* Using latest 0.1.8 wazuh-client-rs craate which fixes issue with

ordering: (#17) * Improved unmarshaling for indexer responses * Other minor changes.
2025-12-25 22:17:44 -06:00 · 2025-12-05 15:52:19 -08:00
parent 8a6bd9e3c6
commit 005e5f89a4
6 changed files with 54 additions and 13 deletions
--- a/src/tools/alerts.rs
+++ b/src/tools/alerts.rs
@@ -79,10 +79,48 @@ impl AlertTools {
                            .and_then(|l| l.as_u64())
                            .unwrap_or(0);

-                        let formatted_text = format!(
+                        // Extract source IP from data.srcip (common for SSH, network alerts)
+                        let src_ip = source.get("data")
+                            .and_then(|d| d.get("srcip"))
+                            .and_then(|ip| ip.as_str())
+                            .or_else(|| source.get("data")
+                                .and_then(|d| d.get("src_ip"))
+                                .and_then(|ip| ip.as_str()))
+                            .unwrap_or("");
+
+                        // Extract destination IP if available
+                        let dst_ip = source.get("data")
+                            .and_then(|d| d.get("dstip"))
+                            .and_then(|ip| ip.as_str())
+                            .or_else(|| source.get("data")
+                                .and_then(|d| d.get("dst_ip"))
+                                .and_then(|ip| ip.as_str()))
+                            .unwrap_or("");
+
+                        // Extract source user if available
+                        let src_user = source.get("data")
+                            .and_then(|d| d.get("srcuser"))
+                            .and_then(|u| u.as_str())
+                            .or_else(|| source.get("data")
+                                .and_then(|d| d.get("dstuser"))
+                                .and_then(|u| u.as_str()))
+                            .unwrap_or("");
+
+                        // Build formatted text with optional fields
+                        let mut formatted_text = format!(
                            "Alert ID: {}\nTime: {}\nAgent: {}\nLevel: {}\nDescription: {}",
                            id, timestamp, agent_name, rule_level, description
                        );
+
+                        if !src_ip.is_empty() {
+                            formatted_text.push_str(&format!("\nSource IP: {}", src_ip));
+                        }
+                        if !dst_ip.is_empty() {
+                            formatted_text.push_str(&format!("\nDestination IP: {}", dst_ip));
+                        }
+                        if !src_user.is_empty() {
+                            formatted_text.push_str(&format!("\nUser: {}", src_user));
+                        }
                        Content::text(formatted_text)
                    })
                    .collect();
--- a/src/tools/vulnerabilities.rs
+++ b/src/tools/vulnerabilities.rs
@@ -101,7 +101,7 @@ impl VulnerabilityTools {
                params
                    .severity
                    .as_deref()
-                    .and_then(VulnerabilitySeverity::from_str),
+                    .and_then(VulnerabilitySeverity::parse),
            )
            .await;