AWS SNS integration

This post explains how to set up SMS notifications in order to receive specific alerts using AWS SNS. For this purpose, we will configure one of the key modules of Wazuh: the integrator module.
Integrator is a module which easily connects Wazuh with external software. Examples of this are the current integrations with Virustotal, Slack, PagerDuty or Jira. In this post, we describe how to create an integration with AWS SNS.
AWS SNS (Simple Notification Service) is an Amazon service that lets a user create topics and subscribe other users to them, so that they receive notifications via email, SMS or HTTPS:
Publishers send data to the topics of their choice, and each subscriber receives the messages published to the topics they are subscribed to.
The following diagram shows how the SMS notification is generated:
When the manager receives a new event from an agent and the resulting alert has a level greater than the one configured for the integrator module, the module passes the alert to the script.
The script then parses the received data: it shortens the description and keeps only the topic name from the ARN, so that sensitive data is not exposed.
# Extract issue fields
alert_level = alert_json['rule']['level']
description = alert_json['rule']['description']
rule_id = alert_json['rule']['id']
agent_id = alert_json['agent']['id']

# Simplify parameters
# Description: shortened to 100 chars because the maximum size of an SMS is 160 chars.
# ARN: keep only the topic name, dropping the account-specific part of the ARN.
description = description[:100] if len(description) > 100 else description
arn_name = arn.rsplit(':', 1)[-1]
Once the data is in its final form, the message is created, and then it’s sent to the SNS topic.
# Message body creation
message = """
Agent ID: {}
Level: {}
Description: {}
""".format(agent_id, alert_level, description)

# Publish message to topic
try:
    logging.info("Sending alert ({}) to SNS topic: '{}'.".format(rule_id, arn_name))
    send_alert_to_sns(region, arn, message)
except Exception as e:
    logging.error("Cannot send message to the topic: '{}'".format(e))
    exit(1)
Also, the script logs all the errors/successes to /var/ossec/logs/sns.log.
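The following is an added example, not the custom-sns-integration script from the original post nor any other Wazuh code: a complete integrator script that implements the behaviour described above (extract the rule and agent fields, shorten the description to 100 characters, keep only the topic name from the ARN for logging, publish to SNS, log success or failure). It assumes, as is not stated on the page, that Wazuh hands the script the path of a temporary file containing the alert JSON as its first argument, that the topic ARN and region come from the [SNSCONFIG] section of /var/ossec/etc/sns.conf, and that publishing goes through boto3's SNS client. The client is injectable, so the parsing and message logic can be exercised offline with the constructed FakeSnsClient and SAMPLE_ALERT included at the bottom.

```python
"""Added example of a Wazuh integrator script forwarding alerts to AWS SNS.

Assumptions (hypothetical, not from the original post):
  * Wazuh passes the path of a temporary file with the alert JSON as argv[1].
  * topic_arn and region live in the [SNSCONFIG] section of /var/ossec/etc/sns.conf.
  * Publishing uses boto3's SNS client, imported lazily so the module loads without it.
"""
import configparser
import json
import logging
import sys

CONFIG_PATH = "/var/ossec/etc/sns.conf"
LOG_PATH = "/var/ossec/logs/sns.log"
SMS_MAX_DESCRIPTION = 100  # the post shortens descriptions to 100 chars (SMS limit is 160)


def load_sns_config(path=CONFIG_PATH):
    """Read topic_arn and region from the [SNSCONFIG] section of the config file."""
    parser = configparser.ConfigParser()
    with open(path) as fh:
        parser.read_file(fh)
    section = parser["SNSCONFIG"]
    return section["topic_arn"], section["region"]


def topic_name_from_arn(arn):
    """Keep only the final ARN component (the topic name); the account id and region are dropped."""
    return arn.rsplit(":", 1)[-1]


def build_message(alert_json):
    """Turn a Wazuh alert dict into the short SMS body used by the post."""
    description = alert_json["rule"]["description"]
    if len(description) > SMS_MAX_DESCRIPTION:
        description = description[:SMS_MAX_DESCRIPTION]
    return "Agent ID: {}\nLevel: {}\nDescription: {}".format(
        alert_json["agent"]["id"], alert_json["rule"]["level"], description)


def send_alert_to_sns(region, arn, message, client=None):
    """Publish the message to the topic and return the SNS MessageId."""
    if client is None:
        import boto3  # lazy import: only needed when really publishing
        client = boto3.client("sns", region_name=region)
    response = client.publish(TopicArn=arn, Message=message)
    return response["MessageId"]


def process_alert(alert_json, region, arn, client=None):
    """Build the SMS body for one alert and publish it; only the topic name is logged."""
    message = build_message(alert_json)
    logging.info("Sending alert (%s) to SNS topic: '%s'.",
                 alert_json["rule"]["id"], topic_name_from_arn(arn))
    return send_alert_to_sns(region, arn, message, client)


def main(argv):
    logging.basicConfig(filename=LOG_PATH, level=logging.INFO,
                        format="%(asctime)s %(levelname)s: %(message)s")
    try:
        arn, region = load_sns_config()
        with open(argv[1]) as fh:          # assumed: alert file path from Wazuh
            alert_json = json.load(fh)
        process_alert(alert_json, region, arn)
    except Exception as exc:
        logging.error("Cannot send message to the topic: '%s'", exc)
        return 1
    return 0


# --- Constructed test fixtures (not real alerts or AWS objects) ---------------
SAMPLE_ALERT = {  # modelled on the brute-force alert shown later in the post
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "agent", "ip": "192.168.0.121"},
}


class FakeSnsClient:
    """Stand-in for boto3's SNS client: records publish() calls instead of sending."""
    def __init__(self):
        self.published = []

    def publish(self, TopicArn, Message):
        self.published.append((TopicArn, Message))
        return {"MessageId": "fake-message-id"}


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the Wazuh-provided alert file path as the only argument; the log line written to sns.log contains the rule id and topic name only, never the full ARN, which is the point of the rsplit on the ARN.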
First of all, it’s necessary to create a new SNS topic and subscribe a new phone number to it:
Create the configuration file holding the topic ARN and region, and restrict its permissions so that only root and the ossec group can read it:
vi /var/ossec/etc/sns.conf
chmod 440 /var/ossec/etc/sns.conf
chown root:ossec /var/ossec/etc/sns.conf
[SNSCONFIG]
topic_arn=arn:aws:sns:us-east-1:xxxxxxxxxxx:sms-alerts-service
region=us-east-1
Add the integration block to the manager's /var/ossec/etc/ossec.conf:
<integration>
  <name>custom-sns-integration</name>
  <alert_format>json</alert_format>
  <level>10</level>
</integration>
Alerts can also be filtered by their rule_id or group.
2. Download the custom script, change file permissions and group.
curl "https://wazuh.com/resources/blog/sending-wazuh-alerts-via-sms/custom-sns-integration.py" -o /var/ossec/integrations/custom-sns-integration
chmod 750 /var/ossec/integrations/custom-sns-integration
chown root:ossec /var/ossec/integrations/custom-sns-integration
Restart the Wazuh manager so that the new integration is loaded.
a) For Systemd:
systemctl restart wazuh-manager
b) For SysV Init:
service wazuh-manager restart
Once everything has been created, it’s time to test it.
The alert generated by an SSH brute-force attempt can be seen in /var/ossec/logs/alerts/alerts.json:
{
  "timestamp": "2019-06-07T09:09:11.319+0000",
  "rule": {
    "level": 10,
    "description": "sshd: brute force trying to get access to the system.",
    "id": "5712",
    "frequency": 8,
    "firedtimes": 1,
    "mail": false
  },
  "agent": {
    "id": "001",
    "name": "agent",
    "ip": "192.168.0.121"
  },
  "manager": {
    "name": "wazuh-manager-master-0"
  },
  "id": "1559898551.245183",
  "cluster": {
    "name": "wazuh",
    "node": "wazuh-manager-master"
  },
  "full_log": "Jun 7 11:09:10 agent sshd[5577]: Failed password for invalid user evil_user from 192.168.0.112 port 55777 ssh2"
}
The sns.log file also shows that a new alert has been sent:
cat /var/ossec/logs/sns.log
2019-06-07 09:09:12,763 wazuh-manager-master-0 root INFO: Sending alert (5712) to SNS topic: 'sms-alerts-service'.
The SNS console shows that an SMS has been successfully sent:
Finally, this is the alert received via SMS:
Integrator is a powerful component that can connect Wazuh with a wide variety of tools. In this case, we showed how with a minimal configuration, Wazuh alerts are forwarded to our smartphone.
If you have any questions about this, don’t hesitate to check out our documentation to learn more about Wazuh or join our community where our team and contributors will help you.