manually inserting event into active response script


Rudi Klein

Apr 30, 2024, 10:46:06 AM
to Wazuh | Mailing List
Hi,

I'm working on python code that enables an active response (py/bsh) script to send detailed messages to Discord and/or ntfy.sh. It's working great but adapting the example active response script (custom-ar.py) and debugging it was a headache.

When the custom-ar.py is triggered, it runs in the background and uses STDIN to read the event data. When running the script manually, it will prompt for input: obviously it needs the event data from STDIN. I've tried several ways to paste event data at the prompt, but to no avail.

It would be so much easier if I could run the script manually in an IDE and provide the event data somehow. I'm just not sure how to format the event data. I've tried several methods like structured JSON, serialized JSON and JSON as a string, but nothing worked.

Any hints or tips on how to resolve this issue?

Thanks,

Rudi



Luis Enrique Chico Capistrano

May 1, 2024, 11:53:51 AM
to Wazuh | Mailing List
Hello Rudi,

 Thanks for using Wazuh.

 Here are a couple of ideas:
  • Have you tried hardcoding the input and passing the JSON file inside custom-ar.py?
  • To debug, are you enabling logall in the ossec.conf file on the manager and checking that the message you are sending is what you expect?


 Just to confirm, you would like to call the custom-ar.py script with the JSON argument. Could you give an example?

 Best, Luis

Rudi Klein

Jun 2, 2024, 9:27:19 AM
to Wazuh | Mailing List
My deepest apologies. I was sure I already replied, but I didn't, or something went wrong.

This question has been resolved by dissecting custom-ar.py and building two implementations of an active response interface in Golang and Python: wazuh-notify.

Wazuh-notify takes an event and sends a notification to Slack, Discord or ntfy.sh, including summarized event information or the complete event.

Additionally, the Python implementation makes it possible to take the example (JSON) event from the Wazuh documentation and use it for testing.
Rather than processing a live event, it will use the example event. The example event can be adapted to test different scenarios.

If anybody is interested, the unsupported package is available freely through Github: https://github.com/KleinProjects/wazuh-notify.

Regards,

Rudi
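The STDIN problem the question raises, and the replay-a-documented-event approach the last post describes, as an added example that is neither custom-ar.py nor the wazuh-notify code: a minimal Python active response script whose run() reads the wazuh-execd JSON line from any file-like object, so a constructed SAMPLE_EVENT can go through the same code path from an IDE. The message layout (version, origin, command, parameters holding alert and extra_args) follows the Wazuh 4.x custom active response documentation; the sample values, the summarize() format and the --test flag are assumptions made for this example.

```python
"""Wazuh active response (AR) script skeleton that can also run inside an IDE."""
import io
import json
import sys

# Constructed sample in the shape wazuh-execd writes to STDIN; every value is made up.
SAMPLE_EVENT = json.dumps({
    "version": 1,
    "origin": {"name": "worker01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "timestamp": "2024-04-30T10:46:06.000+0000",
            "rule": {"level": 10, "description": "constructed test alert", "id": "100100"},
            "agent": {"id": "001", "name": "web01"},
            "data": {"srcip": "203.0.113.5"},
        },
        "program": "/var/ossec/active-response/bin/custom-ar.py",
    },
})

def parse_ar_message(raw):
    """Validate one JSON line from wazuh-execd and unpack command, alert and extra_args."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError("not a version 1 Wazuh active-response message")
    params = msg.get("parameters", {})
    return msg["command"], params.get("alert", {}), params.get("extra_args", [])

def summarize(alert):
    """One-line text a notifier (Discord, ntfy.sh, ...) could post for this alert."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    return "[{}] level {} rule {}: {} (agent {}/{})".format(
        alert.get("timestamp", "?"), rule.get("level", "?"), rule.get("id", "?"),
        rule.get("description", "?"), agent.get("id", "?"), agent.get("name", "?"))

def run(stream):
    """Read one AR message from `stream`: sys.stdin in production, a StringIO in tests."""
    command, alert, extra_args = parse_ar_message(stream.readline())
    return command, summarize(alert), extra_args

def replay(raw):
    """Feed a JSON string through run() exactly as if wazuh-execd had piped it in."""
    return run(io.StringIO(raw + "\n"))

if __name__ == "__main__":
    # `--test` replays SAMPLE_EVENT instead of blocking on STDIN, so the script runs in an IDE.
    print(replay(SAMPLE_EVENT) if "--test" in sys.argv else run(sys.stdin))
```

The documented custom-ar.py goes one step further: after reading the alert it writes a check_keys message to STDOUT and then reads a second STDIN line carrying continue or abort, so a replayed stream needs that second line as well or the script blocks exactly as it did at the prompt.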