Ossec 配置文件

# /var/ossec/etc/ossec.conf

 

配置邮件通知

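<global>
  <!-- Send alert e-mails; the level threshold is <email_alert_level> under <alerts>. -->
  <email_notification>yes</email_notification>
  <!-- Recipient address. -->
  <email_to>info@163.com</email_to>
  <!-- Outgoing SMTP server. The trailing dot makes this an absolute FQDN; most
       resolvers accept it, but the conventional spelling is smtp.163.com.
       NOTE(review): OSSEC's mailer speaks plain SMTP without authentication or
       TLS, so a public provider's SMTP server will usually reject it; the
       usual setup is a local relay (e.g. Postfix on the manager) that performs
       authentication and is referenced here instead. Confirm for your version. -->
  <smtp_server>smtp.163.com.</smtp_server>
  <!-- Sender address. -->
  <email_from>send@163.com</email_from>
</global>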

 

加载自定义规则 

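<rules>
    <!-- Load the custom rule set test_rules_config.xml. The file must live under
         /var/ossec/rules/. This entry is in addition to, not a replacement for,
         the default includes; rules_config.xml has to stay first in the list. -->
    <include>test_rules_config.xml</include>
</rules>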

 

文件目录检测

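<syscheck>
    <!-- How often (in seconds) the full integrity scan runs; 79200 = 22 hours, the default. -->
    <frequency>79200</frequency>

    <!-- Directories to check. check_all="yes" enables the checksum (MD5/SHA1),
         size, owner, group and permission checks. It does NOT turn on
         realtime="yes" or report_changes="yes"; those are separate attributes. -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <!-- Web upload directory: attacker-controlled content lands here (a dropped
         webshell, for instance), so changes deserve attention. With only the
         periodic scan a new file can go unnoticed for up to 22 hours; consider
         adding realtime="yes" to this entry. -->
    <directories check_all="yes">/opt/web/upload</directories>

    <!-- Files/directories to ignore. /etc/mtab is rewritten on every mount and
         unmount and would only produce noise. -->
    <ignore>/etc/mtab</ignore>
</syscheck>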

 

注: check_all="yes" 会同时启用 check_sum、check_size、check_owner、check_group、check_perm 这几项检测;realtime 与 report_changes 需要单独设置,restrict 与 type 用于限定匹配范围,并不是检测类型。

检测类型有:

check_sum="yes"            #MD5 和 SHA1 校验和
check_sha1sum="yes"        #SHA1 校验和
check_md5sum="yes"         #MD5 校验和
check_size="yes"           #文件大小
check_owner="yes"          #文件所有者
check_group="yes"          #文件所属组
check_perm="yes"           #文件权限(原文的 check_pem 为笔误)
restrict="string"          #只检测文件名中包含该字符串的文件
type="sregex"              #用于 <ignore> 元素,使其按正则表达式匹配
realtime="yes"             #启用实时监控(Linux 上依赖 inotify)
report_changes="yes"       #报告文件内容的具体改动(diff),仅适用于文本文件

 

 

Rootkit/后门检测(rootcheck)

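<rootcheck>
  <!-- Signature database of file paths used by known rootkits, backdoors, worms and sniffers. -->
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <!-- Signatures for trojaned system binaries (strings that must not appear in them). -->
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <!-- System and policy audit checks shipped with OSSEC. -->
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
</rootcheck>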

 

白名单 

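<global>
  <!-- Addresses that active response will never act on (no firewall-drop against
       them). Keep this list minimal: a host listed here can attack without being
       blocked, and a forged source address in a syslog message looks identical to
       a genuine one. Do include hosts whose loss would cripple the manager, such
       as loopback, the DNS resolver in use (8.8.8.8 is Google's public resolver)
       and the administrator's workstation, to avoid locking yourself out. -->
  <white_list>127.0.0.1</white_list>
  <white_list>8.8.8.8</white_list>
  <white_list>10.10.51.50</white_list>
</global>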


允许远程日志分析


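<!-- Accept plain syslog (UDP/514 by default) from other hosts. OSSEC requires an
     <allowed-ips> element for syslog connections and accepts nothing without it;
     list only the networks that legitimately forward logs. Syslog is
     unauthenticated, so a forged message from an allowed address can drive rules
     and, through active response, get arbitrary hosts blocked. -->
<remote>
  <connection>syslog</connection>
</remote>
<!-- Encrypted agent connection (UDP/1514 by default), authenticated with the
     per-agent keys in client.keys. -->
<remote>
  <connection>secure</connection>
</remote>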

 

记录日志/邮件通知

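<alerts>
  <!-- Minimum level written to alerts.log: every alert of level 1 or higher is
       logged. Level 0 alerts are ignored regardless of this setting. -->
  <log_alert_level>1</log_alert_level>
  <!-- Minimum level that also triggers an e-mail: level 7 and above. -->
  <email_alert_level>7</email_alert_level>
</alerts>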

注:ossec 告警等级分为 0-15,0 最低,15 最高;等级 0 表示忽略(不记录、不触发任何动作),通常用于压制误报。上面两项阈值均为"大于等于"。

 

定义脚本命令

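<command>
  <!-- Name referenced by <active-response><command>. -->
  <name>firewall-drop</name>
  <!-- Script under /var/ossec/active-response/bin/. -->
  <executable>firewall-drop.sh</executable>
  <!-- The script is given the alert's source IP; the response only fires for
       alerts that carry one. -->
  <expect>srcip</expect>
  <!-- Allow the block to be undone after <active-response><timeout> elapses. -->
  <timeout_allowed>yes</timeout_allowed>
</command>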


主动响应

 

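<active-response>
  <!-- Must match a <command><name> defined above. -->
  <command>firewall-drop</command>
  <!-- Run on the host that generated the alert. -->
  <location>local</location>
  <!-- Fire on every alert of level 6 or higher that carries a srcip. This is a
       broad trigger: noisy mid-level rules can block legitimate hosts, and an
       attacker who can spoof an allowed syslog source can get third parties
       blocked. Prefer narrowing with <rules_id> or <rules_group>, and keep the
       <white_list> current. -->
  <level>6</level>
  <!-- Seconds until the block is lifted (600 = 10 minutes). -->
  <timeout>600</timeout>
</active-response>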

 

日志监控

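<localfile>
  <!-- Decoder format of the file being read. -->
  <log_format>syslog</log_format>
  <!-- Path of the log file to monitor. -->
  <location>/var/log/messages</location>
</localfile>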