Test Event Scripts

Send Wazuh test events

Use this to inject synthetic SOC events via syslog UDP into the Wazuh manager.

scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Scenarios:

  • ioc_dns
  • ioc_ips
  • vpn_outside_th
  • windows_auth_fail
  • all

Examples:

scripts/send-wazuh-test-events.sh all
scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
scripts/send-wazuh-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • WAZUH_TEST_SRC_IP
  • WAZUH_TEST_DOMAIN
  • WAZUH_TEST_USER

Transport notes:

  • Uses nc if available.
  • Falls back to Bash UDP redirection (/dev/udp/host/port) when nc is unavailable.
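As an added example (not one of the repository's scripts), a minimal sender showing the transport selection described above (nc when present, otherwise Bash /dev/udp redirection), plus the DRY_RUN=1 print-only mode the later scripts expose. Host and port variables follow this README; the function names and the sample event are assumptions.

```shell
#!/usr/bin/env bash
# Added example: minimal syslog-over-UDP sender with nc -> /dev/udp fallback.
WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the line instead of sending it

# RFC 3164 PRI = facility*8 + severity, e.g. local4 (20) / info (6) -> <166>
syslog_pri() {
  local facility="$1" severity="$2"
  printf '<%d>' "$(( facility * 8 + severity ))"
}

# Build a BSD-style line: <PRI>Mon dd HH:MM:SS host tag: message
# An explicit timestamp may be passed as $6 so output is reproducible.
format_syslog() {
  local facility="$1" severity="$2" host="$3" tag="$4" msg="$5"
  local ts="${6:-$(date '+%b %e %T')}"
  printf '%s%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" \
    "$ts" "$host" "$tag" "$msg"
}

# Pick the transport: nc if on PATH, else Bash's /dev/udp pseudo-device.
choose_transport() {
  if command -v nc >/dev/null 2>&1; then echo nc; else echo devudp; fi
}

# Send one event line; in DRY_RUN mode print it and touch no socket.
send_line() {
  local line="$1"
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$line"
    return 0
  fi
  case "$(choose_transport)" in
    nc)     printf '%s\n' "$line" | nc -u -w1 "$WAZUH_SYSLOG_HOST" "$WAZUH_SYSLOG_PORT" ;;
    devudp) printf '%s\n' "$line" > "/dev/udp/$WAZUH_SYSLOG_HOST/$WAZUH_SYSLOG_PORT" ;;
  esac
}

# Constructed sample in the spirit of the windows_auth_fail scenario (hypothetical text).
demo_event() {
  format_syslog 1 4 "${WIN_HOST:-win-client-01}" "WinEvtLog" \
    "Security: AUDIT_FAILURE(4625): An account failed to log on. Account Name: ${WAZUH_TEST_USER:-jdoe}"
}

# Only transmit when invoked as: ./sender.sh send   (prefix DRY_RUN=1 to preview)
if [ "${1:-}" = "send" ]; then
  send_line "$(demo_event)"
fi
```

Run `DRY_RUN=1 ./sender.sh send` first to confirm the line looks right before pointing it at a real manager.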

Send Cisco device test events

Use this to inject Cisco-style syslog events (ASA/IOS) into the Wazuh manager.

scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Scenarios:

  • asa_acl_deny
  • asa_vpn_auth_fail
  • ios_login_fail
  • ios_config_change
  • all

Examples:

scripts/send-wazuh-cisco-test-events.sh all
scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • CISCO_DEVICE_HOST
  • CISCO_SRC_IP
  • CISCO_DST_IP
  • CISCO_VPN_USER
  • CISCO_ADMIN_USER

Send FortiGate firewall test events

Use this to inject FortiGate-style syslog events (models 501E, 80F, 60F, 40F) into the Wazuh manager.

scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Models:

  • 501E
  • 80F
  • 60F
  • 40F
  • all

Examples:

scripts/send-wazuh-fortigate-test-events.sh all
scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • FGT_SRC_IP
  • FGT_DST_IP
  • FGT_DOMAIN
  • FGT_USER

Run continuous FortiGate simulation

Use this to generate ongoing FortiGate-like traffic and security events for Wazuh testing.

scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]

Profiles:

  • normal (mostly allowed traffic, occasional admin/vpn/webfilter)
  • incident (higher IPS/webfilter/vpn anomalies)
  • mixed (balanced baseline + anomalies)

Models:

  • 501E
  • 80F
  • 60F
  • 40F
  • all

Examples:

scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • SIM_MAX_EVENTS (default 0, which means run forever)
  • SIM_SRC_PREFIX (default 10.10.20)
  • SIM_VPN_USER
  • SIM_ADMIN_USER

Simulate all required logs from proposal

Use this to generate synthetic logs for all use cases listed in: Security Detection & Threat Intelligence Enhancement Proposal-2.md Appendix A (A1-A4).

scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Selectors:

  • all (all Appendix A use cases)
  • a1, a2, a3, a4 (by section)
  • specific use case id, e.g. A2-01, A3-05, A4-24

Examples:

scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
scripts/send-wazuh-proposal-required-events.sh A3-05 1
DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • EVENT_DELAY (default 0.05)
  • DRY_RUN (default 0, set 1 to print only)
  • FGT_DEVNAME, FGT_DEVID
  • WIN_HOST, DNS_HOST
  • SIM_VPN_USER

Simulate endpoint client-agent logs (Windows / macOS / Linux)

Use this to inject realistic endpoint telemetry for client agents into Wazuh.

scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]

Optional flag:

  • --forever (ignore count and run continuously until Ctrl+C)

Platforms:

  • windows
  • mac
  • linux
  • all

Scenarios:

  • auth
  • process
  • persistence
  • privilege
  • malware
  • all

Examples:

scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever

Environment overrides:

  • WAZUH_SYSLOG_HOST (default 127.0.0.1)
  • WAZUH_SYSLOG_PORT (default 514)
  • DRY_RUN (default 0)
  • WIN_HOST, MAC_HOST, LINUX_HOST
  • SIM_USER

Shuffle sample workflow helpers

Sample playbook design for Shuffle:

  • shuffle-workflows/sample-ioc-playbook.md

Sample execution payload:

  • scripts/events/shuffle-sample-execution.json

Trigger an existing Shuffle workflow from CLI:

scripts/trigger-shuffle-workflow.sh <workflow_id> [ioc_type] [ioc_value]

Create MVP workflows in Shuffle (from proposal mapping):

SHUFFLE_API_KEY=<your_key> scripts/create-shuffle-mvp-workflows.sh

This creates:

  • MVP - IOC Enrichment and Case Routing
  • MVP - VPN Geo Anomaly Triage