This post explains how to set up SMS notifications for specific Wazuh alerts using AWS SNS. For this purpose, we will configure one of the key modules of Wazuh: the Integrator module.

What is the Integrator module?

Integrator is a module that connects Wazuh with external software with little effort. Examples of this are the current integrations with VirusTotal, Slack, PagerDuty and Jira. In this post, we describe how to create an integration with AWS SNS.

What is AWS SNS?

AWS SNS (Simple Notification Service) is an Amazon service that allows the user to create topics and subscribe other users to these topics, so they receive a notification via email, SMS or HTTPS:

[Figure: SNS diagram]

Publishers send data to the topics of their choice. Meanwhile, each subscriber receives messages from the topics to which they are subscribed.

How it works

The following diagram shows how the SMS notification is generated:

[Figure: Wazuh workflow with SNS]

When the manager receives a new event from an agent, if the alert level is at or above the level configured for the Integrator module, the module passes the alert to the script.

Then, the script parses the data received in order to shorten the description and to strip the account-specific part of the topic ARN, so that only the topic name is written to the log.

  # Extract issue fields from the alert JSON that integratord hands to the script
  # (alert_json and arn are loaded earlier in the script from the alert file and sns.conf)
  alert_level = alert_json['rule']['level']
  description = alert_json['rule']['description']
  rule_id = alert_json['rule']['id']
  agent_id = alert_json['agent']['id']

  # Simplify parameters
  # Description: truncated to 100 chars because an SMS is at most 160 chars.
  # ARN: keep only the topic name (last field) so the account ID is not logged.
  description = (description[:100] + '...') if len(description) > 100 else description
  arn_name = arn.rsplit(':', 1)[-1]

Once the data is in its final form, the message is built and then published to the SNS topic.

  # Message body creation
  message = """
  Agent ID: {}
  Level: {}
  Description: {}
  """.format(agent_id, alert_level, description)

  # Publish message to topic (send_alert_to_sns wraps the SNS publish call;
  # logging and sys are imported at the top of the script)
  try:
    logging.info("Sending alert ({}) to SNS topic: '{}'.".format(rule_id, arn_name))
    send_alert_to_sns(region, arn, message)
  except Exception as e:
    logging.error("Cannot send message to the topic: '{}'".format(e))
    sys.exit(1)

The script also logs every error and every successful send to /var/ossec/logs/sns.log.
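The following is an added, self-contained version of the integration script described above; it is not the script from the post, but it implements the same steps: read the alert file, read topic_arn and region from the [SNSCONFIG] file, truncate the description to 100 characters, keep only the topic name for logging, and publish with boto3. The assumptions are that integratord passes the alert file path as the first command-line argument, that boto3 is installed on the manager, and that the SAMPLE_ALERT dict (constructed from the alerts.json excerpt later in the post) stands in for a real alert file.

```python
#!/usr/bin/env python3
# Added example of a custom-sns-integration script (not the post's own code).
import configparser
import json
import logging
import sys

CONFIG_PATH = "/var/ossec/etc/sns.conf"   # path used in the post
LOG_PATH = "/var/ossec/logs/sns.log"      # path used in the post
MAX_DESCRIPTION = 100                     # an SMS carries at most 160 chars

# Constructed sample alert, reduced from the alerts.json excerpt in the post.
SAMPLE_ALERT = {
    "rule": {"level": 10, "id": "5712",
             "description": "sshd: brute force trying to get access to the system."},
    "agent": {"id": "001", "name": "agent", "ip": "192.168.0.121"},
}


def parse_sns_config(text):
    """Parse the [SNSCONFIG] ini text and return (topic_arn, region)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    section = parser["SNSCONFIG"]
    return section["topic_arn"], section["region"]


def load_sns_config(path=CONFIG_PATH):
    """Read sns.conf (mode 440, root:ossec as set up in the post) from disk."""
    with open(path) as fh:
        return parse_sns_config(fh.read())


def topic_name_from_arn(arn):
    """Keep only the last ARN field (the topic name) so the account ID never reaches the log."""
    return arn.rsplit(":", 1)[-1]


def build_sms_message(alert_json):
    """Pick the fields the SMS carries and truncate the description to MAX_DESCRIPTION chars."""
    description = alert_json["rule"]["description"]
    if len(description) > MAX_DESCRIPTION:
        description = description[:MAX_DESCRIPTION] + "..."
    return "Agent ID: {}\nLevel: {}\nDescription: {}".format(
        alert_json["agent"]["id"], alert_json["rule"]["level"], description)


def send_alert_to_sns(region, arn, message, client=None):
    """Publish the message to the topic. A client can be injected for offline testing;
    otherwise boto3 (assumed installed) is imported lazily and a real SNS client is built."""
    if client is None:
        import boto3
        client = boto3.client("sns", region_name=region)
    return client.publish(TopicArn=arn, Message=message)


def main(argv):
    # Assumption: integratord passes the alert file path as argv[1].
    logging.basicConfig(filename=LOG_PATH, level=logging.INFO,
                        format="%(asctime)s %(name)s %(levelname)s: %(message)s")
    with open(argv[1]) as fh:
        alert_json = json.load(fh)
    arn, region = load_sns_config()
    message = build_sms_message(alert_json)
    try:
        logging.info("Sending alert ({}) to SNS topic: '{}'.".format(
            alert_json["rule"]["id"], topic_name_from_arn(arn)))
        send_alert_to_sns(region, arn, message)
    except Exception as e:
        logging.error("Cannot send message to the topic: '{}'".format(e))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the message builder is a pure function and the SNS client is injectable, the length limit and the ARN stripping can be checked without network access, and the script still runs unchanged under integratord when installed as /var/ossec/integrations/custom-sns-integration.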

Getting it ready

First of all, it’s necessary to create a new SNS topic and subscribe a phone number to it:

  1. Go to the SNS console.
  2. Create a new topic.
  3. Create a new subscription for the phone number.
  4. Now, log into your Wazuh manager instance via SSH and create a configuration file which contains the SNS topic ARN and region:

                   $ vi /var/ossec/etc/sns.conf
                   $ chmod 440 /var/ossec/etc/sns.conf
                   $ chown root:ossec /var/ossec/etc/sns.conf

                  [SNSCONFIG]
                  topic_arn=arn:aws:sns:us-east-1:xxxxxxxxxxx:sms-alerts-service
                  region=us-east-1

  5. Then, add the <integration> block inside /var/ossec/etc/ossec.conf:

                    <integration>
                       <name>custom-sns-integration</name>
                       <alert_format>json</alert_format>
                       <level>10</level>
                    </integration>

     It is also possible to filter alerts by rule ID or group.

  6. Download the custom script and set its file permissions and group:

                   $ curl "https://wazuh.com/resources/blog/sending-wazuh-alerts-via-sms/custom-sns-integration.py" -o /var/ossec/integrations/custom-sns-integration
                   $ chmod 750 /var/ossec/integrations/custom-sns-integration
                   $ chown root:ossec /var/ossec/integrations/custom-sns-integration

  7. Finally, restart the manager.

     a) For Systemd:

                   $ systemctl restart wazuh-manager

     b) For SysV Init:

                   $ service wazuh-manager restart

Generating a sample alert

Once everything has been created, it’s time to test it.

Here is an alert generated by an SSH brute-force attempt, as recorded in /var/ossec/logs/alerts/alerts.json:

     {  
       "timestamp":"2019-06-07T09:09:11.319+0000",
       "rule":{  
         "level":10,
         "description":"sshd: brute force trying to get access to the system.",
         "id":"5712",
         "frequency":8,
         "firedtimes":1,
         "mail":false,
       ...
       },
       "agent":{  
         "id":"001",
         "name":"agent",
         "ip":"192.168.0.121"
       },
       "manager":{  
         "name":"wazuh-manager-master-0"
       },
       "id":"1559898551.245183",
       "cluster":{  
         "name":"wazuh",
         "node":"wazuh-manager-master"
       },
       "full_log":"Jun  7 11:09:10 agent sshd[5577]: Failed password for invalid user evil_user from 192.168.0.112 port 55777 ssh2",
       ...
     }

Also, the sns.log file shows that a new alert has been sent:

   $ cat /var/ossec/logs/sns.log

     2019-06-07 09:09:12,763 wazuh-manager-master-0 root INFO: Sending alert (5712) to SNS topic: 'sms-alerts-service'.

The SNS console shows that an SMS has been successfully sent:

Finally, this is the alert received via SMS:

Conclusion

Integrator is a powerful component that can connect Wazuh with a wide variety of tools. In this case, we showed how, with minimal configuration, Wazuh alerts can be forwarded to our smartphone.