This integration sends Wazuh alerts from the Wazuh server to a Telegram chat.
To send Wazuh alerts to a Telegram chat, we need to create a bot first. To do this we send a couple of messages to @BotFather. After starting it with the /start command, we send the /newbot command to begin creating the bot and choose a name for it, e.g. Wazuh. BotFather then asks for a username (it must end in "bot") and answers with the bot token. Treat this token as a secret: anyone who has it can send messages as the bot.
Once the bot is ready, we can write the script that will send the Wazuh alerts. First, we need the Chat ID, the identifier of the conversation we are having with the bot.
Before you look for this ID, send your bot a short "hello" message so that a chat exists between you and the bot. If you want the alerts in a Telegram group instead, add the bot to the group and add @my_id_bot (a third-party bot) to the chat to get the group's CHAT_ID; note that group chat IDs are negative numbers.
Then call the getUpdates method of the Bot API with the token given by BotFather:
https://api.telegram.org/bot<YOUR-BOT-TOKEN>/getUpdates
You will get a similar result to this one:
{"ok":true,"result":[{"update_id":421416869,"message":{"message_id":2,"from":{"id":12345678,"is_bot":false,"first_name":"xxxxxx","last_name":"xxxxxx","username":"xxxxxx","language_code":"en"},
The Chat ID is the id inside the chat object of the message; in a private conversation it is the same number as the from.id shown above (12345678), while for a group it is the group's negative id. With the token given by BotFather and the Chat ID we just got, we have all the information the script needs.
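The following is an added example, not part of the original page, that picks the Chat ID out of a getUpdates response. The response is constructed and the numeric ids are placeholders. It reads chat.id rather than from.id and keeps the chat type, so a negative supergroup id is recognised as a group rather than mistaken for a user. Under the Bot API's default privacy mode a bot in a group only receives commands and messages addressed to it, so send /start in the group rather than a plain "hello" if you want the group to show up here.

```python
import json

# Constructed getUpdates response with one private "hello" and one command from a
# group the bot was added to; shaped like the Bot API output, not a real capture.
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 421416869,
         "message": {"message_id": 2,
                     "from": {"id": 12345678, "is_bot": False, "first_name": "xxxxxx"},
                     "chat": {"id": 12345678, "first_name": "xxxxxx", "type": "private"},
                     "date": 1706810400, "text": "hello"}},
        {"update_id": 421416870,
         "message": {"message_id": 3,
                     "from": {"id": 12345678, "is_bot": False, "first_name": "xxxxxx"},
                     "chat": {"id": -1001234567890, "title": "SOC alerts", "type": "supergroup"},
                     "date": 1706810500, "text": "/start"}},
    ],
})


def chat_ids(updates_json):
    """Map chat.id -> chat.type for every chat that has written to the bot.

    Uses chat.id, not from.id: the two only coincide in a private conversation,
    while group and supergroup ids are negative numbers."""
    data = json.loads(updates_json)
    if not data.get("ok"):
        raise ValueError(f"getUpdates failed: {data.get('description')}")
    found = {}
    for update in data.get("result", []):
        msg = update.get("message")
        if msg is None:  # only plain messages are considered here
            continue
        chat = msg["chat"]
        found[chat["id"]] = chat["type"]
    return found


if __name__ == "__main__":
    ids = chat_ids(SAMPLE_UPDATES)
    if not ids:
        print("no updates yet: message the bot first, then call getUpdates again")
    for cid, kind in ids.items():
        print(f"{kind}: {cid}")
```

An empty result list means nobody has written to the bot yet (or the updates were already consumed), which is why the page tells you to send the "hello" first.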
To wire the script into Wazuh, two locations matter:
- Local configuration: /var/ossec/etc/ossec.conf, where the Wazuh manager configuration lives.
- Integration location: /var/ossec/integrations/, where your integration scripts are located.
After you create an integration, you let the local configuration know that the custom integration exists by referencing it in an <integration> block of ossec.conf.
The first thing to do is to install the requests package with pip3; the script uses it to send requests to the Telegram servers:
$ pip3 install requests
The Python script will look like custom-telegram. Copy it and paste it into /var/ossec/integrations/custom-telegram:
$ nano /var/ossec/integrations/custom-telegram
Let's take a look at it step by step.
- First, the shebang #!/usr/bin/env python3 indicates that the script is executed with Python 3.x, and UTF-8 encoding is declared so that non-ASCII characters in the code are handled.
- The necessary modules are imported: sys, json and, if available, requests.
- The CHAT_ID variable is defined; it holds the Telegram chat identifier found above.
- The create_message function is defined; it builds the message text from the alert data.
- The configuration parameters are read from the command line arguments: the path to the file with the alert data and the address (hook URL) the notification is sent to. Wazuh runs the script with three arguments, in this order: the alert file, the api_key (an empty string if none is configured) and the hook_url.
- The alert is read from the file and converted from JSON into a Python object.
- The message is generated with the create_message function.
- A request with the generated message is sent to the specified address using the requests module.
- Debugging information is written to a file.
The integration name must start with custom-, otherwise Wazuh will not recognise it as a custom integration and will not run it.
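A complete script following the steps above, written as an added example for this page; it is not the author's custom-telegram file. The CHAT_ID value, the log path /var/ossec/logs/integrations.log and the sample alert are assumptions or constructed data and must be adjusted. Beyond the listed steps it handles two things a practitioner runs into: Telegram rejects message text longer than 4096 characters, and alerts raised by the manager itself carry agent id 000 with no agent name.

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Wazuh -> Telegram custom integration (added example, not the page's own script).

Wazuh's integrator daemon runs the script as:
    custom-telegram <alert_file> <api_key> <hook_url>
api_key is an empty string when no <api_key> is configured; hook_url is the
<hook_url> from ossec.conf, i.e. https://api.telegram.org/bot<TOKEN>/sendMessage.
"""
import json
import sys
import time
import urllib.request

try:
    import requests  # preferred HTTP client, as on the page
except ImportError:  # fall back to the standard library if requests is missing
    requests = None

CHAT_ID = "12345678"        # ASSUMPTION: replace with the chat.id obtained from getUpdates
LOG_FILE = "/var/ossec/logs/integrations.log"  # ASSUMPTION: where debug lines are appended
TELEGRAM_MAX_TEXT = 4096    # hard limit of the Bot API for the text of one message
MAX_LOG_CHARS = 1000        # keep a long full_log from eating the whole message

# Constructed alert shaped like Wazuh's JSON alerts (not a real capture).
SAMPLE_ALERT = {
    "rule": {"level": 10, "id": "31533", "groups": ["web", "appsec", "attack"],
             "description": "High amount of POST requests in a small period of time (likely bot)."},
    "agent": {"id": "001", "name": "AGENT_NAME"},
    "full_log": '203.0.113.10 - - [01/Feb/2024:19:00:00 +0100] "POST /check.php HTTP/2.0" 200 24',
}


def create_message(alert):
    """Render an alert in the plain-text layout shown at the end of the page."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    name = agent.get("name", "manager")  # manager alerts: id 000, name may be absent
    lines = [
        f"Agent: {name} ({agent.get('id', '000')}) - Level {rule.get('level', '?')}: "
        f"{rule.get('description', '')}",
        alert.get("full_log", "")[:MAX_LOG_CHARS],
        "Groups: " + ", ".join(rule.get("groups", [])),
        f"Rule: {rule.get('id', '?')}",
    ]
    # Telegram answers HTTP 400 for texts longer than 4096 characters.
    return "\n".join(lines)[:TELEGRAM_MAX_TEXT]


def build_payload(text, chat_id=CHAT_ID):
    """sendMessage body. No parse_mode on purpose: raw log lines contain *, _, <, >
    that Telegram would reject as malformed Markdown/HTML, so the text goes as-is."""
    return {"chat_id": chat_id, "text": text}


def send_message(hook_url, payload, timeout=10):
    """POST the payload to the sendMessage URL; returns (status, body)."""
    if requests is not None:
        resp = requests.post(hook_url, json=payload, timeout=timeout)
        return resp.status_code, resp.text
    req = urllib.request.Request(hook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def parse_args(argv):
    """Return (alert_file, api_key, hook_url) from the argv Wazuh hands over."""
    if len(argv) < 4:
        raise SystemExit("usage: custom-telegram <alert_file> <api_key> <hook_url>")
    return argv[1], argv[2], argv[3]


def debug(msg, log_file=LOG_FILE):
    """Append a timestamped line to the integrations log; never raise from here."""
    try:
        with open(log_file, "a", encoding="utf-8") as fh:
            fh.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} custom-telegram: {msg}\n")
    except OSError:
        pass


def main(argv):
    alert_file, _api_key, hook_url = parse_args(argv)
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)  # integratord writes one JSON alert per invocation
    payload = build_payload(create_message(alert))
    try:
        status, body = send_message(hook_url, payload)
        debug(f"rule {alert.get('rule', {}).get('id')} -> HTTP {status}: {body[:200]}")
        return 0 if status == 200 else 1
    except Exception as exc:  # network error, bad token, chat never started, ...
        debug(f"send failed: {exc}")
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To test it by hand, write SAMPLE_ALERT to a file and run the script with that path, an empty second argument and your sendMessage URL, exactly as the manager would; the result of the call lands in the debug log, which is the first place to look when no message arrives.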
After writing the script, copy it to the machine where the Wazuh manager is installed, into the folder /var/ossec/integrations/. Then give the script the corresponding permissions and owner:
$ chmod 750 /var/ossec/integrations/custom-telegram
$ chown root:wazuh /var/ossec/integrations/custom-telegram
After doing this, the last step is to add the integration configuration to the ossec.conf file (with <YOUR-BOT-TOKEN> being the token given by BotFather), and the Telegram integration will be ready:
$ nano /var/ossec/etc/ossec.conf
...
<!--Telegram-->
<integration>
<name>custom-telegram</name>
<level>5</level>
<hook_url>https://api.telegram.org/bot<YOUR-BOT-TOKEN>/sendMessage</hook_url>
<alert_format>json</alert_format>
</integration>
...
After this, restart the Wazuh manager and the integration will be working. Note that <level>5</level> forwards every alert of level 5 or higher, which floods the chat on a busy manager; the block also accepts <rule_id> and <group> elements to narrow down which alerts are sent.
$ systemctl restart wazuh-manager.service
You will receive messages like this:
Agent: AGENT_NAME (001) - Level 10: High amount of POST requests in a small period of time (likely bot).
DESCRIPTION - - [01/Feb/2024:19:00:00 +0100] "POST /check.php?11111.111111 HTTP/2.0" 200 24 "DESCRIPTION" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
Groups: web, appsec, attack
Rule: 31533