[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: [ossec-list] Re: Problem trying out ossec
From: Tim Lavoie <tim () fractaldragon ! net>
Date: 2006-12-21 15:55:36
Message-ID: 87slf92qh3.fsf () fractaldragon ! net
[Download RAW message or body]
>>>>> "DBC" == Daniel Cid <daniel.cid@gmail.com> writes:
DBC> Hi Tim, Can you show us your ossec config and your ossec
DBC> log*? It looks like that you have a configuration error and
DBC> ossec is not handling it very well.
DBC> *The files we need are: /var/ossec/etc/ossec.conf and
DBC> /var/ossec/logs/ossec.log
Hi Daniel,
The log file is empty, zero bytes. The config is basically straight
from the install script, other than the email config. In any case,
I've pasted it below.
Thanks,
Tim
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>tim@fractaldragon.net</email_to>
<smtp_server>mail.fractaldragon.net.</smtp_server>
<email_from>ossecm@fractaldragon.net</email_from>
</global>
<rules>
<include>rules_config.xml</include>
<include>pam_rules.xml</include>
<include>sshd_rules.xml</include>
<include>telnetd_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
<include>pix_rules.xml</include>
<include>named_rules.xml</include>
<include>smbd_rules.xml</include>
<include>vsftpd_rules.xml</include>
<include>pure-ftpd_rules.xml</include>
<include>proftpd_rules.xml</include>
<include>ms_ftpd_rules.xml</include>
<include>hordeimp_rules.xml</include>
<include>vpopmail_rules.xml</include>
<include>web_rules.xml</include>
<include>apache_rules.xml</include>
<include>ids_rules.xml</include>
<include>squid_rules.xml</include>
<include>firewall_rules.xml</include>
<include>netscreenfw_rules.xml</include>
<include>postfix_rules.xml</include>
<include>sendmail_rules.xml</include>
<include>imapd_rules.xml</include>
<include>mailscanner_rules.xml</include>
<include>ms-exchange_rules.xml</include>
<include>racoon_rules.xml</include>
<include>spamd_rules.xml</include>
<include>msauth_rules.xml</include>
<!-- <include>policy_rules.xml</include> -->
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
<include>ossec_rules.xml</include>
</rules>
<syscheck>
<!-- Frequency that syscheck is executed - default every 2 hours -->
<frequency>14400</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<!-- Windows files to ignore -->
<ignore>C:\WINDOWS/System32/LogFiles</ignore>
<ignore>C:\WINDOWS/Debug</ignore>
<ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
<ignore>C:\WINDOWS/iis6.log</ignore>
<ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
<ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
<ignore>C:\WINDOWS/Prefetch</ignore>
<ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
<ignore>C:\WINDOWS/SoftwareDistribution</ignore>
<ignore>C:\WINDOWS/Temp</ignore>
<ignore>C:\WINDOWS/system32/config</ignore>
<ignore>C:\WINDOWS/system32/spool</ignore>
<ignore>C:\WINDOWS/system32/CatRoot</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<global>
<white_list>127.0.0.1</white_list>
<white_list>209.51.143.76</white_list>
<white_list>209.51.128.19</white_list>
<white_list>209.51.128.20</white_list>
<white_list>nameserver</white_list>
<white_list>142.161.2.155</white_list>
<white_list>142.161.130.155</white_list>
<white_list>65.254.53.9</white_list>
<white_list>70.85.76.188</white_list>
</global>
<alerts>
<log_alert_level>1</log_alert_level>
<email_alert_level>7</email_alert_level>
</alerts>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/mail.info</location>
</localfile>
<localfile>
<log_format>snort-full</log_format>
<location>/var/log/snort/alert</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache/error.log</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/apache/access.log</location>
</localfile>
</ossec_config>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic