配置路径:/opt/ossec/etc/ossec.conf

  <!-- OSSEC manager configuration (/opt/ossec/etc/ossec.conf).
       The file is read top to bottom. <global> appears twice (mail settings
       here, active-response white_list further down); OSSEC merges repeated
       sections, so keep that in mind when editing either one. -->
  <ossec_config>
    <global>
      <!-- Alerts at or above email_alert_level (7, see <alerts>) are mailed
           to this address through the relay at smtp_server. Alert mails carry
           the triggering log lines, so the mailbox and the relay path are
           handling host names, user names and other log content. -->
      <email_notification>yes</email_notification>
      <email_to>pentest.test@163.com</email_to>
      <smtp_server>127.0.0.1</smtp_server>
      <email_from>ossecm@localhost.localdomain</email_from>
    </global>
    <rules>
      <!-- Rule files are loaded in this order from the rules directory.
           rules_config.xml must stay first; local_rules.xml is kept last so
           site-specific overrides take effect after the shipped rules. -->
      <include>rules_config.xml</include>
      <include>pam_rules.xml</include>
      <include>sshd_rules.xml</include>
      <include>telnetd_rules.xml</include>
      <include>syslog_rules.xml</include>
      <include>arpwatch_rules.xml</include>
      <include>symantec-av_rules.xml</include>
      <include>symantec-ws_rules.xml</include>
      <include>pix_rules.xml</include>
      <include>named_rules.xml</include>
      <include>smbd_rules.xml</include>
      <include>vsftpd_rules.xml</include>
      <include>pure-ftpd_rules.xml</include>
      <include>proftpd_rules.xml</include>
      <include>ms_ftpd_rules.xml</include>
      <include>ftpd_rules.xml</include>
      <include>hordeimp_rules.xml</include>
      <include>roundcube_rules.xml</include>
      <include>wordpress_rules.xml</include>
      <include>cimserver_rules.xml</include>
      <include>vpopmail_rules.xml</include>
      <include>vmpop3d_rules.xml</include>
      <include>courier_rules.xml</include>
      <include>web_rules.xml</include>
      <include>web_appsec_rules.xml</include>
      <include>apache_rules.xml</include>
      <include>nginx_rules.xml</include>
      <include>php_rules.xml</include>
      <include>mysql_rules.xml</include>
      <include>postgresql_rules.xml</include>
      <include>ids_rules.xml</include>
      <include>squid_rules.xml</include>
      <include>firewall_rules.xml</include>
      <include>cisco-ios_rules.xml</include>
      <include>netscreenfw_rules.xml</include>
      <include>sonicwall_rules.xml</include>
      <include>postfix_rules.xml</include>
      <include>sendmail_rules.xml</include>
      <include>imapd_rules.xml</include>
      <include>mailscanner_rules.xml</include>
      <include>dovecot_rules.xml</include>
      <include>ms-exchange_rules.xml</include>
      <include>racoon_rules.xml</include>
      <include>vpn_concentrator_rules.xml</include>
      <include>spamd_rules.xml</include>
      <include>msauth_rules.xml</include>
      <include>mcafee_av_rules.xml</include>
      <include>trend-osce_rules.xml</include>
      <include>ms-se_rules.xml</include>
      <!-- policy_rules.xml is intentionally disabled here. -->
      <!-- <include>policy_rules.xml</include> -->
      <include>zeus_rules.xml</include>
      <include>solaris_bsm_rules.xml</include>
      <include>vmware_rules.xml</include>
      <include>ms_dhcp_rules.xml</include>
      <include>asterisk_rules.xml</include>
      <include>ossec_rules.xml</include>
      <include>attack_rules.xml</include>
      <include>openbsd_rules.xml</include>
      <include>clam_av_rules.xml</include>
      <include>dropbear_rules.xml</include>
      <include>local_rules.xml</include>
    </rules>
    <syscheck>
      <!-- File integrity monitoring. Frequency is in seconds:
           79200 s = 22 hours between full scans. -->
      <frequency>79200</frequency>

      <!-- Directories to check (check_all enables every verification:
           hashes, size, owner, group and permissions). -->
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>
      <!-- Files/directories to ignore: volatile files that change on every
           boot or mount and would otherwise generate constant noise. -->
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/mnttab</ignore>
      <!-- /etc/hosts.deny is rewritten by the host-deny active response
           below, so its changes are expected rather than suspicious. -->
      <ignore>/etc/hosts.deny</ignore>
      <ignore>/etc/mail/statistics</ignore>
      <ignore>/etc/random-seed</ignore>
      <ignore>/etc/adjtime</ignore>
      <ignore>/etc/httpd/logs</ignore>
      <ignore>/etc/utmpx</ignore>
      <ignore>/etc/wtmpx</ignore>
      <ignore>/etc/cups/certs</ignore>
      <ignore>/etc/dumpdates</ignore>
      <ignore>/etc/svc/volatile</ignore>
      <!-- Windows files to ignore (these entries are shipped to Windows
           agents through the shared configuration; harmless on Linux). -->
      <ignore>C:\WINDOWS/System32/LogFiles</ignore>
      <ignore>C:\WINDOWS/Debug</ignore>
      <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
      <ignore>C:\WINDOWS/iis6.log</ignore>
      <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
      <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
      <ignore>C:\WINDOWS/Prefetch</ignore>
      <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
      <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
      <ignore>C:\WINDOWS/Temp</ignore>
      <ignore>C:\WINDOWS/system32/config</ignore>
      <ignore>C:\WINDOWS/system32/spool</ignore>
      <ignore>C:\WINDOWS/system32/CatRoot</ignore>
    </syscheck>
    <rootcheck>
      <!-- Rootkit signature lists and system audit policies (the *_rcl.txt
           files are CIS benchmark checks for Debian and RHEL). -->
      <rootkit_files>/opt/ossec/etc/shared/rootkit_files.txt</rootkit_files>
      <rootkit_trojans>/opt/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
      <system_audit>/opt/ossec/etc/shared/system_audit_rcl.txt</system_audit>
      <system_audit>/opt/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
      <system_audit>/opt/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
      <system_audit>/opt/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
    </rootcheck>
    <global>
      <!-- Hosts that active response must never block (host-deny and
           firewall-drop below act on srcip). 192.168.218.136 is also the
           database host used in <database_output>; keep this list to the
           infrastructure that genuinely must stay reachable. -->
      <white_list>127.0.0.1</white_list>
      <white_list>^localhost.localdomain$</white_list>
      <white_list>192.168.218.2</white_list>
      <white_list>192.168.218.136</white_list>
    </global>
    <remote>
      <!-- Plain syslog receiver. Syslog carries no sender authentication, so
           any host in the allowed range can submit events, including srcip
           values that feed the active responses below; narrow this range to
           the known log sources where possible. -->
      <connection>syslog</connection>
      <allowed-ips>192.168.0.0/16</allowed-ips>
    </remote>
    <remote>
      <!-- Agent channel (authenticated with per-agent keys). No allowed-ips
           restriction is applied to this listener. -->
      <connection>secure</connection>
    </remote>
    <alerts>
      <!-- Everything from level 1 is written to the alert log; only level 7
           and above is e-mailed (see <email_to> in the first <global>). -->
      <log_alert_level>1</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>
    <!-- Active response command definitions. <expect> names the alert field
         passed to the script; timeout_allowed lets the block be undone after
         the <timeout> configured in the matching <active-response>. -->
    <command>
      <name>host-deny</name>
      <executable>host-deny.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    <command>
      <name>firewall-drop</name>
      <executable>firewall-drop.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    <command>
      <name>disable-account</name>
      <executable>disable-account.sh</executable>
      <expect>user</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>
    <command>
      <!-- Takes no alert field (empty <expect>) and has no timeout. -->
      <name>restart-ossec</name>
      <executable>restart-ossec.sh</executable>
      <expect></expect>
    </command>

    <command>
      <name>route-null</name>
      <executable>route-null.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <!-- Active Response Config.
         Only host-deny and firewall-drop are wired up; disable-account,
         restart-ossec and route-null are defined above but not triggered.
         Both responses run on the manager (location local) for any alert of
         level 6 or higher that carries a srcip, unless the address is in
         white_list. Level 6 also fires on events received over the
         unauthenticated syslog listener, which is why the white_list and
         allowed-ips settings matter for availability. -->
    <active-response>
      <!-- This response is going to execute the host-deny
         - command for every event that fires a rule with
         - level (severity) >= 6.
         - The IP is going to be blocked for  600 seconds.
        -->
      <command>host-deny</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
    <active-response>
      <!-- Firewall Drop response. Block the IP for
         - 600 seconds on the firewall (iptables,
         - ipfilter, etc).
        -->
      <command>firewall-drop</command>
      <location>local</location>
      <level>6</level>
      <timeout>600</timeout>
    </active-response>
    <!-- Files to monitor (localfiles) -->
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/messages</location>
    </localfile>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/secure</location>
    </localfile>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/maillog</location>
    </localfile>
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/httpd/error_log</location>
    </localfile>
    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/httpd/access_log</location>
    </localfile>
    <!-- Command outputs collected as log events. log_format "command"
         turns each output line into an event; "full_command" treats the
         whole output as one event, which is what lets the listening-port
         and login snapshots below be compared between runs. -->
    <localfile>
      <log_format>command</log_format>
      <command>df -h</command>
    </localfile>
    <localfile>
      <log_format>full_command</log_format>
      <!-- Snapshot of listening sockets. "-tan" covers TCP only, so UDP
           listeners are not reported, and the grep excludes only the IPv4
           loopback address (an IPv6 ::1 listener would still appear). -->
      <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
    </localfile>
    <localfile>
      <log_format>full_command</log_format>
      <!-- Five most recent login records. -->
      <command>last -n 5</command>
    </localfile>
    <database_output>
      <!-- Alerts are also written to a remote MySQL database. The credential
           is stored in clear text here, so this file must stay readable only
           by the OSSEC user and root. Username, database and password are
           all "ossec"; use a distinct, strong password and limit the MySQL
           grant for this account to the ossec database and this manager's
           address. -->
      <hostname>192.168.218.136</hostname>
      <username>ossec</username>
      <password>ossec</password>
      <database>ossec</database>
      <type>mysql</type>
    </database_output>
  </ossec_config>
