
[ossec-dev] "Time Honored" Config and Converter



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thought I would run this by you guys before sending it out to the user
list, and/or putting anything in the wiki.

One recent user mentioned using XML for the config file versus the "time
honored tradition" of "key=value".  So I wrote a "traditional"
ossec.conf and a simple Perl converter.  I would especially like some
comments on how to handle the active-response section, since I don't have
it enabled on my systems.  For now, the converter just emits the
active-response example Daniel ships in the source.

TIA

- -Charlie
- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE65CjTPA54hjTSp4RAlWtAJ0TYCRGpnlEB6a/URRCxCf8qvVPOwCfUcrE
n6b6S087FevOKQ4lzigqR0I=
=ap5A
-----END PGP SIGNATURE-----
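#!/usr/bin/perl -w
#
# Convert a "traditional" key=value OSSEC configuration into ossec.conf XML
# on standard output.
#
# Usage:  convert.pl -f traditional.conf > ossec.conf
#
# Input format (see the sample config on this page):
#   key = value                   scalar setting; the last occurrence wins
#   key = "a,b,c"                 comma-separated list; quotes are optional
#   monitor_file = "path,format"  may be repeated; every occurrence is kept
#   rules_include = file.xml      may be repeated; every occurrence is kept
# A line whose first non-blank character is '#' is a comment.  Every value
# is escaped when written, so a value containing '<' or '&' cannot break
# the generated XML.

use strict;
use warnings;
use Getopt::Std;

# Keys that may appear more than once; their values are collected in order.
my %is_multi = map { $_ => 1 } qw(monitor_file rules_include);

# Alternate spellings accepted on input, mapped to the name the XML writer
# looks up.  The sample config on this page uses the left-hand names, which
# the first version of this script silently failed to find.
my %alias_of = (
    whitelist_ips      => 'white_list_ips',
    rootkit_files_db   => 'rootkit_files',
    rootkit_trojans_db => 'rootkit_trojans',
);

my %opts;
getopts('f:', \%opts);
die "No input file specified.\n"
    unless defined $opts{'f'} && length $opts{'f'};

my %config = read_config($opts{'f'});

# ---- <global> --------------------------------------------------------------
print "\n<!-- OSSEC example config -->\n\n<ossec_config>\n";
print "  <global>\n";
print element(4, 'email_notification', $config{'email_notify'});
print element(4, 'email_to',           $config{'email_addr'});
print element(4, 'smtp_server',        $config{'smtp_server'});
print element(4, 'email_from',         $config{'email_from'});
my @white_list = sort { $a cmp $b } list_setting('white_list_ips');
print element(4, 'white_list', $_) for @white_list;
print "  </global>\n\n";

# ---- <rules> ---------------------------------------------------------------
print "  <rules>\n";
my @rule_files = sort { $a cmp $b } repeated('rules_include');
print element(4, 'include', $_) for @rule_files;
print "  </rules>\n\n";

# ---- <syscheck> ------------------------------------------------------------
print "  <syscheck>\n";
# A literal "--" is not allowed inside an XML comment, hence the single dash.
print "    <!-- Frequency that syscheck is executed - default every 2 hours -->\n";
print element(4, 'frequency', $config{'frequency'});
print "\n    <!-- Directories to check  (perform all possible verifications) -->\n";
printf "    <directories check_all=\"yes\">%s</directories>\n",
    xml_escape($config{'directories_check_all'});
print "\n    <!-- Files/directories to ignore -->\n";
print element(4, 'ignore', $_) for list_setting('ignore');   # input order kept
print "  </syscheck>\n\n";

# ---- <rootcheck> -----------------------------------------------------------
print "  <rootcheck>\n";
print element(4, 'rootkit_files',   $config{'rootkit_files'});
print element(4, 'rootkit_trojans', $config{'rootkit_trojans'});
print "  </rootcheck>\n\n";

# ---- <remote> --------------------------------------------------------------
# The presence of the 'remote' key enables the section; its value is not
# examined.  NOTE(review): "remote = no" therefore still emits <remote> -
# confirm that is intended before relying on it.
if (exists $config{'remote'}) {
    print "  <remote>\n";
    print "    <connection>secure</connection>\n"
        if defined $config{'connection_type'}
        && $config{'connection_type'} eq 'secure';
    print "  </remote>\n";
}

# ---- <alerts> --------------------------------------------------------------
print "\n  <alerts>\n";
print element(4, 'log_alert_level',   $config{'log_alert_level'});
print element(4, 'email_alert_level', $config{'email_alert_level'});
print "  </alerts>\n\n";

# ---- active response -------------------------------------------------------
# Only the value "disabled" is understood.  Any other value emits OSSEC's
# example command and active-response definitions verbatim (host-deny,
# firewall-drop, disable-account); nothing from the input is used to build
# them.  An absent key emits nothing.
if (exists $config{'active_response'}) {
    if ($config{'active_response'} eq 'disabled') {
        # The closing tag was misspelled "</diabled>" in the first version,
        # which produced an unparseable section.
        print "  <active-response>\n    <disabled>yes</disabled>\n"
            . "  </active-response>\n\n";
    }
    else {
        print <<'END';
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

END
    }
}

# ---- <localfile> -----------------------------------------------------------
print "  <!-- Files to monitor (localfiles) -->\n\n";
for my $entry (sort { $a cmp $b } repeated('monitor_file')) {
    # Each entry is "path,log_format"; tolerate a missing format.
    my ($location, $format) = split /,/, $entry;
    $format = '' unless defined $format;
    print "  <localfile>\n";
    print element(4, 'log_format', $format);
    print element(4, 'location',   $location);
    print "  </localfile>\n";
}

print "</ossec_config>\n";

# ---- helpers ---------------------------------------------------------------

# Parse the key=value file at $path into a hash.  Scalar keys map to a
# string; keys listed in %is_multi map to an array ref of every value seen.
# Keys in %alias_of are renamed.  Dies if the file cannot be opened or
# closed.
sub read_config {
    my ($path) = @_;
    my %conf;

    # Three-arg open with a lexical handle: the two-arg form would treat a
    # filename beginning with '>' or '|' as a mode or a command.
    open my $fh, '<', $path or die "Couldn't open input config file: $! \n";
    LINE: while (my $line = <$fh>) {
        chomp $line;
        next LINE if $line =~ /^\s*(?:#|$)/;        # comment or blank line
        my ($key, $value) = split /=/, $line, 2;    # split at the first '=' only
        $value = '' unless defined $value;           # "key =" and bare "key"
        for ($key, $value) {
            s/^\s+//;
            s/\s+$//;
        }
        next LINE unless length $key;
        $value =~ s/^"(.*)"$/$1/;                    # surrounding quotes are decoration
        $key = $alias_of{$key} if exists $alias_of{$key};
        if ($is_multi{$key}) {
            push @{ $conf{$key} }, $value;
        }
        else {
            $conf{$key} = $value;
        }
    }
    close $fh or die "Couldn't close input config file: $! \n";
    return %conf;
}

# Escape the five XML special characters so that a config value cannot
# terminate or restructure the element it is printed into.  undef -> ''.
sub xml_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&apos;/g;
    return $text;
}

# One "<tag>value</tag>\n" line indented by $indent spaces, value escaped.
sub element {
    my ($indent, $tag, $value) = @_;
    return (' ' x $indent) . "<$tag>" . xml_escape($value) . "</$tag>\n";
}

# A comma-separated scalar setting as a list of trimmed, non-empty items
# (unescaped).  An absent key yields the empty list.
sub list_setting {
    my ($key) = @_;
    my $raw = defined $config{$key} ? $config{$key} : '';
    my @items;
    for my $item (split /,/, $raw) {
        $item =~ s/^\s+//;
        $item =~ s/\s+$//;
        push @items, $item if length $item;
    }
    return @items;
}

# Every value of a repeatable key (see %is_multi), in input order.
sub repeated {
    my ($key) = @_;
    return () unless defined $config{$key};
    return @{ $config{$key} };
}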
# Sample "traditional" key=value config that the converter script on this
# page reads.  One "key = value" per line; monitor_file and rules_include
# may be repeated.  Keys the converter does not know are read but never
# written to the XML.
# Global settings
email_notify = yes
email_addr = gentuxx@xxxxxxxxx
smtp_server = localhost
email_from = ossecm@gentoo
# NOTE: the converter as posted looks this list up under the key
# "white_list_ips"; with the spelling below the value is never found and no
# <white_list> entries are emitted.  Use the same spelling on both sides.
whitelist_ips = "127.0.0.1,192.168.0.100,192.168.0.200"
# The converter emits <remote> whenever the key is present; the value itself
# is not examined.
remote = yes
connection_type = secure
# Only "disabled" is recognised; any other value emits the example
# active-response block from the source tree.
active_response = disabled
log_alert_level = 1
email_alert_level = 5
# use "/path/to/file,logformat"
# NOTE: the converter as posted strips the surrounding quotes only for the
# whitelist, ignore and directories_check_all values, so the quotes below
# end up inside <location> and <log_format>.
monitor_file = "/var/log/messages,syslog"
monitor_file = "/var/log/secure,syslog"
monitor_file = "/var/log/xferlog,syslog"
monitor_file = "/var/log/maillog,syslog"
monitor_file = "/var/log/snort/alert,snort-full"
monitor_file = "/var/log/apache2/error_log,apache"
monitor_file = "/var/log/apache2/access_log,apache"

# Files/directories to ignore
ignore = "/etc/mtab,/etc/mnttab,/etc/hosts.deny,/etc/mail/statistics,/etc/random-seed,/etc/adjtime,/etc/utmpx,/etc/wtmpx"

# Directories to check  (perform all possible verifications)
directories_check_all = "/etc,/usr/bin,/usr/sbin,/bin,/sbin"
# There are subcategories of check to do.  Add those as individual
# variables.
# Placeholder: parsed as key "directories_check_" with an empty value and
# never written out.
directories_check_ = 

# Syscheck settings
# Frequency that syscheck is executed - default every 2 hours 
frequency = 7200

# Rootcheck settings
# NOTE: the converter as posted reads these as "rootkit_files" and
# "rootkit_trojans" (no "_db" suffix); with the names below the
# <rootkit_files> and <rootkit_trojans> elements come out empty.
rootkit_files_db = /var/ossec/etc/shared/rootkit_files.txt
rootkit_trojans_db = /var/ossec/etc/shared/rootkit_trojans.txt

# Rules
rules_include = rules_config.xml
rules_include = pam_rules.xml
rules_include = sshd_rules.xml
rules_include = telnetd_rules.xml
rules_include = syslog_rules.xml
rules_include = pix_rules.xml
rules_include = named_rules.xml
rules_include = smbd_rules.xml
rules_include = vsftpd_rules.xml
rules_include = pure-ftpd_rules.xml
rules_include = proftpd_rules.xml
rules_include = hordeimp_rules.xml
rules_include = web_rules.xml
rules_include = apache_rules.xml
rules_include = ids_rules.xml
rules_include = squid_rules.xml
rules_include = firewall_rules.xml
rules_include = netscreenfw_rules.xml
rules_include = postfix_rules.xml
rules_include = sendmail_rules.xml
rules_include = imapd_rules.xml
rules_include = spamd_rules.xml
rules_include = msauth_rules.xml
# NOTE: the converter's comment check only skips lines that are exactly "#"
# or blank, so this line is parsed as key "#rules_include" rather than
# ignored.  It does not reach the <rules> list, but is not a true comment.
#rules_include = policy_rules.xml
rules_include = attack_rules.xml
rules_include = user_defined.xml
