on what files the Integrator module can start up. I see there is an option to use "custom-" as the file name, but I did not spend time testing that.

Since time was short, I just used the slack integration, made the necessary changes to the file, and was able to use curl to pass JSON to ServiceNOW event management. The solution is working rock solid and is great. It is fully integrated. The only caveat is that it passes only the 4 variables from the OSSEC/WAZUH alert which are defined in the integration.c code starting from line 260. Again, just my thought.

All the code is posted here - https://github.com/dtembe/OSSEC_WAZ_2SNOWEM

I have posted the final code to my github - https://github.com/dtembe/OSSEC_WAZ_2SNOWEM/blob/master/slack

I am also tinkering with running a Python script tailing the alerts.json. This is working great, except I have yet to add in the log rotate part, so the script needs to be restarted at 12:01 AM. The complete script, as it works, is here - https://github.com/dtembe/OSSEC_WAZ_2SNOWEM/blob/master/ossec2snowem.py
With the Python script, I am able to tail the alerts.json file and map all the necessary fields from the alert, including mapping the exact PCI_DSS rule name into a specific JSON map. This is working much better than the slack solution. I am looking at various snippets of code to add here so the script can handle log rotate. I am running it from systemd as a service so it starts when the system is started. Some polishing is left to be done, but I think I will move to the Python script as my eventual integration method.

Hopefully this helps the next person in their quest to integrate Wazuh or OSSEC with ServiceNow Event Management module. 

Thanks again for your earlier response. 
Best Regards,
Dan
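As an added example (not code from this thread or from Dan's repository), here is the alerts.json-to-em_event mapping that both the shell script post and the tailing approach above describe, written for Python 3: it keeps only level 12 and above, applies the severity map from the first post, skips a half-written line the way a tailer would see it, and lets json.dumps escape full_log so a quote in the log cannot break the payload, which the shell echo concatenation does not guarantee. The em_event field choices, the pci_dss-to-metric_name mapping and the sample lines are assumptions.

```python
import json

def snow_severity(level):
    """Wazuh rule level -> ServiceNow em_event severity (the map from the first post)."""
    for top, sev in ((5, "0"), (10, "4"), (12, "3"), (14, "2")):
        if level <= top:
            return sev
    return "1"

def alert_to_event(alert, min_level=12):
    """Map one alerts.json record to an em_event dict; None if below the level gate."""
    rule, agent = alert["rule"], alert.get("agent", {})
    level = int(rule["level"])
    if level < min_level:
        return None
    return {
        "source": "Wazuh",
        "node": agent.get("name", ""),
        "resource": alert.get("location", ""),
        "type": rule.get("description", ""),
        "metric_name": ",".join(rule.get("pci_dss", [])),  # assumption: PCI tags go here
        "severity": snow_severity(level),
        "description": alert.get("full_log", ""),
        # dedupe key so ServiceNow correlates repeats of the same rule per agent
        "message_key": "{0}:{1}".format(agent.get("id", ""), rule.get("id", "")),
    }

def events_from_lines(lines):
    """Parse alerts.json lines; skip blank or partial lines instead of crashing."""
    events = []
    for line in lines:
        try:
            alert = json.loads(line)
        except ValueError:  # blank or half-written line while tailing: skip it
            continue
        event = alert_to_event(alert)
        if event is not None:
            events.append(event)
    return events

def to_payload(event):
    return json.dumps(event)  # escapes quotes and backslashes; shell echo does not

# Constructed sample: a level-12 alert whose full_log contains quotes and a backslash,
# a level-3 alert below the gate, and a line cut off mid-write.
SAMPLE_LINES = [
    '{"rule":{"level":12,"description":"Multiple authentication failures","id":"5712","pci_dss":["10.2.4"]},'
    '"agent":{"id":"001","name":"web01"},"location":"/var/log/auth.log","full_log":"Login failed for user \\"admin\\" from C:\\\\tmp"}',
    '{"rule":{"level":3,"description":"Login session opened.","id":"5501"},"agent":{"id":"001","name":"web01"},'
    '"location":"/var/log/auth.log","full_log":"session opened"}',
    '{"rule":{"level":14,"desc',
]
```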