etc/ossec-local.conf

   1 <!-- OSSEC example config -->
   2
   3 <ossec_config>
   4   <global>
   5     <email_notification>yes</email_notification>
   6     <email_to>daniel.cid@xxx.com</email_to>
   7     <smtp_server>smtp.xxx.com.</smtp_server>
   8     <email_from>ossecm@ossec.xxx.com.</email_from>
   9   </global>
  10
  11   <rules>
  12     <include>rules_config.xml</include>
  13     <include>sshd_rules.xml</include>
  14     <include>syslog_rules.xml</include>
  15     <include>pix_rules.xml</include>
  16     <include>named_rules.xml</include>
  17     <include>pure-ftpd_rules.xml</include>
  18     <include>proftpd_rules.xml</include>
  19     <include>web_rules.xml</include>
  20     <include>apache_rules.xml</include>
  21     <include>ids_rules.xml</include>
  22     <include>squid_rules.xml</include>
  23     <include>firewall_rules.xml</include>
  24     <include>postfix_rules.xml</include>
  25     <include>sendmail_rules.xml</include>
  26     <include>spamd_rules.xml</include>
  27     <include>msauth_rules.xml</include>
  28     <include>attack_rules.xml</include>
  29   </rules>
  30
  31   <syscheck>
  32     <!-- Frequency that syscheck is executed -- default every 2 hours -->
  33     <frequency>7200</frequency>
  34
  35     <!-- Directories to check  (perform all possible verifications) -->
  36     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  37     <directories check_all="yes">/bin,/sbin</directories>
  38
  39     <!-- Files/directories to ignore -->
  40     <ignore>/etc/mtab</ignore>
  41     <ignore>/etc/hosts.deny</ignore>
  42     <ignore>/etc/mail/statistics</ignore>
  43     <ignore>/etc/random-seed</ignore>
  44     <ignore>/etc/adjtime</ignore>
  45     <ignore>/etc/httpd/logs</ignore>
  46   </syscheck>
  47
  48   <rootcheck>
  49     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  50     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  51   </rootcheck>
  52
  53   <global>
  54     <white_list>127.0.0.1</white_list>
  55     <white_list>192.168.2.1</white_list>
  56     <white_list>192.168.2.190</white_list>
  57     <white_list>192.168.2.32</white_list>
  58     <white_list>192.168.2.10</white_list>
  59   </global>
  60
  61   <alerts>
  62     <log_alert_level>1</log_alert_level>
  63     <email_alert_level>7</email_alert_level>
  64   </alerts>
  65
  66   <command>
  67     <name>host-deny</name>
  68     <executable>host-deny.sh</executable>
  69     <expect>srcip</expect>
  70     <timeout_allowed>yes</timeout_allowed>
  71   </command>
  72
  73   <command>
  74     <name>firewall-drop</name>
  75     <executable>firewall-drop.sh</executable>
  76     <expect>srcip</expect>
  77     <timeout_allowed>yes</timeout_allowed>
  78   </command>
  79
  80   <command>
  81     <name>disable-account</name>
  82     <executable>disable-account.sh</executable>
  83     <expect>user</expect>
  84     <timeout_allowed>yes</timeout_allowed>
  85   </command>
  86
  87
  88   <!-- Active Response Config -->
  89   <active-response>
  90     <!-- This response is going to execute the host-deny
  91        - command for every event that fires a rule with
  92        - level (severity) >= 6.
  93        - The IP is going to be blocked for  600 seconds.
  94       -->
  95     <command>host-deny</command>
  96     <location>local</location>
  97     <level>6</level>
  98     <timeout>600</timeout>
  99   </active-response>
 100
 101   <active-response>
 102     <!-- Firewall Drop response. Block the IP for
 103        - 600 seconds on the firewall (iptables,
 104        - ipfilter, etc).
 105       -->
 106     <command>firewall-drop</command>
 107     <location>local</location>
 108     <level>6</level>
 109     <timeout>600</timeout>
 110   </active-response>
 111
 112   <!-- Files to monitor (localfiles) -->
 113
 114   <localfile>
 115     <log_format>syslog</log_format>
 116     <location>/var/log/messages</location>
 117   </localfile>
 118
 119   <localfile>
 120     <log_format>syslog</log_format>
 121     <location>/var/log/authlog</location>
 122   </localfile>
 123
 124   <localfile>
 125     <log_format>syslog</log_format>
 126     <location>/var/log/secure</location>
 127   </localfile>
 128
 129   <localfile>
 130     <log_format>syslog</log_format>
 131     <location>/var/log/xferlog</location>
 132   </localfile>
 133
 134   <localfile>
 135     <log_format>syslog</log_format>
 136     <location>/var/log/maillog</location>
 137   </localfile>
 138
 139   <localfile>
 140     <log_format>apache</log_format>
 141     <location>/var/www/logs/access_log</location>
 142   </localfile>
 143
 144   <localfile>
 145     <log_format>apache</log_format>
 146     <location>/var/www/logs/error_log</location>
 147   </localfile>
 148 </ossec_config>