projects / ossec-hids.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Imported Upstream version 2.7
[ossec-hids.git] / etc / ossec-local.conf
1 <!-- OSSEC example config -->
2
3 <ossec_config>
4   <global>
5     <email_notification>yes</email_notification>
6     <email_to>daniel.cid@xxx.com</email_to>
7     <smtp_server>smtp.xxx.com.</smtp_server>
8     <email_from>ossecm@ossec.xxx.com.</email_from>
9   </global>
10
11   <rules>
12     <include>rules_config.xml</include>
13     <include>pam_rules.xml</include>
14     <include>sshd_rules.xml</include>
15     <include>telnetd_rules.xml</include>
16     <include>syslog_rules.xml</include>
17     <include>arpwatch_rules.xml</include>
18     <include>symantec-av_rules.xml</include>
19     <include>symantec-ws_rules.xml</include>
20     <include>pix_rules.xml</include>
21     <include>named_rules.xml</include>
22     <include>smbd_rules.xml</include>
23     <include>vsftpd_rules.xml</include>
24     <include>pure-ftpd_rules.xml</include>
25     <include>proftpd_rules.xml</include>
26     <include>ms_ftpd_rules.xml</include>
27     <include>ftpd_rules.xml</include>
28     <include>hordeimp_rules.xml</include>
29     <include>roundcube_rules.xml</include>
30     <include>wordpress_rules.xml</include>
31     <include>cimserver_rules.xml</include>
32     <include>vpopmail_rules.xml</include>
33     <include>vmpop3d_rules.xml</include>
34     <include>courier_rules.xml</include>
35     <include>web_rules.xml</include>
36     <include>web_appsec_rules.xml</include>
37     <include>apache_rules.xml</include>
38     <include>nginx_rules.xml</include>
39     <include>php_rules.xml</include>
40     <include>mysql_rules.xml</include>
41     <include>postgresql_rules.xml</include>
42     <include>ids_rules.xml</include>
43     <include>squid_rules.xml</include>
44     <include>firewall_rules.xml</include>
45     <include>cisco-ios_rules.xml</include>
46     <include>netscreenfw_rules.xml</include>
47     <include>sonicwall_rules.xml</include>
48     <include>postfix_rules.xml</include>
49     <include>sendmail_rules.xml</include>
50     <include>imapd_rules.xml</include>
51     <include>mailscanner_rules.xml</include>
52     <include>dovecot_rules.xml</include>
53     <include>ms-exchange_rules.xml</include>
54     <include>racoon_rules.xml</include>
55     <include>vpn_concentrator_rules.xml</include>
56     <include>spamd_rules.xml</include>
57     <include>msauth_rules.xml</include>
58     <include>mcafee_av_rules.xml</include>
59     <include>trend-osce_rules.xml</include>
60     <include>ms-se_rules.xml</include>
61     <!-- <include>policy_rules.xml</include> -->
62     <include>zeus_rules.xml</include>
63     <include>solaris_bsm_rules.xml</include>
64     <include>vmware_rules.xml</include>
65     <include>ms_dhcp_rules.xml</include>
66     <include>asterisk_rules.xml</include>
67     <include>ossec_rules.xml</include>
68     <include>attack_rules.xml</include>
69     <include>local_rules.xml</include>
70   </rules>
71
72   <syscheck>
73     <!-- Frequency that syscheck is executed -- default every 20 hours -->
74     <frequency>17200</frequency>
75     
76     <!-- Directories to check  (perform all possible verifications) -->
77     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
78     <directories check_all="yes">/bin,/sbin</directories>
79
80     <!-- Files/directories to ignore -->
81     <ignore>/etc/mtab</ignore>
82     <ignore>/etc/hosts.deny</ignore>
83     <ignore>/etc/mail/statistics</ignore>
84     <ignore>/etc/random-seed</ignore>
85     <ignore>/etc/adjtime</ignore>
86     <ignore>/etc/httpd/logs</ignore>
87   </syscheck>
88
89   <rootcheck>
90     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
91     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
92   </rootcheck>
93
94   <global>
95     <white_list>127.0.0.1</white_list>
96     <white_list>192.168.2.1</white_list>
97     <white_list>192.168.2.190</white_list>
98     <white_list>192.168.2.32</white_list>
99     <white_list>192.168.2.10</white_list>
100   </global>
101
102   <alerts>
103     <log_alert_level>1</log_alert_level>
104     <email_alert_level>7</email_alert_level>
105   </alerts>
106
107   <command>
108     <name>host-deny</name>
109     <executable>host-deny.sh</executable>
110     <expect>srcip</expect>
111     <timeout_allowed>yes</timeout_allowed>
112   </command>  
113
114   <command>
115     <name>firewall-drop</name>
116     <executable>firewall-drop.sh</executable>
117     <expect>srcip</expect>
118     <timeout_allowed>yes</timeout_allowed>
119   </command>  
120
121   <command>
122     <name>disable-account</name>
123     <executable>disable-account.sh</executable>
124     <expect>user</expect>
125     <timeout_allowed>yes</timeout_allowed>
126   </command>  
127
128
129   <!-- Active Response Config -->
130   <active-response>
131     <!-- This response is going to execute the host-deny
132        - command for every event that fires a rule with
133        - level (severity) >= 6.
134        - The IP is going to be blocked for  600 seconds.
135       -->
136     <command>host-deny</command>
137     <location>local</location>
138     <level>6</level>
139     <timeout>600</timeout>
140   </active-response>
141
142   <active-response>
143     <!-- Firewall Drop response. Block the IP for
144        - 600 seconds on the firewall (iptables,
145        - ipfilter, etc).
146       -->
147     <command>firewall-drop</command>
148     <location>local</location>
149     <level>6</level>
150     <timeout>600</timeout>    
151   </active-response>  
152
153   <!-- Files to monitor (localfiles) -->
154
155   <localfile>
156     <log_format>syslog</log_format>
157     <location>/var/log/messages</location>
158   </localfile>
159
160   <localfile>
161     <log_format>syslog</log_format>
162     <location>/var/log/authlog</location>
163   </localfile>
164
165   <localfile>
166     <log_format>syslog</log_format>
167     <location>/var/log/secure</location>
168   </localfile>
169
170   <localfile>
171     <log_format>syslog</log_format>
172     <location>/var/log/xferlog</location>
173   </localfile>
174
175   <localfile>
176     <log_format>syslog</log_format>
177     <location>/var/log/maillog</location>
178   </localfile>
179
180   <localfile>
181     <log_format>apache</log_format>
182     <location>/var/www/logs/access_log</location>
183   </localfile>
184
185   <localfile>
186     <log_format>apache</log_format>
187     <location>/var/www/logs/error_log</location>
188   </localfile>
189 </ossec_config>
ossec-hids