7 # Written by: Charlie Heselton (gentuxx@gmail.com)
11 # Description: OSSEC-HIDS uses XML for its configuration
12 # and rules files. This script allows a user to use a
13 # more traditional "key = value" format and convert it
14 # to the XML required by OSSEC.
22 getopts('f:', \%opts);
26 # open the "traditional" file and parse the contents. NOTE: this is the two-argument form of open, so the -f value is parsed as a mode/filename spec rather than a literal path — an argument such as ">foo", "|cmd" or "cmd |" becomes a write target or a pipe. The three-argument form, open(my $fh, '<', $opts{'f'}), reads the path literally.
27 open CONF, $opts{'f'} or die "Couldn't open input config file ($opts{'f'}): $! \n";
30 # skip commented or blank lines
34 # strip out any double quotes
36 # strip out spaces or tabs
39 #print STDERR "DEBUG: \$\_ ===> $_\n";
40 if (/^\s*(\S+)\s*\=\s*\"?([^=]+)\"?/) {
41 $key = $1; $value = $2;
43 die "Config error! Found an extra equals sign (=) in line $current_line\. Input file not converted!\n";
45 # The keys matched below may legitimately appear more than once, so their values are collected
46 # into an array ref via push; assigning a plain scalar first would make the later array dereference fail.
47 # Every other key must appear exactly once or a config error is raised. NOTE: the match is an unanchored substring test, so a key such as "monitor_files" would also be treated as repeatable.
48 if ($key =~ /monitor_file|rules_include|active_response_command/) {
49 push @{$config{$key}}, $value;
51 if (exists($config{$key})) { die "$key has already been specified in the config file and can only be used once. Input file not converted!\n"; }
52 $config{$key} = $value;
57 die "No input file specified.\n";
61 # strip out any double-quotes
62 # this is handled for all the rest of the key/value pairs when the input file is initially parsed
63 foreach my $key ( qw/ active_response_command / ) { foreach ( @{$config{$key}} ) { s!\"!!g; } }
64 # separate the "complex" options into arrays
65 my @whitelisted = split(/\,/, $config{'whitelist_ips'});
66 my @ignored = split(/\,/, $config{'ignore'});
68 # Write the xml file. Easiest way is just to be deliberate. Not the most elegant solution, but it should work. NOTE: config values are interpolated into the XML verbatim — nothing escapes "&", "<" or ">" — so a value containing those characters yields malformed XML or injects extra markup into the generated ossec.conf.
71 <!-- OSSEC example config -->
75 <email_notification>$config{'email_notify'}</email_notification>
76 <email_to>$config{'email_addr'}</email_to>
77 <smtp_server>$config{'smtp_server'}</smtp_server>
78 <email_from>$config{'email_from'}</email_from>
81 foreach my $wip ( sort( @whitelisted ) ) {
82 print " <white_list>$wip</white_list>\n";
85 print " </global>\n\n";
88 foreach my $rulesfile ( sort( @{$config{'rules_include'}} ) ) {
89 print " <include>$rulesfile</include>\n";
96 <!-- Frequency that syscheck is executed -- default every 2 hours -->
97 <frequency>$config{'frequency'}</frequency>
99 <!-- Directories to check (perform all possible verifications) -->
100 <directories check_all="yes">$config{'directories_check_all'}</directories>
102 <!-- Files/directories to ignore -->
105 foreach my $ignored ( @ignored ) {
106 print " <ignore>$ignored</ignore>\n";
113 <rootkit_files>$config{'rootkit_files_db'}</rootkit_files>
114 <rootkit_trojans>$config{'rootkit_trojans_db'}</rootkit_trojans>
119 if ( exists($config{'remote'}) ) {
121 if ((exists($config{'connection_type'})) && ($config{'connection_type'} eq 'secure')) {
122 print " <connection>$config{'connection_type'}</connection>\n";
124 print " </remote>\n";
130 <log_alert_level>$config{'log_alert_level'}</log_alert_level>
131 <email_alert_level>$config{'email_alert_level'}</email_alert_level>
136 if ( exists($config{'active_response'}) ) { # should always be true
137 if ($config{'active_response'} eq 'disabled') {
138 print " <active-response>\n <disabled>yes</disabled>\n </active-response>\n\n";
140 # Could use some comments/insight here, since I don't use the active response features. NOTE: the hash key on the next line is spelled 'active-response-command' (hyphens), but the parser above stores repeated commands under 'active_response_command' (underscores), so this loop dereferences a key that was never set and does not see the parsed commands.
141 foreach my $cmd ( sort(@{$config{'active-response-command'}}) ) {
142 my ( $name, $exe, $expect, $timeout ) = split(/\,/, $cmd);
146 <executable>$exe</executable>
147 <expect>$expect</expect>
148 <timeout_allowed>$timeout</timeout_allowed>
156 <!-- Active Response Config -->
158 <!-- This response is going to execute the host-deny
159 - command for every event that fires a rule with
160 - level (severity) >= 6.
161 - The IP is going to be blocked for 600 seconds.
163 <command>host-deny</command>
164 <location>local</location>
166 <timeout>600</timeout>
170 <!-- Firewall Drop response. Block the IP for
171 - 600 seconds on the firewall (iptables,
174 <command>firewall-drop</command>
175 <location>local</location>
177 <timeout>600</timeout>
180 <!-- Files to monitor (localfiles) -->
186 foreach my $file ( sort( @{$config{'monitor_file'}} ) ) {
187 my ($fileloc, $fformat) = split(/\,/, $file);
188 print " <localfile>\n";
189 print " <log_format>$fformat</log_format>\n";
190 print " <location>$fileloc</location>\n";
191 print " </localfile>\n";
194 print "</ossec_config>\n";