etc/ossec.conf

   1 <!-- OSSEC example config -->
   2
   3 <ossec_config>
   4   <global>
   5     <email_notification>yes</email_notification>
   6     <email_to>daniel.cid@example.com</email_to>
   7     <smtp_server>localhost</smtp_server>
   8     <email_from>ossecm@ossec.example.com.</email_from>
   9     <!-- <email_reply_to>replyto@ossec.example.com.</email_reply_to> -->
  10   </global>
  11
  12   <rules>
  13     <include>rules_config.xml</include>
  14     <include>sshd_rules.xml</include>
  15     <include>syslog_rules.xml</include>
  16     <include>pix_rules.xml</include>
  17     <include>named_rules.xml</include>
  18     <include>pure-ftpd_rules.xml</include>
  19     <include>proftpd_rules.xml</include>
  20     <include>web_rules.xml</include>
  21     <include>web_appsec_rules.xml</include>
  22     <include>apache_rules.xml</include>
  23     <include>ids_rules.xml</include>
  24     <include>squid_rules.xml</include>
  25     <include>firewall_rules.xml</include>
  26     <include>postfix_rules.xml</include>
  27     <include>sendmail_rules.xml</include>
  28     <include>spamd_rules.xml</include>
  29     <include>msauth_rules.xml</include>
  30     <include>attack_rules.xml</include>
  31     <include>dropbear_rules.xml</include>
  32     <include>sysmon_rules.xml</include>
  33     <include>opensmtpd_rules.xml</include>
  34     <include>openbsd-dhcpd_rules.xml</include>
  35     <include>nsd_rules.xml</include>
  36   </rules>
  37
  38   <syscheck>
  39     <!-- Frequency that syscheck is executed -- default every 2 hours -->
  40     <frequency>7200</frequency>
  41
  42     <!-- Directories to check  (perform all possible verifications) -->
  43     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  44     <directories check_all="yes">/bin,/sbin,/boot</directories>
  45
  46     <!-- Files/directories to ignore -->
  47     <ignore>/etc/mtab</ignore>
  48     <ignore>/etc/hosts.deny</ignore>
  49     <ignore>/etc/mail/statistics</ignore>
  50     <ignore>/etc/random-seed</ignore>
  51     <ignore>/etc/random.seed</ignore>
  52     <ignore>/etc/adjtime</ignore>
  53     <ignore>/etc/httpd/logs</ignore>
  54
  55     <!-- Check the file, but never compute the diff -->
  56     <nodiff>/etc/ssl/private.key</nodiff>
  57   </syscheck>
  58
  59   <rootcheck>
  60     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  61     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  62   </rootcheck>
  63
  64   <global>
  65     <white_list>127.0.0.1</white_list>
  66     <white_list>::1</white_list>
  67     <white_list>192.168.2.1</white_list>
  68     <white_list>192.168.2.190</white_list>
  69     <white_list>192.168.2.32</white_list>
  70     <white_list>192.168.2.10</white_list>
  71   </global>
  72
  73   <remote>
  74     <connection>secure</connection>
  75   </remote>
  76
  77   <alerts>
  78     <log_alert_level>1</log_alert_level>
  79     <email_alert_level>7</email_alert_level>
  80   </alerts>
  81
  82   <command>
  83     <name>host-deny</name>
  84     <executable>host-deny.sh</executable>
  85     <expect>srcip</expect>
  86     <timeout_allowed>yes</timeout_allowed>
  87   </command>
  88
  89   <command>
  90     <name>firewall-drop</name>
  91     <executable>firewall-drop.sh</executable>
  92     <expect>srcip</expect>
  93     <timeout_allowed>yes</timeout_allowed>
  94   </command>
  95
  96   <command>
  97     <name>disable-account</name>
  98     <executable>disable-account.sh</executable>
  99     <expect>user</expect>
 100     <timeout_allowed>yes</timeout_allowed>
 101   </command>
 102
 103
 104   <!-- Active Response Config -->
 105   <active-response>
 106     <!-- This response is going to execute the host-deny
 107        - command for every event that fires a rule with
 108        - level (severity) >= 6.
 109        - The IP is going to be blocked for  600 seconds.
 110       -->
 111     <command>host-deny</command>
 112     <location>local</location>
 113     <level>6</level>
 114     <timeout>600</timeout>
 115   </active-response>
 116
 117   <active-response>
 118     <!-- Firewall Drop response. Block the IP for
 119        - 600 seconds on the firewall (iptables,
 120        - ipfilter, etc).
 121       -->
 122     <command>firewall-drop</command>
 123     <location>local</location>
 124     <level>6</level>
 125     <timeout>600</timeout>
 126   </active-response>
 127
 128   <!-- Files to monitor (localfiles) -->
 129
 130   <localfile>
 131     <log_format>syslog</log_format>
 132     <location>/var/log/messages</location>
 133   </localfile>
 134
 135   <localfile>
 136     <log_format>syslog</log_format>
 137     <location>/var/log/authlog</location>
 138   </localfile>
 139
 140   <localfile>
 141     <log_format>syslog</log_format>
 142     <location>/var/log/secure</location>
 143   </localfile>
 144
 145   <localfile>
 146     <log_format>syslog</log_format>
 147     <location>/var/log/xferlog</location>
 148   </localfile>
 149
 150   <localfile>
 151     <log_format>syslog</log_format>
 152     <location>/var/log/maillog</location>
 153   </localfile>
 154
 155   <localfile>
 156     <log_format>apache</log_format>
 157     <location>/var/www/logs/access_log</location>
 158   </localfile>
 159
 160   <localfile>
 161     <log_format>apache</log_format>
 162     <location>/var/www/logs/error_log</location>
 163   </localfile>
 164 </ossec_config>