etc/ossec.conf

   1 <!-- OSSEC example config -->
   2
   3 <ossec_config>
   4   <global>
   5     <email_notification>yes</email_notification>
   6     <email_to>daniel.cid@xxx.com</email_to>
   7     <smtp_server>smtp.xxx.com.</smtp_server>
   8     <email_from>ossecm@ossec.xxx.com.</email_from>
   9     <picviz_output>no</picviz_output>
  10   </global>
  11
  12   <rules>
  13     <include>rules_config.xml</include>
  14     <include>sshd_rules.xml</include>
  15     <include>syslog_rules.xml</include>
  16     <include>pix_rules.xml</include>
  17     <include>named_rules.xml</include>
  18     <include>pure-ftpd_rules.xml</include>
  19     <include>proftpd_rules.xml</include>
  20     <include>web_rules.xml</include>
  21     <include>web_appsec_rules.xml</include>
  22     <include>apache_rules.xml</include>
  23     <include>ids_rules.xml</include>
  24     <include>squid_rules.xml</include>
  25     <include>firewall_rules.xml</include>
  26     <include>postfix_rules.xml</include>
  27     <include>sendmail_rules.xml</include>
  28     <include>spamd_rules.xml</include>
  29     <include>msauth_rules.xml</include>
  30     <include>attack_rules.xml</include>
  31   </rules>
  32
  33   <syscheck>
  34     <!-- Frequency that syscheck is executed -- default every 2 hours -->
  35     <frequency>7200</frequency>
  36
  37     <!-- Directories to check  (perform all possible verifications) -->
  38     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  39     <directories check_all="yes">/bin,/sbin</directories>
  40
  41     <!-- Files/directories to ignore -->
  42     <ignore>/etc/mtab</ignore>
  43     <ignore>/etc/hosts.deny</ignore>
  44     <ignore>/etc/mail/statistics</ignore>
  45     <ignore>/etc/random-seed</ignore>
  46     <ignore>/etc/adjtime</ignore>
  47     <ignore>/etc/httpd/logs</ignore>
  48   </syscheck>
  49
  50   <rootcheck>
  51     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  52     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  53   </rootcheck>
  54
  55   <global>
  56     <white_list>127.0.0.1</white_list>
  57     <white_list>192.168.2.1</white_list>
  58     <white_list>192.168.2.190</white_list>
  59     <white_list>192.168.2.32</white_list>
  60     <white_list>192.168.2.10</white_list>
  61   </global>
  62
  63   <remote>
  64     <connection>secure</connection>
  65   </remote>
  66
  67   <alerts>
  68     <log_alert_level>1</log_alert_level>
  69     <email_alert_level>7</email_alert_level>
  70   </alerts>
  71
  72   <command>
  73     <name>host-deny</name>
  74     <executable>host-deny.sh</executable>
  75     <expect>srcip</expect>
  76     <timeout_allowed>yes</timeout_allowed>
  77   </command>
  78
  79   <command>
  80     <name>firewall-drop</name>
  81     <executable>firewall-drop.sh</executable>
  82     <expect>srcip</expect>
  83     <timeout_allowed>yes</timeout_allowed>
  84   </command>
  85
  86   <command>
  87     <name>disable-account</name>
  88     <executable>disable-account.sh</executable>
  89     <expect>user</expect>
  90     <timeout_allowed>yes</timeout_allowed>
  91   </command>
  92
  93
  94   <!-- Active Response Config -->
  95   <active-response>
  96     <!-- This response is going to execute the host-deny
  97        - command for every event that fires a rule with
  98        - level (severity) >= 6.
  99        - The IP is going to be blocked for  600 seconds.
 100       -->
 101     <command>host-deny</command>
 102     <location>local</location>
 103     <level>6</level>
 104     <timeout>600</timeout>
 105   </active-response>
 106
 107   <active-response>
 108     <!-- Firewall Drop response. Block the IP for
 109        - 600 seconds on the firewall (iptables,
 110        - ipfilter, etc).
 111       -->
 112     <command>firewall-drop</command>
 113     <location>local</location>
 114     <level>6</level>
 115     <timeout>600</timeout>
 116   </active-response>
 117
 118   <!-- Files to monitor (localfiles) -->
 119
 120   <localfile>
 121     <log_format>syslog</log_format>
 122     <location>/var/log/messages</location>
 123   </localfile>
 124
 125   <localfile>
 126     <log_format>syslog</log_format>
 127     <location>/var/log/authlog</location>
 128   </localfile>
 129
 130   <localfile>
 131     <log_format>syslog</log_format>
 132     <location>/var/log/secure</location>
 133   </localfile>
 134
 135   <localfile>
 136     <log_format>syslog</log_format>
 137     <location>/var/log/xferlog</location>
 138   </localfile>
 139
 140   <localfile>
 141     <log_format>syslog</log_format>
 142     <location>/var/log/maillog</location>
 143   </localfile>
 144
 145   <localfile>
 146     <log_format>apache</log_format>
 147     <location>/var/www/logs/access_log</location>
 148   </localfile>
 149
 150   <localfile>
 151     <log_format>apache</log_format>
 152     <location>/var/www/logs/error_log</location>
 153   </localfile>
 154 </ossec_config>