Detection System
Part Two
Installation
E-mail notification.
Rootkit search.
Active response: response to an event.
Configuration files:
/var/ossec/etc/ossec.conf:
/var/ossec/etc/internal_options.conf:
<global>
<email_notification>yes</email_notification>
<email_to>root@localhost</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>ossecm@localhost.localdomain</email_from>
<email_maxperhour>70</email_maxperhour>
</global>
ossec.conf: e-mail <email_alerts>
E-mail configuration:
# Maild grouping (0=disabled, 1=enabled)
# Groups alerts within the same e-mail.
maild.groupping=1
“Stats”
<global>
<stats>8</stats>
</global>
Every significant variation in the number of events reported over a given period of time generates a level 8 alert; the value inside <stats> is the level assigned to that alert.
Internal_options.conf: “stats”
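What "significant variation" means in practice is decided by thresholds in internal_options.conf rather than by the <stats> level alone. The following is an added example, not OSSEC's own code: a simplified model of how ossec-analysisd keeps a per-weekday, per-hour average of the alerts it has seen and compares the current hour against it. The threshold names mirror the internal_options.conf knobs (analysisd.stats_mindiff, analysisd.stats_maxdiff, analysisd.stats_percent_diff); the default values, the HourlyStats class and the exact decision rule are assumptions of this example, and the counts fed to it are constructed.

```python
"""Simplified model of the <stats> alert in ossec-analysisd (added example).

analysisd learns an average alert count per (weekday, hour) slot and raises
an alert at the level set by <stats> when the current hour deviates from it.
The knob names below mirror internal_options.conf; their values and the
decision rule are this example's assumption, not a transcript of the C code.
"""
from collections import defaultdict

STATS_MINDIFF = 1250       # a change smaller than this many alerts is never reported
STATS_MAXDIFF = 999000     # a change larger than this is always reported
STATS_PERCENT_DIFF = 150   # in between, report when the change exceeds 150% of the average
STATS_LEVEL = 8            # <stats>8</stats> from the page: level of the generated alert


class HourlyStats:
    """Learns a baseline per (weekday, hour) slot and flags deviations from it."""

    def __init__(self, mindiff=STATS_MINDIFF, maxdiff=STATS_MAXDIFF,
                 percent_diff=STATS_PERCENT_DIFF, level=STATS_LEVEL):
        self.mindiff = mindiff
        self.maxdiff = maxdiff
        self.percent_diff = percent_diff
        self.level = level
        self._sum = defaultdict(int)      # (weekday, hour) -> total alerts seen in that slot
        self._samples = defaultdict(int)  # (weekday, hour) -> number of hours observed

    def learn(self, weekday, hour, count):
        """Fold one completed hour into the baseline for its slot."""
        self._sum[(weekday, hour)] += count
        self._samples[(weekday, hour)] += 1

    def baseline(self, weekday, hour):
        """Average alerts for the slot, or None if it has never been observed."""
        n = self._samples[(weekday, hour)]
        return self._sum[(weekday, hour)] / n if n else None

    def check(self, weekday, hour, count):
        """Return (alert_level, reason); level 0 means no alert is generated."""
        average = self.baseline(weekday, hour)
        if average is None:
            return 0, "no baseline for this slot yet"
        diff = abs(count - average)
        if diff > self.maxdiff:            # huge swing: always report
            anomalous = True
        elif diff < self.mindiff:          # small absolute change: never report
            anomalous = False
        else:                              # otherwise judge relative to the average
            anomalous = diff > average * self.percent_diff / 100.0
        if not anomalous:
            return 0, "count %d within %d%% of average %.0f" % (count, self.percent_diff, average)
        return self.level, "count %d differs from average %.0f by %.0f" % (count, average, diff)


def demo():
    """Four quiet Mondays at 10:00, then four candidate hours (constructed data)."""
    stats = HourlyStats()
    for _ in range(4):
        stats.learn(0, 10, 1000)
    return {
        "small": stats.check(0, 10, 1100)[0],       # diff 100 < mindiff -> 0
        "large": stats.check(0, 10, 3000)[0],       # diff 2000 > 150% of 1000 -> 8
        "borderline": stats.check(0, 10, 2400)[0],  # diff 1400 >= mindiff but < 1500 -> 0
        "unseen": stats.check(1, 10, 3000)[0],      # Tuesday has no baseline yet -> 0
    }


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the baseline is per weekday and hour, so a nightly backup burst is learned rather than reported, and the absolute mindiff floor means a host that normally produces a few hundred alerts per hour will almost never trigger the stats alert no matter how the percentage is set.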
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
Natively supported formats:
syslog, snort-full, snort-fast, squid, iis, eventlog,
nmapg (greppable nmap formatted logs),
mysql_log, postgresql_log, apache.
ossec.conf: file integrity check
<syscheck>
<syscheck> options:
<frequency>
<scan_day>*
<scan_time>
<scan_on_start>
<directories>
<ignore>
<auto_ignore>
<alert_new_files>
<windows_registry>
<registry_ignore>
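To make the options above concrete, here is an added example (not OSSEC code) of a miniature file-integrity check in Python: <directories> becomes the list passed to scan(), <ignore> entries become either path prefixes or regular expressions (the equivalent of type="sregex"), and <alert_new_files> becomes the flag on compare(). <frequency>, <scan_day>, <scan_time> and <scan_on_start> only decide when a scan runs, so they are left to a scheduler. The function names and the directory tree built by demo() are assumptions constructed for this example.

```python
"""Miniature file-integrity check modelled on OSSEC <syscheck> (added example)."""
import hashlib
import os
import re
import shutil
import stat
import tempfile


def file_record(path):
    """What a baseline stores per file: content hash plus the metadata syscheck reports on."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def is_ignored(path, ignore_paths, ignore_regex):
    """<ignore> without a type matches a path or everything below it; sregex entries are regexes."""
    if any(path == p or path.startswith(p.rstrip("/") + "/") for p in ignore_paths):
        return True
    return any(r.search(path) for r in ignore_regex)


def scan(directories, ignore_paths=(), ignore_regex=()):
    """Walk <directories> and return {path: record}; this is the on-disk database syscheck keeps."""
    regexes = [re.compile(r) for r in ignore_regex]
    db = {}
    for d in directories:
        for root, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if is_ignored(path, ignore_paths, regexes):
                    continue
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # symlinks and special files are not hashed
                db[path] = file_record(path)
    return db


def compare(old, new, alert_new_files=True):
    """Diff two scans; new files only alert when <alert_new_files> is yes."""
    alerts = []
    for path, rec in new.items():
        if path not in old:
            if alert_new_files:
                alerts.append(("new", path))
        elif rec != old[path]:
            changed = [k for k in rec if rec[k] != old[path][k]]
            alerts.append(("modified", path, ",".join(changed)))
    for path in old:
        if path not in new:
            alerts.append(("deleted", path))
    return sorted(alerts)


def demo():
    """Constructed /etc look-alike: baseline, then an intruder's changes, then the diff."""
    base = tempfile.mkdtemp()
    try:
        etc = os.path.join(base, "etc")
        os.makedirs(etc)
        seed = {"passwd": b"root:x:0:0::/root:/bin/sh\n", "hosts": b"127.0.0.1 localhost\n",
                "app.log": b"noise\n", "mtab": b"/dev/sda1 / ext4\n"}
        for name, body in seed.items():
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        ignore_paths = [os.path.join(etc, "mtab")]      # <ignore>/etc/mtab</ignore>
        ignore_regex = [r"\.log$"]                      # <ignore type="sregex">.log$</ignore>
        baseline = scan([etc], ignore_paths, ignore_regex)
        with open(os.path.join(etc, "passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")         # extra uid-0 account
        with open(os.path.join(etc, "backdoor.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")                     # dropped file
        os.remove(os.path.join(etc, "hosts"))           # removed file
        with open(os.path.join(etc, "app.log"), "ab") as f:
            f.write(b"more noise\n")                    # changes but is ignored
        with open(os.path.join(etc, "mtab"), "ab") as f:
            f.write(b"x\n")                             # changes but is ignored
        current = scan([etc], ignore_paths, ignore_regex)
        alerts = compare(baseline, current, alert_new_files=True)
        return [(a[0], os.path.relpath(a[1], etc)) + tuple(a[2:]) for a in alerts]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Note what <auto_ignore> would add on top of this: files that change on every scan stop being reported after a few alerts, which is exactly why a log directory should be excluded explicitly rather than left to auto_ignore, where a real tampering would be silenced with the noise.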
ossec.conf: rootkit detection engine and policy enforcement
<rootcheck>
<rootcheck> options:
<disabled>
<frequency>
<rootkit_files>
<rootkit_trojans>
<system_audit>
<windows_audit>
<windows_apps>
<windows_malware>
<rootkit_files>: application level rootkit signatures file
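How rootcheck uses those signature files, as an added example that is not OSSEC's own code: <rootkit_files> lists paths that only a known rootkit creates, so their mere presence is an alert; <rootkit_trojans> lists system binaries together with strings that a trojaned copy contains and a clean build does not. The line layouts used here (`path ! name ::link` and `binary !pattern!description`) are assumed to follow the conventions of the shipped rootkit_files.txt and rootkit_trojans.txt; the entries, the function names and the fake filesystem built by demo() are all constructed for this example.

```python
"""Signature-based rootkit check modelled on OSSEC rootcheck (added example)."""
import os
import re
import shutil
import tempfile

# Constructed signature lists in the (assumed) layout of the shipped files.
ROOTKIT_FILES_TXT = r"""
# file_name ! Name ::Link to it
dev/.hidden/ssh-backdoor  ! Example kit ::https://example.invalid/kit
tmp/.ICE-unix/.x          ! Example kit ::https://example.invalid/kit
"""

ROOTKIT_TROJANS_TXT = r"""
# file_name !string_to_search!Description
bin/ls     !/dev/ptyxx|\.tmp/lsfile!Trojaned version of file
bin/login  !backdoor|/dev/\.hidden!Trojaned version of file
"""


def parse_rootkit_files(text):
    """Yield (relative path, rootkit name, reference link) per signature line."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, rest = line.split("!", 1)
        name, _, link = rest.partition("::")
        sigs.append((path.strip(), name.strip(), link.strip()))
    return sigs


def parse_rootkit_trojans(text):
    """Yield (relative binary path, compiled byte regex, description) per line."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        binary, pattern, desc = line.split("!", 2)
        sigs.append((binary.strip(), re.compile(pattern.strip().encode()), desc.strip()))
    return sigs


def check_rootkit_files(root, sigs):
    """Presence check: any listed path under root is evidence, even a dangling symlink."""
    hits = []
    for rel, name, link in sigs:
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            hits.append((path, name, link))
    return hits


def check_trojans(root, sigs):
    """Content check: search each existing binary for the strings a trojaned copy carries."""
    hits = []
    for rel, pattern, desc in sigs:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue  # a binary that is not installed cannot be trojaned
        with open(path, "rb") as f:
            data = f.read()
        if pattern.search(data):
            hits.append((path, desc))
    return hits


def demo():
    """Constructed mini root: a clean ls, a trojaned login and one rootkit file present."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "dev", ".hidden"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF...clean build, nothing suspicious\n")
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF...pam_unix...backdoor password check\n")
        open(os.path.join(root, "dev", ".hidden", "ssh-backdoor"), "wb").close()
        files = check_rootkit_files(root, parse_rootkit_files(ROOTKIT_FILES_TXT))
        trojans = check_trojans(root, parse_rootkit_trojans(ROOTKIT_TROJANS_TXT))
        return ([os.path.relpath(p, root) for p, _, _ in files],
                [os.path.relpath(p, root) for p, _ in trojans])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Both checks run from user space through the normal filesystem API, so a kernel-level rootkit that hides its files from readdir()/stat() defeats them; that is the gap the other rootcheck techniques (hidden-process and hidden-port scans) exist to cover, and why <syscheck> on the binaries themselves is a useful complement.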