DEV Community: Dolan The latest articles on DEV Community by Dolan (@0xdolan). https://dev.to/0xdolan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F765234%2F7d10c25c-7194-485c-9372-10405b936778.jpg DEV Community: Dolan https://dev.to/0xdolan en Why Wazuh Missed React2Shell Dolan Sun, 28 Dec 2025 08:36:59 +0000 https://dev.to/0xdolan/why-wazuh-missed-react2shell-59jm https://dev.to/0xdolan/why-wazuh-missed-react2shell-59jm <h2> Introduction </h2> <p>The security community was recently shaken by React2Shell, a critical unauthenticated Remote Code Execution (RCE) vulnerability. It was initially tracked under two CVEs:</p> <ul> <li><p><code>CVE-2025-55182</code> – React</p></li> <li><p><code>CVE-2025-66478</code> – Next.js</p></li> </ul> <p>With a CVSS score of 10.0, this vulnerability impacts Next.js 15/16 (App Router) and any framework relying on React 19’s RSC implementation.</p> <p>Wazuh published a great blog explaining how to detect this vulnerability:</p> <p>πŸ‘‰ <a href="https://wazuh.com/blog/detecting-next-js-cve-2025-66478-rce-vulnerability-with-wazuh/" rel="noopener noreferrer">https://wazuh.com/blog/detecting-next-js-cve-2025-66478-rce-vulnerability-with-wazuh/</a></p> <p>However, after doing deeper research, I found a critical limitation that applies not only to this CVE, but to most modern application stacks.</p> <p>The Detection Gap: Why SIEMs Are Blind to Local Projects<br> Standard vulnerability detectors (including Wazuh’s default modules) excel at finding packages installed via system managers like <code>apt</code> or <code>npm install -g</code>. But modern development happens elsewhere:</p> <p><strong>Node.js:</strong> Most projects install dependencies locally in the project folder.<br> <strong>Python:</strong> Virtual environments (<code>venv</code>, <code>uv</code>) isolate packages from the system.<br> <strong>Docker:</strong> Packages are buried inside container layers <code>(/var/lib/docker/...)</code>.</p> <p>If your SIEM isn't looking at these local paths, you are flying blind.</p> <p>So if a vulnerable version of Next.js or React exists inside a project directory, Wazuh will miss it.</p> <p>I explained this problem earlier here:</p> <p>πŸ‘‰ <a href="https://dev.to/0xdolan/why-you-shouldnt-rely-solely-on-detectors-373g">https://dev.to/0xdolan/why-you-shouldnt-rely-solely-on-detectors-373g</a></p> <p>Wazuh provides several features that help, but none fully solve this problem.</p> <h3> <strong>IT Hygiene / Vulnerability Detection</strong> </h3> <p>πŸ‘‰ <a href="https://documentation.wazuh.com/current/getting-started/use-cases/it-hygiene.html#it-hygiene" rel="noopener noreferrer">https://documentation.wazuh.com/current/getting-started/use-cases/it-hygiene.html#it-hygiene</a></p> <p>πŸ‘‰ <a href="https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html" rel="noopener noreferrer">https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/index.html</a></p> <ul> <li>Detects globally installed packages only</li> </ul> <p>Misses:</p> <ul> <li>Local Node.js projects</li> <li>Python venvs</li> <li>Docker containers</li> </ul> <h3> <strong>File Integrity Monitoring (FIM)</strong> </h3> <p>πŸ‘‰ <a href="https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html" rel="noopener noreferrer">https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html</a></p> <ul> <li>Detects file changes</li> </ul> <p>Does NOT extract:</p> <ul> <li>Package names</li> <li>Versions</li> <li>Vulnerability status</li> </ul> <h3> <strong>Command Monitoring</strong> </h3> <p>πŸ‘‰ <a href="https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/how-it-works.html" rel="noopener noreferrer">https://documentation.wazuh.com/current/user-manual/capabilities/command-monitoring/how-it-works.html</a></p> <ul> <li>Can run scripts from the Wazuh manager</li> <li>High risk</li> <li>If manager is compromised β†’ full agent compromise</li> <li>Not recommended for frequent scans</li> </ul> <p>So I needed a safer and more accurate approach.</p> <h2> The Solution: A Custom Inventory Workflow </h2> <p>We can’t rely on static scanners. Instead, we need a proactive script that:</p> <ol> <li>Crawls the filesystem for <code>package.json</code> files.</li> <li>Extracts version data for specific high-risk libraries (<code>React/Next.js</code>).</li> <li>Logs these to a <code>JSON</code> file.</li> <li>Feeds that file into <code>Wazuh</code> for real-time alerting.</li> </ol> <h2> Step 1: The Inventory Script </h2> <p>We use a Python script designed to be lightweight. Crucially, it <strong>does not</strong> exclude <code>/var/lib/docker</code>, allowing us to find vulnerable libraries inside container images.</p> <blockquote> <p>Save as <code>/usr/local/bin/scan_react2shell.py</code><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env python3</span> import json import os import sys import <span class="nb">time</span> <span class="c"># --- CONFIGURATION ---</span> LOG_FILE <span class="o">=</span> <span class="s2">"/var/log/react2shell_scan.json"</span> SEARCH_PATHS <span class="o">=</span> <span class="o">[</span><span class="s2">"/"</span><span class="o">]</span> <span class="c"># Excludes (Docker paths are NOT excluded so we can scan them)</span> EXCLUDE_DIRS <span class="o">=</span> <span class="o">{</span><span class="s2">"/proc"</span>, <span class="s2">"/sys"</span>, <span class="s2">"/dev"</span>, <span class="s2">"/run"</span>, <span class="s2">"/tmp"</span>, <span class="s2">"/snap"</span>, <span class="s2">"/boot"</span><span class="o">}</span> def scan_system<span class="o">()</span>: print<span class="o">(</span>f<span class="s2">"[*] Starting Inventory Scan on: {SEARCH_PATHS}"</span><span class="o">)</span> <span class="c"># Initialize Log File</span> <span class="k">if </span>not os.path.exists<span class="o">(</span>LOG_FILE<span class="o">)</span>: try: with open<span class="o">(</span>LOG_FILE, <span class="s2">"w"</span><span class="o">)</span> as f: pass print<span class="o">(</span>f<span class="s2">"[*] Created new log file at {LOG_FILE}"</span><span class="o">)</span> except IOError as e: print<span class="o">(</span>f<span class="s2">"[!] Error creating log file: {e}"</span><span class="o">)</span> <span class="k">return </span>count_inspected <span class="o">=</span> 0 <span class="k">for </span>root_dir <span class="k">in </span>SEARCH_PATHS: <span class="k">for </span>dirpath, dirnames, filenames <span class="k">in </span>os.walk<span class="o">(</span>root_dir, <span class="nv">followlinks</span><span class="o">=</span>True<span class="o">)</span>: <span class="c"># Skip excluded directories</span> <span class="k">if </span>any<span class="o">(</span>exclude <span class="k">in </span>dirpath <span class="k">for </span>exclude <span class="k">in </span>EXCLUDE_DIRS<span class="o">)</span>: dirnames[:] <span class="o">=</span> <span class="o">[]</span> <span class="k">continue if</span> <span class="s2">"package.json"</span> <span class="k">in </span>filenames: parent_dir <span class="o">=</span> os.path.basename<span class="o">(</span>dirpath<span class="o">)</span> grandparent_dir <span class="o">=</span> os.path.basename<span class="o">(</span>os.path.dirname<span class="o">(</span>dirpath<span class="o">))</span> pkg_name <span class="o">=</span> None <span class="k">if </span>grandparent_dir <span class="o">==</span> <span class="s2">"node_modules"</span>: <span class="k">if </span>parent_dir <span class="o">==</span> <span class="s2">"react"</span>: pkg_name <span class="o">=</span> <span class="s2">"react"</span> <span class="k">elif </span>parent_dir <span class="o">==</span> <span class="s2">"next"</span>: pkg_name <span class="o">=</span> <span class="s2">"next"</span> <span class="k">if </span>pkg_name: full_path <span class="o">=</span> os.path.join<span class="o">(</span>dirpath, <span class="s2">"package.json"</span><span class="o">)</span> try: with open<span class="o">(</span> full_path, <span class="s2">"r"</span>, <span class="nv">encoding</span><span class="o">=</span><span class="s2">"utf-8"</span>, <span class="nv">errors</span><span class="o">=</span><span class="s2">"ignore"</span> <span class="o">)</span> as f: data <span class="o">=</span> json.load<span class="o">(</span>f<span class="o">)</span> ver <span class="o">=</span> data.get<span class="o">(</span><span class="s2">"version"</span>, <span class="s2">"0.0.0"</span><span class="o">)</span> print<span class="o">(</span>f<span class="s2">"[+] Found {pkg_name} v{ver} at {full_path}"</span><span class="o">)</span> count_inspected +<span class="o">=</span> 1 <span class="c"># --- DOCKER TAGGING LOGIC ---</span> display_path <span class="o">=</span> full_path <span class="k">if</span> <span class="o">(</span> <span class="s2">"/var/lib/docker"</span> <span class="k">in </span>full_path or <span class="s2">"/var/lib/containerd"</span> <span class="k">in </span>full_path <span class="o">)</span>: display_path <span class="o">=</span> f<span class="s2">"[DOCKER] {full_path}"</span> log_entry <span class="o">=</span> <span class="o">{</span> <span class="s2">"timestamp"</span>: time.strftime<span class="o">(</span><span class="s2">"%Y-%m-%dT%H:%M:%S"</span><span class="o">)</span>, <span class="s2">"scan_type"</span>: <span class="s2">"react_inventory"</span>, <span class="s2">"package"</span>: pkg_name, <span class="s2">"version"</span>: ver, <span class="s2">"path"</span>: display_path, <span class="o">}</span> with open<span class="o">(</span>LOG_FILE, <span class="s2">"a"</span><span class="o">)</span> as lf: lf.write<span class="o">(</span>json.dumps<span class="o">(</span>log_entry<span class="o">)</span> + <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="o">)</span> except Exception as e: pass print<span class="o">(</span>f<span class="s2">"[*] Scan complete. Total Packages Logged: {count_inspected}"</span><span class="o">)</span> <span class="k">if </span>__name__ <span class="o">==</span> <span class="s2">"__main__"</span>: scan_system<span class="o">()</span> </code></pre> </div> <p><em>Note: This script scans for <code>package.json</code> and specifically flags packages like <code>react</code> and <code>next</code> while identifying if they are inside a Docker path.</em></p> <p>Sample Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span><span class="s2">"timestamp"</span>:<span class="s2">"2025-12-11T13:15:07"</span>,<span class="s2">"scan_type"</span>:<span class="s2">"react_inventory"</span>,<span class="s2">"package"</span>:<span class="s2">"react"</span>,<span class="s2">"version"</span>:<span class="s2">"19.2.1"</span>,<span class="s2">"path"</span>:<span class="s2">"[DOCKER]/var/lib/docker/.../node_modules/react/package.json"</span><span class="o">}</span> <span class="o">{</span><span class="s2">"timestamp"</span>:<span class="s2">"2025-12-11T13:15:08"</span>,<span class="s2">"scan_type"</span>:<span class="s2">"react_inventory"</span>,<span class="s2">"package"</span>:<span class="s2">"next"</span>,<span class="s2">"version"</span>:<span class="s2">"15.4.5"</span>,<span class="s2">"path"</span>:<span class="s2">"/home/user/app/node_modules/next/package.json"</span><span class="o">}</span> </code></pre> </div> <h2> Step 2: Wazuh Integration </h2> <p>Once the script generates <code>/var/log/react2shell_scan.json</code>, we need Wazuh to read it.</p> <h2> 1. Configure the Agent: </h2> <p>Add this to the Wazuh agent or via centralized configuration (<code>ossec.conf</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;localfile&gt;</span> <span class="nt">&lt;log_format&gt;</span>json<span class="nt">&lt;/log_format&gt;</span> <span class="nt">&lt;location&gt;</span>/var/log/react2shell_scan.json<span class="nt">&lt;/location&gt;</span> <span class="nt">&lt;/localfile&gt;</span> </code></pre> </div> <h3> Pushing the Configuration Centrally </h3> <p>To avoid manually editing the <code>ossec.conf</code> file on every server, we utilize Wazuh’s Centralized Configuration feature. By modifying the <code>agent.conf</code> file on the Manager, we can instruct all agents to start "watching" our custom inventory log.</p> <p>On the Wazuh Manager:</p> <p>Edit the shared configuration file for the default group:<br> <code>vim /var/ossec/etc/shared/default/agent.conf</code></p> <p>Add the following block inside the tags:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;agent_config&gt;</span> <span class="c">&lt;!-- This tells every agent to monitor the output of our inventory script. Wazuh will collect these JSON logs and send them to the manager for analysis. --&gt;</span> <span class="nt">&lt;localfile&gt;</span> <span class="nt">&lt;log_format&gt;</span>json<span class="nt">&lt;/log_format&gt;</span> <span class="nt">&lt;location&gt;</span>/var/log/react2shell_scan.json<span class="nt">&lt;/location&gt;</span> <span class="nt">&lt;/localfile&gt;</span> <span class="nt">&lt;/agent_config&gt;</span> </code></pre> </div> <p><strong>How it works:</strong></p> <ol> <li> <strong>Synchronization:</strong> Once you save this file on the Manager, it automatically calculates a new <code>MD5 checksum</code>.</li> <li> <strong>Propagation:</strong> The next time your agents check in (heartbeat), they will detect the configuration change, download the updated <code>agent.conf</code> file, and restart their log collector engine.</li> <li> <strong>Visibility:</strong> From this point forward, any time your Python script (run via cron) updates <code>/var/log/react2shell_scan.json</code>, the data is instantly streamed to the Wazuh Manager to be checked against your custom <code>React2Shell</code> rules.</li> </ol> <h2> 2. Create the Detection Rules: </h2> <p>In your Wazuh Manager (<code>/var/ossec/etc/rules/local_rules.xml</code>), add rules to flag specific vulnerable versions based on the Vercel and React security bulletins.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;group</span> <span class="na">name=</span><span class="s">"react_inventory,cve_2025_55182,cve_2025_66478,vulnerability,"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- INVENTORY: Log EVERY React/Next package found--&gt;</span> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">"100500"</span> <span class="na">level=</span><span class="s">"3"</span><span class="nt">&gt;</span> <span class="nt">&lt;decoded_as&gt;</span>json<span class="nt">&lt;/decoded_as&gt;</span> <span class="nt">&lt;field</span> <span class="na">name=</span><span class="s">"scan_type"</span><span class="nt">&gt;</span>react_inventory<span class="nt">&lt;/field&gt;</span> <span class="nt">&lt;description&gt;</span>Inventory: Found $(package) version $(version) at $(path).<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;/rule&gt;</span> <span class="c">&lt;!-- Detect Vulnerable React.js --&gt;</span> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">"100501"</span> <span class="na">level=</span><span class="s">"15"</span><span class="nt">&gt;</span> <span class="nt">&lt;if_sid&gt;</span>100500<span class="nt">&lt;/if_sid&gt;</span> <span class="nt">&lt;field</span> <span class="na">name=</span><span class="s">"package"</span><span class="nt">&gt;</span>react<span class="nt">&lt;/field&gt;</span> <span class="nt">&lt;field</span> <span class="na">name=</span><span class="s">"version"</span> <span class="na">type=</span><span class="s">"pcre2"</span><span class="nt">&gt;</span> ^19\.0\.0$|^19\.1\.[0-1]$|^19\.2\.0$ <span class="nt">&lt;/field&gt;</span> <span class="nt">&lt;info</span> <span class="na">type=</span><span class="s">"cve"</span><span class="nt">&gt;</span>CVE-2025-55182<span class="nt">&lt;/info&gt;</span> <span class="nt">&lt;info</span> <span class="na">type=</span><span class="s">"link"</span><span class="nt">&gt;</span>https://nvd.nist.gov/vuln/detail/CVE-2025-55182<span class="nt">&lt;/info&gt;</span> <span class="nt">&lt;description&gt;</span>Vulnerable React2Shell detected: React $(version) at $(path)<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;mitre&gt;&lt;id&gt;</span>T1190<span class="nt">&lt;/id&gt;&lt;/mitre&gt;</span> <span class="nt">&lt;/rule&gt;</span> <span class="c">&lt;!-- Detect Vulnerable Next.js --&gt;</span> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">"100502"</span> <span class="na">level=</span><span class="s">"15"</span><span class="nt">&gt;</span> <span class="nt">&lt;if_sid&gt;</span>100500<span class="nt">&lt;/if_sid&gt;</span> <span class="nt">&lt;field</span> <span class="na">name=</span><span class="s">"package"</span><span class="nt">&gt;</span>next<span class="nt">&lt;/field&gt;</span> <span class="nt">&lt;field</span> <span class="na">name=</span><span class="s">"version"</span> <span class="na">type=</span><span class="s">"pcre2"</span><span class="nt">&gt;</span>^15\.(0\.[0-4]|1\.[0-8]|2\.[0-5]|3\.[0-5]|4\.[0-7]|5\.[0-6])$|^16\.0\.[0-6]$<span class="nt">&lt;/field&gt;</span> <span class="nt">&lt;info</span> <span class="na">type=</span><span class="s">"cve"</span><span class="nt">&gt;</span>CVE-2025-66478<span class="nt">&lt;/info&gt;</span> <span class="nt">&lt;info</span> <span class="na">type=</span><span class="s">"link"</span><span class="nt">&gt;</span>https://nvd.nist.gov/vuln/detail/CVE-2025-66478<span class="nt">&lt;/info&gt;</span> <span class="nt">&lt;description&gt;</span>Vulnerable React2Shell detected: Next.js $(version) at $(path)<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;mitre&gt;&lt;id&gt;</span>T1190<span class="nt">&lt;/id&gt;&lt;/mitre&gt;</span> <span class="nt">&lt;/rule&gt;</span> <span class="nt">&lt;/group&gt;</span> </code></pre> </div> <h2> Step 3: Deployment via Ansible </h2> <p>How do you get this onto 100 servers? <strong>Don't use Wazuh's "Command Monitoring" for script execution.</strong> Giving a SIEM manager the right to run arbitrary scripts on all agents is a major security risk if the manager is compromised.</p> <p>Instead, use Ansible. Create a playbook to:</p> <ol> <li>Copy the Python script.</li> <li>Set up a Cron job (e.g., daily at 2 AM).</li> <li>Ensure the log file permissions are correct.</li> </ol> <h3> Notifications / Messenger Integration </h3> <p>To receive real-time alerts in your favorite messenger app, you can use these community integrations:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fltt8sxvlpsqo2ps93u29.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fltt8sxvlpsqo2ps93u29.jpg" alt="Wazuh-Telegram-Slack-Teams" width="800" height="800"></a></p> <ul> <li><p>Slack: <a href="https://github.com/0xdolan/wazuh-slack-integration" rel="noopener noreferrer">https://github.com/0xdolan/wazuh-slack-integration</a></p></li> <li><p>Telegram: <a href="https://github.com/0xdolan/wazuh-telegram-integration" rel="noopener noreferrer">https://github.com/0xdolan/wazuh-telegram-integration</a></p></li> <li><p>Microsoft Teams: <a href="https://github.com/0xdolan/wazuh-teams-integration" rel="noopener noreferrer">https://github.com/0xdolan/wazuh-teams-integration</a></p></li> </ul> <h2> Conclusion </h2> <p>By shifting from "System Inventory" to "Application Inventory," we caught a CVSS 10.0 vulnerability that otherwise would have stayed hidden in a local <code>node_modules</code> folder.</p> cybersecurity node nextjs react Why You Shouldn’t Rely Solely on Detectors Dolan Mon, 08 Dec 2025 20:16:28 +0000 https://dev.to/0xdolan/why-you-shouldnt-rely-solely-on-detectors-373g https://dev.to/0xdolan/why-you-shouldnt-rely-solely-on-detectors-373g <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F584i0wos3ze5slqmzzll.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F584i0wos3ze5slqmzzll.png" alt=" " width="800" height="296"></a></p> <p>Recently, vulnerabilities like <strong>CVE-2025-55182</strong> and <strong>CVE-2025-66478</strong> have raised alarms for Next.js and React developers. If you're using Wazuh for vulnerability detection, there’s an important limitation you need to understand: project-local installs of npm packages might <strong>not</strong> be detected by default.</p> <h3> Why Wazuh Might Miss Vulnerable Packages </h3> <p>Wazuh’s vulnerability detection relies heavily on the <strong>Syscollector</strong> module, which scans installed software. Here’s the catch:</p> <ul> <li> <strong>Global npm packages</strong> (<code>npm install -g</code>) are detected automatically. Standard paths include: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/lib/node_modules /usr/local/lib/node_modules </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">C:\Program</span><span class="w"> </span><span class="nx">Files\nodejs\node_modules</span><span class="w"> </span><span class="n">C:\Users\USER\AppData\Roaming\npm\node_modules</span><span class="w"> </span></code></pre> </div> <ul> <li> <strong>Local project installs</strong> (normal <code>node_modules</code> inside your project) <strong>are NOT scanned by default</strong>: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/www/project/node_modules /home/user/app/node_modules /app/node_modules </code></pre> </div> <p><a href="https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/compatibility-matrix.html" rel="noopener noreferrer">According to Wazuh documentation</a>, support for scanning NPM and PyPI packages is limited to default installation paths. The developers have confirmed that scanning arbitrary project folders is <strong>not planned</strong>.</p> <p>This means that if your Next.js or React project has a vulnerable package installed locally, Wazuh may miss it entirely unless you take extra steps.</p> <h3> What You Can Do </h3> <p>Even if Syscollector won’t detect project-local packages, you can leverage <strong>File Integrity Monitoring (FIM)</strong> and <strong>custom log collection</strong> to track changes and spot potential risks:</p> <h4> 1. Monitor Your Project Folder with FIM </h4> <p>Add a custom path in <code>/var/ossec/etc/ossec.conf</code> to monitor your project directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;syscheck&gt;</span> <span class="nt">&lt;directories</span> <span class="na">realtime=</span><span class="s">"yes"</span><span class="nt">&gt;</span>/var/www/myapp<span class="nt">&lt;/directories&gt;</span> <span class="nt">&lt;/syscheck&gt;</span> </code></pre> </div> <p>This allows Wazuh to track:</p> <ul> <li>File creations, deletions, and modifications</li> <li>Changes in <code>node_modules/</code> or config files</li> <li>Suspicious additions or tampering</li> </ul> <p><a href="https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/basic-settings.html" rel="noopener noreferrer">More details in the Wazuh FIM guide</a></p> <h4> 2. Collect Logs from Build or Deployment </h4> <p>You can log your <code>npm install</code> and <code>npm audit</code> outputs and let Wazuh collect them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;localfile&gt;</span> <span class="nt">&lt;location&gt;</span>/var/www/myapp/install_deps.log<span class="nt">&lt;/location&gt;</span> <span class="nt">&lt;log_format&gt;</span>syslog<span class="nt">&lt;/log_format&gt;</span> <span class="nt">&lt;/localfile&gt;</span> <span class="nt">&lt;localfile&gt;</span> <span class="nt">&lt;location&gt;</span>/var/www/myapp/build.log<span class="nt">&lt;/location&gt;</span> <span class="nt">&lt;log_format&gt;</span>syslog<span class="nt">&lt;/log_format&gt;</span> <span class="nt">&lt;/localfile&gt;</span> </code></pre> </div> <ul> <li>Run <code>npm install &gt; install_deps.log</code> in your build pipeline</li> <li>Optionally, run <code>npm audit --json &gt; audit.log</code> and collect it</li> </ul> <p>Then, create <strong>custom decoders and rules</strong> in Wazuh to alert you when known vulnerable packages are installed or modified.</p> <h3> Key Takeaways </h3> <ul> <li> <strong>Don’t rely solely on vulnerability detectors</strong> like Wazuh Syscollector for project-local npm installs.</li> <li>Use <strong>FIM and log collection</strong> to monitor your codebase and dependencies.</li> <li>Regularly run <strong><code>npm audit</code> or third-party scanners</strong> like Snyk, etc. as part of your CI/CD pipeline.</li> <li>Always combine <strong>automated detection</strong> with <strong>good monitoring practices</strong> for robust security coverage.</li> </ul> <p><a href="https://wazuh.com/blog/detecting-next-js-cve-2025-66478-rce-vulnerability-with-wazuh/" rel="noopener noreferrer">For more details on Wazuh CVE detection for Next.js, check out</a></p> <p>By combining these approaches, you ensure that even project-local dependencies don’t slip under the radar, keeping your Next.js and React apps safer.</p> <p><em>Posted with ❀️ by 0xdolan | <a href="https://github.com/0xdolan" rel="noopener noreferrer">GitHub</a></em></p> cybersecurity nextjs react wazuh Watch Out for These Slash-Like Unicode Characters in Phishing Links Dolan Wed, 20 Aug 2025 16:25:11 +0000 https://dev.to/0xdolan/watch-out-for-these-slash-like-unicode-characters-in-phishing-links-3po1 https://dev.to/0xdolan/watch-out-for-these-slash-like-unicode-characters-in-phishing-links-3po1 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyz72x34pwsiwdaef77n8.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyz72x34pwsiwdaef77n8.jpg" alt=" " width="800" height="1422"></a></p> <p>Phishing attacks are getting sneakier, and sometimes all it takes is a <strong>single Unicode character</strong> to fool even a trained eye. One of the newest phishing techniques involves <strong>swapping the regular <code>/</code> (slash)</strong> with a similar-looking Unicode character.</p> <p>Visually? Everything looks normal.<br><br> Under the hood? The link is <strong>not what you think</strong>.</p> <p>Let’s take a look πŸ‘‡</p> <h2> πŸ” Phishing with Unicode: Slash Lookalikes </h2> <p>Attackers exploit Unicode to <strong>mimic legitimate URLs</strong> by swapping out the slash <code>/</code> with <strong>homoglyphs</strong> β€” characters that <em>look</em> the same but are actually different.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Character</th> <th>Unicode</th> <th>Description</th> <th>Hover Link</th> </tr> </thead> <tbody> <tr> <td>/</td> <td>U+002F</td> <td>Solidus (Normal Slash)</td> <td><a href="https://booking.com/" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>βˆ–</td> <td>U+2216</td> <td>Set Minus (Backslash-like)</td> <td><a href="https://booking.com%E2%88%96" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>⁄</td> <td>U+2044</td> <td>Fraction Slash</td> <td><a href="https://booking.com%E2%81%84" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>βˆ•</td> <td>U+2215</td> <td>Division Slash</td> <td><a href="https://booking.com%E2%88%95" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>β§Έ</td> <td>U+29F8</td> <td>Big Solidus</td> <td><a href="https://booking.com%E2%A7%B8" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>/</td> <td>U+FF0F</td> <td>Fullwidth Solidus</td> <td><a href="https://booking.com%EF%BC%8F" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>︐</td> <td>U+FE10</td> <td>Presentation Form for Vertical Comma</td> <td><a href="https://booking.com%EF%B8%90" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>γ€³</td> <td>U+3033</td> <td>Vertical Kana Repeat Mark Upper</td> <td><a href="https://booking.com%E3%80%B3" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>㇓</td> <td>U+31D3</td> <td>CJK Stroke-like Character</td> <td><a href="https://booking.com%E3%87%93" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>γ‚“</td> <td>U+3093</td> <td>Hiragana Letter N (used in phishing)</td> <td><a href="https://booking.com%E3%82%93" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>Χƒ</td> <td>U+05C3</td> <td>Hebrew Punctuation Sof Pasuq</td> <td><a href="https://booking.com%D7%83" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>܁</td> <td>U+0701</td> <td>Syriac Supralinear Full Stop</td> <td><a href="https://booking.com%DC%81" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>ᜡ</td> <td>U+1735</td> <td>Philippine Single Punctuation</td> <td><a href="https://booking.com%E1%9C%B5" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>ፑ</td> <td>U+1361</td> <td>Ethiopic Wordspace</td> <td><a href="https://booking.com%E1%8D%A1" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>β€’</td> <td>U+2022</td> <td>Bullet</td> <td><a href="https://booking.com%E2%80%A2" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>οΌΌ</td> <td>U+FF3C</td> <td>Fullwidth Reverse Solidus (Backslash)</td> <td><a href="https://booking.com%EF%BC%BC" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>α †</td> <td>U+1806</td> <td>Mongolian Todo Soft Hyphen</td> <td><a href="https://booking.com%E1%A0%86" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>⁂</td> <td>U+2042</td> <td>Asterism</td> <td><a href="https://booking.com%E2%81%82" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>βΈ»</td> <td>U+2E3B</td> <td>Two-Em Dash</td> <td><a href="https://booking.com%E2%B8%BB" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>⹝</td> <td>U+2E5D</td> <td>Oblique Hyphen</td> <td><a href="https://booking.com%E2%B9%9D" rel="noopener noreferrer">https://booking.com</a></td> </tr> <tr> <td>…</td> <td>U+2026</td> <td>Ellipsis</td> <td><a href="https://booking.com%E2%80%A6" rel="noopener noreferrer">https://booking.com</a></td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1xunqln94ad3bt5ctynb.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1xunqln94ad3bt5ctynb.jpg" alt=" " width="800" height="937"></a></p> <h2> πŸ›‘οΈ Why This Matters </h2> <p>Phishing pages crafted this way can:</p> <ul> <li>Bypass visual inspection</li> <li>Evade some automated filters</li> <li>Trick users into trusting a malicious link</li> </ul> <p>Hovering over links or inspecting the full URL is no longer enough unless you're looking for <strong>non-standard characters</strong>.</p> <h2> More on This </h2> <p>This phishing method has been <strong>spotted in the wild</strong>, including in a campaign targeting <strong>Booking.com customers</strong>:</p> <p>πŸ“° Read the full breakdown here:<br><br> πŸ‘‰ <a href="https://www.bleepingcomputer.com/news/security/bookingcom-phishing-campaign-uses-sneaky-character-to-trick-you/" rel="noopener noreferrer">Booking.com phishing campaign uses sneaky character to trick you</a></p> <p>🎬 Watch the analysis by John Hammond:<br><br> πŸ‘‰ <a href="https://www.youtube.com/watch?v=nxVr4ERhrPQ" rel="noopener noreferrer">YouTube: John Hammond Explains the Unicode Phishing Trick</a></p> <p>Stay sharp and stay safe. Just because a link <em>looks</em> right, doesn’t mean it <em>is</em>.</p> <p>πŸ’¬ Have you seen similar techniques in the wild? Share below!</p> security phishing unicode awareness Wazuh 4.12 Slack Alert Integration Dolan Wed, 06 Aug 2025 05:43:04 +0000 https://dev.to/0xdolan/wazuh-412-slack-alert-integration-3fm9 https://dev.to/0xdolan/wazuh-412-slack-alert-integration-3fm9 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx2ap4qgxitfaou2hdamu.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx2ap4qgxitfaou2hdamu.jpg" alt="Wazuh Slack Integration" width="800" height="800"></a></p> <p>Wazuh is a powerful open-source security platform for threat detection and response. This guide walks you through creating a custom integration script to send Wazuh alerts directly to Slack channels.</p> <blockquote> <p>Note: Wazuh ships with a default <code>slack.py</code> script located at <code>/var/ossec/integrations</code>, but it’s generic and may not meet specific formatting or channel-routing needs. In this guide, we’ll build a tailored solution from scratch.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiaqgutzjlaw3vmucd8kk.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiaqgutzjlaw3vmucd8kk.jpg" alt="Wazuh Slack Alert Sample" width="800" height="1422"></a></p> <h2> πŸ› οΈ Prerequisites </h2> <ul> <li>A Slack workspace with three channels and their webhooks: <ul> <li><code>critical</code></li> <li><code>high</code></li> <li><code>medium</code></li> </ul> </li> <li>Wazuh 4.12 installed</li> <li>Basic knowledge of Linux shell and Python</li> </ul> <h2> πŸ”§ Create a Slack Workspace and Channels </h2> <ul> <li><a href="https://slack.com/help/articles/206845317-Create-a-Slack-workspace" rel="noopener noreferrer">Create a Slack Workspace</a></li> <li><a href="https://slack.com/help/articles/201402297-Create-a-channel" rel="noopener noreferrer">Create a Slack Channel</a></li> <li><a href="https://api.slack.com/messaging/webhooks" rel="noopener noreferrer">Enable Incoming Webhooks</a></li> </ul> <p>Your Slack webhook URL will look like this:</p> <p><code>https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX</code></p> <p>Make sure your webhook URLs are structured like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2nisrjtc452fe1oe8y9s.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2nisrjtc452fe1oe8y9s.jpg" alt="Webhooks" width="672" height="327"></a></p> <h2> πŸ“¦ Step 1: Set up Python Virtual Environment in Wazuh </h2> <p>Create a Python virtual environment inside the Wazuh directory (<code>/var/ossec</code>) to avoid permission issues and package conflicts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /var/ossec/venv python3 <span class="nt">-m</span> venv /var/ossec/venv <span class="nb">source</span> /var/ossec/venv/bin/activate pip <span class="nb">install </span>requests <span class="c"># or any needed packages</span> </code></pre> </div> <h2> πŸ“ Step 2: Create Slack Integration Script </h2> <p>Name the script with prefix <code>custom-</code>.<br><br> <strong>Location:</strong> <code>/var/ossec/integrations/custom-slack.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/var/ossec/venv/bin/python </span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">requests</span> <span class="c1"># Slack webhook URLs (Critical, High, Medium) </span><span class="n">WEBHOOK_CRITICAL</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># replace with your Critical channel webhook </span><span class="n">WEBHOOK_HIGH</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># replace with your High channel webhook </span><span class="n">WEBHOOK_MEDIUM</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># replace with your Medium channel webhook </span> <span class="c1"># Excluded Wazuh Rule IDs </span><span class="n">excluded_rules</span><span class="p">:</span> <span class="nb">list</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># Example: ["1002", "5715", "18107"] </span> <span class="k">def</span> <span class="nf">escape_markdown</span><span class="p">(</span><span class="n">text</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Escapes characters used by Slack markdown to avoid unintended formatting. Only *, _, `, and ~ are special in Slack and need escaping. </span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span> <span class="n">text</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="c1"># Escape only Slack formatting characters: *, _, `, and ~ </span> <span class="k">return</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">([*`_~])</span><span class="sh">"</span><span class="p">,</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\\\1</span><span class="sh">"</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="k">def</span> <span class="nf">choose_webhook</span><span class="p">(</span><span class="n">level</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">lvl</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">level</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span><span class="p">:</span> <span class="k">return</span> <span class="n">WEBHOOK_MEDIUM</span> <span class="k">if</span> <span class="n">lvl</span> <span class="o">&gt;=</span> <span class="mi">11</span><span class="p">:</span> <span class="k">return</span> <span class="n">WEBHOOK_CRITICAL</span> <span class="k">elif</span> <span class="n">lvl</span> <span class="o">&gt;=</span> <span class="mi">7</span><span class="p">:</span> <span class="k">return</span> <span class="n">WEBHOOK_HIGH</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">WEBHOOK_MEDIUM</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ERROR] No alert file path provided.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">alert_file</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">alert_file</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">alert</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Failed to read or parse JSON: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">rule_id</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">rule_id</span> <span class="ow">in</span> <span class="n">excluded_rules</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[INFO] Skipping excluded rule ID: </span><span class="si">{</span><span class="n">rule_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="n">srcuser</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcuser</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">dstuser</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span> <span class="n">srcip</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">srcport</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcport</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">agent_name</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">agent</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">alert_level</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">description</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">No description</span><span class="sh">"</span><span class="p">)</span> <span class="n">full_log</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">full_log</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">No full log available</span><span class="sh">"</span><span class="p">)</span> <span class="n">timestamp_raw</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">dt</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">timestamp_raw</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">+00:00</span><span class="sh">"</span><span class="p">))</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">dt</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%d %H:%M:%S</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ValueError</span><span class="p">:</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">timestamp_raw</span> <span class="c1"># Build Slack message with block formatting </span> <span class="n">text</span> <span class="o">=</span> <span class="p">(</span> <span class="sh">"</span><span class="s">*:rotating_light: Wazuh Alert Notification*</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Time:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Username:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">srcuser</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Source IP:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">srcip</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Source Port:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">srcport</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Agent:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">agent_name</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Rule ID:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">rule_id</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Level:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">alert_level</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Description:*</span><span class="se">\n</span><span class="s"> </span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">description</span><span class="p">)</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Full Log:*</span><span class="se">\n</span><span class="s"> </span><span class="si">{</span><span class="n">full_log</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">vuln</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">vulnerability</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="n">cve_id</span> <span class="o">=</span> <span class="n">vuln</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cve</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">cve_title</span> <span class="o">=</span> <span class="n">vuln</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="k">if</span> <span class="n">cve_id</span><span class="p">:</span> <span class="n">cve_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://cti.wazuh.com/vulnerabilities/cves/</span><span class="si">{</span><span class="n">cve_id</span><span class="si">}</span><span class="sh">"</span> <span class="n">text</span> <span class="o">+=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\n\n</span><span class="s">*πŸ›‘οΈ CVE:* `</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">cve_id</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Title:* </span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">cve_title</span><span class="p">)</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;</span><span class="si">{</span><span class="nf">escape_markdown</span><span class="p">(</span><span class="n">cve_url</span><span class="p">)</span><span class="si">}</span><span class="s">|Details in CTI&gt;</span><span class="sh">"</span> <span class="p">)</span> <span class="n">text</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n\n</span><span class="s">────────────────────────</span><span class="se">\n</span><span class="sh">"</span> <span class="n">webhook_url</span> <span class="o">=</span> <span class="nf">choose_webhook</span><span class="p">(</span><span class="n">alert_level</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">text</span><span class="p">}</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="k">if</span> <span class="n">resp</span><span class="p">.</span><span class="n">status_code</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Slack response: </span><span class="si">{</span><span class="n">resp</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s"> – </span><span class="si">{</span><span class="n">resp</span><span class="p">.</span><span class="n">text</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h2> πŸ”§ Step 3: Create Shell Wrapper Script </h2> <p>Wazuh calls shell scripts, so create a simple wrapper to call the Python script. It should have the same name of the python file without the <code>.py</code> extension.<br> <strong>Location:</strong> <code>/var/ossec/integrations/custom-slack</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="c"># Set the virtual environment Python binary</span> <span class="nv">CUSTOM_PYTHON</span><span class="o">=</span><span class="s2">"/var/ossec/venv/bin/python3"</span> <span class="nv">SCRIPT_PATH_NAME</span><span class="o">=</span><span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span> <span class="nv">DIR_NAME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cd</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SCRIPT_PATH_NAME</span><span class="k">}</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span><span class="p">;</span> <span class="nb">pwd</span> <span class="nt">-P</span><span class="si">)</span><span class="s2">"</span> <span class="nv">SCRIPT_NAME</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">basename</span> <span class="s2">"</span><span class="k">${</span><span class="nv">SCRIPT_PATH_NAME</span><span class="k">}</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="nv">PYTHON_SCRIPT</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">DIR_NAME</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">SCRIPT_NAME</span><span class="k">}</span><span class="s2">.py"</span> <span class="c"># Run the integration script using custom Python interpreter</span> <span class="k">${</span><span class="nv">CUSTOM_PYTHON</span><span class="k">}</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PYTHON_SCRIPT</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span> </code></pre> </div> <p>Make both scripts executable and set proper ownership:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>750 /var/ossec/integrations/custom-slack<span class="k">*</span> <span class="nb">chown </span>root:wazuh /var/ossec/integrations/custom-slack<span class="k">*</span> </code></pre> </div> <h2> Step 4: Configure Integration in <code>ossec.conf</code> </h2> <ul> <li>Ensure that <code>logall_json</code> is enabled by setting it to <code>yes</code> in your <code>ossec.conf</code> file: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;ossec_config&gt;</span> <span class="nt">&lt;global&gt;</span> <span class="nt">&lt;jsonout_output&gt;</span>yes<span class="nt">&lt;/jsonout_output&gt;</span> <span class="nt">&lt;alerts_log&gt;</span>yes<span class="nt">&lt;/alerts_log&gt;</span> <span class="nt">&lt;logall&gt;</span>yes<span class="nt">&lt;/logall&gt;</span> <span class="nt">&lt;logall_json&gt;</span>yes<span class="nt">&lt;/logall_json&gt;</span> <span class="nt">&lt;/global&gt;</span> <span class="nt">&lt;/ossec_config&gt;</span> </code></pre> </div> <ul> <li>Add the integration block in <code>/var/ossec/etc/ossec.conf</code>:</li> <li>The <code>&lt;name&gt;</code> tag value (<code>custom-slack</code>) must exactly match the name of your wrapper script. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;ossec_config&gt;</span> <span class="nt">&lt;integration&gt;</span> <span class="nt">&lt;name&gt;</span>custom-slack<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;alert_format&gt;</span>json<span class="nt">&lt;/alert_format&gt;</span> <span class="nt">&lt;/integration&gt;</span> <span class="nt">&lt;/ossec_config&gt;</span> </code></pre> </div> <p>Restart Wazuh to apply changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart wazuh-manager.service </code></pre> </div> <h2> βœ… Step 6: Test the Integration </h2> <p>Test manually with an alert JSON file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/ossec/integrations/custom-slack /var/ossec/logs/alerts/alerts.json </code></pre> </div> <h2> Related Projects </h2> <ul> <li> <a href="https://github.com/0xdolan/wazuh-telegram-integration" rel="noopener noreferrer">Wazuh Telegram Integration</a> – Send Wazuh alerts to Telegram using a similar method.</li> </ul> <h2> πŸš€ Result </h2> <p>You’ll begin receiving real-time Slack alerts for all critical, high, and medium-level events. Each alert is detailed, well-formatted, and clearly marked by severity, helping you respond faster and more effectively.</p> <p>If you found this useful or have questions, feel free to comment. Happy monitoring! πŸ‘¨β€πŸ’»πŸ“±</p> <p><em>Created with ❀️ by 0xdolan | <a href="https://github.com/0xdolan" rel="noopener noreferrer">GitHub</a> | <a href="https://github.com/0xdolan/wazuh-slack-integration/blob/main/README.md" rel="noopener noreferrer">View this guide on GitHub</a></em></p> wazuh slack cybersecurity siem Wazuh 4.12 Telegram Alert Integration (with SSH Login Alerts) Dolan Fri, 01 Aug 2025 06:47:53 +0000 https://dev.to/0xdolan/wazuh-412-telegram-alert-integration-with-ssh-login-alerts-4mbd https://dev.to/0xdolan/wazuh-412-telegram-alert-integration-with-ssh-login-alerts-4mbd <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcxv68ilpvh2vu3fad32q.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcxv68ilpvh2vu3fad32q.jpg" alt="Wazuh Telegram Integration" width="800" height="800"></a></p> <p>Wazuh is a robust open-source security platform, but it doesn't include native support for Telegram alerts. This guide walks you through a simple method to send alerts, like SSH login attempts, to Telegram using a custom integration script.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbf3yux2u21engju4o065.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbf3yux2u21engju4o065.jpg" alt="Wazuh Telegram Alert Sample" width="800" height="999"></a></p> <h2> πŸ› οΈ Prerequisites </h2> <ul> <li>A Telegram bot and your chat ID (<a href="https://core.telegram.org/bots#6-botfather" rel="noopener noreferrer">official guide</a>, or use the quick setup below)</li> <li>Wazuh 4.12 installed</li> <li>Basic Linux shell and Python knowledge</li> </ul> <h1> How to Create a Telegram Bot </h1> <p>Creating a Telegram bot is quick and easy with Telegram’s official <strong>BotFather</strong>:</p> <ol> <li>Open Telegram and search for <strong><a class="mentioned-user" href="https://dev.to/botfather">@botfather</a></strong>.</li> <li>Start a conversation and send <code>/start</code> to begin.</li> <li>Create your bot with the command <code>/newbot</code>.</li> <li>Follow the instructions: <ul> <li>Provide a display name for your bot.</li> <li>Choose a unique username that ends with <code>bot</code> (e.g., <code>WazuhAlertBot</code>).</li> </ul> </li> <li>BotFather will then return your <strong>bot token</strong>, which looks like this: <code>123456789:ABCdefGhIJKlmNoPQRstUVwxyz1234567890</code>.</li> <li>Keep this token safe, it's required to send messages from your bot.</li> </ol> <p>You can now find your bot on Telegram using its username and send it a message to start.</p> <h1> How to Get Your Telegram Chat ID </h1> <p>To send alerts to Telegram, you'll need your <strong>chat ID</strong>. The script below fetches your chat ID by reading the latest message sent to your bot.</p> <h2> Steps </h2> <ol> <li>Replace the <code>bot_token</code> in the script with the token you got from BotFather.</li> <li>Send any message to your bot via Telegram (e.g., "hello").</li> <li>Run the script below using Python.</li> <li>Your chat ID will be printed in the terminal.</li> </ol> <h2> Python Script to Retrieve Chat ID </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">bot_token</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># Replace with your bot token </span> <span class="k">def</span> <span class="nf">get_chat_id</span><span class="p">():</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://api.telegram.org/bot</span><span class="si">{</span><span class="n">bot_token</span><span class="si">}</span><span class="s">/getUpdates</span><span class="sh">"</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">data</span> <span class="ow">and</span> <span class="nf">len</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="c1"># Get chat ID from the last message </span> <span class="n">chat_id</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">][</span><span class="o">-</span><span class="mi">1</span><span class="p">][</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">chat</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Your Chat ID is: </span><span class="si">{</span><span class="n">chat_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">No messages found. Please send a message to your bot first.</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to get updates: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">get_chat_id</span><span class="p">()</span> </code></pre> </div> <h2> πŸ“¦ Step 1: Set up Python Virtual Environment in Wazuh </h2> <p>Create a Python virtual environment inside the Wazuh directory (<code>/var/ossec</code>) to avoid permission issues and package conflicts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /var/ossec/venv python3 <span class="nt">-m</span> venv /var/ossec/venv <span class="nb">source</span> /var/ossec/venv/bin/activate pip <span class="nb">install </span>requests <span class="c"># or any needed packages</span> </code></pre> </div> <h2> πŸ“ Step 2: Create Telegram Integration Script </h2> <p>Name the script with prefix <code>custom-</code>.<br><br> <strong>Location:</strong> <code>/var/ossec/integrations/custom-telegram.py</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/var/ossec/venv/bin/python </span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">re</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">requests</span> <span class="c1"># Telegram Bot credentials </span><span class="n">bot_token</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># Replace with your Telegram bot token </span><span class="n">chat_id</span> <span class="o">=</span> <span class="sh">""</span> <span class="c1"># Replace with your Telegram chat ID </span> <span class="c1"># === Excluded Wazuh Rule IDs === </span><span class="n">excluded_rules</span><span class="p">:</span> <span class="nb">list</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># Example: ["1002", "5715", "18107"] </span> <span class="k">def</span> <span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">text</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="nb">str</span><span class="p">):</span> <span class="n">text</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="c1"># Escape special MarkdownV2 characters </span> <span class="n">escape_chars</span> <span class="o">=</span> <span class="sa">r</span><span class="sh">"</span><span class="s">_*[]()~`&gt;#+-=|{}.!</span><span class="sh">"</span> <span class="k">return</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">"</span><span class="s">([%s])</span><span class="sh">"</span> <span class="o">%</span> <span class="n">re</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="n">escape_chars</span><span class="p">),</span> <span class="sa">r</span><span class="sh">"</span><span class="s">\\\1</span><span class="sh">"</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">2</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ERROR] No alert file path provided.</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">alert_file</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">alert_file</span><span class="p">,</span> <span class="sh">"</span><span class="s">r</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">alert</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Failed to read or parse alert JSON file: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">rule_id</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">if</span> <span class="n">rule_id</span> <span class="ow">in</span> <span class="n">excluded_rules</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[INFO] Skipping excluded rule ID: </span><span class="si">{</span><span class="n">rule_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Extract fields </span> <span class="n">data</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="n">srcuser</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcuser</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">dstuser</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span> <span class="n">srcport</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcport</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">srcip</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">srcip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">agent_name</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">agent</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">alert_level</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">level</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">rule_id</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">description</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rule</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">No description</span><span class="sh">"</span><span class="p">)</span> <span class="n">full_log</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">full_log</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">No full log available</span><span class="sh">"</span><span class="p">)</span> <span class="n">timestamp_raw</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Convert timestamp to human readable format (date and time to seconds) </span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Try parsing ISO8601 format </span> <span class="n">dt</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">timestamp_raw</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">+00:00</span><span class="sh">"</span><span class="p">))</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">dt</span><span class="p">.</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%d %H:%M:%S</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">timestamp_raw</span> <span class="c1"># fallback if parsing fails </span> <span class="c1"># Build message </span> <span class="n">message</span> <span class="o">=</span> <span class="p">(</span> <span class="sh">"</span><span class="s">*🚨 Wazuh Alert Notification*</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ•’ *Time:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">timestamp</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ‘€ *Username:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">srcuser</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">🌐 *Source IP:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">srcip</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸšͺ *Source Port:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">srcport</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ’» *Agent:* </span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">agent_name</span><span class="p">)</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ†” *Rule ID:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">rule_id</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">🧱 *Level:* *</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">alert_level</span><span class="p">)</span><span class="si">}</span><span class="s">*</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ“„ *Description:*</span><span class="se">\n</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">description</span><span class="p">)</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">πŸ” *Full Log:*</span><span class="se">\n</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">full_log</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">vuln</span> <span class="o">=</span> <span class="n">alert</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">vulnerability</span><span class="sh">"</span><span class="p">,</span> <span class="p">{})</span> <span class="n">cve_id</span> <span class="o">=</span> <span class="n">vuln</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cve</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">cve_title</span> <span class="o">=</span> <span class="n">vuln</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">cve_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://cti.wazuh.com/vulnerabilities/cves/</span><span class="si">{</span><span class="n">cve_id</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">cve_id</span> <span class="k">else</span> <span class="sh">""</span> <span class="k">if</span> <span class="n">cve_id</span><span class="p">:</span> <span class="n">message</span> <span class="o">+=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="se">\n\n</span><span class="s">*πŸ›‘οΈ CVE:* `</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">cve_id</span><span class="p">)</span><span class="si">}</span><span class="s">`</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*πŸ“„ Details:* </span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">cve_title</span><span class="p">)</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">[πŸ”— View in CTI](</span><span class="si">{</span><span class="nf">escape_markdown_v2</span><span class="p">(</span><span class="n">cve_url</span><span class="p">)</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Send to Telegram </span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://api.telegram.org/bot</span><span class="si">{</span><span class="n">bot_token</span><span class="si">}</span><span class="s">/sendMessage</span><span class="sh">"</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">chat_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">chat_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">message</span><span class="p">,</span> <span class="sh">"</span><span class="s">parse_mode</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">MarkdownV2</span><span class="sh">"</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">!=</span> <span class="mi">200</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Telegram response: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="s"> - </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h2> πŸ”§ Step 3: Create Shell Wrapper Script </h2> <p>Wazuh calls shell scripts, so create a simple wrapper to call the Python script. It should have the same name of the python file without the <code>.py</code> extension.<br> <strong>Location:</strong> <code>/var/ossec/integrations/custom-telegram</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> /var/ossec/venv/bin/python3 /var/ossec/integrations/custom-telegram.py <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span> </code></pre> </div> <p>Make both scripts executable and set proper ownership:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>750 /var/ossec/integrations/custom-telegram<span class="k">*</span> <span class="nb">chown </span>root:wazuh /var/ossec/integrations/custom-telegram<span class="k">*</span> </code></pre> </div> <h2> Step 4: Configure Integration in <code>ossec.conf</code> </h2> <ul> <li>Ensure that <code>logall_json</code> is enabled by setting it to <code>yes</code> in your <code>ossec.conf</code> file: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;ossec_config&gt;</span> <span class="nt">&lt;global&gt;</span> <span class="nt">&lt;jsonout_output&gt;</span>yes<span class="nt">&lt;/jsonout_output&gt;</span> <span class="nt">&lt;alerts_log&gt;</span>yes<span class="nt">&lt;/alerts_log&gt;</span> <span class="nt">&lt;logall&gt;</span>yes<span class="nt">&lt;/logall&gt;</span> <span class="nt">&lt;logall_json&gt;</span>yes<span class="nt">&lt;/logall_json&gt;</span> <span class="nt">&lt;/global&gt;</span> <span class="nt">&lt;/ossec_config&gt;</span> </code></pre> </div> <ul> <li>Add the integration block in <code>/var/ossec/etc/ossec.conf</code>:</li> <li>The <code>&lt;name&gt;</code> tag value (<code>custom-telegram</code>) must exactly match the name of your wrapper script. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;ossec_config&gt;</span> <span class="nt">&lt;integration&gt;</span> <span class="nt">&lt;name&gt;</span>custom-telegram<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;level&gt;</span>7<span class="nt">&lt;/level&gt;</span> <span class="nt">&lt;alert_format&gt;</span>json<span class="nt">&lt;/alert_format&gt;</span> <span class="nt">&lt;/integration&gt;</span> <span class="nt">&lt;/ossec_config&gt;</span> </code></pre> </div> <p>Setting level to <code>7</code> means only alerts with level 7 or higher trigger the Telegram alert.</p> <h2> πŸ”’ Step 5: Elevate SSH Login Rule Level in Wazuh </h2> <p>By default, successful SSH login events (SID <code>5715</code>) have a low alert level and do not trigger integrations. To resolve this, create or update the file <code>/var/ossec/etc/rules/local_rules.xml</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;group</span> <span class="na">name=</span><span class="s">"local,syslog,sshd,"</span><span class="nt">&gt;</span> <span class="nt">&lt;rule</span> <span class="na">id=</span><span class="s">"100011"</span> <span class="na">level=</span><span class="s">"7"</span> <span class="na">overwrite=</span><span class="s">"yes"</span><span class="nt">&gt;</span> <span class="nt">&lt;if_sid&gt;</span>5715<span class="nt">&lt;/if_sid&gt;</span> <span class="nt">&lt;description&gt;</span>sshd: Successful SSH login with elevated level.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;group&gt;</span>authentication_success,pci_dss_10.2.5,<span class="nt">&lt;/group&gt;</span> <span class="nt">&lt;/rule&gt;</span> <span class="nt">&lt;/group&gt;</span> </code></pre> </div> <p>This configuration overrides the level of rule ID 5715 and raises it to level 7, ensuring it triggers and sends alerts to Telegram.</p> <blockquote> <p>πŸ”— <a href="https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#rule" rel="noopener noreferrer">Rules Syntax β€” Wazuh rule definitions and structure</a></p> </blockquote> <p>After making these changes, restart the Wazuh manager to apply them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart wazuh-manager </code></pre> </div> <h2> βœ… Step 6: Test the Integration </h2> <p>Test manually with an alert JSON file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/var/ossec/integrations/custom-telegram /var/ossec/logs/alerts/alerts.json </code></pre> </div> <p>Or wait for a real SSH login alert to be sent to Telegram.</p> <h2> Related Projects </h2> <ul> <li> <a href="https://github.com/0xdolan/wazuh-slack-integration" rel="noopener noreferrer">Wazuh Slack Integration</a> – Send Wazuh alerts to Slack using a similar method.</li> </ul> <h2> πŸš€ Result </h2> <p>Receive real-time Telegram alerts for SSH logins and other critical events with detailed, nicely formatted messages, perfect for quick incident response.</p> <p>If you found this useful or have questions, feel free to comment. Happy monitoring! πŸ‘¨β€πŸ’»πŸ“±</p> <p><em>Created with ❀️ by 0xdolan | <a href="https://github.com/0xdolan" rel="noopener noreferrer">GitHub</a> | <a href="https://github.com/0xdolan/wazuh-telegram-integration/blob/main/README.md" rel="noopener noreferrer">View this guide on GitHub</a></em></p> wazuh telegram cybersecurity siem