etc/ossec.conf

   1 <!-- OSSEC example config -->
   2
   3 <ossec_config>
   4   <global>
   5     <email_notification>yes</email_notification>
   6     <email_to>daniel.cid@xxx.com</email_to>
   7     <smtp_server>smtp.xxx.com.</smtp_server>
   8     <email_from>ossecm@ossec.xxx.com.</email_from>
   9     <picviz_output>no</picviz_output>
  10   </global>
  11
  12   <rules>
  13     <include>rules_config.xml</include>
  14     <include>sshd_rules.xml</include>
  15     <include>syslog_rules.xml</include>
  16     <include>pix_rules.xml</include>
  17     <include>named_rules.xml</include>
  18     <include>pure-ftpd_rules.xml</include>
  19     <include>proftpd_rules.xml</include>
  20     <include>web_rules.xml</include>
  21     <include>apache_rules.xml</include>
  22     <include>ids_rules.xml</include>
  23     <include>squid_rules.xml</include>
  24     <include>firewall_rules.xml</include>
  25     <include>postfix_rules.xml</include>
  26     <include>sendmail_rules.xml</include>
  27     <include>spamd_rules.xml</include>
  28     <include>msauth_rules.xml</include>
  29     <include>attack_rules.xml</include>
  30   </rules>
  31
  32   <syscheck>
  33     <!-- Frequency that syscheck is executed -- default every 2 hours -->
  34     <frequency>7200</frequency>
  35
  36     <!-- Directories to check  (perform all possible verifications) -->
  37     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  38     <directories check_all="yes">/bin,/sbin</directories>
  39
  40     <!-- Files/directories to ignore -->
  41     <ignore>/etc/mtab</ignore>
  42     <ignore>/etc/hosts.deny</ignore>
  43     <ignore>/etc/mail/statistics</ignore>
  44     <ignore>/etc/random-seed</ignore>
  45     <ignore>/etc/adjtime</ignore>
  46     <ignore>/etc/httpd/logs</ignore>
  47   </syscheck>
  48
  49   <rootcheck>
  50     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  51     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  52   </rootcheck>
  53
  54   <global>
  55     <white_list>127.0.0.1</white_list>
  56     <white_list>192.168.2.1</white_list>
  57     <white_list>192.168.2.190</white_list>
  58     <white_list>192.168.2.32</white_list>
  59     <white_list>192.168.2.10</white_list>
  60   </global>
  61
  62   <remote>
  63     <connection>secure</connection>
  64   </remote>
  65
  66   <alerts>
  67     <log_alert_level>1</log_alert_level>
  68     <email_alert_level>7</email_alert_level>
  69   </alerts>
  70
  71   <command>
  72     <name>host-deny</name>
  73     <executable>host-deny.sh</executable>
  74     <expect>srcip</expect>
  75     <timeout_allowed>yes</timeout_allowed>
  76   </command>
  77
  78   <command>
  79     <name>firewall-drop</name>
  80     <executable>firewall-drop.sh</executable>
  81     <expect>srcip</expect>
  82     <timeout_allowed>yes</timeout_allowed>
  83   </command>
  84
  85   <command>
  86     <name>disable-account</name>
  87     <executable>disable-account.sh</executable>
  88     <expect>user</expect>
  89     <timeout_allowed>yes</timeout_allowed>
  90   </command>
  91
  92
  93   <!-- Active Response Config -->
  94   <active-response>
  95     <!-- This response is going to execute the host-deny
  96        - command for every event that fires a rule with
  97        - level (severity) >= 6.
  98        - The IP is going to be blocked for  600 seconds.
  99       -->
 100     <command>host-deny</command>
 101     <location>local</location>
 102     <level>6</level>
 103     <timeout>600</timeout>
 104   </active-response>
 105
 106   <active-response>
 107     <!-- Firewall Drop response. Block the IP for
 108        - 600 seconds on the firewall (iptables,
 109        - ipfilter, etc).
 110       -->
 111     <command>firewall-drop</command>
 112     <location>local</location>
 113     <level>6</level>
 114     <timeout>600</timeout>
 115   </active-response>
 116
 117   <!-- Files to monitor (localfiles) -->
 118
 119   <localfile>
 120     <log_format>syslog</log_format>
 121     <location>/var/log/messages</location>
 122   </localfile>
 123
 124   <localfile>
 125     <log_format>syslog</log_format>
 126     <location>/var/log/authlog</location>
 127   </localfile>
 128
 129   <localfile>
 130     <log_format>syslog</log_format>
 131     <location>/var/log/secure</location>
 132   </localfile>
 133
 134   <localfile>
 135     <log_format>syslog</log_format>
 136     <location>/var/log/xferlog</location>
 137   </localfile>
 138
 139   <localfile>
 140     <log_format>syslog</log_format>
 141     <location>/var/log/maillog</location>
 142   </localfile>
 143
 144   <localfile>
 145     <log_format>apache</log_format>
 146     <location>/var/www/logs/access_log</location>
 147   </localfile>
 148
 149   <localfile>
 150     <log_format>apache</log_format>
 151     <location>/var/www/logs/error_log</location>
 152   </localfile>
 153 </ossec_config>