|
| 1 | +#!/usr/bin/env python3 |
| 2 | +from cortexutils.responder import Responder |
| 3 | +import requests |
| 4 | + |
| 5 | +class Wazuh(Responder): |
| 6 | + def __init__(self): |
| 7 | + Responder.__init__(self) |
| 8 | + self.wazuh_manager = self.get_param('config.wazuh_manager', None, 'https://localhost:55000') |
| 9 | + self.wazuh_user = self.get_param('config.wazuh_user', None, 'Username missing!') |
| 10 | + self.wazuh_password = self.get_param('config.wazuh_password', None, 'Password missing!') |
| 11 | + self.wazuh_agent_id = self.get_param('data.case.customFields.wazuh_agent_id.string', None, "Agent ID Missing!") |
| 12 | + self.wazuh_alert_id = self.get_param('data.case.customFields.wazuh_alert_id.string', None, " Missing!") |
| 13 | + self.wazuh_rule_id = self.get_param('data.case.customFields.wazuh_rule_id.string', None, "Agent ID Missing!") |
| 14 | + self.observable = self.get_param('data.data', None, "Data is empty") |
| 15 | + self.observable_type = self.get_param('data.dataType', None, "Data type is empty") |
| 16 | + |
| 17 | + def run(self): |
| 18 | + Responder.run(self) |
| 19 | + auth = (self.wazuh_user, self.wazuh_password) |
| 20 | + headers = {'Content-Type': 'application/json'} |
| 21 | + # Check observable to ensure valid IP address |
| 22 | + if self.observable_type == "ip": |
| 23 | + try: |
| 24 | + ipaddress.ip_address(self.observable) |
| 25 | + except ValueError: |
| 26 | + self.error({'message': "Not a valid IPv4/IPv6 address!"}) |
| 27 | + else: |
| 28 | + self.error({'message': "Not a valid IPv4/IPv6 address!"}) |
| 29 | + payload = '{"command":"firewall-drop.sh", "arguments": ["-", "' + self.observable + '", "' + self.wazuh_alert_id + '", "' + self.wazuh_rule_id + '", "' + self.wazuh_agent_id + '", "var/log/test.log"], "custom": "True"}' |
| 30 | + r = requests.put(self.wazuh_manager + '/active-response/' + self.wazuh_agent_id, headers=headers, data=payload, verify=False, auth=auth) |
| 31 | + if r.status_code == 200: |
| 32 | + self.report({'message': "Added DROP rule for " + self.observable }) |
| 33 | + else: |
| 34 | + self.error(r.status_code) |
| 35 | + |
| 36 | + def operations(self, raw): |
| 37 | + return [self.build_operation('AddTagToCase', tag='Wazuh: Blocked IP')] |
| 38 | + |
| 39 | +if __name__ == '__main__': |
| 40 | + Wazuh().run() |
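Review bot: `ipaddress.ip_address(self.observable)` at file line 24 raises NameError on every call, because the file only imports `Responder` and `requests`; add `import ipaddress` next to `import requests`. The payload on line 29 string-concatenates the observable and the three case custom-field values into JSON, so a quote or bracket in any of them corrupts or reshapes the request, and `self.wazuh_agent_id` is pasted into the URL path unvalidated; build a dict and pass it as `json=payload` (which also sets Content-Type, making the hand-built `headers` unnecessary). `verify=False` on the `requests.put` disables certificate checking for the connection that carries the basic-auth credentials; it should default to verification, with a CA bundle path taken from a config parameter if the manager uses a private CA. Separately, `self.error(r.status_code)` passes a bare int where the other calls pass a message dict, and the placeholder defaults such as `'Username missing!'` and the copied `"Agent ID Missing!"` for `wazuh_rule_id` mean a missing config value is silently sent as a credential or argument instead of being reported.
```python
# … unchanged: auth tuple and IP validation …
payload = {
    "command": "firewall-drop.sh",
    "arguments": ["-", self.observable, self.wazuh_alert_id, self.wazuh_rule_id,
                  self.wazuh_agent_id, "var/log/test.log"],
    "custom": "True",
}
r = requests.put(self.wazuh_manager + '/active-response/' + self.wazuh_agent_id,
                 json=payload, auth=auth)
# … unchanged: status check, report/error …
```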