
[ossec-dev] Re: "Time Honored" Config and Converter




Hi Charlie,

Was this e-mail in the list? I am clearly lost with all these messages
in there :)

*Btw, whenever you have a new feature or find a bug, can you also
submit it to the
bugzilla? It is going to be easier in the future to keep track of
everything in there
and also to allow more people to help (like a todo list).

Regarding the key/value configuration, it is not a bad idea, especially
for unix guys
who hate XML (like me). You can post it in the wiki and we can also add that to
the contrib directory (so anyone can use it). However, for every change in this
config, the user will need to re-generate the XML (or the init script
can do that).

*I think Meir will like it.. :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 8/22/06, gentuxx <gentuxx@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thought I would run this by you guys before sending it out to the user
list, and/or putting anything in the wiki.

One recent user mentioned using XML for the config file vs the "time
honored tradition" of "key=value".  So I wrote a "traditional"
ossec.conf and a simple perl converter.  I would especially like some
comments on how to handle the active-response stuff, since I don't have
it enabled on my systems.  Meanwhile, I just dump what Daniel has in the
example from the source.

TIA

- -Charlie
- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE65CjTPA54hjTSp4RAlWtAJ0TYCRGpnlEB6a/URRCxCf8qvVPOwCfUcrE
n6b6S087FevOKQ4lzigqR0I=
=ap5A
-----END PGP SIGNATURE-----


#!/usr/bin/perl -w

use strict;
use Getopt::Std;

my (%opts, %config);
getopts('f:', \%opts);

if ($opts{'f'}) {
        open CONF, $opts{'f'} or die "Couldn't open input config file: $! \n";
        while (<CONF>) {
                chomp;
                next if (/^\s*(#|$)/);                  # skip comment and blank lines
                s/\s+//g;                               # strip all whitespace
                my ($key, $value) = split(/=/, $_, 2);  # split on the first '=' only
                next unless (defined($value));          # ignore lines without '='
                $value =~ s/"//g;                       # strip the quotes around list values
                if ($key =~ /^(monitor_file|rules_include)$/) {
                        push @{$config{$key}}, $value;  # keys that may repeat
                } else {
                        $config{$key} = $value;
                }
        }
        close CONF;
} else {
        die "No input file specified.\n";
}

# Write the xml file.  Easiest way is just to be deliberate.  Not the most elegant solution, but it should work.
# Key names below match the ones used in the sample config (whitelist_ips, rootkit_*_db).
my @whitelisted = split(/,/, ($config{'whitelist_ips'} || ''));
my @ignored = split(/,/, ($config{'ignore'} || ''));

print <<END;

<!-- OSSEC example config -->

<ossec_config>
  <global>
    <email_notification>$config{'email_notify'}</email_notification>
    <email_to>$config{'email_addr'}</email_to>
    <smtp_server>$config{'smtp_server'}</smtp_server>
    <email_from>$config{'email_from'}</email_from>
END

foreach my $wip ( sort( @whitelisted ) ) {
        print "    <white_list>$wip</white_list>\n";
}

print "  </global>\n\n";
print "  <rules>\n";

foreach my $rulesfile ( sort( @{$config{'rules_include'} || []} ) ) {
        print "    <include>$rulesfile</include>\n";
}

print <<END;
  </rules>

  <syscheck>
    <!-- Frequency that syscheck is executed - default every 2 hours -->
    <frequency>$config{'frequency'}</frequency>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">$config{'directories_check_all'}</directories>

    <!-- Files/directories to ignore -->
END

foreach my $ignored ( @ignored ) {
        print "    <ignore>$ignored</ignore>\n";
}

print <<END;
  </syscheck>

  <rootcheck>
    <rootkit_files>$config{'rootkit_files_db'}</rootkit_files>
    <rootkit_trojans>$config{'rootkit_trojans_db'}</rootkit_trojans>
  </rootcheck>

END

if ( exists($config{'remote'}) ) {
        print "  <remote>\n";
        if ((exists($config{'connection_type'})) && ($config{'connection_type'} eq 'secure')) {
                print "    <connection>secure</connection>\n";
        }
        print "  </remote>\n";
}

print <<END;

  <alerts>
    <log_alert_level>$config{'log_alert_level'}</log_alert_level>
    <email_alert_level>$config{'email_alert_level'}</email_alert_level>
  </alerts>

END

if ( exists($config{'active_response'}) ) {             # should always be true
        if ($config{'active_response'} eq 'disabled') {
                print "  <active-response>\n    <disabled>yes</disabled>\n  </active-response>\n\n";
        } else {
                # Could use some comments/insight here, since I don't use the active response features.
                print <<END;
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

END
        }
}

# The localfile entries are written whether or not active response is enabled.
print "  <!-- Files to monitor (localfiles) -->\n\n";

foreach my $file ( sort( @{$config{'monitor_file'} || []} ) ) {
        my ($fileloc, $fformat) = split(/,/, $file);    # value is "/path/to/file,logformat"
        print "  <localfile>\n";
        print "    <log_format>$fformat</log_format>\n";
        print "    <location>$fileloc</location>\n";
        print "  </localfile>\n";
}

print "</ossec_config>\n";


# Global settings
email_notify = yes
email_addr = gentuxx@xxxxxxxxx
smtp_server = localhost
email_from = ossecm@gentoo
whitelist_ips = "127.0.0.1,192.168.0.100,192.168.0.200"
remote = yes
connection_type = secure
active_response = disabled
log_alert_level = 1
email_alert_level = 5
# use "/path/to/file,logformat"
monitor_file = "/var/log/messages,syslog"
monitor_file = "/var/log/secure,syslog"
monitor_file = "/var/log/xferlog,syslog"
monitor_file = "/var/log/maillog,syslog"
monitor_file = "/var/log/snort/alert,snort-full"
monitor_file = "/var/log/apache2/error_log,apache"
monitor_file = "/var/log/apache2/access_log,apache"

# Files/directories to ignore
ignore = "/etc/mtab,/etc/mnttab,/etc/hosts.deny,/etc/mail/statistics,/etc/random-seed,/etc/adjtime,/etc/utmpx,/etc/wtmpx"

# Directories to check  (perform all possible verifications)
directories_check_all = "/etc,/usr/bin,/usr/sbin,/bin,/sbin"
# There are subcategories of check to do.  Add those as individual
# variables.
directories_check_ =

# Syscheck settings
# Frequency that syscheck is executed - default every 2 hours
frequency = 7200

# Rootcheck settings
rootkit_files_db = /var/ossec/etc/shared/rootkit_files.txt
rootkit_trojans_db = /var/ossec/etc/shared/rootkit_trojans.txt

# Rules
rules_include = rules_config.xml
rules_include = pam_rules.xml
rules_include = sshd_rules.xml
rules_include = telnetd_rules.xml
rules_include = syslog_rules.xml
rules_include = pix_rules.xml
rules_include = named_rules.xml
rules_include = smbd_rules.xml
rules_include = vsftpd_rules.xml
rules_include = pure-ftpd_rules.xml
rules_include = proftpd_rules.xml
rules_include = hordeimp_rules.xml
rules_include = web_rules.xml
rules_include = apache_rules.xml
rules_include = ids_rules.xml
rules_include = squid_rules.xml
rules_include = firewall_rules.xml
rules_include = netscreenfw_rules.xml
rules_include = postfix_rules.xml
rules_include = sendmail_rules.xml
rules_include = imapd_rules.xml
rules_include = spamd_rules.xml
rules_include = msauth_rules.xml
#rules_include = policy_rules.xml
rules_include = attack_rules.xml
rules_include = user_defined.xml
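The conversion Charlie describes above, redone as an added example in Python (this is not the Perl script from the post and not OSSEC project code): it parses the same key=value format, collects the repeatable keys (monitor_file, rules_include), and builds the XML with ElementTree so that a value containing &, < or quotes is escaped instead of being printed into the document verbatim. The sample config embedded in it is constructed and modelled on the one in the thread; the key names and output elements mirror the ones used there, and only the global, rules, syscheck, alerts, active-response (disabled) and localfile sections are covered.

```python
# Added example, not the script from the post nor OSSEC project code: the same
# key=value -> XML conversion, built with ElementTree so values are escaped.
import xml.etree.ElementTree as ET

MULTI_KEYS = {"monitor_file", "rules_include"}   # keys that may repeat
# key=value name -> element name inside <global>, as used in the thread
EMAIL_TAGS = {"email_notify": "email_notification", "email_addr": "email_to",
              "smtp_server": "smtp_server", "email_from": "email_from"}

# Constructed sample input, modelled on the config posted in the thread.
SAMPLE_CONF = """\
# Global settings
email_notify = yes
email_addr = admin@example.com
smtp_server = localhost
whitelist_ips = "127.0.0.1,192.168.0.100"
active_response = disabled
log_alert_level = 1
email_alert_level = 5
monitor_file = "/var/log/messages,syslog"
monitor_file = "/var/log/apache2/access_log,apache"
directories_check_all = "/etc,/usr/bin"
rules_include = syslog_rules.xml
rules_include = sshd_rules.xml
"""


def parse_kv(text):
    """Parse 'key = value' lines into a dict; MULTI_KEYS collect into lists.
    Comments and blank lines are skipped, the split is on the first '=' only,
    and one pair of surrounding double quotes is stripped from the value."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key = value, got {raw!r}")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in MULTI_KEYS:
            config.setdefault(key, []).append(value)
        else:
            config[key] = value
    return config


def _csv(value):
    # split a comma-separated value; a missing or empty value gives []
    return [v for v in (value or "").split(",") if v]


def to_xml(config):
    """Build the ossec_config tree from the parsed dict; return it as text."""
    root = ET.Element("ossec_config")
    glob = ET.SubElement(root, "global")
    for kv_key, tag in EMAIL_TAGS.items():
        if kv_key in config:
            ET.SubElement(glob, tag).text = config[kv_key]
    for ip in sorted(_csv(config.get("whitelist_ips"))):
        ET.SubElement(glob, "white_list").text = ip
    rules = ET.SubElement(root, "rules")
    for name in sorted(config.get("rules_include", [])):
        ET.SubElement(rules, "include").text = name
    syscheck = ET.SubElement(root, "syscheck")
    if "frequency" in config:
        ET.SubElement(syscheck, "frequency").text = config["frequency"]
    if "directories_check_all" in config:
        dirs = ET.SubElement(syscheck, "directories", check_all="yes")
        dirs.text = config["directories_check_all"]
    for path in _csv(config.get("ignore")):
        ET.SubElement(syscheck, "ignore").text = path
    alerts = ET.SubElement(root, "alerts")
    for key in ("log_alert_level", "email_alert_level"):
        if key in config:
            ET.SubElement(alerts, key).text = config[key]
    if config.get("active_response") == "disabled":
        ET.SubElement(ET.SubElement(root, "active-response"), "disabled").text = "yes"
    for entry in sorted(config.get("monitor_file", [])):
        # each entry is "/path/to/file,logformat", as in the posted config
        location, sep, log_format = entry.rpartition(",")
        if not sep or not location:
            raise ValueError(f"monitor_file needs '/path,format': {entry!r}")
        localfile = ET.SubElement(root, "localfile")
        ET.SubElement(localfile, "log_format").text = log_format
        ET.SubElement(localfile, "location").text = location
    return ET.tostring(root, encoding="unicode")


def convert(text):
    return to_xml(parse_kv(text))


if __name__ == "__main__":
    print(convert(SAMPLE_CONF))
```

Running it prints the XML for the embedded sample. The design point is that the element structure comes from the code and only text nodes come from the file, so a stray `&` or `<` in a path cannot change the shape of the generated ossec.conf; a malformed line (no `=`, or a monitor_file without the `,logformat` suffix) is reported with its line number instead of silently producing an empty element.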







OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.