Custom integration with NTFY almost working, but not quite


Jamie Navarro

May 15, 2023, 2:08:03 PM
to Wazuh mailing list

I've got a simple Python script:


#!/usr/bin/env python
import json
import requests

# A Wazuh alert in JSON, hard-coded here as sample input
ajsonmsgraw = '{"timestamp":"2023-05-12T12:41:38.619+0000","rule":{"level":3,"description":"SG - Unrecognized/new MAC Address,  18:b4:30:be:9b:1e, on network!","id":"100016","firedtimes":2,"mail":false,"groups":["SG"]},"agent":{"id":"000","name":"ubuntusrvwazuhtest1"},"manager":{"name":"ubuntusrvwazuhtest1"},"id":"1683895298.31439836","full_log":"05/12/2023 12:41:37 sgdhcp Unrecognized MAC Address, 18:b4:30:be:9b:1e, connected to network. Added to MAC address list file.","decoder":{"name":"SGNewDHCPIP"},"data":{"themacaddy":"18:b4:30:be:9b:1e"},"location":"/var/ossec/logs/SGWazuhMACAddressListAR.log"}'

# Parse the alert and pull out the rule description
ajsonmsgformatted = json.loads(ajsonmsgraw)
alert_msg = ajsonmsgformatted['rule']['description']

# Build the notification text and POST it to the ntfy topic
alertforntfy = "Wazuh alert @ SG: " + alert_msg
requests.post("https://ntfy.sh/jn123876", data=alertforntfy.encode(encoding='utf-8'))

Here's the pertinent snippet of my ossec.conf file:

<integration>
<name>custom-sgntfyintegration.py</name>
<rule_id>100010</rule_id>
<alert_format>json</alert_format>
</integration>


However, it doesn't seem to be running when rule #100010 generates an alert. My Python script works fine, because when I run it by itself:

python3 custom-sgntfyintegration.py

It runs fine, so it doesn't seem to be an issue with the code in my Python script.

I ran the following command:

cat /var/ossec/logs/ossec.log | grep custom

And this came up:

2023/05/15 17:04:39 wazuh-integratord: ERROR: Couldn't execute command (integrations /tmp/custom-sgntfyintegration.py-1684170279--1048392.alert > /dev/null 2>&1). Check file and permissions.


Here are the contents and permissions of /var/ossec/integrations:

root@ubuntusrvwazuhtest1:/var/ossec/integrations# ls -l
total 48
-rwxr-x--- 1 root wazuh 1062 May 15 09:01 custom-sgntfyintegration.py
-rwxr-x--- 1 root wazuh  502 May 15 07:34 dorktemp.py
-rwxr-x--- 1 root wazuh 4325 Mar 28 01:05 pagerduty
-rwxr-x--- 1 root wazuh 1045 Mar 28 01:05 shuffle
-rwxr-x--- 1 root wazuh 4472 Mar 28 01:05 shuffle.py
-rwxr-x--- 1 root wazuh 1045 Mar 28 01:05 slack
-rwxr-x--- 1 root wazuh 3809 Mar 28 01:05 slack.py
-rwxr-x--- 1 root wazuh 1045 Mar 28 01:05 virustotal
-rwxr-x--- 1 root wazuh 6564 Mar 28 01:05 virustotal.py

(I also attached a screenshot of this)


So I'm not sure why it's not working - am I missing something here?


Thank you,

Jamie


Openime Oniagbi

May 15, 2023, 2:19:58 PM
to Wazuh mailing list
Hi,

Thank you for using Wazuh.

Your configuration looks excellent to me. I suggest you change the first line in the Python script to #!/var/ossec/framework/python/bin/python3
Restart your manager afterward and let me know if that helps.

Regards.

Jamie Navarro

May 15, 2023, 3:10:26 PM
to Wazuh mailing list
Hi Openime,

That was it - it's working now!

Thank you so much! May I ask why this change fixed it? The example Python scripts (and the Wazuh documentation) show that line the way I originally had it.

Thank you,
Jamie

Openime Oniagbi

May 15, 2023, 3:25:42 PM
to Wazuh mailing list
Hi Jamie,

Glad to hear it is working now.

The line specifies what Python interpreter Wazuh uses to run the file. Newer versions of Wazuh contain a link to the Python3 interpreter. Seeing as you ran the file with python3, my guess was that was the interpreter installed on your system.

Regards.
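For reference, here is what the integration looks like once it reads the alert the way integratord hands it over, instead of a hard-coded JSON string. This is an added example, not the original poster's script or Wazuh's own code; the ntfy URL is a placeholder, the argument order follows Wazuh's documented convention for custom integrations, and the standard library's urllib is used in place of requests so it runs without extra packages.

```python
#!/var/ossec/framework/python/bin/python3
# Added example, not the original poster's script or Wazuh's own code. integratord runs a
# custom integration as <script> <alert-file> <api_key> <hook_url>; the alert file holds the
# alert as JSON. The default URL is a placeholder: on the public ntfy.sh server the topic name
# is the only access control, so pass it in through <hook_url> in ossec.conf instead.
import json
import sys
import urllib.request

DEFAULT_NTFY_URL = "https://ntfy.sh/REPLACE-WITH-YOUR-TOPIC"  # placeholder

# The alert from the thread above, embedded so the parsing logic can be run offline.
SAMPLE_ALERT = ('{"timestamp":"2023-05-12T12:41:38.619+0000","rule":{"level":3,'
                '"description":"SG - Unrecognized/new MAC Address,  18:b4:30:be:9b:1e, on network!",'
                '"id":"100016"},"agent":{"id":"000","name":"ubuntusrvwazuhtest1"},'
                '"data":{"themacaddy":"18:b4:30:be:9b:1e"}}')

def parse_alert(text):
    """Parse the alert JSON into a dict."""
    return json.loads(text)

def load_alert(path):
    """Read the alert file that integratord passes as argv[1]."""
    with open(path, encoding="utf-8") as fh:
        return parse_alert(fh.read())

def ntfy_priority(level):
    """Map a Wazuh rule level (0-15) onto ntfy's priority scale (1 = min, 5 = max)."""
    return 5 if level >= 12 else 4 if level >= 9 else 3 if level >= 6 else 2

def build_notification(alert):
    """Return (body, headers) for the ntfy POST, built from a parsed alert."""
    rule, agent = alert.get("rule", {}), alert.get("agent", {})
    level = int(rule.get("level", 0))
    body = "Wazuh alert @ SG: " + rule.get("description", "(no description)")
    headers = {"Title": "Wazuh rule %s (level %d) on %s"
                        % (rule.get("id", "?"), level, agent.get("name", "?")),
               "Priority": str(ntfy_priority(level))}
    return body, headers

def send(body, headers, url):
    # POST the notification to the ntfy topic; returns the HTTP status code
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: custom-sgntfyintegration.py <alert-file> [api_key] [hook_url]")
    hook_url = sys.argv[3] if len(sys.argv) > 3 and sys.argv[3] else DEFAULT_NTFY_URL
    send(*build_notification(load_alert(sys.argv[1])), hook_url)
```

Because the shebang points at Wazuh's bundled interpreter, the script runs under the same Python whether integratord launches it or you call it by hand for testing.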

Jamie Navarro

May 15, 2023, 4:08:43 PM
to Wazuh mailing list
OK, thank you for your help Openime! Have a great day and week!

Openime Oniagbi

May 16, 2023, 2:49:57 AM
to Wazuh mailing list
You too Jamie!

Meo Yes

May 20, 2023, 9:06:04 AM
to Wazuh mailing list
Hey, I want to connect Wazuh with Shuffle to detect command and control attacks. Can anyone help me? I started with the creation of a Shuffle webhook, then I got blocked. Do you guys have any documentation or help? Thank you.

Jamie Navarro

May 20, 2023, 9:28:20 AM
to Wazuh mailing list
You should create your own, separate thread.