General configuration options
The OSSEC HIDS configuration is mostly done inside the ossec.conf file (by default at /var/ossec/etc/ossec.conf).
This file must always start with the root element ossec_config, followed by one or more of the following configuration sections:
- global – default options used everywhere in the system.
- email_alerts – granular e-mail alerting options.
- rules – list of rules files to be included.
- syscheck – configuration related to the syscheck – integrity check.
- rootcheck – configuration related to the rootcheck – rootkit detection.
- alerts – e-mail and log alerting options.
- localfile – options related to the log files to be monitored.
- remote – configuration related to remote connections.
- client – agent related options.
- database_output – Database output options.
- command – active-response configuration.
Some of these options should only be used by the “agent” installation and some should only
be used on the “server” or “local” installations. The list below shows each installation type and its options:
- server: global, email_alerts, rules, syscheck, rootcheck, alerts, localfile, remote, command and active-response.
- local: global, email_alerts, rules, syscheck, rootcheck, alerts, localfile, command and active-response.
- agent: client, syscheck, rootcheck and localfile.
Global options (“server” and “local” installations):
Inside the “global” element, you can have the following options (example at global_example):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| email_notification | no | yes or no | Enable or disable e-mail alerting. |
| email_to | none | Any valid e-mail address | E-mail recipient of the alerts. |
| email_from | none | Any valid e-mail address | E-mail “source” of the alerts. |
| smtp_server | none | Any valid hostname or IP address | SMTP server. |
| email_maxperhour | 12 | Any number from 1 to 9999 | Specifies the maximum number of e-mails to be sent per hour. It will store the extra ones and send them together if this number is reached. |
| stats | 8 | Any level (from 0 to 16) | Alerting level for the events generated by the statistical analysis. |
| logall | no | yes or no | States if we should store all the events received. |
| memory_size | 1024 | Any size (from 16 to 5096) | Sets the memory size for the event correlation. |
| white_list | none | Any IP address or network | List of IP addresses that should never be blocked by the active response (one per element). |
| host_information | 8 | Any level (from 0 to 16) | Alerting level for the events generated by the host change monitor. |
| prelude_output | no | yes or no | Enables or disables prelude output. |
Granular E-mail alerting options (“server” and “local” installations):
Inside the “email_alerts” element, you can have the following options (multiple examples at the wiki entry for Granular Emails):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| email_to | none | Any valid e-mail address | E-mail recipient of the alerts. |
| level | none | Any level (severity) | Minimum alerting level to forward the e-mails. |
| group | none | Any group (category) | The alert must match this group to be forwarded. |
| event_location | none | Any agent name, ip address or log file | The alert must match this event location to be forwarded. |
| format | full | Full or SMS | Specifies the format of the e-mail (full for normal e-mails or sms for reduced). |
| do_not_delay | not set | Set or not set | Option to send the e-mail right away (no delay). |
| do_not_group | not set | Set or not set | Option not to group this e-mail with others (send it by itself). |
Rules options (“server” and “local” installations):
Inside the “rules” element, you can have the following options (example at rules_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| include | syslog_rules.xml | Any filename with rules in the XML format | Add rules files to be read by the analysis server. They must be inside ‘/var/ossec/rules’ and be one entry per element. |
Rootcheck options (“server”, “local” and “agent” installations):
More information about rootcheck here.
Inside the “rootcheck” element, you can have the following options (example at rootcheck_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| rootkit_files | /etc/shared/rootkit_files.txt | A file with the rootkit files signatures | You should change this file if you want rootcheck to read the signatures from somewhere else. |
| rootkit_trojans | /etc/shared/rootkit_trojans.txt | A file with the trojans signatures | You should change this file if you want rootcheck to read the signatures from somewhere else. |
| scanall | no | yes or no | Tells rootcheck to scan the whole system (may lead to some false positives). |
| frequency | 36000 (10 hours) | Time (in seconds) | Interval (in seconds) between rootcheck executions. |
| disabled | no | yes or no | Disables the execution of rootcheck. |
Alerts options (“server” and “local” installations):
Inside the “alerts” element, you can have the following options (example at alerts_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| email_alert_level | 7 | Any level (from 1 to 16) | Minimum alert level to send e-mail notifications. |
| log_alert_level | 1 | Any level (from 1 to 16) | Minimum alert level to store the log messages. |
Remote options (“server” installation only):
Inside the “remote” element, you can have the following options (example at remote_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| connection | secure | syslog or secure | Specify the type of connection being enabled: secure or using syslog. |
| port | 1514 for secure or 514 for syslog | Any port number (from 1 to 65535) | Specifies the port to listen for events. |
| allowed-ips | none | Any IP address or network | List of IP addresses that are allowed to send syslog messages to the server (one per element). |
| denied-ips | none | Any IP address or network | List of IP addresses that are not allowed to send syslog messages to the server (one per element). |
| local_ip | none | Any internal IP address | Local IP address to listen for connections. |
Client options (“agent” installation only):
Inside the “client” element, you can have the following options (example at client_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| server-ip | none | Any valid IP address | Specify the IP address of the analysis server. |
| server-hostname | none | Any valid hostname | Specify the hostname of the analysis server. |
| port | 1514 | Any port number (from 1 to 65535) | Specifies the port to send the events to (must be the same as the one used by the analysis server). |
Database Output options (server/local installations only):
Inside the “database_output” element, you can have the following options (example at database_example.xml):
| Option | Default value | Allowed values | Description |
|---|---|---|---|
| hostname | none | Any valid IP address | IP address of the database server. |
| username | none | Any valid username | Username to access the database. |
| password | none | Any password | Password to access the database. |
| database | none | Database name | Database name to store the alerts. |
| type | none | mysql or postgresql | Type of the database (Mysql or PostgreSQL). |
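The installation-type list and the option tables above are constraints a configuration must satisfy before ossec.conf is loaded. The following script is an added example, not part of the OSSEC manual or code base: it parses a constructed ossec.conf fragment with the standard library and checks it against those constraints (root element, sections allowed per installation type, numeric ranges and yes/no or enumerated values from the tables, and the e-mail settings that email_notification depends on). The sample addresses and hostnames are placeholders; the ranges and allowed values are copied from the tables, and any option not listed there is left unchecked.

```python
"""Lint an ossec.conf fragment against the option tables in this section (added example)."""
import xml.etree.ElementTree as ET

# Sections each installation type may carry (from the list above).
SECTIONS_BY_INSTALL = {
    "server": {"global", "email_alerts", "rules", "syscheck", "rootcheck", "alerts",
               "localfile", "remote", "command", "active-response"},
    "local": {"global", "email_alerts", "rules", "syscheck", "rootcheck", "alerts",
              "localfile", "command", "active-response"},
    "agent": {"client", "syscheck", "rootcheck", "localfile"},
}

# Numeric ranges from the tables: (section, option) -> (min, max).
RANGES = {
    ("global", "email_maxperhour"): (1, 9999),
    ("global", "stats"): (0, 16),
    ("global", "memory_size"): (16, 5096),
    ("global", "host_information"): (0, 16),
    ("alerts", "email_alert_level"): (1, 16),
    ("alerts", "log_alert_level"): (1, 16),
    ("remote", "port"): (1, 65535),
    ("client", "port"): (1, 65535),
}

# Enumerated values from the tables (compared case-insensitively).
ENUMS = {
    ("global", "email_notification"): {"yes", "no"},
    ("global", "logall"): {"yes", "no"},
    ("global", "prelude_output"): {"yes", "no"},
    ("rootcheck", "scanall"): {"yes", "no"},
    ("rootcheck", "disabled"): {"yes", "no"},
    ("remote", "connection"): {"syslog", "secure"},
    ("email_alerts", "format"): {"full", "sms"},
    ("database_output", "type"): {"mysql", "postgresql"},
}


def lint(xml_text, install):
    """Return a list of human-readable problems found in xml_text for one installation type."""
    root = ET.fromstring(xml_text)
    if root.tag != "ossec_config":
        return [f"root element is <{root.tag}>, expected <ossec_config>"]
    problems = []
    allowed = SECTIONS_BY_INSTALL[install]
    for section in root:
        if section.tag not in allowed:
            problems.append(f"<{section.tag}> is not valid on a {install} installation")
            continue
        for opt in section:
            key = (section.tag, opt.tag)
            value = (opt.text or "").strip()
            if key in RANGES:
                lo, hi = RANGES[key]
                if not value.isdigit() or not lo <= int(value) <= hi:
                    problems.append(f"<{section.tag}><{opt.tag}> = {value!r}, expected {lo}..{hi}")
            elif key in ENUMS and value.lower() not in ENUMS[key]:
                problems.append(f"<{section.tag}><{opt.tag}> = {value!r}, "
                                f"expected one of {sorted(ENUMS[key])}")
    # Cross-option check: e-mail alerting is useless without recipient, sender and SMTP server.
    glob = root.find("global")
    if glob is not None and (glob.findtext("email_notification") or "no").strip() == "yes":
        for needed in ("email_to", "email_from", "smtp_server"):
            if not (glob.findtext(needed) or "").strip():
                problems.append(f"email_notification is yes but <global><{needed}> is missing")
    return problems


# Constructed server configuration; addresses and hostnames are placeholders.
SERVER_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>secops@example.com</email_to>
    <email_from>ossec@example.com</email_from>
    <smtp_server>smtp.example.com</smtp_server>
    <email_maxperhour>12</email_maxperhour>
    <white_list>192.0.2.10</white_list>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>"""

# Constructed configuration that violates several table constraints at once.
BROKEN_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_maxperhour>0</email_maxperhour>
  </global>
  <alerts><email_alert_level>20</email_alert_level></alerts>
  <remote><connection>tcp</connection><port>514</port></remote>
</ossec_config>"""

if __name__ == "__main__":
    for label, conf, install in (("good", SERVER_CONF, "server"),
                                 ("on an agent", SERVER_CONF, "agent"),
                                 ("broken", BROKEN_CONF, "server")):
        print(f"{label}: {lint(conf, install) or 'no problems'}")
```

Running the same server fragment as an agent configuration reports the global, alerts and remote sections as invalid for that installation type, which is the check worth automating when one template is pushed to mixed hosts.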
4 – Log analysis, intrusion detection and correlation rules
The analysis rules are written in an XML file, in which you specify what to do with each event received.
| Option | Allowed values | Description |
|---|---|---|
| level | Any number (0 to 16) | Attribute. Specifies the level of the rule. Alerts and responses use this value. |
| id | Any number (100 to 99999) | Attribute. Specifies the ID of the rule. |
| accuracy | 0 or 1 | Attribute. Specifies if the rule is accurate or not (0 is not, 1 is yes). |
| maxsize | Any number (1 to 99999) | Attribute. Specifies the maximum size of the event. |
| frequency | Any number (1 to 999) | Attribute. Specifies the number of times the rule must have matched before firing it. |
| timeframe | Any number (1 to 9999) | Attribute. The timeframe used for the frequency. |
| ignore | Any number (1 to 9999) | Attribute. The time to ignore this rule after firing it (to avoid floods). |
| match | Any Pattern | Any string to match against the event (log). |
| regex | Any regex | Any regex to match against the event (log). |
| decoded_as | Any string | Any pre-matched string (see decoders). |
| category | Any category | The decoded category to match (ids, syslog, firewall, web-log, squid or windows). |
| srcip | Any srcip | Any IP address (decoded as the source ip). Use “!” to negate it. |
| dstip | Any dstip | Any IP address (decoded as the dst ip). Use “!” to negate it. |
| srcport | Any srcport | Any Source port (match format). |
| dstport | Any dstport | Any Destination port (match format). |
| user | Any username | Any username (decoded as the username). |
| program_name | Any program_name | Program name is decoded from syslog process name. |
| hostname | Any hostname | Any hostname (decoded as the syslog hostname). |
| time | Any time range (hh:mm-hh:mm) | Time that the event was generated. |
| weekday | Any week day (sunday, monday, weekends, etc) | Week day that the event was generated. |
| id | Any ID | Any ID (decoded as the ID). |
| url | Any url | Any URL (decoded as the URL). |
| if_sid | Any rule id | Matches if the ID has matched. |
| if_group | Any group | Matches if the group has matched before. |
| if_level | Any level | Matches if the level has matched before. |
| if_matched_sid | Any rule id | Matches if the ID has matched. |
| if_matched_group | Any group | Matches if the group has matched before. |
| if_matched_level | Any level | Matches if the level has matched before. |
| same_source_ip | none | Used together with frequency. Specifies that the source ip must be the same. |
| same_source_port | none | Used together with frequency. Specifies that the source port must be the same. |
| same_location | none | Used together with frequency. Specifies that the location must be the same. |
| description | Any string | Rule description. |
| info | Any string | Extra information about the rule. |
| cve | Any cve | CVE related to the rule. |
| options | alert_by_email, no_email_alert, no_log | Additional rule options (to suppress e-mail alerting or logging). |
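The attributes and elements in the table compose into correlation rules: a base rule matches single events, and a second rule with if_matched_sid, frequency, timeframe and same_source_ip fires once the base rule has matched often enough from one source within the window. The script below is an added illustration, not OSSEC's own engine: it loads a constructed rule set that uses only elements from the table and evaluates it over constructed, already-decoded events. It simplifies OSSEC's behaviour in two labelled ways: events arrive pre-decoded as dicts instead of going through decoders, and match is a plain substring test rather than OSSEC's pattern syntax.

```python
"""Evaluate a small OSSEC-style rule set over decoded events (added example, simplified)."""
import xml.etree.ElementTree as ET
from collections import deque

# Constructed rule set using only elements documented in the table above.
RULES_XML = """<group name="example,">
  <rule id="100100" level="5">
    <match>Failed password</match>
    <description>Failed login attempt.</description>
  </rule>
  <rule id="100101" level="10" frequency="4" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed logins from the same source.</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse <rule> elements into dicts; missing frequency/timeframe mean a simple rule."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "frequency": int(r.get("frequency", 0)),
            "timeframe": int(r.get("timeframe", 0)),
            "match": r.findtext("match"),               # substring test here, not OSSEC syntax
            "if_matched_sid": r.findtext("if_matched_sid"),
            "same_source_ip": r.find("same_source_ip") is not None,
            "description": r.findtext("description", ""),
        })
    return rules


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        # For each composite rule: (timestamp, srcip) of recent matches of its parent rule.
        self.history = {r["id"]: deque() for r in rules if r["frequency"]}

    def evaluate(self, event):
        """Return [(rule id, level), ...] fired by one decoded event."""
        fired = []
        # Pass 1: simple rules match the event itself.
        for rule in self.rules:
            if rule["frequency"]:
                continue
            if rule["match"] and rule["match"] not in event["log"]:
                continue
            fired.append(rule)
        # Pass 2: composite rules count how often their parent fired inside the timeframe.
        for rule in self.rules:
            if not rule["frequency"]:
                continue
            parent = int(rule["if_matched_sid"])
            if not any(f["id"] == parent for f in fired):
                continue
            hist = self.history[rule["id"]]
            hist.append((event["ts"], event["srcip"]))
            while hist and event["ts"] - hist[0][0] > rule["timeframe"]:
                hist.popleft()                       # expire entries outside the window
            count = sum(1 for _, ip in hist
                        if not rule["same_source_ip"] or ip == event["srcip"])
            if count >= rule["frequency"]:
                fired.append(rule)
                hist.clear()                         # start a new window after firing
        return [(r["id"], r["level"]) for r in fired]


# Constructed decoded events: four failures from one address inside 120 seconds,
# one from another address, then a successful login that matches nothing.
EVENTS = [
    {"ts": 0,  "srcip": "198.51.100.7", "log": "sshd[1]: Failed password for root from 198.51.100.7"},
    {"ts": 20, "srcip": "198.51.100.7", "log": "sshd[2]: Failed password for root from 198.51.100.7"},
    {"ts": 40, "srcip": "203.0.113.9",  "log": "sshd[3]: Failed password for admin from 203.0.113.9"},
    {"ts": 60, "srcip": "198.51.100.7", "log": "sshd[4]: Failed password for root from 198.51.100.7"},
    {"ts": 80, "srcip": "198.51.100.7", "log": "sshd[5]: Failed password for root from 198.51.100.7"},
    {"ts": 90, "srcip": "198.51.100.7", "log": "sshd[6]: Accepted publickey for ops from 198.51.100.7"},
]


def run(events, rules_xml=RULES_XML):
    """Feed events through a fresh correlator and return the alerts fired per event."""
    correlator = Correlator(load_rules(rules_xml))
    return [correlator.evaluate(e) for e in events]


if __name__ == "__main__":
    for event, alerts in zip(EVENTS, run(EVENTS)):
        print(event["ts"], event["srcip"], alerts)
```

Only the fifth event, the fourth failure from 198.51.100.7 within the 120-second window, raises rule 100101 at level 10; the failure from 203.0.113.9 counts towards its own source only because same_source_ip is set.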