Week 3: BitNinja Alerts on Slack or Discord with Custom NodeJS Webhook

This third week, we will be digging into the advanced area or deepwater, where we will be setting up our own NodeJS webhook. The best thing about it, you can really customize it and the data received nearly instantly. You may clone the GitHub repository and use it for your own, but note that this has limited support by me and I also rather recommend to extend it to your needs.

Server Requirements

• Server (VPS or Dedicated both works fine)
• 1GB RAM
• 1 Core CPU
• 500 MB Disk Space

Please note that the above requirements for a very few alerts, in case there is more incidents and alerts incoming, this will be more resource-heavy.

Software/Package Stack

• NodeJS
• Express
• Dotenv
• Slack and/or Discord API

Setting up the Workspace

1. Download NodeJS via website or install it via CLI.

sudo apt update && sudo apt install nodejs npm git        

2. Git clone "ninjahook"

git clone https://github.com/sqpp/ninjahook        

3. Install the required packages

npm install        

4. Copy the .env.example to .env and edit using

cp .env.example .env && nano .env        

Since we don't want people to bug or make requests to our API randomly, we will create an environment variable with our own API key, plus of course the Discord and Slack API keys that we will be using to send the messages in.

APP_NAME=Ninjahook
WEBHOOK_KEY=
DISCORD_CH=
SLACK_CH=alerts
PORT=8012
DISCORD_TOKEN=
SLACK_TOKEN=        

Additionally, you can generate any key such as a 12 format random hash, etc, but make sure it's secure and only you and BitNinja Alerts Page has it. Also make sure the port you set here is open in your firewall on the server, as BitNinja will need to send POST requests to it.

You can use Strong Random Password Generator for this, but make sure to uncheck the symbols.

IMPORTANT

In case you don't want to use both of these communication channels, leave the environment variable empty. Additionally the support for the "WHM" will only work if the ServerName from BitNinja matches with the HostName of the server.

Discord.js Setup

Let's head over to Discord Developers page and create a New Application.

Once you receive the Token, make sure to copy it and add it to the .env file after DISCORD_TOKEN=

1. Fill out your basic information and choose an avatar, name, etc for the bot.
2. Choose the OAUTH2 from the left side and then the URL Generator.
3. From the Scopes, check the "bot" option.
4. Once the new Bot Permissions appearing, check "Send Messages" below the Text Permissions.

1. Once the URL generated, copy it and paste it in your browser, then log in and choose your Discord server.
2. Once it joined, you might want to add it to a private channel, so right click on the private and under Permissions, add the bot.
3. Once again right click on the private channel and "Copy Channel ID", add this in the .env file next to DISCORD_CH=

Slack Setup

1. Go to Slack's App Manager
2. Click on the "Create New App" in the right top corner.
3. Choose from Scratch.
4. Enter the Bot's name and choose the Slack Workspace from the list.
5. From the left sidebar choose "OAuth & Permissions"
6. Below the scopes, choose "chat:write" and "channels:join"

1. Install the app (Bot) from the top of the page to your workspace.
2. Copy the Token and add it to the .env file after SLACK_TOKEN=
3. Make sure to add the Slack Channel in your .env file as well, you DO NOT need to add the hashtag before.

BitNinja setup

1. Visit?BitNinja Alerts
2. Add your webhook URLs such as

https://<ip-address/domain>:8012/malware-alert?key=<your-api-key
https://<ip-address/domain>:8012/waf-alert?key=<your-api-key>
https://<ip-address/domain>:8012/dos-alert?key=<your-api-key>>        

(Optional) You can of course use domains as well for prettier webhook URLs.

Start the Webhook Service

npm run start        

Once the service is up and events being triggered, you will see the notifications with the matching AlertIDs in the logs.

Alerts

Discord

Slack

[2023-05-05T08:53:05.578Z] Discord Notification | 641fb9b4893a80002a48100
[2023-05-05T08:53:06.489Z] Slack Notification | 641fb9b4893a80002a4810011