├── .github └── workflows │ └── codeql.yml ├── .gitignore ├── .travis.yml ├── BUGS ├── CHANGELOG.md ├── CONFIG ├── CONTRIBUTORS ├── Dockerfile ├── INSTALL ├── LICENSE ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── active-response ├── cloudflare-ban.sh ├── disable-account.sh ├── firewall-drop.sh ├── firewalld-drop.sh ├── firewalls │ ├── ipfw.sh │ ├── ipfw_mac.sh │ ├── npf.sh │ └── pf.sh ├── host-deny.sh ├── ip-customblock.sh ├── nftables-drop.sh ├── ossec-aws-waf.sh ├── ossec-pagerduty.sh ├── ossec-slack.sh ├── ossec-tweeter.sh ├── restart-ossec.sh ├── route-null.sh └── win │ ├── firewall-drop.cmd │ ├── netsh.cmd │ ├── restart-ossec.cmd │ └── route-null.cmd ├── build.sh ├── contrib ├── active-list.pl ├── add_localfile.sh ├── compile_alerts.pl ├── compile_alerts.txt ├── config2xml ├── debian-packages │ ├── Readme.txt │ ├── generate_ossec.sh │ ├── ossec-hids-agent │ │ └── debian │ │ │ ├── changelog │ │ │ ├── compat │ │ │ ├── conffiles │ │ │ ├── control │ │ │ ├── copyright │ │ │ ├── ossec-hids-agent.lintian-overrides │ │ │ ├── patches │ │ │ ├── 01_makefile.patch │ │ │ ├── 02_ossec-agent.conf.patch │ │ │ └── series │ │ │ ├── postinst │ │ │ ├── postrm │ │ │ ├── preinst │ │ │ ├── rules │ │ │ ├── source │ │ │ └── format │ │ │ └── templates │ ├── ossec-hids │ │ └── debian │ │ │ ├── changelog │ │ │ ├── compat │ │ │ ├── conffiles │ │ │ ├── control │ │ │ ├── copyright │ │ │ ├── ossec-hids.lintian-overrides │ │ │ ├── patches │ │ │ ├── 01_makefile.patch │ │ │ ├── 02_ossec-server.conf.patch │ │ │ └── series │ │ │ ├── postinst │ │ │ ├── postrm │ │ │ ├── preinst │ │ │ ├── rules │ │ │ ├── source │ │ │ └── format │ │ │ └── templates │ └── pbuilderrc ├── iis-logs.bat ├── logtesting │ ├── 1 │ │ ├── log │ │ └── res │ ├── 2 │ │ ├── log │ │ └── res │ ├── 3 │ │ ├── log │ │ └── res │ ├── 4 │ │ ├── log │ │ └── res │ ├── 5 │ │ ├── log │ │ └── res │ ├── 6 │ │ ├── log │ │ └── res │ ├── 7 │ │ ├── log │ │ └── res │ ├── 8 │ │ ├── log │ │ └── res │ ├── 9 │ │ ├── log │ │ └── res │ ├── 10 │ │ ├── 
log │ │ └── res │ ├── 11 │ │ ├── log │ │ └── res │ ├── 12 │ │ ├── log │ │ └── res │ ├── 13 │ │ ├── log │ │ └── res │ ├── 14 │ │ ├── log │ │ └── res │ ├── 15 │ │ ├── log │ │ └── res │ ├── 16 │ │ ├── log │ │ └── res │ ├── 17 │ │ ├── log │ │ └── res │ ├── 18 │ │ ├── log │ │ └── res │ ├── 19 │ │ ├── log │ │ └── res │ ├── 20 │ │ ├── log │ │ └── res │ ├── 21 │ │ ├── log │ │ └── res │ ├── 22 │ │ ├── log │ │ └── res │ ├── 23 │ │ ├── log │ │ └── res │ ├── 24 │ │ ├── log │ │ └── res │ ├── 25 │ │ ├── log │ │ └── res │ ├── 26 │ │ ├── log │ │ └── res │ ├── 27 │ │ ├── log │ │ └── res │ ├── 28 │ │ ├── log │ │ └── res │ ├── 29 │ │ ├── log │ │ └── res │ ├── 30 │ │ ├── log │ │ └── res │ ├── 31 │ │ ├── log │ │ └── res │ ├── 32 │ │ ├── log │ │ └── res │ ├── 33 │ │ ├── log │ │ └── res │ ├── 34 │ │ ├── log │ │ └── res │ ├── 35 │ │ ├── log │ │ └── res │ ├── 36 │ │ ├── log │ │ └── res │ ├── 37 │ │ ├── log │ │ └── res │ ├── 38 │ │ ├── log │ │ └── res │ ├── 39 │ │ ├── log │ │ └── res │ ├── 40 │ │ ├── log │ │ └── res │ ├── 41 │ │ ├── log │ │ └── res │ ├── 42 │ │ ├── log │ │ └── res │ ├── 43 │ │ ├── log │ │ └── res │ ├── 44 │ │ ├── log │ │ └── res │ └── dotests.sh ├── ossec-batch-manager.pl ├── ossec-configure ├── ossec-eps.sh ├── ossec-pcre2-config.pl ├── ossec-testing │ ├── runtests.py │ └── tests │ │ ├── apache.ini │ │ ├── apparmor.ini │ │ ├── asterisk.ini │ │ ├── cimserver.ini │ │ ├── cisco_ios.ini │ │ ├── cpanel.ini │ │ ├── dnsmasq.ini │ │ ├── doas.ini │ │ ├── dovecot.ini │ │ ├── dpkg.ini │ │ ├── dropbear.ini │ │ ├── exim.ini │ │ ├── firewalld.ini │ │ ├── mailscanner.ini │ │ ├── modsecurity.ini │ │ ├── named.ini │ │ ├── netscreen.ini │ │ ├── nginx.ini │ │ ├── openbsd-dhcpd.ini │ │ ├── openbsd-httpd.ini │ │ ├── openbsd.ini │ │ ├── opensmtpd.ini │ │ ├── ossec.ini │ │ ├── pam.ini │ │ ├── postfix.ini │ │ ├── proftpd.ini │ │ ├── rsh.ini │ │ ├── samba.ini │ │ ├── sshd.ini │ │ ├── su.ini │ │ ├── sudo.ini │ │ ├── syslog.ini │ │ ├── sysmon.ini │ │ ├── systemd.ini │ │ ├── unbound.ini │ │ ├── 
vsftpd.ini │ │ ├── web_appsec.ini │ │ └── web_rules.ini ├── ossec2mysql.conf ├── ossec2mysql.pl ├── ossec2mysql.sql ├── ossec2mysqld.pl ├── ossec2rss.php ├── ossec_report.txt ├── ossec_report_contrib.pl ├── ossec_rules_list.py ├── ossecmysql.pm ├── ossectop.pl ├── rename_agent.sh ├── renumber_agent.sh ├── selinux │ ├── README.md │ ├── ossec_agent.pp.bz2 │ └── ossec_agent │ │ ├── ossec_agent.fc │ │ ├── ossec_agent.if │ │ └── ossec_agent.te ├── snapcraft │ ├── files │ │ └── bin │ │ │ └── wrapper │ └── snap │ │ └── snapcraft.yaml ├── specs │ ├── agent │ │ ├── ossec-hids-agent.spec │ │ └── preloaded-vars.conf │ ├── getattr.pl │ ├── local │ │ ├── ossec-hids-local.spec │ │ └── preloaded-vars.conf │ ├── remove_ossec │ └── server │ │ ├── ossec-hids-server.spec │ │ └── preloaded-vars.conf ├── util.sh ├── version_bump.sh └── zeromq_pubsub.py ├── debian_files └── 3.6.0 │ └── ossec-hids-agent │ └── debian │ ├── changelog │ ├── compat │ ├── conffiles │ ├── control │ ├── copyright │ ├── ossec-hids-agent.lintian-overrides │ ├── patches │ ├── 01_makefile.patch │ ├── 02_ossec-agent.conf.patch │ └── series │ ├── postinst │ ├── postrm │ ├── preinst │ ├── rules │ ├── source │ └── format │ └── templates ├── doc ├── README.config ├── active-response-internal.txt ├── active-response.txt ├── br │ ├── INSTALL.br │ ├── README.config │ ├── TRANSLATION │ ├── active-response-internal.txt │ ├── active-response.txt │ ├── logs.txt │ ├── manager.txt │ ├── rootcheck.txt │ ├── rule_ids.txt │ └── rules.txt ├── images │ ├── fim-test.gif │ └── ssh-attack.gif ├── logs.txt ├── manage_agents.txt ├── manager.txt ├── nmap.txt ├── pl │ ├── INSTALL.pl │ ├── README.config │ ├── TRANSLATION │ ├── active-response-internal.txt │ ├── active-response.txt │ ├── logs.txt │ ├── manager.txt │ ├── rootcheck.txt │ ├── rule_ids.txt │ └── rules.txt ├── rootcheck.txt ├── rule_ids.txt └── rules.txt ├── etc ├── decoder.xml ├── internal_options.conf ├── local_internal_options-win.conf ├── local_internal_options.conf ├── 
ossec-agent.conf ├── ossec-local.conf ├── ossec-server.conf ├── ossec.conf ├── preloaded-vars.conf.example ├── rules │ ├── apache_rules.xml │ ├── apparmor_rules.xml │ ├── arpwatch_rules.xml │ ├── asterisk_rules.xml │ ├── attack_rules.xml │ ├── cimserver_rules.xml │ ├── cisco-ios_rules.xml │ ├── clam_av_rules.xml │ ├── courier_rules.xml │ ├── dnsmasq_rules.xml │ ├── dovecot_rules.xml │ ├── dropbear_rules.xml │ ├── exim_rules.xml │ ├── firewall_rules.xml │ ├── firewalld_rules.xml │ ├── ftpd_rules.xml │ ├── hordeimp_rules.xml │ ├── ids_rules.xml │ ├── imapd_rules.xml │ ├── kesl_rules.xml │ ├── last_rootlogin_rules.xml │ ├── lighttpd_rules.xml │ ├── linux_usbdetect_rules.xml │ ├── local_rules.xml │ ├── log-entries │ │ ├── 101 │ │ ├── 201 │ │ ├── 202 │ │ ├── 204 │ │ ├── 301 │ │ ├── 401 │ │ ├── 403 │ │ ├── 408 │ │ ├── 409 │ │ ├── 1101 │ │ ├── 1401 │ │ ├── 1402 │ │ ├── 1602 │ │ ├── 1603 │ │ ├── 1607 │ │ ├── 1609 │ │ ├── 1901 │ │ ├── 1902 │ │ ├── 1903 │ │ ├── 1905 │ │ ├── 2501 │ │ ├── 2601 │ │ ├── 1301_1302_1303 │ │ ├── access-control │ │ ├── apache-error.logs │ │ ├── cisco-ios-ids │ │ ├── ciscoios │ │ ├── ftpd │ │ ├── iis6 │ │ ├── imapd │ │ ├── kernel │ │ ├── mail-alerts │ │ ├── mail-errors │ │ ├── ns1 │ │ ├── proftpd │ │ ├── smbd │ │ ├── spamd │ │ ├── sshd │ │ ├── symantecws │ │ ├── telnetd │ │ ├── unkown │ │ ├── vpn.log │ │ ├── vpopmail │ │ ├── worms │ │ └── xferlog │ ├── mailscanner_rules.xml │ ├── mcafee_av_rules.xml │ ├── mhn_cowrie_rules.xml │ ├── mhn_dionaea_rules.xml │ ├── ms-exchange_rules.xml │ ├── ms-se_rules.xml │ ├── ms1016_usbdetect_rules.xml │ ├── ms_dhcp_rules.xml │ ├── ms_firewall_rules.xml │ ├── ms_ftpd_rules.xml │ ├── ms_ipsec_rules.xml │ ├── ms_powershell_rules.xml │ ├── msauth_rules.xml │ ├── mysql_rules.xml │ ├── named_rules.xml │ ├── netscreenfw_rules.xml │ ├── nginx_rules.xml │ ├── nsd_rules.xml │ ├── openbsd-dhcpd_rules.xml │ ├── openbsd_rules.xml │ ├── opensmtpd_rules.xml │ ├── ossec_rules.xml │ ├── owncloud_rules.xml │ ├── pam_rules.xml │ ├── 
php_rules.xml │ ├── pix_rules.xml │ ├── policy_rules.xml │ ├── postfix_rules.xml │ ├── postgresql_rules.xml │ ├── proftpd_rules.xml │ ├── proxmox-ve_rules.xml │ ├── psad_rules.xml │ ├── pure-ftpd_rules.xml │ ├── racoon_rules.xml │ ├── roundcube_rules.xml │ ├── rules_config.xml │ ├── sendmail_rules.xml │ ├── smbd_rules.xml │ ├── solaris_bsm_rules.xml │ ├── sonicwall_rules.xml │ ├── spamd_rules.xml │ ├── squid_rules.xml │ ├── sshd_rules.xml │ ├── symantec-av_rules.xml │ ├── symantec-ws_rules.xml │ ├── syslog_rules.xml │ ├── sysmon_rules.xml │ ├── systemd_rules.xml │ ├── telnetd_rules.xml │ ├── topleveldomain_rules.xml │ ├── translated │ │ └── pure_ftpd │ │ │ ├── pure-ftpd_rules_da.xml │ │ │ ├── pure-ftpd_rules_de.xml │ │ │ ├── pure-ftpd_rules_en.xml │ │ │ ├── pure-ftpd_rules_es.xml │ │ │ ├── pure-ftpd_rules_fr.xml │ │ │ ├── pure-ftpd_rules_fr_funny.xml │ │ │ ├── pure-ftpd_rules_it.xml │ │ │ ├── pure-ftpd_rules_nl.xml │ │ │ ├── pure-ftpd_rules_no.xml │ │ │ ├── pure-ftpd_rules_pt_br.xml │ │ │ ├── pure-ftpd_rules_ro.xml │ │ │ ├── pure-ftpd_rules_sk.xml │ │ │ ├── pure-ftpd_rules_sv.xml │ │ │ └── pure-ftpd_rules_tr.xml │ ├── trend-osce_rules.xml │ ├── unbound_rules.xml │ ├── vmpop3d_rules.xml │ ├── vmware_rules.xml │ ├── vpn_concentrator_rules.xml │ ├── vpopmail_rules.xml │ ├── vsftpd_rules.xml │ ├── web_appsec_rules.xml │ ├── web_rules.xml │ ├── wordpress_rules.xml │ └── zeus_rules.xml └── templates │ ├── br │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── cn │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt 
│ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── config │ ├── active-response.template │ ├── apache-logs.template │ ├── ar-disable-account.template │ ├── ar-firewall-drop.template │ ├── ar-host-deny.template │ ├── ar-routenull.template │ ├── pgsql-logs.template │ ├── rootcheck.template │ ├── rules.template │ ├── snort-logs.template │ ├── syscheck.template │ └── syslog-logs.template │ ├── de │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── el │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── en │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── es │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ 
├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── fr │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── hu │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── it │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── jp │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── nl │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt 
│ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── pl │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── ru │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ ├── sr │ ├── errors │ │ ├── 0x1-location.txt │ │ ├── 0x2-beroot.txt │ │ ├── 0x3-dependencies.txt │ │ ├── 0x4-installtype.txt │ │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ │ ├── 0x101-initial.txt │ │ ├── 0x102-installhelp.txt │ │ ├── 0x103-thanksforusing.txt │ │ ├── 0x104-client.txt │ │ ├── 0x105-noboot.txt │ │ ├── 0x106-logs.txt │ │ ├── 0x107-ar.txt │ │ └── 0x108-ar-enabled.txt │ └── tr │ ├── errors │ ├── 0x1-location.txt │ ├── 0x2-beroot.txt │ ├── 0x3-dependencies.txt │ ├── 0x4-installtype.txt │ └── 0x5-build.txt │ ├── language.txt │ ├── messages.txt │ └── messages │ ├── 0x101-initial.txt │ ├── 0x102-installhelp.txt │ ├── 0x103-thanksforusing.txt │ ├── 0x104-client.txt │ ├── 0x105-noboot.txt │ ├── 0x106-logs.txt │ ├── 0x107-ar.txt │ └── 0x108-ar-enabled.txt ├── install.sh └── src ├── LOCATION ├── Makefile ├── 
VERSION ├── addagent ├── b64.c ├── main.c ├── manage_agents.c ├── manage_agents.h ├── manage_keys.c ├── read_from_user.c └── validate.c ├── agentlessd ├── README ├── agentlessd.c ├── agentlessd.h ├── main.c └── scripts │ ├── main.exp │ ├── register_host.sh │ ├── ssh.exp │ ├── ssh_asa-fwsmconfig_diff │ ├── ssh_foundry_diff │ ├── ssh_generic_diff │ ├── ssh_integrity_check_bsd │ ├── ssh_integrity_check_linux │ ├── ssh_nopass.exp │ ├── ssh_pixconfig_diff │ ├── sshlogin.exp │ └── su.exp ├── analysisd ├── accumulator.c ├── accumulator.h ├── active-response.c ├── active-response.h ├── alerts │ ├── alerts.h │ ├── exec.c │ ├── exec.h │ ├── getloglocation.c │ ├── getloglocation.h │ ├── log.c │ └── log.h ├── analysisd.c ├── analysisd.h ├── cdb │ ├── cdb.c │ ├── cdb.h │ ├── cdb_hash.c │ ├── cdb_make.c │ ├── cdb_make.h │ ├── uint32.h │ ├── uint32_pack.c │ └── uint32_unpack.c ├── cleanevent.c ├── cleanevent.h ├── compiled_rules │ ├── .function_list │ ├── generic_samples.c │ └── register_rule.sh ├── config.c ├── config.h ├── decoders │ ├── decode-xml.c │ ├── decoder.c │ ├── decoder.h │ ├── decoders_list.c │ ├── geoip.c │ ├── hostinfo.c │ ├── plugin_decoders.c │ ├── plugin_decoders.h │ ├── plugins │ │ ├── ossecalert_decoder.c │ │ ├── pf_decoder.c │ │ ├── sonicwall_decoder.c │ │ └── symantecws_decoder.c │ ├── rootcheck.c │ └── syscheck.c ├── dodiff.c ├── dodiff.h ├── eventinfo.c ├── eventinfo.h ├── eventinfo_list.c ├── format │ ├── json_extended.c │ ├── json_extended.h │ ├── to_json.c │ └── to_json.h ├── fts.c ├── fts.h ├── lists.c ├── lists.h ├── lists_list.c ├── lists_make.c ├── lists_make.h ├── makelists.c ├── output │ ├── jsonout.c │ ├── jsonout.h │ ├── prelude.c │ ├── prelude.h │ ├── zeromq.c │ └── zeromq.h ├── rules.c ├── rules.h ├── rules_list.c ├── schemas │ └── md5_ignore_sqlite3.schema ├── stats.c ├── stats.h └── testrule.c ├── client-agent ├── COPYRIGHT ├── VERSION ├── agentd.c ├── agentd.h ├── config.c ├── event-forward.c ├── intcheck_op.c ├── main.c ├── notify.c ├── 
receiver-win.c ├── receiver.c ├── sendmsg.c └── start_agent.c ├── config ├── active-response.c ├── active-response.h ├── agentlessd-config.c ├── agentlessd-config.h ├── alerts-config.c ├── client-config.c ├── client-config.h ├── config.c ├── config.h ├── csyslogd-config.c ├── csyslogd-config.h ├── dbd-config.c ├── dbd-config.h ├── email-alerts-config.c ├── global-config.c ├── global-config.h ├── localfile-config.c ├── localfile-config.h ├── mail-config.h ├── remote-config.c ├── remote-config.h ├── reports-config.c ├── reports-config.h ├── rootcheck-config.c ├── rootcheck-config.h ├── rules-config.c ├── syscheck-config.c └── syscheck-config.h ├── error_messages └── error_messages.h ├── external ├── cJSON │ ├── LICENSE │ ├── README │ ├── README.md │ ├── cJSON.c │ ├── cJSON.h │ ├── test.c │ └── tests │ │ ├── test1 │ │ ├── test2 │ │ ├── test3 │ │ ├── test4 │ │ └── test5 ├── compat │ ├── aix │ │ └── sys │ │ │ └── queue.h │ ├── imsg-buffer.c │ ├── imsg.c │ ├── imsg.h │ ├── includes.h │ ├── setproctitle.c │ ├── strlcat.c │ └── strlcpy.c ├── lua ├── lua-5.2.3 │ ├── Makefile │ ├── README │ ├── doc │ │ ├── contents.html │ │ ├── logo.gif │ │ ├── lua.1 │ │ ├── lua.css │ │ ├── luac.1 │ │ ├── manual.css │ │ ├── manual.html │ │ ├── osi-certified-72x60.png │ │ └── readme.html │ └── src │ │ ├── Makefile │ │ ├── Makefile.mingw │ │ ├── lapi.c │ │ ├── lapi.h │ │ ├── lauxlib.c │ │ ├── lauxlib.h │ │ ├── lbaselib.c │ │ ├── lbitlib.c │ │ ├── lcode.c │ │ ├── lcode.h │ │ ├── lcorolib.c │ │ ├── lctype.c │ │ ├── lctype.h │ │ ├── ldblib.c │ │ ├── ldebug.c │ │ ├── ldebug.h │ │ ├── ldo.c │ │ ├── ldo.h │ │ ├── ldump.c │ │ ├── lfs.c │ │ ├── lfs.def │ │ ├── lfs.h │ │ ├── lfunc.c │ │ ├── lfunc.h │ │ ├── lgc.c │ │ ├── lgc.h │ │ ├── linit.c │ │ ├── liolib.c │ │ ├── llex.c │ │ ├── llex.h │ │ ├── llimits.h │ │ ├── lmathlib.c │ │ ├── lmem.c │ │ ├── lmem.h │ │ ├── loadlib.c │ │ ├── lobject.c │ │ ├── lobject.h │ │ ├── lopcodes.c │ │ ├── lopcodes.h │ │ ├── loslib.c │ │ ├── lparser.c │ │ ├── lparser.h │ │ 
├── lstate.c │ │ ├── lstate.h │ │ ├── lstring.c │ │ ├── lstring.h │ │ ├── lstrlib.c │ │ ├── ltable.c │ │ ├── ltable.h │ │ ├── ltablib.c │ │ ├── ltm.c │ │ ├── ltm.h │ │ ├── lua.c │ │ ├── lua.h │ │ ├── lua.hpp │ │ ├── luac.c │ │ ├── luaconf.h │ │ ├── lualib.h │ │ ├── lundump.c │ │ ├── lundump.h │ │ ├── lvm.c │ │ ├── lvm.h │ │ ├── lzio.c │ │ └── lzio.h └── zlib-1.2.11 │ ├── CMakeLists.txt │ ├── ChangeLog │ ├── FAQ │ ├── INDEX │ ├── Makefile │ ├── Makefile.in │ ├── README │ ├── adler32.c │ ├── amiga │ ├── Makefile.pup │ └── Makefile.sas │ ├── compress.c │ ├── configure │ ├── contrib │ ├── README.contrib │ ├── ada │ │ ├── buffer_demo.adb │ │ ├── mtest.adb │ │ ├── read.adb │ │ ├── readme.txt │ │ ├── test.adb │ │ ├── zlib-streams.adb │ │ ├── zlib-streams.ads │ │ ├── zlib-thin.adb │ │ ├── zlib-thin.ads │ │ ├── zlib.adb │ │ ├── zlib.ads │ │ └── zlib.gpr │ ├── amd64 │ │ └── amd64-match.S │ ├── asm686 │ │ ├── README.686 │ │ └── match.S │ ├── blast │ │ ├── Makefile │ │ ├── README │ │ ├── blast.c │ │ ├── blast.h │ │ ├── test.pk │ │ └── test.txt │ ├── delphi │ │ ├── ZLib.pas │ │ ├── ZLibConst.pas │ │ ├── readme.txt │ │ └── zlibd32.mak │ ├── dotzlib │ │ ├── DotZLib.build │ │ ├── DotZLib.chm │ │ ├── DotZLib.sln │ │ ├── DotZLib │ │ │ ├── AssemblyInfo.cs │ │ │ ├── ChecksumImpl.cs │ │ │ ├── CircularBuffer.cs │ │ │ ├── CodecBase.cs │ │ │ ├── Deflater.cs │ │ │ ├── DotZLib.cs │ │ │ ├── DotZLib.csproj │ │ │ ├── GZipStream.cs │ │ │ ├── Inflater.cs │ │ │ └── UnitTests.cs │ │ ├── LICENSE_1_0.txt │ │ └── readme.txt │ ├── gcc_gvmat64 │ │ └── gvmat64.S │ ├── infback9 │ │ ├── README │ │ ├── infback9.c │ │ ├── infback9.h │ │ ├── inffix9.h │ │ ├── inflate9.h │ │ ├── inftree9.c │ │ └── inftree9.h │ ├── inflate86 │ │ ├── inffas86.c │ │ └── inffast.S │ ├── iostream │ │ ├── test.cpp │ │ ├── zfstream.cpp │ │ └── zfstream.h │ ├── iostream2 │ │ ├── zstream.h │ │ └── zstream_test.cpp │ ├── iostream3 │ │ ├── README │ │ ├── TODO │ │ ├── test.cc │ │ ├── zfstream.cc │ │ └── zfstream.h │ ├── masmx64 │ │ ├── 
bld_ml64.bat │ │ ├── gvmat64.asm │ │ ├── inffas8664.c │ │ ├── inffasx64.asm │ │ └── readme.txt │ ├── masmx86 │ │ ├── bld_ml32.bat │ │ ├── inffas32.asm │ │ ├── match686.asm │ │ └── readme.txt │ ├── minizip │ │ ├── Makefile │ │ ├── Makefile.am │ │ ├── MiniZip64_Changes.txt │ │ ├── MiniZip64_info.txt │ │ ├── configure.ac │ │ ├── crypt.h │ │ ├── ioapi.c │ │ ├── ioapi.h │ │ ├── iowin32.c │ │ ├── iowin32.h │ │ ├── make_vms.com │ │ ├── miniunz.c │ │ ├── miniunzip.1 │ │ ├── minizip.1 │ │ ├── minizip.c │ │ ├── minizip.pc.in │ │ ├── mztools.c │ │ ├── mztools.h │ │ ├── unzip.c │ │ ├── unzip.h │ │ ├── zip.c │ │ └── zip.h │ ├── pascal │ │ ├── example.pas │ │ ├── readme.txt │ │ ├── zlibd32.mak │ │ └── zlibpas.pas │ ├── puff │ │ ├── Makefile │ │ ├── README │ │ ├── puff.c │ │ ├── puff.h │ │ ├── pufftest.c │ │ └── zeros.raw │ ├── testzlib │ │ ├── testzlib.c │ │ └── testzlib.txt │ ├── untgz │ │ ├── Makefile │ │ ├── Makefile.msc │ │ └── untgz.c │ └── vstudio │ │ ├── readme.txt │ │ ├── vc10 │ │ ├── miniunz.vcxproj │ │ ├── miniunz.vcxproj.filters │ │ ├── minizip.vcxproj │ │ ├── minizip.vcxproj.filters │ │ ├── testzlib.vcxproj │ │ ├── testzlib.vcxproj.filters │ │ ├── testzlibdll.vcxproj │ │ ├── testzlibdll.vcxproj.filters │ │ ├── zlib.rc │ │ ├── zlibstat.vcxproj │ │ ├── zlibstat.vcxproj.filters │ │ ├── zlibvc.def │ │ ├── zlibvc.sln │ │ ├── zlibvc.vcxproj │ │ └── zlibvc.vcxproj.filters │ │ ├── vc11 │ │ ├── miniunz.vcxproj │ │ ├── minizip.vcxproj │ │ ├── testzlib.vcxproj │ │ ├── testzlibdll.vcxproj │ │ ├── zlib.rc │ │ ├── zlibstat.vcxproj │ │ ├── zlibvc.def │ │ ├── zlibvc.sln │ │ └── zlibvc.vcxproj │ │ ├── vc12 │ │ ├── miniunz.vcxproj │ │ ├── minizip.vcxproj │ │ ├── testzlib.vcxproj │ │ ├── testzlibdll.vcxproj │ │ ├── zlib.rc │ │ ├── zlibstat.vcxproj │ │ ├── zlibvc.def │ │ ├── zlibvc.sln │ │ └── zlibvc.vcxproj │ │ ├── vc14 │ │ ├── miniunz.vcxproj │ │ ├── minizip.vcxproj │ │ ├── testzlib.vcxproj │ │ ├── testzlibdll.vcxproj │ │ ├── zlib.rc │ │ ├── zlibstat.vcxproj │ │ ├── zlibvc.def │ │ ├── 
zlibvc.sln │ │ └── zlibvc.vcxproj │ │ └── vc9 │ │ ├── miniunz.vcproj │ │ ├── minizip.vcproj │ │ ├── testzlib.vcproj │ │ ├── testzlibdll.vcproj │ │ ├── zlib.rc │ │ ├── zlibstat.vcproj │ │ ├── zlibvc.def │ │ ├── zlibvc.sln │ │ └── zlibvc.vcproj │ ├── crc32.c │ ├── crc32.h │ ├── deflate.c │ ├── deflate.h │ ├── doc │ ├── algorithm.txt │ ├── rfc1950.txt │ ├── rfc1951.txt │ ├── rfc1952.txt │ └── txtvsbin.txt │ ├── examples │ ├── README.examples │ ├── enough.c │ ├── fitblk.c │ ├── gun.c │ ├── gzappend.c │ ├── gzjoin.c │ ├── gzlog.c │ ├── gzlog.h │ ├── zlib_how.html │ ├── zpipe.c │ └── zran.c │ ├── gzclose.c │ ├── gzguts.h │ ├── gzlib.c │ ├── gzread.c │ ├── gzwrite.c │ ├── infback.c │ ├── inffast.c │ ├── inffast.h │ ├── inffixed.h │ ├── inflate.c │ ├── inflate.h │ ├── inftrees.c │ ├── inftrees.h │ ├── make_vms.com │ ├── msdos │ ├── Makefile.bor │ ├── Makefile.dj2 │ ├── Makefile.emx │ ├── Makefile.msc │ └── Makefile.tc │ ├── nintendods │ ├── Makefile │ └── README │ ├── old │ ├── Makefile.emx │ ├── Makefile.riscos │ ├── README │ ├── descrip.mms │ ├── os2 │ │ ├── Makefile.os2 │ │ └── zlib.def │ └── visual-basic.txt │ ├── os400 │ ├── README400 │ ├── bndsrc │ ├── make.sh │ └── zlib.inc │ ├── qnx │ └── package.qpg │ ├── test │ ├── example.c │ ├── infcover.c │ └── minigzip.c │ ├── treebuild.xml │ ├── trees.c │ ├── trees.h │ ├── uncompr.c │ ├── watcom │ ├── watcom_f.mak │ └── watcom_l.mak │ ├── win32 │ ├── DLL_FAQ.txt │ ├── Makefile.bor │ ├── Makefile.gcc │ ├── Makefile.msc │ ├── README-WIN32.txt │ ├── VisualC.txt │ ├── zlib.def │ └── zlib1.rc │ ├── zconf.h │ ├── zconf.h.cmakein │ ├── zconf.h.in │ ├── zlib.3 │ ├── zlib.3.pdf │ ├── zlib.h │ ├── zlib.map │ ├── zlib.pc.cmakein │ ├── zlib.pc.in │ ├── zlib2ansi │ ├── zutil.c │ └── zutil.h ├── headers ├── agent_op.h ├── ar.h ├── custom_output_search.h ├── debug_op.h ├── defs.h ├── dirtree_op.h ├── file-queue.h ├── file_op.h ├── fs_op.h ├── hash_op.h ├── help.h ├── list_op.h ├── math_op.h ├── mem_op.h ├── mq_op.h ├── os_err.h ├── 
privsep_op.h ├── pthreads_op.h ├── randombytes.h ├── rc.h ├── read-agents.h ├── read-alert.h ├── regex_op.h ├── report_op.h ├── rules_op.h ├── sec.h ├── shared.h ├── sig_op.h ├── store_op.h ├── string_op.h ├── validate_op.h └── wait_op.h ├── init ├── adduser.sh ├── darwin-addusers.pl ├── darwin-init.sh ├── functions.sh ├── fw-check.sh ├── init.sh ├── language.sh ├── ossec-client.sh ├── ossec-hids-aix.init ├── ossec-hids-alpine.init ├── ossec-hids-debian.init ├── ossec-hids-gentoo.init ├── ossec-hids-rh.init ├── ossec-hids-solaris.init ├── ossec-hids-suse.init ├── ossec-hids.init ├── ossec-local.sh ├── ossec-server.sh ├── osx105-addusers.sh ├── shared.sh └── update.sh ├── install-shim-aix.ksh ├── logcollector ├── COPYRIGHT ├── VERSION ├── config.c ├── logcollector.c ├── logcollector.h ├── main.c ├── read_audit.c ├── read_command.c ├── read_djb_multilog.c ├── read_fullcommand.c ├── read_journald.c ├── read_mssql_log.c ├── read_multiline.c ├── read_multiline_indented.c ├── read_mysql_log.c ├── read_nmapg.c ├── read_ossecalert.c ├── read_postgresql_log.c ├── read_snortfull.c ├── read_syslog.c ├── read_win_el.c └── read_win_event_channel.c ├── monitord ├── compress_log.c ├── generate_reports.c ├── main.c ├── manage_files.c ├── monitor_agents.c ├── monitord.c ├── monitord.h ├── sendcustomemail.c └── sign_log.c ├── os_auth ├── auth.h ├── check_cert.c ├── check_cert.h ├── main-client.c ├── main-server.c ├── ssl-test.c └── ssl.c ├── os_crypto ├── blowfish │ ├── bf_enc.c │ ├── bf_locl.h │ ├── bf_op.c │ ├── bf_op.h │ ├── bf_pi.h │ ├── bf_skey.c │ ├── blowfish.h │ └── main.c ├── md5 │ ├── main.c │ ├── md5.c │ ├── md5.h │ ├── md5_op.c │ └── md5_op.h ├── md5_sha1 │ ├── main.c │ ├── md5_sha1_op.c │ └── md5_sha1_op.h ├── sha1 │ ├── main.c │ ├── md32_common.h │ ├── sha.h │ ├── sha1_op.c │ ├── sha1_op.h │ └── sha_locl.h └── shared │ ├── keys.c │ └── msgs.c ├── os_csyslogd ├── alert.c ├── config.c ├── csyslogd.c ├── csyslogd.h └── main.c ├── os_dbd ├── README ├── alert.c ├── config.c 
├── convert-db-ipv6.sql ├── db_op.c ├── db_op.h ├── dbd.c ├── dbd.h ├── dbd_help.c ├── dbmake.sh ├── main.c ├── mysql.schema ├── postgresql.schema ├── rules.c └── server.c ├── os_execd ├── config.c ├── exec.c ├── execd.c ├── execd.h └── win_execd.c ├── os_maild ├── config.c ├── mail_list.c ├── mail_list.h ├── maild.c ├── maild.h ├── os_maild_client.c ├── sendcustomemail.c └── sendmail.c ├── os_net ├── COPYRIGHT ├── VERSION ├── os_net.c └── os_net.h ├── os_regex ├── COPYRIGHT ├── README ├── VERSION ├── examples │ ├── Makefile │ ├── match.c │ ├── regex.c │ ├── regex_str.c │ ├── run.sh │ ├── tests │ │ ├── false.regex │ │ ├── false.tests │ │ ├── str.regex │ │ ├── true.regex │ │ └── true.tests │ └── validate.pl ├── os_converter.c ├── os_match.c ├── os_match_compile.c ├── os_match_execute.c ├── os_match_free_pattern.c ├── os_pcre2.c ├── os_pcre2_compile.c ├── os_pcre2_execute.c ├── os_pcre2_free_pattern.c ├── os_pcre2_free_substrings.c ├── os_regex.c ├── os_regex.h ├── os_regex_compile.c ├── os_regex_execute.c ├── os_regex_free_pattern.c ├── os_regex_free_substrings.c ├── os_regex_internal.h ├── os_regex_maps.c ├── os_regex_match.c ├── os_regex_startswith.c ├── os_regex_str.c └── os_regex_strbreak.c ├── os_xml ├── COPYRIGHT ├── README ├── VERSION ├── examples │ ├── mem_test.c │ ├── test.c │ └── test.xml ├── os_xml.c ├── os_xml.h ├── os_xml_access.c ├── os_xml_internal.h ├── os_xml_node_access.c ├── os_xml_variables.c └── os_xml_writer.c ├── os_zlib ├── os_zlib.c ├── os_zlib.h └── zlib-test.c ├── remoted ├── COPYRIGHT ├── README ├── VERSION ├── ar-forward.c ├── config.c ├── main.c ├── manager.c ├── remoted.c ├── remoted.h ├── secure.c ├── sendmsg.c ├── syslog.c └── syslogtcp.c ├── reportd └── report.c ├── rootcheck ├── check_open_ports.c ├── check_rc_dev.c ├── check_rc_files.c ├── check_rc_if.c ├── check_rc_pids.c ├── check_rc_policy.c ├── check_rc_ports.c ├── check_rc_readproc.c ├── check_rc_sys.c ├── check_rc_trojans.c ├── common.c ├── common_rcl.c ├── config.c ├── db │ 
├── acsc_office2016_rcl.txt │ ├── cis_apache2224_rcl.txt │ ├── cis_debian_linux_rcl.txt │ ├── cis_debianlinux7-8_L1_rcl.txt │ ├── cis_debianlinux7-8_L2_rcl.txt │ ├── cis_mysql5-6_community_rcl.txt │ ├── cis_mysql5-6_enterprise_rcl.txt │ ├── cis_rhel5_linux_rcl.txt │ ├── cis_rhel6_linux_rcl.txt │ ├── cis_rhel7_linux_rcl.txt │ ├── cis_rhel_linux_rcl.txt │ ├── cis_sles11_linux_rcl.txt │ ├── cis_sles12_linux_rcl.txt │ ├── cis_solaris11_rcl.txt │ ├── cis_win10_enterprise_L1_rcl.txt │ ├── cis_win10_enterprise_L2_rcl.txt │ ├── cis_win2012r2_domainL1_rcl.txt │ ├── cis_win2012r2_domainL2_rcl.txt │ ├── cis_win2012r2_memberL1_rcl.txt │ ├── cis_win2012r2_memberL2_rcl.txt │ ├── cis_win2016_domainL1_rcl.txt │ ├── cis_win2016_domainL2_rcl.txt │ ├── cis_win2016_memberL1_rcl.txt │ ├── cis_win2016_memberL2_rcl.txt │ ├── rootkit_files.txt │ ├── rootkit_trojans.txt │ ├── system_audit_pw.txt │ ├── system_audit_rcl.txt │ ├── system_audit_ssh.txt │ ├── win_applications_rcl.txt │ ├── win_audit_rcl.txt │ └── win_malware_rcl.txt ├── os_string.c ├── rootcheck-config.c ├── rootcheck.c ├── rootcheck.conf ├── rootcheck.h ├── run_rk_check.c ├── unix-process.c ├── util │ └── ads_dump.c ├── win-common.c └── win-process.c ├── shared ├── agent_op.c ├── custom_output_search_replace.c ├── debug_op.c ├── dirtree_op.c ├── file-queue.c ├── file_op.c ├── fs_op.c ├── hash_op.c ├── help.c ├── list_op.c ├── math_op.c ├── mem_op.c ├── mq_op.c ├── privsep_op.c ├── pthreads_op.c ├── randombytes.c ├── read-agents.c ├── read-alert.c ├── regex_op.c ├── report_op.c ├── rules_op.c ├── sig_op.c ├── store_op.c ├── string_op.c ├── tests │ ├── Makefile │ ├── hash_test.c │ ├── ip_test.c │ ├── merge_test.c │ ├── prime_test.c │ └── string_test.c ├── validate_op.c └── wait_op.c ├── syscheckd ├── config.c ├── create_db.c ├── run_check.c ├── run_realtime.c ├── seechanges.c ├── syscheck.c ├── syscheck.h └── win-registry.c ├── systemd ├── agent │ ├── ossec-agent.target │ ├── ossec-agentd.service │ ├── ossec-execd.service │ ├── 
ossec-logcollector.service │ └── ossec-syscheckd.service └── server │ ├── ossec-agentless.service │ ├── ossec-analysisd.service │ ├── ossec-csyslog.service │ ├── ossec-dbd.service │ ├── ossec-execd.service │ ├── ossec-logcollector.service │ ├── ossec-maild.service │ ├── ossec-monitord.service │ ├── ossec-remoted.service │ ├── ossec-server.target │ └── ossec-syscheckd.service ├── tests ├── test_os_crypto.c ├── test_os_net.c ├── test_os_regex.c ├── test_os_xml.c ├── test_os_zlib.c ├── test_shared.c └── valgrind.supp ├── util ├── agent_control.c ├── clear_stats.c ├── list_agents.c ├── ossec-regex-convert.c ├── ossec-regex.c ├── rootcheck_control.c ├── syscheck_control.c ├── syscheck_update.c └── verify-agent-conf.c └── win32 ├── SimpleSC └── SimpleSC.dll ├── add-localfile.c ├── agent_auth.c ├── doc.html ├── favicon.ico ├── help.txt ├── icofile.rc ├── nsProcess ├── nsProcess.dll └── nsProcess.nsh ├── os_win.h ├── ossec-installer.nsi ├── ossec-uninstall.ico ├── ossec.conf ├── read-registry.c ├── setup-iis.c ├── setup-shared.c ├── setup-shared.h ├── setup-syscheck.c ├── setup-win.c ├── ui ├── common.c ├── favicon.ico ├── os_win32ui.c ├── os_win32ui.exe.manifest ├── os_win32ui.h └── win32ui.rc ├── unix2dos.pl ├── vista_sec.txt ├── win_agent.c └── win_service.c /BUGS: -------------------------------------------------------------------------------- 1 | OSSEC v3.8.0 2 | Copyright (C) 2019 Trend Micro Inc. 3 | 4 | 5 | ** Reporting bugs ** 6 | 7 | Please, make sure to include the following information: 8 | 9 | -OSSEC version number. 10 | -Content of /etc/ossec-init.conf 11 | -Content of /var/ossec/etc/ossec.conf 12 | -Content of /var/ossec/logs/ossec.log 13 | -Operating system name/version (uname -a if Unix) 14 | -Any other relevant information. 
15 | 16 | 17 | 18 | Github (Public Issue Reporting): 19 | https://github.com/ossec/ossec-hids/issues 20 | 21 | Email (Private Issue Reporting): 22 | If you prefer to contact us privately or if it is a security 23 | issue, send an e-mail to OSSEC Project ( ossec@ossec-hids.org ). 24 | 25 | -------------------------------------------------------------------------------- /CONFIG: -------------------------------------------------------------------------------- 1 | OSSEC v3.8.0 2 | Copyright (C) 2019 Trend Micro Inc. 3 | 4 | 5 | = Information about OSSEC = 6 | 7 | Visit http://ossec.github.io 8 | 9 | 10 | = Recommended Installation = 11 | 12 | See INSTALL 13 | 14 | 15 | == Configuring OSSEC == 16 | 17 | Just follow the steps from the install.sh script. 18 | More information at 19 | https://ossec.github.io/docs/manual/index.html 20 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | | Version | Supported | 6 | | ------- | ------------------ | 7 | | 4.7.x | :white_check_mark: | 8 | | 3.7.x | :white_check_mark: | 9 | | < 3.7.0 | :x: | 10 | 11 | ## Reporting a Vulnerability 12 | 13 | Please visit the URL for OSSEC security contact: 14 | 15 | https://www.ossec.net/.well-known/security.txt 16 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | Before you submit an issue, please review the project's [Support Options](https://ossec.github.io/about.html#support-options). 2 | -------------------------------------------------------------------------------- /active-response/win/restart-ossec.cmd: -------------------------------------------------------------------------------- 1 | :: Simple script to restart ossec agent. 2 | @ECHO OFF 3 | ECHO. 
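:: Logging it all
FOR /F "TOKENS=1* DELIMS= " %%A IN ('DATE/T') DO SET DATE=%%B
FOR /F "TOKENS=1* DELIMS= " %%A IN ('TIME/T') DO SET TIME=%%A
ECHO %DATE% %TIME% %0 %1 %2 %3 %4 %5 %6 %7 %8 %9 >> active-response/active-responses.log


IF "%1"=="add" GOTO ADD
IF "%1"=="delete" GOTO DEL
:ERROR

ECHO "Invalid argument. %1"
GOTO Exit;


:ADD
net stop OssecSvc
net start OssecSvc

GOTO Exit;

:DEL

:Exit
--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build driver: runs the three generate_ossec.sh steps (-d, -u, -b) in
# order from the checkout this script lives in; set -e / pipefail stop
# the run at the first failing step instead of building on a broken
# intermediate state.

set -e -o pipefail

# Quote $0 and the derived path: an unquoted expansion is word-split by
# the shell, so a checkout whose path contains whitespace would resolve
# to the wrong directory (or run the wrong command).
scriptpath=$(dirname "$0")
"$scriptpath/contrib/debian-packages/generate_ossec.sh" -d
"$scriptpath/contrib/debian-packages/generate_ossec.sh" -u
"$scriptpath/contrib/debian-packages/generate_ossec.sh" -b
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/compat:
--------------------------------------------------------------------------------
7
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/conffiles:
--------------------------------------------------------------------------------
/var/ossec/etc/ossec.conf
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides:
--------------------------------------------------------------------------------
ossec-hids-agent: embedded-library
ossec-hids-agent: embedded-zlib
ossec-hids-agent: possible-gpl-code-linked-with-openssl
ossec-hids-agent: new-package-should-close-itp-bug
ossec-hids-agent: possibly-insecure-handling-of-tmp-files-in-maintainer-script
ossec-hids-agent: 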
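non-standard-dir-in-var
ossec-hids-agent: file-in-unusual-dir
ossec-hids-agent: hardening-no-fortify-functions
ossec-hids-agent: hardening-no-relro
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/patches/series:
--------------------------------------------------------------------------------
02_ossec-agent.conf.patch
01_makefile.patch
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/postrm:
--------------------------------------------------------------------------------
#!/bin/sh
# postrm script for ossec-hids
# Santiago Bassett
# 03/25/2014
#
# Account, group and init-script cleanup is done on "purge" only.  On
# "remove" the conffile (/var/ossec/etc/ossec.conf, see debian/conffiles)
# and whatever else is left under /var/ossec stay on disk, and on
# "failed-upgrade" / "abort-upgrade" the previous package version is
# still installed and still needs the ossec account.  Deleting the
# account in those cases leaves the remaining files owned by an orphaned
# UID that a later account creation can reuse.

set -e

case "$1" in
    purge)
        # Look up the exact account name.  Matching "getent passwd" output
        # against "^ossec" also matches any other account whose name starts
        # with that prefix; "deluser ossec" would then abort the script
        # (set -e) whenever the ossec account itself is already gone.
        if getent passwd ossec >/dev/null 2>&1
        then
            deluser ossec
        fi
        if getent group ossec >/dev/null 2>&1
        then
            delgroup ossec
        fi
        rm -f /etc/init.d/ossec
        rm -f /etc/ossec-init.conf
        update-rc.d -f ossec remove
        ;;

    remove|failed-upgrade|abort-install|abort-upgrade|disappear)
        # Nothing to undo here; see the header comment.
        ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/source/format:
--------------------------------------------------------------------------------
3.0 (quilt)
--------------------------------------------------------------------------------
/contrib/debian-packages/ossec-hids-agent/debian/templates:
--------------------------------------------------------------------------------
Template: ossec-hids-agent/server-ip
Type: string
Default: 127.0.0.1
Description: OSSEC server IP address for this agent. This server is also known as Manager and will receive information from the agent. 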
You need to specify the IP address; a hostname is not valid. The agent still needs to be registered and started manually. 5 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/compat: -------------------------------------------------------------------------------- 1 | 7 2 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/conffiles: -------------------------------------------------------------------------------- 1 | /var/ossec/etc/ossec.conf 2 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/control: -------------------------------------------------------------------------------- 1 | Source: ossec-hids 2 | Section: admin 3 | Priority: extra 4 | Maintainer: Santiago Bassett 5 | Build-Depends: debhelper (>= 7.0.50~), libssl-dev, linux-libc-dev 6 | Standards-Version: 3.8.4 7 | Homepage: http://www.ossec.net 8 | 9 | Package: ossec-hids 10 | Architecture: any 11 | Depends: ${shlibs:Depends}, libc6 (>= 2.7), libssl1.0.0, expect, debconf 12 | Conflicts: ossec-hids-agent 13 | Description: OSSEC - Host Based Intrusion Detection System 14 | OSSEC HIDS for log analysis, integrity checking, rootkit detection and 15 | active response. This package includes the server and the agent. 
16 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/ossec-hids.lintian-overrides: -------------------------------------------------------------------------------- 1 | ossec-hids: embedded-library 2 | ossec-hids: embedded-zlib 3 | ossec-hids: possible-gpl-code-linked-with-openssl 4 | ossec-hids: new-package-should-close-itp-bug 5 | ossec-hids: possibly-insecure-handling-of-tmp-files-in-maintainer-script 6 | ossec-hids: non-standard-dir-in-var 7 | ossec-hids: file-in-unusual-dir 8 | ossec-hids: hardening-no-fortify-functions 9 | ossec-hids: hardening-no-relro 10 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/patches/series: -------------------------------------------------------------------------------- 1 | 02_ossec-server.conf.patch 2 | 01_makefile.patch 3 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /contrib/debian-packages/ossec-hids/debian/templates: -------------------------------------------------------------------------------- 1 | Template: ossec-hids/email_notification 2 | Type: select 3 | Choices: yes, no 4 | Default: no 5 | Description: Enable email notification when an alert is triggered. 6 | 7 | Template: ossec-hids/email_to 8 | Type: string 9 | Default: root@localhost 10 | Description: This is the email address where alerts will be sent to. 11 | 12 | Template: ossec-hids/email_from 13 | Type: string 14 | Default: ossecm@localhost 15 | Description: This is the from email address used to send alerts. 
16 | 17 | Template: ossec-hids/smtp_server 18 | Type: string 19 | Default: localhost 20 | Description: SMTP server IP address or hostname. 21 | -------------------------------------------------------------------------------- /contrib/logtesting/1/log: -------------------------------------------------------------------------------- 1 | Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11 2 | -------------------------------------------------------------------------------- /contrib/logtesting/1/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Nov 2 13:24:34 melancia pam: gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11' 3 | hostname: 'melancia' 4 | program_name: 'pam' 5 | log: 'gdm-password[1600]: pam_unix(gdm-password:session): session closed for user dcid11' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/10/log: -------------------------------------------------------------------------------- 1 | Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty 2 | -------------------------------------------------------------------------------- /contrib/logtesting/10/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty' 3 | hostname: 'triumph' 4 | program_name: 'PAM-securetty' 5 | log: 'Couldn't open /etc/securetty' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '1001' 12 | Level: '2' 13 | Description: 'File missing. Root access unrestricted.' 14 | **Alert to be generated. 
15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/11/log: -------------------------------------------------------------------------------- 1 | Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0 2 | -------------------------------------------------------------------------------- /contrib/logtesting/11/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Sep 11 01:40:59 bogus.com su: ericx to root on /dev/ttyu0' 3 | hostname: 'bogus.com' 4 | program_name: 'su' 5 | log: 'ericx to root on /dev/ttyu0' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'su' 9 | srcuser: 'ericx' 10 | dstuser: 'root' 11 | 12 | **Phase 3: Completed filtering (rules). 13 | Rule id: '5305' 14 | Level: '4' 15 | Description: 'First time (su) is executed by user.' 16 | **Alert to be generated. 17 | 18 | 19 | -------------------------------------------------------------------------------- /contrib/logtesting/12/log: -------------------------------------------------------------------------------- 1 | May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root 2 | -------------------------------------------------------------------------------- /contrib/logtesting/12/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'May 4 11:17:42 niban su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 
11 | Rule id: '2501' 12 | Level: '5' 13 | Description: 'User authentication failure.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/13/log: -------------------------------------------------------------------------------- 1 | May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test 2 | -------------------------------------------------------------------------------- /contrib/logtesting/13/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'May 4 11:18:52 niban su(pam_unix)[2307]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=test' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '2501' 12 | Level: '5' 13 | Description: 'User authentication failure.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/14/log: -------------------------------------------------------------------------------- 1 | Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342) 2 | -------------------------------------------------------------------------------- /contrib/logtesting/14/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Jun 8 09:01:01 niban su(pam_unix)[1313]: session opened for user root by (uid=1342)' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/15/log: -------------------------------------------------------------------------------- 1 | Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342) 2 | -------------------------------------------------------------------------------- /contrib/logtesting/15/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Jun 9 13:32:14 niban su(pam_unix)[1338]: session opened for user root by (uid=1342)' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/16/log: -------------------------------------------------------------------------------- 1 | Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root 2 | -------------------------------------------------------------------------------- /contrib/logtesting/16/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Jul 5 00:30:21 lili su[2190]: + pts/4 dcid-root' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/17/log: -------------------------------------------------------------------------------- 1 | Jul 5 12:13:15 lili su[2614]: Authentication failed for root 2 | -------------------------------------------------------------------------------- /contrib/logtesting/17/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Jul 5 12:13:15 lili su[2614]: Authentication failed for root' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '2501' 12 | Level: '5' 13 | Description: 'User authentication failure.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/18/log: -------------------------------------------------------------------------------- 1 | Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root 2 | -------------------------------------------------------------------------------- /contrib/logtesting/18/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/19/log: -------------------------------------------------------------------------------- 1 | May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006 2 | -------------------------------------------------------------------------------- /contrib/logtesting/19/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 21 10:24:54 niban useradd[6070]: new group: name=test, gid=5006' 3 | hostname: 'niban' 4 | program_name: 'useradd' 5 | log: 'new group: name=test, gid=5006' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5901' 12 | Level: '8' 13 | Description: 'New group added to the system' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/2/log: -------------------------------------------------------------------------------- 1 | Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0) 2 | -------------------------------------------------------------------------------- /contrib/logtesting/2/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Nov 1 14:54:03 melancia runuser: pam_unix(runuser:session): session opened for user root by (uid=0)' 3 | hostname: 'melancia' 4 | program_name: 'runuser' 5 | log: 'pam_unix(runuser:session): session opened for user root by (uid=0)' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'pam' 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5501' 12 | Level: '3' 13 | Description: 'Login session opened.' 14 | **Alert to be generated. 
15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/20/log: -------------------------------------------------------------------------------- 1 | May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000 2 | -------------------------------------------------------------------------------- /contrib/logtesting/20/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 28 10:48:29 niban useradd[32421]: new group: name=logr, gid=12000' 3 | hostname: 'niban' 4 | program_name: 'useradd' 5 | log: 'new group: name=logr, gid=12000' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5901' 12 | Level: '8' 13 | Description: 'New group added to the system' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/21/log: -------------------------------------------------------------------------------- 1 | Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001 2 | -------------------------------------------------------------------------------- /contrib/logtesting/21/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jun 16 09:53:44 niban useradd[5721]: new group: name=test2, gid=12001' 3 | hostname: 'niban' 4 | program_name: 'useradd' 5 | log: 'new group: name=test2, gid=12001' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5901' 12 | Level: '8' 13 | Description: 'New group added to the system' 14 | **Alert to be generated. 
15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/22/log: -------------------------------------------------------------------------------- 1 | Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002 2 | -------------------------------------------------------------------------------- /contrib/logtesting/22/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Aug 4 15:11:23 niban groupadd[26459]: new group: name=osaudit, gid=12002' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/23/log: -------------------------------------------------------------------------------- 1 | Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002 2 | -------------------------------------------------------------------------------- /contrib/logtesting/23/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Aug 4 15:14:14 niban groupadd[26477]: new group: name=osaudit, gid=12002' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/24/log: -------------------------------------------------------------------------------- 1 | Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash 2 | -------------------------------------------------------------------------------- /contrib/logtesting/24/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Apr 5 16:19:49 niban adduser[16188]: new user: name=port4, uid=12006, gid=0, home=/home/port4, shell=/bin/bash' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/25/log: -------------------------------------------------------------------------------- 1 | Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls 2 | -------------------------------------------------------------------------------- /contrib/logtesting/25/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/26/log: -------------------------------------------------------------------------------- 1 | Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls 2 | -------------------------------------------------------------------------------- /contrib/logtesting/26/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' 3 | hostname: 'enigma' 4 | program_name: 'sudo' 5 | log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'sudo' 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5404' 12 | Level: '10' 13 | Description: 'Three failed attempts to run sudo' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/27/log: -------------------------------------------------------------------------------- 1 | May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls 2 | -------------------------------------------------------------------------------- /contrib/logtesting/27/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: 'May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls' 3 | hostname: 'enigma' 4 | program_name: 'sudo' 5 | log: 'dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'sudo' 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '5404' 12 | Level: '10' 13 | Description: 'Three failed attempts to run sudo' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/28/log: -------------------------------------------------------------------------------- 1 | Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls 2 | -------------------------------------------------------------------------------- /contrib/logtesting/28/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/29/log: -------------------------------------------------------------------------------- 1 | Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1 2 | -------------------------------------------------------------------------------- /contrib/logtesting/29/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | -------------------------------------------------------------------------------- /contrib/logtesting/3/log: -------------------------------------------------------------------------------- 1 | Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4 2 | -------------------------------------------------------------------------------- /contrib/logtesting/3/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4' 3 | hostname: 'localhost' 4 | program_name: 'vsftpd' 5 | log: 'pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'pam' 9 | srcip: '1.2.3.4' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '5503' 13 | Level: '5' 14 | Description: 'User login failed.' 15 | **Alert to be generated. 
16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/30/log: -------------------------------------------------------------------------------- 1 | Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin 2 | -------------------------------------------------------------------------------- /contrib/logtesting/30/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/31/log: -------------------------------------------------------------------------------- 1 | May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure 2 | -------------------------------------------------------------------------------- /contrib/logtesting/32/log: -------------------------------------------------------------------------------- 1 | May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers 2 | -------------------------------------------------------------------------------- /contrib/logtesting/33/log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/contrib/logtesting/33/log -------------------------------------------------------------------------------- /contrib/logtesting/33/res: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/contrib/logtesting/33/res -------------------------------------------------------------------------------- /contrib/logtesting/34/log: -------------------------------------------------------------------------------- 1 | May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com 2 | -------------------------------------------------------------------------------- /contrib/logtesting/34/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com' 3 | hostname: 'server' 4 | program_name: 'ftpd' 5 | log: 'ANONYMOUS FTP LOGIN FROM emaca.here.com' 6 | 7 | **Phase 2: Completed decoding. 
8 | decoder: 'ftpd' 9 | srcip: 'emaca.here.com' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '11106' 13 | Level: '3' 14 | Description: 'Remote host connected to FTP server.' 15 | **Alert to be generated. 16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/35/log: -------------------------------------------------------------------------------- 1 | May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped 2 | -------------------------------------------------------------------------------- /contrib/logtesting/35/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'May 16 22:46:08 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' 3 | hostname: 'victim-host' 4 | program_name: 'inetd' 5 | log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '40107' 12 | Level: '14' 13 | Description: 'Heap overflow in the Solaris cachefsd service.' 14 | Info - CVE: '2002-0033' 15 | **Alert to be generated. 16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/36/log: -------------------------------------------------------------------------------- 1 | May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped 2 | -------------------------------------------------------------------------------- /contrib/logtesting/36/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: 'May 16 22:46:24 victim-host inetd[600]: /usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' 3 | hostname: 'victim-host' 4 | program_name: 'inetd' 5 | log: '/usr/lib/fs/cachefs/cachefsd: Segmentation Fault - core dumped' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '40107' 12 | Level: '14' 13 | Description: 'Heap overflow in the Solaris cachefsd service.' 14 | Info - CVE: '2002-0033' 15 | **Alert to be generated. 16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/37/log: -------------------------------------------------------------------------------- 1 | Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0 2 | -------------------------------------------------------------------------------- /contrib/logtesting/37/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Apr 17 22:20:29 hostj named[312]: [ID 295310 daemon.notice] security: notice: dropping source port zero packet from [64.211.251.254].0' 3 | hostname: 'hostj' 4 | program_name: 'named' 5 | log: 'security: notice: dropping source port zero packet from [64.211.251.254].0' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'named' 9 | srcip: '64.211.251.254' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '12101' 13 | Level: '12' 14 | Description: 'Invalid DNS packet. Possibility of attack.' 15 | **Alert to be generated. 
16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/38/log: -------------------------------------------------------------------------------- 1 | sshd[7386]: error: Bad prime description in line 73 2 | -------------------------------------------------------------------------------- /contrib/logtesting/38/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'sshd[7386]: error: Bad prime description in line 73' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'sshd[7386]: error: Bad prime description in line 73' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '1002' 12 | Level: '2' 13 | Description: 'Unknown problem somewhere in the system.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/39/log: -------------------------------------------------------------------------------- 1 | Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11) 2 | -------------------------------------------------------------------------------- /contrib/logtesting/39/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Jan 12 20:48:29 elrond sshd[19734]: refused connect from accsys.elink.net.au (203.31.101.11)' 3 | hostname: 'elrond' 4 | program_name: 'sshd' 5 | log: 'refused connect from accsys.elink.net.au (203.31.101.11)' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'sshd' 9 | srcip: '203.31.101.11' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '2503' 13 | Level: '5' 14 | Description: 'Connection blocked by Tcp Wrappers.' 15 | **Alert to be generated. 
16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/4/log: -------------------------------------------------------------------------------- 1 | Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b. 2 | -------------------------------------------------------------------------------- /contrib/logtesting/4/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.' 3 | hostname: 'hostname' 4 | program_name: 'cimserver' 5 | log: 'PGS17200: Authentication failed for user jones_b.' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'cimserver' 9 | dstuser: 'jones_b' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '9610' 13 | Level: '5' 14 | Description: 'Compaq Insight Manager authentication failure.' 15 | **Alert to be generated. 16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/40/log: -------------------------------------------------------------------------------- 1 | Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 2 | -------------------------------------------------------------------------------- /contrib/logtesting/40/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 
11 | Rule id: '1002' 12 | Level: '2' 13 | Description: 'Unknown problem somewhere in the system.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/41/log: -------------------------------------------------------------------------------- 1 | Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 2 | -------------------------------------------------------------------------------- /contrib/logtesting/41/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '1002' 12 | Level: '2' 13 | Description: 'Unknown problem somewhere in the system.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/42/log: -------------------------------------------------------------------------------- 1 | [Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190) 2 | -------------------------------------------------------------------------------- /contrib/logtesting/42/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: '[Tue Sep 12 10:38:15 2006] [error] [client 127.0.0.1] request failed: URI too long (longer than 8190)' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: '[error] [client 127.0.0.1] request failed: URI too long (longer than 8190)' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'apache-errorlog' 9 | srcip: '127.0.0.1' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '30117' 13 | Level: '10' 14 | Description: 'Invalid URI, file name too long.' 15 | **Alert to be generated. 16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/44/log: -------------------------------------------------------------------------------- 1 | Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443] 2 | -------------------------------------------------------------------------------- /contrib/logtesting/44/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Sep 1 10:29:33 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.12:1234 -> 192.168.100.1:443]' 6 | 7 | **Phase 2: Completed decoding. 8 | No decoder matched. 
9 | -------------------------------------------------------------------------------- /contrib/logtesting/5/log: -------------------------------------------------------------------------------- 1 | Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast 2 | -------------------------------------------------------------------------------- /contrib/logtesting/6/log: -------------------------------------------------------------------------------- 1 | Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec 2 | -------------------------------------------------------------------------------- /contrib/logtesting/6/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'vsftpd' 9 | dstuser: 'xx' 10 | status: 'OK UPLOAD' 11 | srcip: '1.2.3.4' 12 | url: '/a.php' 13 | 14 | **Phase 3: Completed filtering (rules). 15 | Rule id: '11404' 16 | Level: '0' 17 | Description: 'FTP server file upload.' 18 | -------------------------------------------------------------------------------- /contrib/logtesting/7/log: -------------------------------------------------------------------------------- 1 | MySQL log: 060516 22:38:46 mysqld ended 2 | -------------------------------------------------------------------------------- /contrib/logtesting/7/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 
2 | full event: 'MySQL log: 060516 22:38:46 mysqld ended' 3 | hostname: 'melancia' 4 | program_name: '(null)' 5 | log: 'MySQL log: 060516 22:38:46 mysqld ended' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'mysql_log' 9 | 10 | **Phase 3: Completed filtering (rules). 11 | Rule id: '50120' 12 | Level: '12' 13 | Description: 'Database shutdown message.' 14 | **Alert to be generated. 15 | 16 | 17 | -------------------------------------------------------------------------------- /contrib/logtesting/8/log: -------------------------------------------------------------------------------- 1 | Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4] 2 | -------------------------------------------------------------------------------- /contrib/logtesting/8/res: -------------------------------------------------------------------------------- 1 | **Phase 1: Completed pre-decoding. 2 | full event: 'Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]' 3 | hostname: 'gandalf' 4 | program_name: 'pop3d' 5 | log: 'LOGIN FAILED, ip=[::ffff:1.2.3.4]' 6 | 7 | **Phase 2: Completed decoding. 8 | decoder: 'courier' 9 | srcip: '::ffff:1.2.3.4' 10 | 11 | **Phase 3: Completed filtering (rules). 12 | Rule id: '3902' 13 | Level: '5' 14 | Description: 'Courier (imap/pop3) authentication failed.' 15 | **Alert to be generated. 
16 | 17 | 18 | -------------------------------------------------------------------------------- /contrib/logtesting/9/log: -------------------------------------------------------------------------------- 1 | type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp" 2 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/cimserver.ini: -------------------------------------------------------------------------------- 1 | [rshd: illegal] 2 | log 1 pass = Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b. 3 | log 2 fail = Dec 18 18:06:29 hostname vimserver[18575]: PGS17200: Authentication failed for user domain\jones_b. 4 | 5 | 6 | rule = 9610 7 | alert = 5 8 | decoder = cimserver 9 | 10 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/dnsmasq.ini: -------------------------------------------------------------------------------- 1 | [dnsmasq group] 2 | log 1 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 query[A] server.example.com from 10.10.10.33 3 | log 2 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 forwarded server.example.com to 10.20.20.10 4 | log 3 pass = Jul 17 14:49:57 dnsmasq[15210]: 21745 10.10.10.33/59490 reply server.example.com is 5 | 6 | rule = 53551 7 | alert = 0 8 | decoder = dnsmasq 9 | 10 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/doas.ini: -------------------------------------------------------------------------------- 1 | [failed command] 2 | log 1 fail = Apr 13 08:49:20 ix doas: failed command for ddp2: ls 3 | 4 | rule = 51554 5 | alert = 
5 6 | decoder = doas 7 | 8 | [command run as root] 9 | log 1 fail = Mar 22 07:21:58 ix doas: ddp ran command /bin/ksh as root from /data/ddp/projects/git/sysconf/ossec/rules 10 | 11 | rule = 51556 12 | alert = 2 13 | decoder = doas 14 | 15 | [failed auth] 16 | log 1 fail = Feb 29 14:58:39 ix doas: failed auth for ddp 17 | 18 | rule = 51557 19 | alert = 5 20 | decoder = doas 21 | 22 | [doas command run] 23 | log 1 fail = Aug 13 15:16:40 ix doas: ddp ran command as ddpnfs: ls 24 | 25 | rule = 51555 26 | alert = 1 27 | decoder = doas 28 | 29 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/dpkg.ini: -------------------------------------------------------------------------------- 1 | [dpkg log] 2 | log 1 pass = 2018-05-31 12:09:56 upgrade vlc-plugin-visualization:amd64 3.0.2-1+b1 3.0.3-1 3 | log 2 pass = 2018-05-11 09:41:49 conffile /etc/redis/redis.conf keep 4 | 5 | rule = 2900 6 | alert = 0 7 | decoder = windows-date-format 8 | 9 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/dropbear.ini: -------------------------------------------------------------------------------- 1 | [already listening] 2 | log 1 pass = Jun 25 14:04:30 10.0.0.1 dropbear[30746]: Failed listening on '7001': Error listening: Address already in use 3 | 4 | rule = 51011 5 | alert = 1 6 | decoder = dropbear 7 | 8 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/mailscanner.ini: -------------------------------------------------------------------------------- 1 | [update phishing] 2 | log 1 fail = Feb 14 06:29:39 hostname update.bad.phishing.sites: Phishing bad sites list updated 3 | rule = 3752 4 | alert = 0 5 | decoder = 6 | 7 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/openbsd-httpd.ini: 
-------------------------------------------------------------------------------- 1 | [access] 2 | log 1 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:29:48 -0400] "GET / HTTP/1.0" 302 0 3 | log 2 pass = wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:32:57 -0400] "GET /nmaplowercheck1531024375 HTTP/1.1" 302 0 4 | rule = 31100 5 | alert = 0 6 | decoder = openbsd-httpd 7 | 8 | [POST] 9 | log 1 pass = www.wafflelab.online 192.168.18.8 - - [08/Jul/2018:00:33:13 -0400] "POST /sdk HTTP/1.1" 404 0 10 | 11 | rule = 31530 12 | alert = 3 13 | decoder = openbsd-httpd 14 | 15 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/openbsd.ini: -------------------------------------------------------------------------------- 1 | [sendsyslog drop] 2 | log 1 fail = Oct 16 08:15:07 ix sendsyslog: dropped 2 messages, error 55 3 | 4 | rule = 51558 5 | alert = 4 6 | decoder = 7 | 8 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/rsh.ini: -------------------------------------------------------------------------------- 1 | [rshd: illegal] 2 | log 1 pass = Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port 3 | log 2 fail = Dec 17 10:49:23 hostname rhsd[347339]: Connection from 10.217.223.31 on illegal port 4 | 5 | rule = 2551 6 | alert = 10 7 | decoder = rshd 8 | 9 | -------------------------------------------------------------------------------- /contrib/ossec-testing/tests/systemd.ini: -------------------------------------------------------------------------------- 1 | [Stale file handle.] 
log 3 fail = Jul 19 07:28:02 localhost systemd: Failed to mark scope session-1024.scope as abandoned : Stale file handle

rule = 40701
alert = 0
decoder =

-------------------------------------------------------------------------------- /contrib/ossec-testing/tests/vsftpd.ini: --------------------------------------------------------------------------------
[CONNECT]
log 1 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "fe80::baac:6fff:fe7d:d2e0"
log 2 pass = Wed Jul 27 18:32:27 2016 [pid 2] CONNECT: Client "10.11.12.13"

rule = 11401
alert = 3
decoder = vsftpd

[LOGIN]
log 1 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "10.55.112.101"
log 2 pass = Mon Oct 24 11:32:53 2016 [pid 1] [$ALOC$] FAIL LOGIN: Client "fe80::baac:6fff:fe7d:d2e0"

rule = 11403
alert = 5
decoder = vsftpd

-------------------------------------------------------------------------------- /contrib/ossec2mysql.conf: --------------------------------------------------------------------------------
# PARAMS USED BY OSSEC2BASED
# dbpasswd below is stored in clear text: keep this file owned by the account
# that runs ossec2mysql and readable by it only (e.g. chmod 0600), and replace
# the placeholder credentials before use.
dbhost=localhost
database=ossecbase
debug=5
dbport=3306
dbpasswd=yourpassword
dbuser=youruser
daemonize=0
sensor=centralserver
hids_interface=ossec
resolve=1
-------------------------------------------------------------------------------- /contrib/selinux/README.md: --------------------------------------------------------------------------------
## Ossec-agent SELinux module
The SELinux module provides additional security protection for the ossec application

## Installation
1. Run semodule -i ossec\_agent.pp.bz2 on a running SELinux installation
2. Run restorecon -R /var/ossec
3. Restart ossec agent via systemd/init/etc
4. 
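Check that it got the right context (ps -AZ)

You should run chcon manually if you put the ossec installation in a different place; see the .fc file for details

## Configuration
Nothing to configure :)

## Bug reports & contribution
Contact: ivan.agarkov@gmail.com

-------------------------------------------------------------------------------- /contrib/selinux/ossec_agent.pp.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/contrib/selinux/ossec_agent.pp.bz2 -------------------------------------------------------------------------------- /contrib/selinux/ossec_agent/ossec_agent.if: --------------------------------------------------------------------------------
##
-------------------------------------------------------------------------------- /contrib/specs/remove_ossec: --------------------------------------------------------------------------------
#!/bin/bash
# remove_ossec: tear down an RPM-based OSSEC install (the FC7 packages) together
# with its accounts, data directory and init hooks.
#
# Every step below needs root (rpm -e, userdel, rm -fr /var/ossec, chkconfig);
# without this guard each command merely prints an error and the script still
# "succeeds".
if [ "$(id -u)" -ne 0 ]; then
    echo "remove_ossec: must be run as root" >&2
    exit 1
fi

# No "set -e" on purpose: rpm -e fails for whichever packages are not
# installed, and the cleanup below must still run.
rpm -e ossec-hids-server-FC7
rpm -e ossec-hids-local-FC7
rpm -e ossec-hids-agent-FC7

rm -fr /var/ossec/

# userdel -r also removes each account's home directory and mail spool. The
# OSSEC accounts are expected to have /var/ossec (already removed above) as
# home; on a customized install check "getent passwd ossec ossecm ossecr"
# before running this.
for A in ossec ossecm ossecr ; do /usr/sbin/userdel -r "$A" ; done

/usr/sbin/groupdel ossec

/sbin/chkconfig ossec off
/sbin/chkconfig --del ossec

# Remove init.d file
[ -f /etc/init.d/ossec ] && rm /etc/init.d/ossec

# Exit cleanly even when there was no init script left to remove; otherwise
# the "&&" above would make a missing file the script's exit status.
exit 0
-------------------------------------------------------------------------------- /contrib/zeromq_pubsub.py: --------------------------------------------------------------------------------
import zmq

# Minimal ZeroMQ subscriber: connects to a PUB endpoint on localhost:11999
# (presumably the OSSEC zeromq output) and prints every message it receives.
#
# Security note (review): this socket configures no authentication or
# encryption (no CURVE keys, no ZAP handler), so whatever is published is read
# in clear text, and if the publisher is equally unauthenticated any host that
# can reach its port can subscribe as well. Keep the publisher bound to
# loopback or a trusted network, or enable CURVE on both ends, before using
# this beyond a local test.
context = zmq.Context()
s = context.socket(zmq.SUB)
s.connect("tcp://localhost:11999")
# An empty prefix subscribes to every message. SUBSCRIBE takes bytes on
# Python 3; b"" is also valid on Python 2.6+, so this works on both.
s.setsockopt(zmq.SUBSCRIBE, b"")
while 1:
    d = s.recv()
    # print() as a function works on both Python 2 and 3 for a single
    # argument; the original "print d" statement is a SyntaxError on 3.
    # On Python 3 this shows the bytes repr; decode first if raw text is needed.
    print(d)
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/changelog: 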
--------------------------------------------------------------------------------
ossec-hids-agent (3.6.0-1) unstable; urgency=medium

  * support arm64 package

 -- Santiago Bassett  Wed, 08 Jan 2020 19:45:23 +0000

ossec-hids-agent (2.8.2-2) unstable; urgency=low

  * Set ossec user home to /var/ossec/
  * Added linux-libc-dev build dependency to Debian control file

 -- Santiago Bassett  Mon, 15 Jun 2015 08:43:10 +0000

ossec-hids-agent (2.8.2-1) unstable; urgency=low

  * 2.8.2 Initial release. Includes several fixes, and patch for CVE-2015-3222

 -- Santiago Bassett  Mon, 15 Jun 2015 08:43:10 +0000
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/compat: --------------------------------------------------------------------------------
7
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/conffiles: --------------------------------------------------------------------------------
/var/ossec/etc/ossec.conf
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/control: --------------------------------------------------------------------------------
Source: ossec-hids-agent
Section: admin
Priority: extra
Maintainer: Santiago Bassett
Build-Depends: debhelper (>= 7.0.50~), linux-libc-dev, libssl-dev, libevent-dev, libpcre2-dev, zlib1g-dev
Standards-Version: 3.8.4
Homepage: https://www.ossec.net

Package: ossec-hids-agent
Architecture: any
Depends: ${shlibs:Depends}, debconf, libc6 (>= 2.7)
Conflicts: ossec-hids
Description: OSSEC Agent - Host Based Intrusion Detection System
 OSSEC HIDS for log analysis, integrity checking, rootkit detection and
 active response. This package contains the agent only; the server ships in
 the ossec-hids package, which this package conflicts with.
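
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/ossec-hids-agent.lintian-overrides: --------------------------------------------------------------------------------
# Review: three of the overrides below silence genuine findings rather than
# false positives -- the binaries are built without FORTIFY_SOURCE and without
# RELRO, and lintian flagged temp-file handling in a maintainer script (not the
# postrm in this directory, so presumably preinst/postinst). Prefer fixing the
# build flags (dpkg-buildflags, hardening=+all) and the script, then drop them.
ossec-hids-agent: embedded-library
ossec-hids-agent: embedded-zlib
ossec-hids-agent: possible-gpl-code-linked-with-openssl
ossec-hids-agent: new-package-should-close-itp-bug
ossec-hids-agent: possibly-insecure-handling-of-tmp-files-in-maintainer-script
ossec-hids-agent: non-standard-dir-in-var
ossec-hids-agent: file-in-unusual-dir
ossec-hids-agent: hardening-no-fortify-functions
ossec-hids-agent: hardening-no-relro
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/patches/series: --------------------------------------------------------------------------------
02_ossec-agent.conf.patch
01_makefile.patch
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/postrm: --------------------------------------------------------------------------------
#!/bin/sh
# postrm script for ossec-hids
# Santiago Bassett
# 03/25/2014
#
# Review notes on the account handling:
#  * "ossec" is looked up by exact name. The previous `getent passwd | grep
#    "^ossec"` was a prefix match, so an unrelated account such as "ossecm" or
#    "ossec-foo" satisfied the test and `deluser ossec` then ran (and, under
#    set -e, aborted the script) even when no "ossec" account existed.
#  * The service account and group are dropped only on purge. Removing them on
#    every invocation -- including "upgrade" -- leaves whatever stays under
#    /var/ossec (ossec.conf is a conffile) owned by a dangling uid/gid that a
#    later account could be allocated and silently inherit.

set -e

case "$1" in
    purge)
        if getent passwd ossec >/dev/null
        then
            deluser ossec
        fi
        if getent group ossec >/dev/null
        then
            delgroup ossec
        fi
        rm -f /etc/init.d/ossec
        rm -f /etc/ossec-init.conf
        update-rc.d -f ossec remove
        ;;

    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        # NOTE(review): these three lines ran for every argument in the
        # original script and are kept as-is; whether removing the init script
        # on "upgrade" is intended depends on postinst recreating it, which is
        # not visible here -- confirm.
        rm -f /etc/init.d/ossec
        rm -f /etc/ossec-init.conf
        update-rc.d -f ossec remove
        ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
        ;;

esac

exit 0
-------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/source/format: 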
-------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /debian_files/3.6.0/ossec-hids-agent/debian/templates: -------------------------------------------------------------------------------- 1 | Template: ossec-hids-agent/server-ip 2 | Type: string 3 | Default: 127.0.0.1 4 | Description: OSSEC server IP address for this agent. This server is also known as Manager and will receive information from the agent. You need to specify the IP address, the hostname is not valid. The agent still needs to be registered and started manually. 5 | -------------------------------------------------------------------------------- /doc/README.config: -------------------------------------------------------------------------------- 1 | Configuration options: 2 | 3 | https://www.ossec.net/docs/ 4 | -------------------------------------------------------------------------------- /doc/active-response.txt: -------------------------------------------------------------------------------- 1 | OSSEC HIDS v0.7 2 | Copyright (c) 2004-2006 Daniel B. 
Cid 3 | 4 | 5 | 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | -------------------------------------------------------------------------------- /doc/br/INSTALL.br: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/INSTALL.br -------------------------------------------------------------------------------- /doc/br/README.config: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/README.config -------------------------------------------------------------------------------- /doc/br/TRANSLATION: -------------------------------------------------------------------------------- 1 | ** Traduzido por Willian Itiho Amano 2 | ** Translated by Willian Itiho Amano 3 | -------------------------------------------------------------------------------- /doc/br/active-response-internal.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/active-response-internal.txt -------------------------------------------------------------------------------- /doc/br/active-response.txt: -------------------------------------------------------------------------------- 1 | OSSEC HIDS v0.7 2 | Copyright (c) 2004-2006 Daniel B. 
Cid 3 | 4 | 5 | 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | -------------------------------------------------------------------------------- /doc/br/logs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/logs.txt -------------------------------------------------------------------------------- /doc/br/manager.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/manager.txt -------------------------------------------------------------------------------- /doc/br/rootcheck.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/rootcheck.txt -------------------------------------------------------------------------------- /doc/br/rule_ids.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/rule_ids.txt -------------------------------------------------------------------------------- /doc/br/rules.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/br/rules.txt -------------------------------------------------------------------------------- /doc/images/fim-test.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/images/fim-test.gif -------------------------------------------------------------------------------- /doc/images/ssh-attack.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/doc/images/ssh-attack.gif -------------------------------------------------------------------------------- /doc/pl/README.config: -------------------------------------------------------------------------------- 1 | Opcje konfiguracyjne: 2 | 3 | http://www.ossec.net/docs/ 4 | -------------------------------------------------------------------------------- /doc/pl/TRANSLATION: -------------------------------------------------------------------------------- 1 | ** Tłumaczenie Krzysztof Dziankowski 2 | ** Translated by Krzysztof Dziankowski 3 | -------------------------------------------------------------------------------- /doc/pl/active-response.txt: -------------------------------------------------------------------------------- 1 | OSSEC HIDS v0.7 2 | Copyright (c) 2004-2006 Daniel B. Cid 3 | 4 | 5 | 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | -------------------------------------------------------------------------------- /etc/local_internal_options-win.conf: -------------------------------------------------------------------------------- 1 | # local_internal_options.conf 2 | # 3 | # This file should be handled with care. It contains 4 | # run time modifications that can affect the use 5 | # of OSSEC. Only change it if you know what you 6 | # are doing. Look first at ossec.conf 7 | # for most of the things you want to change. 8 | # 9 | # This file will not be overwritten during upgrades 10 | # but will be removed when the agent is un-installed. 11 | -------------------------------------------------------------------------------- /etc/local_internal_options.conf: -------------------------------------------------------------------------------- 1 | # local_internal_options.conf 2 | # 3 | # This file should be handled with care. 
It contains 4 | # run time modifications that can affect the use 5 | # of OSSEC. Only change it if you know what you 6 | # are doing. Look first at ossec.conf 7 | # for most of the things you want to change. 8 | # 9 | # This file will not be overwritten during upgrades. 10 | -------------------------------------------------------------------------------- /etc/rules/dnsmasq_rules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | dnsmasq 5 | dnsmasq grouping rule. 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /etc/rules/last_rootlogin_rules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 535 9 | root|reboot|admin|superuser|administrator|supervisor|toor 10 | sensitive login detected 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /etc/rules/lighttpd_rules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | lighttpd 4 | fastcgi 5 | FastCGI error message. 
6 | 7 | 8 | -------------------------------------------------------------------------------- /etc/rules/log-entries/101: -------------------------------------------------------------------------------- 1 | #unknown system 2 | Feb 15 16:08:14 triumph PAM-securetty[741]: Couldn't open /etc/securetty 3 | Jan 26 21:01:23 test100 PAM-securetty[284]: Couldn't open /etc/securetty 4 | #Red hat 5 | Nov 7 21:01:17 enigma PAM-securetty[975]: Couldn't open /etc/securetty 6 | Apr 19 17:06:03 ecos2 PAM-securetty[1203]: Couldn't open /etc/securetty 7 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1401: -------------------------------------------------------------------------------- 1 | #Red Hat box 2 | Feb 1 14:39:16 nogan sudo: test2 : 3 incorrect password attempts ; TTY=pts/4 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/ls 3 | #OpenBSD 4 | Jan 28 20:36:33 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls 5 | May 26 19:40:25 enigma sudo: dcid : 3 incorrect password attempts ; TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/bin/ls 6 | 7 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1402: -------------------------------------------------------------------------------- 1 | #Red Hat 2 | Feb 4 10:43:02 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/ls 3 | Feb 4 10:44:00 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/bin/chmod 777 /home/dcid/test1 4 | Feb 4 10:46:37 niban sudo: dcid : TTY=pts/26 ; PWD=/home/dcid/dev/pr/osaudit/osaudit-0.1/src ; USER=root ; COMMAND=/bin/cp -pr ../bin/logreader ../bin/logremote ../bin/logremote-client /var/osaudit/bin 5 | #OpenBSD 6 | May 26 19:40:41 enigma sudo: dcid : TTY=ttyp0 ; PWD=/var/www/htdocs ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure 7 | #Slackware 8 | May 26 20:16:17 lili sudo: dcid : TTY=pts/1 ; 
PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers 9 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1602: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/log-entries/1602 -------------------------------------------------------------------------------- /etc/rules/log-entries/1603: -------------------------------------------------------------------------------- 1 | May 17 01:01:19 server ftpd[746]: ANONYMOUS FTP LOGIN FROM emaca.here.com 2 | [192.168.3.236], 1.1.1.F.1.1.C.A.?..k^1.1.^^AF^Df..^A.'.1.^^A.=.1.1.^^HC^B1...1 3 | .^^H.^L...u.1.F^I^^H.=..^N.0..F^D1.F^Gv^HF^L.N^HV^L.^K.1.1.^A.....0bin0sh1..11 4 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1609: -------------------------------------------------------------------------------- 1 | a.out[347] attempt to execute code on stack by uid 555 2 | Nov 12 18:47:01 foo.bar.baz /usr/dt/bin/rpc.ttdbserverd[646]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting... 
3 | Nov 12 18:47:01 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped 4 | Nov 12 18:47:02 foo.bar.baz unix: rpc.ttdbserverd[1932] attempt to execute code on stack by uid 0 5 | Nov 12 18:47:02 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped 6 | Nov 12 18:47:03 foo.bar.baz unix: rpc.ttdbserverd[1934] attempt to execute code on stack by uid 0 7 | Nov 12 18:47:03 foo.bar.baz inetd[143]: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped 8 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1902: -------------------------------------------------------------------------------- 1 | Apr 20 09:14:45 hostname named[98]: denied AXFR from [1.2.3.4].1329 for 2 | "xxxxx.com" (not master/slave) 3 | Mar 1 13:52:03 arcane named[15025]: denied AXFR from [205.166.226.38].1421 for "atfantasy.com" (acl) 4 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1903: -------------------------------------------------------------------------------- 1 | Jan 6 13:40:28 drew named[128838]: denied update from [24.64.63.195].41151 for in-addr.arpa 2 | Jan 6 13:40:47 drew named[128838]: denied update from [24.64.63.195].41858 for in-addr.arpa 3 | unapproved update from [132.174.25.169].1848 for 174.132.in-addr.arpa 4 | Dec 31 00:01:31 valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied 5 | -------------------------------------------------------------------------------- /etc/rules/log-entries/1905: -------------------------------------------------------------------------------- 1 | named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/AAAA/IN': 200.206.159.96#53 2 | 3 | named[8020]: unexpected RCODE (REFUSED) resolving 'inteligentes.cjb.net/A/IN': 200.206.159.96#53 4 | -------------------------------------------------------------------------------- 
/etc/rules/log-entries/201: -------------------------------------------------------------------------------- 1 | #Unknown 2 | May 26 12:53:57 atlas kernel: svc: unknown program 100227 (me 100003) 3 | Feb 28 07:46:15 bs11 kernel: svc: unknown program 100227 (me 100003) 4 | Jun 28 09:58:14 poseidon kernel: svc: unknown program 100227 (me 100003) 5 | -------------------------------------------------------------------------------- /etc/rules/log-entries/202: -------------------------------------------------------------------------------- 1 | Mar 30 12:01:25 compute-0-0.local automount[6447]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske 2 | Mar 30 12:01:25 compute-0-0.local automount[6449]: mount(nfs): nfs: mount failure cares.local:/export/home/jfiske on /home/jfiske 3 | Aug 4 12:35:30 localhost automount[7203]: mount(nfs): nfs: mount failure 192.168.1.100:/compile/nfs/107 on /test/107 4 | Jul 2 22:37:52 gkar automount[2344]: mount(nfs): nfs: mount failure sunray:/exp 5 | Aug 4 12:31:56 localhost automount[5252]: mount(nfs): nfs: mount 6 | failure 192.168.1.100:/compile/nfs/16 7 | -------------------------------------------------------------------------------- /etc/rules/log-entries/204: -------------------------------------------------------------------------------- 1 | rpc.mountd: refused mount request from 10.0.0.12 for /home2/files (/): no export entry 2 | Jan 12 08:20:00 gateway rpc.mountd: refused mount request from test.bscnet.com for /mnt (/): no export entry 3 | Jul 5 12:00:53 lili rpc.mountd: refused mount request from enigma for /bin (/): no export entry 4 | Jul 5 12:01:03 lili rpc.mountd: refused mount request from enigma for /etc (/): no export entry 5 | -------------------------------------------------------------------------------- /etc/rules/log-entries/2601: -------------------------------------------------------------------------------- 1 | pptpd[7282]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: 
status = -1 error = Protocol not available 2 | pptpd[7293]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available 3 | pptpd[7510]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available 4 | pptpd[8916]: GRE: read(fd=7,buffer=80567c0,len=8260) from network failed: status = -1 error = Protocol not available 5 | -------------------------------------------------------------------------------- /etc/rules/log-entries/301: -------------------------------------------------------------------------------- 1 | Jan 25 21:05:40 horus xinetd[4479]: Deactivating service ftp due to excessive incoming connections. Restarting in 30 seconds. 2 | Feb 20 14:54:32 localhost xinetd[717]: Deactivating service nsca due to excessive incoming connections. Restarting in 30 seconds. 3 | -------------------------------------------------------------------------------- /etc/rules/log-entries/401: -------------------------------------------------------------------------------- 1 | # freebsd invalid physical login 2 | login: 1 LOGIN FAILURE ON ttyv0 3 | login: 1 LOGIN FAILURE ON ttyv0, root 4 | 5 | # saslauthd 6 | saslauthd[113]: do_auth : auth failure: [user=SERVERWEB\Administrador] [service=smtp] [realm=] [mech=shadow] [reason=Unknown] 7 | 8 | # Strange sshd logs 9 | sshd[7386]: error: Bad prime description in line 73 10 | sshd[8143]: error: Bad prime description in line 73 11 | -------------------------------------------------------------------------------- /etc/rules/log-entries/408: -------------------------------------------------------------------------------- 1 | #Red Hat 2 | Feb 4 16:54:28 niban login[1074]: FAILED LOGIN 1 FROM (null) FOR dcid, Authentication failure 3 | -------------------------------------------------------------------------------- /etc/rules/log-entries/409: -------------------------------------------------------------------------------- 1 | #FreeBSD 2 | Feb 15 14:32:20 
freebsd-1 sshd[1374]: Illegal user dcid from 192.168.1.2 3 | Feb 15 16:11:56 freebsd-1 sshd[2690]: Illegal user dcid from 192.168.10.153 4 | Aug 1 15:44:10 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 5 | Aug 1 15:44:10 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 6 | Aug 1 15:44:11 enigma sshd[6682]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 7 | Aug 1 15:44:11 enigma sshd[13752]: Failed password for invalid user ss7 from 65.202.215.2 port 18546 ssh2 8 | -------------------------------------------------------------------------------- /etc/rules/log-entries/iis6: -------------------------------------------------------------------------------- 1 | 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31 2 | 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 400 0 0 1467 841 31 3 | 2007-01-23 05:00:11 W3SVC22 xxx.ossec.net 1.2.3.4 GET / - 80 - 192.168.2.33 HTTP/1.1 Windows-Update-Agent - - myhost.name 500 0 0 1467 841 31 4 | 2005-05-21 05:39:27 W3SVC1 hostname123 192.168.0.101 GET /VirtualServerError/VSWebApp.exe view=1 1024 WEBBROWSER\User 192.168.0.101 HTTP/1.0 Mozilla/4.0+(User-Agent) - - xx.nada.com 200 0 0 5 | -------------------------------------------------------------------------------- /etc/rules/log-entries/kernel: -------------------------------------------------------------------------------- 1 | kernel: tcp_parse_options: Illegal window scaling value 200 >14 received. 
2 | -------------------------------------------------------------------------------- /etc/rules/log-entries/ns1: -------------------------------------------------------------------------------- 1 | > 1:Nov 30 18:01:53 xx.xx.xx.xx ns204: NetScreen device_id=ns204 2 | > [Root]system-critical-00027: 2nd push has been confirmed. (2005-11-30 3 | > 17:56:44) 4 | > 5 | > 2:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204 6 | > [Root]system-critical-00027: Configuration Erase sequence accepted, 7 | > unit reset. (2005-11-30 17:56:50) 8 | > 9 | > 3:Nov 30 18:01:59 xx.xx.xx.xx ns204: NetScreen device_id=ns204 10 | > [Root]system-notification-00033: NSM keys were deleted. (2005-11-30 11 | > 17:56:50) 12 | -------------------------------------------------------------------------------- /etc/rules/log-entries/smbd: -------------------------------------------------------------------------------- 1 | smbd[12252]: getpeername failed. Error was Transport endpoint is not connected 2 | smbd[12252]: Denied connection from (0.0.0.0) 3 | smbd[12252]: getpeername failed. Error was Transport endpoint is not connected 4 | smbd[12252]: Connection denied from 0.0.0.0 5 | smbd[12252]: write_socket_data: write failure. Error = Connection reset by peer 6 | smbd[12252]: write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer 7 | smbd[12252]: Error writing 5 bytes to client. -1. (Connection reset by peer) 8 | May 31 15:54:18 homesmbsrv smbd[124]: Permission denied-- user not allowed to delete, pause, or resume print job. User name: oahmet. Printer name: prnq1. 
9 | 10 | -------------------------------------------------------------------------------- /etc/rules/mhn_dionaea_rules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | dionaea 10 | Connection to Dionaea Honeypot identified 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /etc/rules/ms1016_usbdetect_rules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 18104 6 | ^6416$ 7 | A new external device was recognized by the System 8 | windows, 9 | 10 | 11 | -------------------------------------------------------------------------------- /etc/templates/br/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Erro 0x1. 3 | Este script só pode ser executado a partir do mesmo diretório. 4 | Altere o diretório para onde está este script antes de rodá-lo. 5 | Você deve rodá-lo como "./install.sh" 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/br/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Erro 0x2. 3 | Você necessita ser root para rodar este script. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/br/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Erro 0x3. 3 | Você necessita de um compilador (como gcc ou cc) para continuar 4 | a instalação. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/br/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Erro 0x4. 3 | Modalidade de instalação errada. Deve ser apenas [S]ervidor, [A]gente ou [L]ocal. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/br/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Erro 0x5. 3 | Erro na Compilação. Não foi possível finalizar a instalação. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/br/language.txt: -------------------------------------------------------------------------------- 1 | ** Para instalação em português, escolha [br]. 2 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Você está iniciando o processo de instalação do OSSEC HIDS. 3 | Você precisará de um compilador C pré-instalado em seu sistema. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Obrigado por usar o OSSEC HIDS. 3 | Se você tiver alguma pergunta, sugestão ou encontrar algum 4 | "bug", nos contate através do e-mail contact@ossec.net ou 5 | utilize nossa lista de e-mail: 6 | ( http://www.ossec.net/main/support/ ). 7 | 8 | Maiores informações podem ser encontradas em http://www.ossec.net 9 | 10 | --- Pressione ENTER para continuar --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Para se comunicar com o servidor, você primeiro precisa 3 | adicionar este cliente a ele. Quando você tiver terminado, 4 | use a ferramenta 'manage_agents' para importar a chave de 5 | autenticação do servidor. 
6 | 7 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Nenhuma ação foi tomada para que OSSEC HIDS inicie 3 | durante o 'boot'. Adicione a seguinte linha em seu 4 | script de inicialização: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Se quiser monitorar qualquer outro arquivo, modifique 2 | o ossec.conf e adicione uma nova entrada para o arquivo. 3 | Qualquer dúvida sobre a configuração, visite http://www.ossec.net/hids/ . 4 | 5 | 6 | --- Pressione ENTER para continuar --- 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Respostas automáticas permitem você executar um comando 3 | específico baseado nos eventos recebidos. Você pode 4 | bloquear um endereço de IP ou desabilitar o acesso de 5 | um usuário específico, por exemplo. 6 | Maiores informações: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/br/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Sistema de respostas automáticas habilitado. 2 | 3 | - Por padrão, nós podemos habilitar o 'host-deny' e 4 | o 'firewall-drop'. O primeiro adicionará um host 5 | ao /etc/hosts.deny e o segundo bloqueará o host 6 | no 'iptables' (se linux) ou no ipfilter (se Solaris, 7 | FreeBSD ou NetBSD). 8 | - Eles podem ser usados para parar 'SSHD brute force 9 | scans', portscans e outras formas de ataque. 
10 | Você pode também realizar bloqueios baseados nos 11 | alertas do snort, por exemplo. 12 | -------------------------------------------------------------------------------- /etc/templates/cn/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | 错误代码 0x1. 3 | 该脚本只能在安装文件的同目录运行. 4 | 请到脚本所在目录运行它. 5 | 你必须以 ./install.sh 的形式运行它. 6 | -------------------------------------------------------------------------------- /etc/templates/cn/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | 错误代码 0x2. 3 | 你必须以 root 的身份运行该脚本. 4 | -------------------------------------------------------------------------------- /etc/templates/cn/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | 错误代码 0x3. 3 | 在继续安装之前,您必须安装并配置好编译器(如 gcc 或 cc). 4 | -------------------------------------------------------------------------------- /etc/templates/cn/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | 错误代码 0x4. 3 | 错误的安装类型. 安装类型只能是代理端安装(agent), 服务器端安装(server) 4 | 或本地安装(local). 5 | -------------------------------------------------------------------------------- /etc/templates/cn/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Building error. Unable to finish the installation. 4 | 5 | 错误代码 0x5. 6 | 编译错误. 不能完成安装. 7 | -------------------------------------------------------------------------------- /etc/templates/cn/language.txt: -------------------------------------------------------------------------------- 1 | ** 要使用中文进行安装, 请选择 [cn]. 2 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | 您将开始 OSSEC HIDS 的安装. 
3 | 请确认在您的机器上已经正确安装了 C 编译器. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x102-installhelp.txt: -------------------------------------------------------------------------------- 1 | 2 | - 您可以有三种安装选项:服务器端安装(server),代理端(agent)或本地安装(local). 3 | 4 | -如果选择'服务器端安装(server)', 您将可以分析所有日志, 5 | 发送e-mail告警及联动,接收远端机器的syslog日志, 6 | 接收代理端发回的日志(代理端发回的日志是经过加密的). 7 | 8 | -如果您选择'代理端安装(agent)', 您将可以读取本机文件(syslog, snort, 9 | apache等)并将它们发送给服务器端(加密过后)进行分析. 10 | 11 | -如果选择'本地安装(local)',除了不能接收远程机器或代理端发回的信息外,你可以 12 | 作服务器(server)安装能做的任何事情. 13 | 14 | - 如果您希望安装一个日志分析服务器,请选择'server'. 15 | 16 | - 如果您已经有一台日志分析服务器并且希望将本机的日志传送给它,请选择'agent'. 17 | (这是web服务器, 数据库服务器等的理想配置方法) 18 | 19 | - 如果您只有一台机器要监控,那么请选择'local'. 20 | 21 | - 要获得更多的信息, 请访问: 22 | http://www.ossec.net/docs/docs/manual/non-technical-overview.html 23 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | 感谢使用 OSSEC HIDS. 4 | 如果您有任何疑问,建议或您找到任何bug, 5 | 请通过 contact@ossec.net 或邮件列表 ossec-list@ossec.net 联系我们. 6 | ( http://www.ossec.net/en/mailing_lists.html ). 7 | 8 | 您可以在 http://www.ossec.net 获得更多信息 9 | 10 | --- 请按 ENTER 结束安装 (下面可能有更多信息). --- 11 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - 您必须首先将该代理添加到服务器端以使他们能够相互通信. 3 | 这样做了以后,您可以运行'manage_agents'工具导入 4 | 服务器端产生的认证密匙. 5 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - 未能配置 OSSEC HIDS 在系统启动时自动运行. 3 | 请将以下行添加到启动脚本. 
4 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | 2 | -如果你希望监控其他文件, 只需要在配置文件ossec.conf中 3 | 添加新的一项. 4 | 任何关于配置的疑问您都可以在 http://www.ossec.net 找到答案. 5 | 6 | 7 | --- 按 ENTER 以继续 --- 8 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- 关联响应允许您在分析已接收事件的基础上执行一个 3 | 已定义的命令. 4 | 例如,你可以阻止某个IP地址的访问或禁止某个用户的访问权限. 5 | 更多的信息,您可以访问: 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | -------------------------------------------------------------------------------- /etc/templates/cn/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | 2 | - 关联响应已开启 3 | 4 | - 默认情况下, 我们开启了主机拒绝和防火墙拒绝两种响应. 5 | 第一种情况将添加一个主机到 /etc/hosts.deny. 6 | 第二种情况将在iptables(linux)或ipfilter(Solaris, 7 | FreeBSD 或 NetBSD)中拒绝该主机的访问. 8 | - 该功能可以用以阻止 SSHD 暴力攻击, 端口扫描和其他 9 | 一些形式的攻击. 同样你也可以将他们添加到其他地方, 10 | 例如将他们添加为 snort 的事件. 
11 | -------------------------------------------------------------------------------- /etc/templates/config/apache-logs.template: -------------------------------------------------------------------------------- 1 | /var/log/apache/error.log 2 | /var/log/apache/error_log 3 | /var/log/apache/access.log 4 | /var/log/apache/access_log 5 | /var/www/logs/access_log 6 | /var/www/logs/error_log 7 | /var/log/httpd/error_log 8 | /var/log/httpd/access_log 9 | /var/log/nginx/access.log 10 | /var/log/nginx/error.log 11 | /var/log/apache2/error.log 12 | /var/log/apache2/access.log 13 | -------------------------------------------------------------------------------- /etc/templates/config/ar-disable-account.template: -------------------------------------------------------------------------------- 1 | 2 | disable-account 3 | disable-account.sh 4 | user 5 | yes 6 | 7 | 8 | 9 | restart-ossec 10 | restart-ossec.sh 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /etc/templates/config/ar-firewall-drop.template: -------------------------------------------------------------------------------- 1 | 2 | firewall-drop 3 | firewall-drop.sh 4 | srcip 5 | yes 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/config/ar-host-deny.template: -------------------------------------------------------------------------------- 1 | 2 | host-deny 3 | host-deny.sh 4 | srcip 5 | yes 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/config/ar-routenull.template: -------------------------------------------------------------------------------- 1 | 2 | route-null 3 | route-null.sh 4 | srcip 5 | yes 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/config/pgsql-logs.template: -------------------------------------------------------------------------------- 1 | /var/log/postgresql/postgresql-8.1-main.log 
2 | /var/log/postgresql/postgresql.log 3 | -------------------------------------------------------------------------------- /etc/templates/config/snort-logs.template: -------------------------------------------------------------------------------- 1 | /var/log/snort/alert 2 | -------------------------------------------------------------------------------- /etc/templates/de/errors/0x1-location.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/errors/0x1-location.txt -------------------------------------------------------------------------------- /etc/templates/de/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/errors/0x2-beroot.txt -------------------------------------------------------------------------------- /etc/templates/de/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/errors/0x3-dependencies.txt -------------------------------------------------------------------------------- /etc/templates/de/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/errors/0x4-installtype.txt -------------------------------------------------------------------------------- /etc/templates/de/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Fehler 0x5. 3 | Fehler beim compilieren. Das Paket kann nicht installiert werden. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/de/language.txt: -------------------------------------------------------------------------------- 1 | ** Für eine deutsche Installation wählen Sie [de]. 2 | -------------------------------------------------------------------------------- /etc/templates/de/messages.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x101-initial.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x101-initial.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x102-installhelp.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x102-installhelp.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x103-thanksforusing.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x104-client.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x104-client.txt 
-------------------------------------------------------------------------------- /etc/templates/de/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Es wurde kein Startup Script erstellt. Um OSSEC HIDS beim 3 | booten automatisch zu starten, sollten Sie die folgende Zeile 4 | in ein init Script aufnehmen: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/de/messages/0x106-logs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x106-logs.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x107-ar.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x107-ar.txt -------------------------------------------------------------------------------- /etc/templates/de/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/etc/templates/de/messages/0x108-ar-enabled.txt -------------------------------------------------------------------------------- /etc/templates/el/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Σφάλμα 0x1. 3 | Το αρχείο αυτό μπορεί να εκτελεστεί μόνο από τον κατάλογο 4 | στον οποίο βρίσκεται. 
5 | Μεταβείτε στον κατάλογο που βρίσκεται αυτό το αρχείο και 6 | τρέξτε την εντολή ./install.sh 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/el/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Σφάλμα 0x2. 3 | Πρέπει να είστε συνδεδεμένος ως root 4 | για να εγκαταστήσετε αυτό το πρόγραμμα. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/el/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Σφάλμα 0x3. 3 | Χρειάζεστε έναν μεταγλωττιστή (όπως gcc ή cc) για να 4 | συνεχίσετε με την εγκατάσταση. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/el/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Σφάλμα 0x4. 3 | Λάθος τύπος εγκατάστασης. Μπορεί μόνο να είναι agent, server ή local. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/el/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Σφάλμα 0x5. 3 | Λάθος στην δημιουργία του εκτελέσιμου προγράμματος. 4 | Δεν είναι δυνατό να ολοκληρωθεί η εγκατάσταση. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/el/language.txt: -------------------------------------------------------------------------------- 1 | ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el]. 2 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Πρόκειται να ξεκινήσετε τη διαδικασία εγκατάστασης του OSSEC HIDS. 
3 | Για την εγκατάσταση θα πρέπει να έχετε προ-εγκατεστημένο 4 | ένα μεταγλωττιστή της γλώσσας C στον υπολογιστή σας. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Ευχαριστούμε για τη χρησιμοποίηση του OSSEC HIDS. 3 | Αν έχετε κάποια ερώτηση, πρόταση ή αν βρείτε κάποιο bug, 4 | επικοινωνήστε μαζί μας στο contact@ossec.net ή χρησιμοποιώντας 5 | την λίστα ταχυδρομείου (maillist) στο ossec-list@ossec.net 6 | ( http://www.ossec.net/main/support/ ). 7 | 8 | Περισσότερες πληροφορίες στη διεύθυνση: 9 | http://www.ossec.net/ 10 | 11 | --- Πατήστε ENTER για να ολοκληρωθεί η εγκατάσταση 12 | (μπορεί να ακολουθούν περισσότερες πληροφορίες) 13 | 14 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Αρχικά πρέπει να προσθέσετε αυτόν τον agent στο server 3 | προκειμένου να μπορέσουν να επικοινωνήσουν μεταξύ τους. 4 | Όταν το κάνετε, μπορείτε να εκτελέσετε το εργαλείο 5 | 'manage_agents' προκειμένου να εισαγάγετε το authentication key 6 | από τον server. 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Δεν έγινε καμία ενέργεια για να ρυθμιστεί το OSSEC HIDS 3 | να ξεκινάει κατά της εκκίνηση του υπολογιστή. 
4 | Προσθέστε την ακόλουθη γραμμή στο init script: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Αν θέλετε να ελέγξετε οποιοδήποτε άλλο αρχείο, αλλάξτε 2 | το ossec.conf και προσθέστε μια νέα εγγραφή για τοπικό 3 | αρχείο (localfile). 4 | Για να λάβετε απαντήσεις σχετικά με τις ρυθμίσεις, 5 | επισκευθείτε μας στη διεύθυνση http://www.ossec.net/ . 6 | 7 | 8 | --- Πατήστε ENTER για να συνεχίσετε --- 9 | 10 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Η ενεργή αντίδραση (active response) σας επιτρέπει 3 | να εκτελέσετε μια συγκεκριμένη εντολή βασισμένη στα 4 | γεγονότα (events) που λήφθησαν. Για παράδειγμα, 5 | μπορείτε να μπλοκάρετε μια διεύθυνση IP ή να 6 | απενεργοποιήσετε την πρόσβαση για ένα συγκεκριμένο 7 | χρήστη. 8 | Περισσότερες πληροφορίες στη διεύθυνση: 9 | http://www.ossec.net/el/manual.html#active-response 10 | 11 | -------------------------------------------------------------------------------- /etc/templates/el/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Η ενεργή αντίδραση (active response) ενεργοποιήθηκε. 2 | 3 | - Εξ ορισμού, μπορούμε να ενεργοποιήσουμε τις host-deny 4 | και firewall-drop αντιδράσεις (responses). Η πρώτη θα 5 | προσθέσει ένα υπολογιστή στο αρχείο /etc/hosts.deny. 6 | Η δεύτερη θα μπλοκάρει τον υπολογιστή μέσω 7 | iptables (για linux) ή μέσω ipfilter 8 | (για Solaris, FreeBSD ή NetBSD). 9 | 10 | - Μπορούν να χρησιμοποιηθούν για να σταματήσουν 11 | SSHD brute force scans, portscans και κάποιων άλλων 12 | ειδών επιθέσεις. 
Μπορείτε επίσης να τις προσθέσετε 13 | για να μπλοκάρετε γεγονότα που παράγονται από το 14 | snort, για παράδειγμα. 15 | -------------------------------------------------------------------------------- /etc/templates/en/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x1. 3 | This script can only be executed from the same directory. 4 | Change directory to where this script is before running it. 5 | You must run it as ./install.sh ." 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/en/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x2. 3 | You must be root to use this script. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/en/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x3. 3 | You need a compiler (like gcc or cc) to continue 4 | with the installation. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/en/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x4. 3 | Wrong installation type. It can only be agent, server or local. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/en/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Building error. Unable to finish the installation. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/en/language.txt: -------------------------------------------------------------------------------- 1 | ** For installation in English, choose [en]. 
2 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | You are about to start the installation process of the OSSEC HIDS. 3 | You must have a C compiler pre-installed in your system. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Thanks for using the OSSEC HIDS. 3 | If you have any question, suggestion or if you find any bug, 4 | contact us at https://github.com/ossec/ossec-hids or using 5 | our public maillist at 6 | https://groups.google.com/forum/#!forum/ossec-list 7 | 8 | More information can be found at http://www.ossec.net 9 | 10 | --- Press ENTER to finish (maybe more information below). --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - You first need to add this agent to the server so they 3 | can communicate with each other. When you have done so, 4 | you can run the 'manage_agents' tool to import the 5 | authentication key from the server. 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - No action was made to configure the OSSEC HIDS to start 3 | during the boot. 
Add the following line to your init script: 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - If you want to monitor any other file, just change 2 | the ossec.conf and add a new localfile entry. 3 | Any questions about the configuration can be answered 4 | by visiting us online at http://www.ossec.net . 5 | 6 | 7 | --- Press ENTER to continue --- 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Active response allows you to execute a specific 3 | command based on the events received. For example, 4 | you can block an IP address or disable access for 5 | a specific user. 6 | More information at: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/en/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Active response enabled. 2 | 3 | - By default, we can enable the host-deny and the 4 | firewall-drop responses. The first one will add 5 | a host to the /etc/hosts.deny and the second one 6 | will block the host on iptables (if linux) or on 7 | ipfilter (if Solaris, FreeBSD or NetBSD). 8 | - They can be used to stop SSHD brute force scans, 9 | portscans and some other forms of attacks. You can 10 | also add them to block on snort events, for example. 11 | -------------------------------------------------------------------------------- /etc/templates/es/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x1. 3 | El programa puede ser solo ejecutado desde el mismo directorio. 
4 | Cambie al directorio donde se encuentra el programa antes de ejecutarlo. 5 | Debe de ejecutarlo como ./install.sh ." 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/es/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x2. 3 | Usted debe ser root para ejecutar el programa. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/es/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x3. 3 | Usted necesita un compilador (semejante a gcc ó cc) para continuar con la instalación. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/es/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x4. 3 | Fallo en el tipo de instalación. Únicamente puede ser 'agente', 'servidor' o 'local'. 4 | 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/es/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Error durante la construcción. No se ha podido finalizar la instalación. 4 | 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/es/language.txt: -------------------------------------------------------------------------------- 1 | ** Para instalar en Español, elija [es]. 2 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Usted va a comenzar el proceso de instalación de OSSEC HIDS. 3 | Usted debe tener un compilador de C previamente instalado en el sistema. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Gracias por usar OSSEC HIDS. 3 | Si tiene alguna duda, sugerencia ó encuentra 4 | algún desperfecto, contacte con nosotros en contact@ossec.net 5 | ó usando nuestra lista pública de correo en ossec-list@ossec.net 6 | 7 | Más información puede ser encontrada en http://www.ossec.net 8 | 9 | --- Presione ENTER para finalizar. --- 10 | (Tal vez encuentre más información a continuación). 11 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Debe añadir este agente en el servidor así podrán 3 | comunicarse el uno con el otro. Una vez culminada la tarea 4 | podrá ejecutar la herramienta 'manage_agents' para importar 5 | la autenticación por medio de las llaves extraidas del servidor. 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - No se ha realizado ninguna acción para configurar OSSEC HIDS 3 | durante el encendido de la máquina. Agregue la siguiente línea 4 | a vuestro archivo código init: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | 2 | - Si desea monitorizar algún otro registro, solo 3 | tendrá que editar el archivo ossec.conf y agregar una 4 | nueva entrada de tipo localfile. 5 | Cualquier otra pregunta de configuración podrá ser 6 | respondida visitándonos en línea en http://www.ossec.net . 
7 | 8 | --- Presione ENTER para continuar --- 9 | 10 | -------------------------------------------------------------------------------- /etc/templates/es/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Las respuestas activas le permitirán ejecutar un comando 3 | específico en base a los eventos recibidos. Por ejemplo, 4 | Usted podra bloquear una dirección IP ó deshabilitar el acceso 5 | de un usuario específico. 6 | Más información en: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/fr/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x1. 3 | Ce script ne peut être exécuté que depuis le même répertoire. 4 | Déplacez vous où est le script avant de l'exécuter. 5 | Vous devez le lancer par ./install.sh ." 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/fr/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x2. 3 | Vous devez être root pour exécuter ce script. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/fr/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x3. 3 | Vous devez avoir un compilateur (gcc ou cc) pour continuer l'installation. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/fr/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x4. 3 | Mauvais type d'installation. Cela ne peut être que agent, serveur ou local. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/fr/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Erreur de compilation. Impossible de finir l'installation. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/fr/language.txt: -------------------------------------------------------------------------------- 1 | ** Pour une installation en français, choisissez [fr] 2 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Vous êtes sur le point d'installer OSSEC HIDS. 3 | Vous devez avoir une compilateur C préinstallé sur votre système. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Merci d'utiliser OSSEC HIDS. 3 | Si vous avez des questions, suggestions ou si vous trouvez 4 | un bug, contactez nous sur contact@ossec.net ou en utilisant la 5 | liste de diffusion publique sur ossec-list@ossec.net 6 | ( http://www.ossec.net/en/mailing_lists.html ). 7 | 8 | Plus d'information peut être trouver sur http://www.ossec.net 9 | 10 | --- Appuyez sur Entrée pour finir (peut-être plus d'info plus bas). --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Vous devez d'abord ajouter cet agent sur le serveur pour 3 | qu'ils communiquent entre eux. Quand cela sera fait, 4 | vous pourrez lancer l'outil 'manage_agents' pour 5 | importer la clef d'authentification depuis le serveur. 
6 | 7 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Aucune action n'a été faite pour configurer OSSEC HIDS pour 3 | démarrer lors du boot. Ajoutez la ligne suivante à votre script 4 | d'initialisation : 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Si vous voulez surveiller d'autres fichiers, changez 2 | le fichier ossec.conf en ajoutant une nouvelle valeur 3 | de nom de fichier local. 4 | Pour toutes vos questions sur la configuration, 5 | consultez notre site web http://www.ossec.net . 6 | 7 | 8 | --- Appuyez sur Entrée pour continuer --- 9 | 10 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- La réponse active vous permet d'exécuter des commandes 3 | spécifiques en fonction d'évènement. Par exemple, 4 | vous pouvez bloquer une adresse IP ou interdire 5 | l'accès à un utilisateur spécifique. 6 | Plus d'information sur : 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/fr/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Réponse active activée. 2 | 3 | - Par défaut, nous pouvons activer le contrôle d'hôte 4 | et le pare-feu (firewall-drop). Le premier ajoute 5 | un hôte dans /etc/hosts.deny et le second bloquera 6 | l'hôte dans iptables (sous linux) ou dans ipfilter 7 | (sous Solaris, FreeBSD ou NetBSD). 
8 | - Ils peuvent aussi être utilisés pour arrêter les scans 9 | en force brute de SSHD, les scans de ports ou d'autres 10 | formes d'attaques. Vous pouvez aussi les bloquer par 11 | rapport à des évènements snort, par exemple. 12 | -------------------------------------------------------------------------------- /etc/templates/hu/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Hiba 0x1. 3 | Ez a script csak a saját könyvtárából futtatható. 4 | Kérem lépjen be a kérdéses script könyvtárába mielőtt futtatná. 5 | Úgy kell futtatnia, mint ./install.sh ." 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/hu/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Hiba 0x2. 3 | Ezen script használatához root jogosultsággal kell rendelkeznie. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/hu/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Hiba 0x3. 3 | A telepítés folytatásához szüksége van egy fordító programra (pl. gcc vagy cc). 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/hu/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Hiba 0x4. 3 | Rossz telepítési típus. Csak agent(kliens), szerver vagy lokális lehet. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/hu/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Hiba 0x5. 3 | Hiba merült fel a kompilálás közben. Nem tudtam befejezni a telepítést. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/hu/language.txt: -------------------------------------------------------------------------------- 1 | ** A Magyar nyelvű telepítéshez válassza [hu]. 2 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Ön elindította az OSSEC HIDS telepítési folyamatát. 3 | Egy C fordító programnak, már előzőleg telepítve kell lennie a rendszerén. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Köszönjük, hogy az OSSEC HIDS programot használja! 3 | Ha egyéb kérdése, javaslata van, illetve valamilyen bugot talált 4 | a programban, lépjen velünk kapcsolatba a contact@ossec.net, 5 | vagy a nyilvános levelezőlistánkat használva az 6 | ossec-list@ossec.net e-mail címeken. 7 | ( http://www.ossec.net/main/support/ ). 8 | 9 | További információkért látogasson el a http://www.ossec.net weboldalra. 10 | 11 | --- A befejezéshez nyomjon ENTER-t (alább további információkat talál). --- 12 | 13 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Először hozzá kell adnia ezt a klienst a szerverhez, 3 | így azok tudnak kommunikálni egymással. Amikor ezzel 4 | végzett, már futtathatja a 'manage_agents' eszközt, 5 | a hitelesítő kulcs szerverről történő importálásához. 
6 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Nem történt intézkedés az OSSEC HIDS bootoláskor 3 | történő automatikus indításának beállítása érdekében. 4 | Adja hozzá a következő sort az ön init scriptjéhez. 5 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Ha egyéb fájlokat is szeretne monitorozni, 2 | csak változtassa meg az ossec.conf-ot 3 | és adjon hozzá egy új helyi fájl bejegyzést. 4 | A konfigurálással kapcsolatos egyéb kérdéseire választ kaphat, 5 | ha felkeresi weboldalunkat: http://www.ossec.net . 6 | 7 | --- A folytatáshoz nyomja meg az ENTER billentyűt --- 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Az active response funkció lehetővé teszi 3 | specifikus parancsok végrehajtását a beérkezett események alapján. 4 | Például, önnek így lehetősége van blokkolni egy IP címet 5 | vagy egy adott felhasználó hozzáférését. 6 | További információk: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | -------------------------------------------------------------------------------- /etc/templates/hu/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Active response bekapcsolva. 2 | 3 | - Alapértelmezés szerint engedélyezheti a host-deny és a 4 | firewall-drop responses funkciókat. 
5 | Az első hozzá fog adni egy hosztot az /etc/hosts.deny 6 | fájlhoz, és a második pedig blokkolni fogja a hosztot 7 | (linux esetében) az iptables vagy (Solaris, FreeBSD 8 | vagy NetBSD esetében) az ipfilter tűzfalakban. 9 | - Ezek a funkciók az SSHD brute force scan-ek, 10 | a portscan-ek és néhány egyéb támadási forma 11 | megakadályozására használhatók. 12 | Példának okáért ezeket a blokkolási mechanizmusokat, 13 | akár a snort riasztásokra is alapozhatja. 14 | -------------------------------------------------------------------------------- /etc/templates/it/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x1. 3 | Questo script deve essere eseguito a partire dalla directory in cui 4 | si trova. 5 | Prima di eseguire questo script entra nella directory in cui si trova. 6 | Per eseguire lo script scrivi "./install.sh" 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/it/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x2. 3 | Devi essere root per eseguire questo script. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/it/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x3. 3 | E' necessario avere un compilatore installato (come gcc o cc) per proseguire 4 | con l'installazione. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/it/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x4. 3 | Tipo di installazione errata. Può essere solamente Server, Agent o Local. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/it/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Errore di compilazione. Impossibile terminare l'installazione. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/it/language.txt: -------------------------------------------------------------------------------- 1 | ** Per l'installazione in Italiano, scegli [it]. 2 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Stai per iniziare il processo di installazione di OSSEC HIDS. 3 | Devi avere un compilatore C pre-installato sul tuo sistema. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Grazie per aver scelto OSSEC HIDS. 3 | Per qualsiasi domanda, suggerimento o se hai trovato qualche bug, 4 | contattaci all'indirizzo contact@ossec.net o utlizza la nostra 5 | mailinglist pubblica: 6 | ( http://www.ossec.net/en/mailing_lists.html ). 7 | 8 | Puoi trovare ulteriori informazioni all'indirizzo http://www.ossec.net 9 | 10 | --- Premi ENTER per terminare --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Come prima cosa devi aggiungere questo agent al server affinchè possano comunicare 3 | tra di loro. Una volta fatto questo, potrai utilizzare il comando 'manage_agents' 4 | per importare la chiave di autenticazione dal server. 
5 | 6 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Non è stata effettuata alcuna modifica per avviare OSSEC HIDS 3 | in fase di boot. 4 | Aggiungi la seguente riga al tuo script di init: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Se desideri monitorare qualsiasi altro file, modifica ossec.conf 2 | e aggiungi una nuova, specifica, sezione. 3 | Per qualsiasi dubbio sulla configurazione visita il sito del progetto 4 | all'indirizzo http://www.ossec.net . 5 | 6 | 7 | --- Premi ENTER per continuare --- 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- La risposta attiva consente di eseguire uno specifico comando in 3 | conseguenza di un evento. Ad esempio, puoi bloccare un indirizzo IP o 4 | disabilitare l'accesso ad uno specifico user. 5 | Ulteriori informazioni su: 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/it/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Risposta attiva abilitata. 2 | 3 | - Per default, si possono abilitare le risposte di 4 | tipo host-deny e firewall-drop. La prima aggiunge 5 | un host a /etc/hosts.deny e la seconda blocca l'host 6 | con iptables (Linux) o con ipfilter (Solaris, FreeBSD o NetBSD). 7 | - Possono essere utilizzate per interrompere attacchi brute-force 8 | a SSHD, portscans e diverse altre forme di attacchi. 
9 | -------------------------------------------------------------------------------- /etc/templates/jp/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | エラー 0x1. 3 | このスクリプトは同じディレクトリからのみ実行できます. 4 | スクリプトを実行させる前にディレクトリを変更してください. 5 | そして,./install.sh として実行してください." 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/jp/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | エラー 0x2. 3 | このスクリプトはルート権限で動作させてください. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/jp/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | エラー 0x3. 3 | インストールを続けるにはコンパイラ(gcc または cc 等)が 4 | 必要です. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/jp/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | エラー 0x4. 3 | インストールに選んだ種類が間違っています. 4 | agent,server あるいは local のみです. 5 | -------------------------------------------------------------------------------- /etc/templates/jp/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | エラー 0x5. 3 | 構築エラー.インストールを完了できませんでした. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/jp/language.txt: -------------------------------------------------------------------------------- 1 | ** 日本語でインストールします.選択して下さい.[jp]. 2 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | OSSEC HIDS のインストール作業を始めます. 3 | 事前に C コンパイラがシステムにインストールされてる必要があります. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | OSSEC HIDS の使用に感謝します. 3 | あなたが何らかの質問,提案したいときや,バグを発見したときは, 4 | contact@ossec.net まで連絡するか ossec-list@ossec.net にある 5 | 我々の公開メーリングリストを使ってください. 6 | (http://www.ossec.net/main/support/). 7 | 8 | 詳細な情報は http://www.ossec.net にあります. 9 | 10 | --- ENTER を押すと終了します (以下,詳細な情報が続きます).--- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - 最初に,このエージェントをサーバに追加する必要があります. 3 | それにより互いに通信が可能となります.その後,サーバから 4 | の認証鍵を取り入れるために 'manage_agents' ツールを実行 5 | することができます. 6 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - 起動中において,OSSEC HIDS を開始し設定する動作が行われませんでした. 3 | 以下のラインをあなたの初期スクリプトに加えてください: 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - 他のファイルを監視したい場合は,ossec.conf を変更し 2 | 新しいエントリーを追加してください. 3 | 設定に関するどんな質問にも我々の Web サイト http://www.ossec.net 4 | を訪れることで答えることができます. 5 | 6 | 7 | --- 続けるには ENTER を押してください --- 8 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- アクティブレスポンスによりイベントが発生した際に特定の 3 | コマンドを実行することができます. 4 | 例えば,ある IP アドレスを遮断することや特定のユーザ 5 | に対してアクセスを無効にすることができます. 
6 | 詳細な情報は以下にあります: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/jp/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - アクティブレスポンスを有効にしました. 2 | 3 | - デフォルトでは,host-deny と firewall-drop レスポンス 4 | が有効化することができます.一つ目は /etc/hosts.deny 5 | にホストを加えます.二つ目は iptables (linux) か 6 | ipfilter (Solaris, FreeBSD または NetBSD) によりホストを 7 | 遮断します. 8 | 9 | - SSHD への総当たりスキャン,ポートスキャンや他の何らかの 10 | 攻撃手法を停止することに使うことができます. 11 | また,例えば,snort のイベントに基づいてそれらを遮断する 12 | こともできます. 13 | -------------------------------------------------------------------------------- /etc/templates/nl/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Fout 0x1. 3 | Dit script kan enkel uit dezelfde map worden uitgevoerd. 4 | Wijzig de map naar de scriptmap alvorens u de installatie uitvoert. 5 | U dient het script zo aan te roepen: ./install.sh . 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/nl/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Fout 0x2. 3 | U moet beheerdersrechten hebben om dit script 4 | uit te voeren. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/nl/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Fout 0x3. 3 | U heeft een compiler (zoals gcc of cc) nodig om door 4 | te kunnen gaan met de installatie. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/nl/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Fout 0x4. 3 | Onjuist installatietype. Het kan enkel agent, server of local zijn. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/nl/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Fout 0x5. 3 | Tijdens het bouwen trad er een fout op. Kan de installatie niet 4 | voortzetten. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/nl/language.txt: -------------------------------------------------------------------------------- 1 | ** Voor installatie in het Nederlands, kies [nl]. 2 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | U staat op het punt om het installatie proces te starten van OSSEC HIDS. 3 | U heeft een C compiler nodig voorgeinstalleerd op uw systeem. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Bedankt voor het gebruiken van OSSEC HIDS. 3 | Heeft u een vraag of suggestie of een andere vorm van opmerking, 4 | neem contact met ons op via contact@ossec.net of gebruik de mailinglijst 5 | ossec-list@ossec.net 6 | ( http://www.ossec.net/main/support/ ). 7 | 8 | Meer informatie vindt u op http://www.ossec.net 9 | 10 | --- Druk op ENTER om te finaliseren (wellicht meer informatie hieronder). --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - U dient eerst deze agent aan de server toe te voegen 3 | zodat ze met elkaar kunnen communiceren. 
Als u dit 4 | gedaan heeft dan kunt u de 'manage_agents' tool ge- 5 | bruiken om de authenticatiesleutel te importeren 6 | vanaf de server. 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Er is geen actie ondernomen om een opstartscript te maken voor 3 | OSSEC HIDS. U dient de volgende regel toe te voegen aan uw initscript: 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Als u een ander bestand in de gaten wilt houden, 2 | kunt u het bestand ossec.conf wijzigen door een 3 | nieuwe localfile in te brengen. 4 | Vragen over het configuratiebestand kunnen worden 5 | beantwoord door ons online te bezoeken op 6 | http://www.ossec.net . 7 | 8 | 9 | --- Druk op ENTER om door te gaan --- 10 | 11 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Actief handelen stelt u in staat om een specifiek 3 | commando uit te voeren op basis van de ontvangen 4 | events. Bijvoorbeeld, u kunt een IP-adres blokkeren 5 | of de toegang ontzeggen voor een bepaalde gebruiker. 6 | Meer informatie vindt u op: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/nl/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Actief handelen is ingeschakeld. 2 | 3 | - Standaard kunnen we de host-deny en 4 | firewall-drop handelingen inschakelen. 
De 5 | eerste voegt een host toe aan /etc/hosts.deny 6 | en de tweede zal de host blokkeren op iptables 7 | (bij linux) of ipfilter (bij Solaris, FreeBSD 8 | of NetBSD). 9 | - Ze kunnen gebruikt worden om SSHD brute force scans, 10 | portscans of andere vormen van aanvallen te stoppen. 11 | U kunt deze ook gebruiken om te blokkeren op basis van 12 | bijvoorbeeld snort events. 13 | -------------------------------------------------------------------------------- /etc/templates/pl/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Błąd 0x1. 3 | Skrypt może być uruchamiany tylko ze swojego katalogu. 4 | Przejdź do katalogu, w którym jest skrypt. 5 | Następnie uruchom poprzez: ./install.sh . 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/pl/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Błąd 0x2. 3 | Skrypt należy uruchamiać na prawach roota. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/pl/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Błąd 0x3. 3 | Potrzebujesz kompilatora (np. gcc lub cc), aby kontynuować 4 | instalację. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/pl/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Błąd 0x4. 3 | Niewłaściwy typ instalacji. Wybierz spośród: agent, serwer, lokalna. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/pl/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Błąd 0x5. 3 | Błąd kompilacji. Nie można zakończyć instalacji. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/pl/language.txt: -------------------------------------------------------------------------------- 1 | ** Aby instalować w języku Polskim, wybierz [pl]. 2 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Rozpoczynasz proces instalacji programu OSSEC HIDS. 3 | Aby kontynuować musisz mieć zainstalowany kompilator C. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | Dziękujemy za użycie OSSEC HIDS. 3 | Jeśli masz jakieś pytania, propozycje lub znalazłeś jakiś błąd, 4 | skontaktuj się z nami poprzez contact@ossec.net lub publiczną 5 | listę mailingową ossec-list@ossec.net 6 | ( http://www.ossec.net/main/support/ ). 7 | 8 | Więcej informacji można znaleźć na http://www.ossec.net 9 | 10 | --- Wciśnij ENTER aby zakończyć (więcej informacji poniżej?). --- 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Najpierw musisz dodać tego agenta do serwera aby 3 | umożliwić komunikację między nimi. Jeśli zakończyłeś 4 | możesz uruchomić narzędzie 'manage_agents' aby 5 | zaimportować klucz autoryzacyjny z serwera. 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Nie została podjęta żadna akcja aby skonfigurować OSSEC HIDS 3 | do startowania podczas bootowania. 
4 | Dodaj następującą linię do skryptu init: 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Jeśli chcesz monitorować inne pliki, po prostu 2 | zmień ossec.conf oraz dodaj nowy wpis localfile. 3 | Wszystkie wyjaśnienia odnośnie konfiguracji 4 | znajdziesz na http://www.ossec.net . 5 | 6 | 7 | --- Wciśnij ENTER, aby kontynuować --- 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Aktywna ochrona pozwala na wykonywanie określonych 3 | komend w zależności od otrzymanego sygnału. Np. 4 | możesz zablokować adres IP lub dostęp dla wybranego 5 | użytkownika. 6 | Więcej informacji na: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/pl/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Aktywna ochrona włączona. 2 | 3 | - Domyślnie możemy włączyć ochronę host-deny oraz 4 | firewall-drop. Pierwsze doda hosta do listy 5 | /etc/hosts.deny, a drugie zablokuje hosta na 6 | poziomie iptables (dla Linuksa) lub ipfilter 7 | (dla Solaris, FreeBSD oraz NetBSD). 8 | - Przedstawione metody mogą zatrzymać ataki brute 9 | force na ssh, skanowanie portów oraz parę innych. 10 | Możesz również na przykład dodać blokowanie 11 | korzystając ze zdarzeń snorta. 12 | -------------------------------------------------------------------------------- /etc/templates/ru/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | Ошибка 0x1. 
Этот скрипт может быть запущен только из того же каталога. 2 | Сделайте каталог, где находится скрипт, текущим перед его запуском. 3 | Вы должны запустить скрипт командой ./install.sh 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/ru/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | Ошибка 0x2. Вы должны иметь права root, чтобы воспользоваться этим скриптом. 2 | -------------------------------------------------------------------------------- /etc/templates/ru/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | Ошибка 0x3. Вам нужен компилятор (например, gcc или cc), чтобы продолжить 2 | далее. 3 | -------------------------------------------------------------------------------- /etc/templates/ru/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | Ошибка 0x4. Неправильный тип установки. Он должен быть: агент, сервер или локальный. 2 | 3 | -------------------------------------------------------------------------------- /etc/templates/ru/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | Ошибка 0x5. Ошибка компиляции. Невозможно завершить установку. 2 | 3 | -------------------------------------------------------------------------------- /etc/templates/ru/language.txt: -------------------------------------------------------------------------------- 1 | ** Для инструкций по установке на русском, введите [ru]. 2 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Вы готовы начать процесс установки OSSEC HIDS. Для следующего шага на Вашей 3 | системе должен уже быть установлен компилятор языка C. 
4 | 5 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | Спасибо что воспользовались OSSEC HIDS . 2 | Со всеми вопросами замечаниями или багами пожалуйста обращайтесь на 3 | contact@ossec.net или в свободно доступную почтовую рассылку ossec-list@ossec.net 4 | ( http://www.ossec.net/main/support/ ). 5 | 6 | Дополнительная информация доступна тут: http://www.ossec.net 7 | 8 | --- Нажмите Ввод для завершения (возможна дополнительная информация далее). 9 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | Сначала Вы должны добавить этого агента на 2 | сервере, чтобы они смогли обмениваться информацией друг с 3 | другом. После этого Вы можете ,командой 'manage_agents', 4 | импортировать ключ идентификации с сервера. 5 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | - Никаких изменений с целью запускать OSSEC HIDS при перезагрузке системы 2 | в конфигурации произведено не было. 3 | Добавьте следующую строку в скрипт init: 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Если Вы хотите отслеживать любой другой файл, просто 2 | измените ossec.conf и добавьте новое значение в localfile. 
3 | Любые ответы по конфигурации могут быть найдены на сайте 4 | http://www.ossec.net 5 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 3.4- Активное реагирование позволяет Вам выполнить выбранную команду в 2 | зависимости от полученного события. Например, Вы можете блокировать адрес IP 3 | или отказать в доступе определённому пользователю. Дополнительная информация 4 | на сайте: http://www.ossec.net/docs/docs/manual/ar/index.html 5 | -------------------------------------------------------------------------------- /etc/templates/ru/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Активное реагирование включено. 2 | - По умолчанию, мы можем задействовать host-deny и firewall-drop ответные 3 | реакции. Первая добавит хост в файл /etc/hosts.deny , а вторая заблокирует 4 | хост через iptables (если Линукс) или через ipfilter (если Solaris, 5 | FreeBSD или NetBSD). 6 | - Они могут быть полезны для остановки сканирования методом перебора, 7 | а также сканирования портов и некоторые другие формы атак. Также можно 8 | добавить их для блокирования в связке с событиями snort. 9 | -------------------------------------------------------------------------------- /etc/templates/sr/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | Greška 0x1. 2 | Ovaj skript može biti izveden jedino iz istog direktorijuma. 3 | Prebaci direktorij tamo gde je ovaj skript pre nego što ga pustiš. 4 | Moraš ga pustiti kao ./install.sh ." 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/sr/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | Greška 0x2. 2 | Moraš biti root da bi koristio ovaj skript. 
3 | 4 | -------------------------------------------------------------------------------- /etc/templates/sr/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | Greška 0x3. 2 | Treba ti kompajler (kao gcc ili cc) da nastaviš sa instalacijom. 3 | -------------------------------------------------------------------------------- /etc/templates/sr/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | Greška 0x4. 2 | Pogrešan tip instalacije. Može biti jedino agent, server ili lokalna. 3 | 4 | -------------------------------------------------------------------------------- /etc/templates/sr/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | Greška 0x5. 2 | Greška u gradnji. U nemogućnosti da završi instalaciju. 3 | 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/sr/language.txt: -------------------------------------------------------------------------------- 1 | ** Za instalaciju na srpskom, izaberi [sr]. 2 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | Nalaziš se pred početkom instalacionog proces OSSEC HIDS. 3 | Moraš imati c kompajler već instaliran u svoj sistem. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | Hvala što koristiš OSSEC HIDS. 2 | Ako imaš bilo kakvo pitanje, predlog ili ako nađeš neki bag, 3 | kontaktiraj nas na contact@ossec.net ili koristeći našu javnu maillistu na 4 | ossec-list@ossec.net 5 | ( http://www.ossec.net/main/support/ ). 
6 | 7 | Više informacija možeš naći na http://www.ossec.net 8 | 9 | --- Pritisni ENTER da završiš (možda ima još informacije niže). --- 10 | 11 | 12 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | - Moraš prvo dodati ovog agenta serveru tako da 2 | mogu da komuniciraju jedan sa drugim. Kada to uradiš 3 | možeš da pustiš 'manage_agents' pomagalo da preuzmeš 4 | ključ autentičnosti od servera. 5 | 6 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | Ništa nije preduzeto da konfiguriše OSSEC HIDS da startuje 2 | u toku buta. Dodaj sledeći red svom init skriptu: 3 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Ako želiš da nadgledaš neki drugi fajl, samo promeni 2 | ossec.conf i dodaj novi localfile ulaz. 3 | Sva pitanja vezana za konfiguraciju mogu biti odgovorena 4 | ako nas posetiš online na http://www.ossec.net . 5 | 6 | 7 | --- Pritisni ENTER da nastaviš --- 8 | 9 | 10 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 3.4- Aktivna reakcija ti omogućava da izvedeš specifičnu 2 | komandu na bazi primljenih događaja. Na primer, 3 | možeš da blokiraš IP adresu ili onemogućiš pristup 4 | određenom korisniku. 
5 | Više obaveštenja na: 6 | http://www.ossec.net/docs/docs/manual/ar/index.html 7 | 8 | -------------------------------------------------------------------------------- /etc/templates/sr/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Aktivirana aktivna reakcija. 2 | 3 | - Po default-u možemo osposobiti host-deny i 4 | firewall-drop reakcije. Prvi će dodati host-a 5 | na /etc/hosts.deny a drugi će blokirati host-a 6 | na iptabeli (ako je u pitanju Linux) ili na 7 | ipfilteru (Solaris, FreeBSD ili NetBSD). 8 | - Oni se mogu koristiti da zaustave SSHD brute force skenove, 9 | portskenove i neke druge vrste napada. Takođe ih možeš 10 | dodati za blokiranje u slučaju snort dojava, na primer. 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /etc/templates/tr/errors/0x1-location.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x1. 3 | Bu betik sadece aynı dizin içinden çalıştırılabilir. 4 | Bu betiğin daha önce çalıştığı dizine geçin. 5 | Betiği ./install.sh şeklinde çalıştırmalısınız. 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/tr/errors/0x2-beroot.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x2. 3 | Bu betiği çalıştırabilmeniz için root olmalısınız. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/tr/errors/0x3-dependencies.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x3. 3 | Kuruluma devam edebilmek için bir derleyiciye (gcc veya cc gibi) 4 | ihtiyacınız var. 
5 | 6 | -------------------------------------------------------------------------------- /etc/templates/tr/errors/0x4-installtype.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x4. 3 | Yanlış kurulum türü. Sadece aracı, sunucu veya yerel olabilir. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/tr/errors/0x5-build.txt: -------------------------------------------------------------------------------- 1 | 2 | Error 0x5. 3 | Oluşturma hatası. Kurulum tamamlanamadı. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/tr/language.txt: -------------------------------------------------------------------------------- 1 | ** Türkçe kurulum için seçin [tr]. 2 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x101-initial.txt: -------------------------------------------------------------------------------- 1 | 2 | OSSEC HIDS kurulum sürecini başlatmak üzeresiniz. 3 | Sisteminizde önceden kurulmuş bir C derleyicisi bulunmalıdır. 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x103-thanksforusing.txt: -------------------------------------------------------------------------------- 1 | 2 | OSSEC HIDS kullandığınız için teşekkürler. 3 | Sorularınız, önerileriniz olursa veya her hangi bir yanlış 4 | bulursanız contact@ossec.net adresi ile veya kamuya açık 5 | e-posta listemiz ile ossec-list@ossec.net adresinden iletişime 6 | geçiniz. 7 | ( http://www.ossec.net/main/support/ ). 8 | 9 | http://www.ossec.net adresinde daha fazla bilgi bulunabilir. 10 | 11 | --- Bitirmek için ENTER tuşuna basın (aşağıda daha fazla bilgi olabilir). 
--- 12 | 13 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x104-client.txt: -------------------------------------------------------------------------------- 1 | 2 | - Sunucu ile iletişimi sağlayabilmek için önce bu aracıyı 3 | sunucuya eklemeniz gerekmektedir. Bunu yaptıktan sonra 4 | sunucudan yetkilendirme anahtarını aktarmak için 'manage_agents' 5 | komutunu çalıştırabilirsiniz. 6 | 7 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x105-noboot.txt: -------------------------------------------------------------------------------- 1 | 2 | - Önyükleme sırasında OSSEC HIDS'i başlatmak için hiçbir şey yapılmadı. 3 | Bu satırı başlangıç betiğine ekleyin: 4 | 5 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x106-logs.txt: -------------------------------------------------------------------------------- 1 | - Eğer başka bir dosyayı daha gözlemek isterseniz 2 | ossec.conf dosyasına yeni bir localfile girdisi ekleyin. 3 | Yapılandırma hakkındaki herhangi bir sorunuzu cevaplamak için 4 | http://www.ossec.net adresini ziyaret edebilirsiniz. 5 | 6 | 7 | --- Devam etmek için ENTER tuşuna basın --- 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x107-ar.txt: -------------------------------------------------------------------------------- 1 | 2 | 3.4- Etkin yanıt üretme (Active response), edinilen olay 3 | bilgilerine göre belirli bir komut çalıştırmanıza olanak 4 | tanır. Örneğin bir IP adresini engelleyebilir veya bir 5 | kullanıcının erişimini kısıtlayabilirsiniz. 
6 | Daha fazla bilgi: 7 | http://www.ossec.net/docs/docs/manual/ar/index.html 8 | 9 | -------------------------------------------------------------------------------- /etc/templates/tr/messages/0x108-ar-enabled.txt: -------------------------------------------------------------------------------- 1 | - Etkin yanıt üretme (Active response) etkin kılındı. 2 | 3 | - Öntanımlı olarak host-deny ve firewall-drop etkin yanıt 4 | mekanizmalarını etkin hale getirebiliriz. Bunlardan ilki 5 | bir bilgisayarı /etc/hosts.deny dosyasına ekler, ikincisi 6 | bilgisayarı iptables (linux) veya ipfilter (Solaris, 7 | FreeBSD vb.) ile engeller. 8 | - Bunlar, SSHD kaba güç saldırılarını, port taramalarını 9 | ve diğer saldırı şekillerini durdurmak için kullanılabilir. 10 | Ayrıca snort olaylarını değerlendirerek engelleme yapmak 11 | için de ekleyebilirsiniz. 12 | -------------------------------------------------------------------------------- /src/LOCATION: -------------------------------------------------------------------------------- 1 | DIR="/var/ossec" 2 | -------------------------------------------------------------------------------- /src/VERSION: -------------------------------------------------------------------------------- 1 | v3.8.0 2 | -------------------------------------------------------------------------------- /src/agentlessd/agentlessd.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 
3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef _AGENTLESSD_H 11 | #define _AGENTLESSD_H 12 | 13 | #include "config/agentlessd-config.h" 14 | 15 | #ifndef ARGV0 16 | #define ARGV0 "ossec-agentlessd" 17 | #endif 18 | 19 | /** Prototypes **/ 20 | 21 | /* Main monitord */ 22 | void Agentlessd(void) __attribute__((noreturn)); 23 | 24 | /* Global variables */ 25 | extern agentlessd_config lessdc; 26 | 27 | #endif 28 | 29 | -------------------------------------------------------------------------------- /src/analysisd/accumulator.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef __ACCUMULATOR_H 11 | #define __ACCUMULATOR_H 12 | 13 | #include "eventinfo.h" 14 | 15 | /* Accumulator Functions */ 16 | int Accumulate_Init(void); 17 | Eventinfo *Accumulate(Eventinfo *lf); 18 | void Accumulate_CleanUp(void); 19 | 20 | #endif /* __ACCUMULATOR_H */ 21 | 22 | -------------------------------------------------------------------------------- /src/analysisd/alerts/alerts.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 
3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | /* Global alert header */ 11 | 12 | #ifndef _ALERT__H 13 | #define _ALERT__H 14 | 15 | #include "log.h" 16 | #include "exec.h" 17 | #include "getloglocation.h" 18 | 19 | #endif 20 | 21 | -------------------------------------------------------------------------------- /src/analysisd/alerts/exec.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef _EXEC__H 11 | #define _EXEC__H 12 | 13 | #include "eventinfo.h" 14 | #include "active-response.h" 15 | 16 | void OS_Exec(int execq, int arq, const Eventinfo *lf, const active_response *ar); 17 | 18 | #endif 19 | 20 | -------------------------------------------------------------------------------- /src/analysisd/alerts/log.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 
*
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

/* Basic logging operations */

#ifndef __LOG_H
#define __LOG_H

#include "eventinfo.h"

#define FWDROP "drop"
#define FWALLOW "accept"

void OS_LogOutput(Eventinfo *lf);
void OS_Log(Eventinfo *lf);
void OS_CustomLog(const Eventinfo *lf, const char *format);
void OS_Store(const Eventinfo *lf);
int FW_Log(Eventinfo *lf);

#endif

-------------------------------------------------------------------------------- /src/analysisd/cdb/cdb_hash.c: --------------------------------------------------------------------------------
/* Public domain */
/* Adapted from DJB's original cdb-0.75 package */

#include "cdb.h"


/* One step of the cdb string hash: fold byte c into the running hash h.
 * Returns the updated hash. All arithmetic is on the unsigned uint32
 * type, so the multiply-by-33 step simply wraps. */
uint32 cdb_hashadd(uint32 h, unsigned char c)
{
    return (h + (h << 5)) ^ c;
}

/* Hash the first len bytes of buf, seeded with CDB_HASHSTART (presumably
 * defined in cdb.h). Each char is converted to unsigned char before it is
 * folded in. With len == 0 the seed is returned and buf is never read. */
uint32 cdb_hash(char *buf, unsigned int len)
{
    uint32 hash = CDB_HASHSTART;
    unsigned int i;

    for (i = 0; i < len; i++) {
        hash = cdb_hashadd(hash, buf[i]);
    }
    return hash;
}
-------------------------------------------------------------------------------- /src/analysisd/cdb/uint32.h: --------------------------------------------------------------------------------
/* adopted from libowfat 0.9 (GPL) */

#ifndef UINT32_H
#define UINT32_H

typedef unsigned int uint32;

extern void uint32_pack(char *out, uint32 in);
extern void uint32_unpack(const char *in, uint32 *out);

#endif
-------------------------------------------------------------------------------- /src/analysisd/cdb/uint32_pack.c: --------------------------------------------------------------------------------
/* adopted from libowfat 0.9 (GPL) */

#define NO_UINT32_MACROS
#include
"uint32.h" 5 | 6 | 7 | void uint32_pack(char *out, uint32 in) 8 | { 9 | *out = in & 0xff; 10 | in >>= 8; 11 | *++out = in & 0xff; 12 | in >>= 8; 13 | *++out = in & 0xff; 14 | in >>= 8; 15 | *++out = in & 0xff; 16 | } 17 | -------------------------------------------------------------------------------- /src/analysisd/cdb/uint32_unpack.c: -------------------------------------------------------------------------------- 1 | /* adopted from libowfat 0.9 (GPL) */ 2 | 3 | #define NO_UINT32_MACROS 4 | #include "uint32.h" 5 | 6 | 7 | void uint32_unpack(const char *in, uint32 *out) 8 | { 9 | *out = (((uint32)(unsigned char)in[3]) << 24) | 10 | (((uint32)(unsigned char)in[2]) << 16) | 11 | (((uint32)(unsigned char)in[1]) << 8) | 12 | (uint32)(unsigned char)in[0]; 13 | } 14 | -------------------------------------------------------------------------------- /src/analysisd/cleanevent.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2015 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 
8 | */ 9 | 10 | #ifndef _CLEANEVENT_H_ 11 | #define _CLEANEVENT_H_ 12 | 13 | #include "eventinfo.h" 14 | 15 | int OS_CleanMSG(char *msg, Eventinfo *lf); 16 | 17 | 18 | #endif /* _CLEANEVENT_H_ */ 19 | -------------------------------------------------------------------------------- /src/analysisd/compiled_rules/.function_list: -------------------------------------------------------------------------------- 1 | check_id_size 2 | comp_srcuser_dstuser 3 | comp_mswin_targetuser_calleruser_diff 4 | is_simple_http_request 5 | is_valid_crawler 6 | -------------------------------------------------------------------------------- /src/analysisd/dodiff.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2015 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 8 | */ 9 | 10 | #ifndef _DODIFF_H_ 11 | #define _DODIFF_H_ 12 | 13 | #include "rules.h" 14 | #include "eventinfo.h" 15 | 16 | int doDiff(RuleInfo *rule, const Eventinfo *lf); 17 | 18 | 19 | #endif /* _DODIFF_H_ */ 20 | -------------------------------------------------------------------------------- /src/analysisd/format/to_json.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2015 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 
8 | */ 9 | 10 | #ifndef __TO_JSON_H__ 11 | #define __TO_JSON_H__ 12 | 13 | #include "eventinfo.h" 14 | char *Eventinfo_to_jsonstr(const Eventinfo *lf); 15 | char *Archiveinfo_to_jsonstr(const Eventinfo *lf); 16 | #endif /* __TO_JSON_H__ */ 17 | -------------------------------------------------------------------------------- /src/analysisd/lists_make.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 3) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef __LISTSMAKE_H 11 | #define __LISTSMAKE_H 12 | 13 | void Lists_OP_MakeCDB(const char *txt_filename, const char *cdb_filename, int force); 14 | void Lists_OP_MakeAll(int force); 15 | 16 | #endif /* __LISTSMAKE_H */ 17 | 18 | -------------------------------------------------------------------------------- /src/analysisd/output/jsonout.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2015 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 8 | */ 9 | 10 | #ifndef _JSONOUT_H_ 11 | #define _JSONOUT_H_ 12 | 13 | #include "eventinfo.h" 14 | 15 | void jsonout_output_event(const Eventinfo *lf); 16 | void jsonout_output_archive(const Eventinfo *lf); 17 | 18 | #endif /* _JSONOUT_H_ */ 19 | -------------------------------------------------------------------------------- /src/analysisd/output/prelude.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 
3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 8 | */ 9 | 10 | #ifdef PRELUDE_OUTPUT_ENABLED 11 | 12 | #ifndef _PRELUDE_H_ 13 | #define _PRELUDE_H_ 14 | 15 | #include "eventinfo.h" 16 | 17 | /* Start Prelude client */ 18 | void prelude_start(const char *profile, int argc, char **argv); 19 | 20 | /* Log to Prelude */ 21 | void OS_PreludeLog(const Eventinfo *lf); 22 | 23 | #endif /* _PRELUDE_H_ */ 24 | 25 | #endif /* PRELUDE_OUTPUT_ENABLED */ 26 | -------------------------------------------------------------------------------- /src/analysisd/schemas/md5_ignore_sqlite3.schema: -------------------------------------------------------------------------------- 1 | CREATE TABLE files ( 2 | md5sum VARCHAR(32), 3 | file VARCHAR(256), 4 | time DATETIME 5 | ); 6 | CREATE UNIQUE INDEX files_idx ON files(md5sum); 7 | -------------------------------------------------------------------------------- /src/analysisd/stats.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation. 
8 | */ 9 | 10 | #ifndef _STAT__H 11 | #define _STAT__H 12 | 13 | void LastMsg_Change(const char *log); 14 | int LastMsg_Stats(const char *log); 15 | 16 | extern char __stats_comment[192]; 17 | 18 | void Update_Hour(void); 19 | int Check_Hour(void); 20 | int Start_Hour(void); 21 | 22 | #endif /* _STAT__H */ 23 | 24 | -------------------------------------------------------------------------------- /src/client-agent/COPYRIGHT: -------------------------------------------------------------------------------- 1 | Copyright (C) 2009 Trend Micro Inc. 2 | All rights reserved. 3 | This program is a free software; you can redistribute it 4 | and/or modify it under the terms of the GNU General Public 5 | License (version 2) as published by the FSF - Free Software 6 | Foundation 7 | 8 | OSSEC HIDS, ossec-agent 9 | Available at http://www.ossec.net/hids/ 10 | -------------------------------------------------------------------------------- /src/client-agent/VERSION: -------------------------------------------------------------------------------- 1 | 0.3 2 | -------------------------------------------------------------------------------- /src/external/cJSON/tests/test1: -------------------------------------------------------------------------------- 1 | { 2 | "glossary": { 3 | "title": "example glossary", 4 | "GlossDiv": { 5 | "title": "S", 6 | "GlossList": { 7 | "GlossEntry": { 8 | "ID": "SGML", 9 | "SortAs": "SGML", 10 | "GlossTerm": "Standard Generalized Markup Language", 11 | "Acronym": "SGML", 12 | "Abbrev": "ISO 8879:1986", 13 | "GlossDef": { 14 | "para": "A meta-markup language, used to create markup languages such as DocBook.", 15 | "GlossSeeAlso": ["GML", "XML"] 16 | }, 17 | "GlossSee": "markup" 18 | } 19 | } 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/external/cJSON/tests/test2: -------------------------------------------------------------------------------- 1 | {"menu": { 2 | "id": "file", 3 | "value": 
"File", 4 | "popup": { 5 | "menuitem": [ 6 | {"value": "New", "onclick": "CreateNewDoc()"}, 7 | {"value": "Open", "onclick": "OpenDoc()"}, 8 | {"value": "Close", "onclick": "CloseDoc()"} 9 | ] 10 | } 11 | }} 12 | -------------------------------------------------------------------------------- /src/external/cJSON/tests/test3: -------------------------------------------------------------------------------- 1 | {"widget": { 2 | "debug": "on", 3 | "window": { 4 | "title": "Sample Konfabulator Widget", 5 | "name": "main_window", 6 | "width": 500, 7 | "height": 500 8 | }, 9 | "image": { 10 | "src": "Images/Sun.png", 11 | "name": "sun1", 12 | "hOffset": 250, 13 | "vOffset": 250, 14 | "alignment": "center" 15 | }, 16 | "text": { 17 | "data": "Click Here", 18 | "size": 36, 19 | "style": "bold", 20 | "name": "text1", 21 | "hOffset": 250, 22 | "vOffset": 100, 23 | "alignment": "center", 24 | "onMouseUp": "sun1.opacity = (sun1.opacity / 100) * 90;" 25 | } 26 | }} -------------------------------------------------------------------------------- /src/external/lua: -------------------------------------------------------------------------------- 1 | lua-5.2.3 -------------------------------------------------------------------------------- /src/external/lua-5.2.3/README: -------------------------------------------------------------------------------- 1 | 2 | This is Lua 5.2.3, released on 11 Nov 2013. 3 | 4 | For installation instructions, license details, and 5 | further information about Lua, see doc/readme.html. 
6 | 7 | -------------------------------------------------------------------------------- /src/external/lua-5.2.3/doc/logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/lua-5.2.3/doc/logo.gif -------------------------------------------------------------------------------- /src/external/lua-5.2.3/doc/manual.css: -------------------------------------------------------------------------------- 1 | h3 code { 2 | font-family: inherit ; 3 | font-size: inherit ; 4 | } 5 | 6 | pre, code { 7 | font-size: 12pt ; 8 | } 9 | 10 | span.apii { 11 | float: right ; 12 | font-family: inherit ; 13 | font-style: normal ; 14 | font-size: small ; 15 | color: gray ; 16 | } 17 | 18 | p+h1, ul+h1 { 19 | font-style: normal ; 20 | padding-top: 0.4em ; 21 | padding-bottom: 0.4em ; 22 | padding-left: 16px ; 23 | margin-left: -16px ; 24 | background-color: #D0D0FF ; 25 | border-radius: 8px ; 26 | border: solid #000080 1px ; 27 | } 28 | -------------------------------------------------------------------------------- /src/external/lua-5.2.3/doc/osi-certified-72x60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/lua-5.2.3/doc/osi-certified-72x60.png -------------------------------------------------------------------------------- /src/external/lua-5.2.3/src/lapi.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** $Id: lapi.h,v 2.7.1.1 2013/04/12 18:48:47 roberto Exp $ 3 | ** Auxiliary functions from Lua API 4 | ** See Copyright Notice in lua.h 5 | */ 6 | 7 | #ifndef lapi_h 8 | #define lapi_h 9 | 10 | 11 | #include "llimits.h" 12 | #include "lstate.h" 13 | 14 | #define api_incr_top(L) {L->top++; api_check(L, L->top <= L->ci->top, \ 15 | "stack overflow");} 16 | 17 | 
#define adjustresults(L,nres) \ 18 | { if ((nres) == LUA_MULTRET && L->ci->top < L->top) L->ci->top = L->top; } 19 | 20 | #define api_checknelems(L,n) api_check(L, (n) < (L->top - L->ci->func), \ 21 | "not enough elements in the stack") 22 | 23 | 24 | #endif 25 | -------------------------------------------------------------------------------- /src/external/lua-5.2.3/src/lfs.def: -------------------------------------------------------------------------------- 1 | LIBRARY lfs.dll 2 | DESCRIPTION "LuaFileSystem" 3 | VERSION 1.5.0 4 | EXPORTS 5 | luaopen_lfs 6 | -------------------------------------------------------------------------------- /src/external/lua-5.2.3/src/lfs.h: -------------------------------------------------------------------------------- 1 | /* 2 | ** LuaFileSystem 3 | ** Copyright Kepler Project 2003 (http://www.keplerproject.org/luafilesystem) 4 | ** 5 | ** $Id: lfs.h,v 1.5 2008/02/19 20:08:23 mascarenhas Exp $ 6 | */ 7 | 8 | /* Define 'chdir' for systems that do not implement it */ 9 | #ifdef NO_CHDIR 10 | #define chdir(p) (-1) 11 | #define chdir_error "Function 'chdir' not provided by system" 12 | #else 13 | #define chdir_error strerror(errno) 14 | #endif 15 | 16 | 17 | int luaopen_lfs (lua_State *L); 18 | -------------------------------------------------------------------------------- /src/external/lua-5.2.3/src/lua.hpp: -------------------------------------------------------------------------------- 1 | // lua.hpp 2 | // Lua header files for C++ 3 | // <> not supplied automatically because Lua also compiles as C++ 4 | 5 | extern "C" { 6 | #include "lua.h" 7 | #include "lualib.h" 8 | #include "lauxlib.h" 9 | } 10 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | -@echo "Please use ./configure first. Thank you." 
3 | 4 | distclean: 5 | make -f Makefile.in distclean 6 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/ada/zlib.gpr: -------------------------------------------------------------------------------- 1 | project Zlib is 2 | 3 | for Languages use ("Ada"); 4 | for Source_Dirs use ("."); 5 | for Object_Dir use "."; 6 | for Main use ("test.adb", "mtest.adb", "read.adb", "buffer_demo"); 7 | 8 | package Compiler is 9 | for Default_Switches ("ada") use ("-gnatwcfilopru", "-gnatVcdfimorst", "-gnatyabcefhiklmnoprst"); 10 | end Compiler; 11 | 12 | package Linker is 13 | for Default_Switches ("ada") use ("-lz"); 14 | end Linker; 15 | 16 | package Builder is 17 | for Default_Switches ("ada") use ("-s", "-gnatQ"); 18 | end Builder; 19 | 20 | end Zlib; 21 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/blast/Makefile: -------------------------------------------------------------------------------- 1 | blast: blast.c blast.h 2 | cc -DTEST -o blast blast.c 3 | 4 | test: blast 5 | blast < test.pk | cmp - test.txt 6 | 7 | clean: 8 | rm -f blast blast.o 9 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/blast/README: -------------------------------------------------------------------------------- 1 | Read blast.h for purpose and usage. 
2 | 3 | Mark Adler 4 | madler@alumni.caltech.edu 5 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/blast/test.pk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/blast/test.pk -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/blast/test.txt: -------------------------------------------------------------------------------- 1 | AIAIAIAIAIAIA -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/delphi/ZLibConst.pas: -------------------------------------------------------------------------------- 1 | unit ZLibConst; 2 | 3 | interface 4 | 5 | resourcestring 6 | sTargetBufferTooSmall = 'ZLib error: target buffer may be too small'; 7 | sInvalidStreamOp = 'Invalid stream operation'; 8 | 9 | implementation 10 | 11 | end. 
12 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib.chm -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/ChecksumImpl.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/ChecksumImpl.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/CircularBuffer.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/CircularBuffer.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/CodecBase.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/CodecBase.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/Deflater.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/Deflater.cs -------------------------------------------------------------------------------- 
/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/DotZLib.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/DotZLib.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/GZipStream.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/GZipStream.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/Inflater.cs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/dotzlib/DotZLib/Inflater.cs -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/infback9/README: -------------------------------------------------------------------------------- 1 | See infback9.h for what this is and how to use it. 2 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/iostream/test.cpp: -------------------------------------------------------------------------------- 1 | 2 | #include "zfstream.h" 3 | 4 | int main() { 5 | 6 | // Construct a stream object with this filebuffer. Anything sent 7 | // to this stream will go to standard out. 8 | gzofstream os( 1, ios::out ); 9 | 10 | // This text is getting compressed and sent to stdout. 11 | // To prove this, run 'test | zcat'. 12 | os << "Hello, Mommy" << endl; 13 | 14 | os << setcompressionlevel( Z_NO_COMPRESSION ); 15 | os << "hello, hello, hi, ho!" 
<< endl; 16 | 17 | setcompressionlevel( os, Z_DEFAULT_COMPRESSION ) 18 | << "I'm compressing again" << endl; 19 | 20 | os.close(); 21 | 22 | return 0; 23 | 24 | } 25 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/iostream3/TODO: -------------------------------------------------------------------------------- 1 | Possible upgrades to gzfilebuf: 2 | 3 | - The ability to do putback (e.g. putbackfail) 4 | 5 | - The ability to seek (zlib supports this, but could be slow/tricky) 6 | 7 | - Simultaneous read/write access (does it make sense?) 8 | 9 | - Support for ios_base::ate open mode 10 | 11 | - Locale support? 12 | 13 | - Check public interface to see which calls give problems 14 | (due to dependence on library internals) 15 | 16 | - Override operator<<(ostream&, gzfilebuf*) to allow direct copying 17 | of stream buffer to stream ( i.e. os << is.rdbuf(); ) 18 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/masmx64/bld_ml64.bat: -------------------------------------------------------------------------------- 1 | ml64.exe /Flinffasx64 /c /Zi inffasx64.asm 2 | ml64.exe /Flgvmat64 /c /Zi gvmat64.asm 3 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/masmx86/bld_ml32.bat: -------------------------------------------------------------------------------- 1 | ml /coff /Zi /c /Flmatch686.lst match686.asm 2 | ml /coff /Zi /c /Flinffas32.lst inffas32.asm 3 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/minizip/Makefile: -------------------------------------------------------------------------------- 1 | CC=cc 2 | CFLAGS=-O -I../.. 
3 | 4 | UNZ_OBJS = miniunz.o unzip.o ioapi.o ../../libz.a 5 | ZIP_OBJS = minizip.o zip.o ioapi.o ../../libz.a 6 | 7 | .c.o: 8 | $(CC) -c $(CFLAGS) $*.c 9 | 10 | all: miniunz minizip 11 | 12 | miniunz: $(UNZ_OBJS) 13 | $(CC) $(CFLAGS) -o $@ $(UNZ_OBJS) 14 | 15 | minizip: $(ZIP_OBJS) 16 | $(CC) $(CFLAGS) -o $@ $(ZIP_OBJS) 17 | 18 | test: miniunz minizip 19 | ./minizip test readme.txt 20 | ./miniunz -l test.zip 21 | mv readme.txt readme.old 22 | ./miniunz test.zip 23 | 24 | clean: 25 | /bin/rm -f *.o *~ minizip miniunz 26 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/minizip/MiniZip64_Changes.txt: -------------------------------------------------------------------------------- 1 | 2 | MiniZip 1.1 was derrived from MiniZip at version 1.01f 3 | 4 | Change in 1.0 (Okt 2009) 5 | - **TODO - Add history** 6 | 7 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/minizip/minizip.pc.in: -------------------------------------------------------------------------------- 1 | prefix=@prefix@ 2 | exec_prefix=@exec_prefix@ 3 | libdir=@libdir@ 4 | includedir=@includedir@/minizip 5 | 6 | Name: minizip 7 | Description: Minizip zip file manipulation library 8 | Requires: 9 | Version: @PACKAGE_VERSION@ 10 | Libs: -L${libdir} -lminizip 11 | Libs.private: -lz 12 | Cflags: -I${includedir} 13 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/puff/zeros.raw: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/contrib/puff/zeros.raw -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/testzlib/testzlib.txt: -------------------------------------------------------------------------------- 1 | 
To build testzLib with Visual Studio 2005: 2 | 3 | copy to a directory file from : 4 | - root of zLib tree 5 | - contrib/testzlib 6 | - contrib/masmx86 7 | - contrib/masmx64 8 | - contrib/vstudio/vc7 9 | 10 | and open testzlib8.sln -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/untgz/Makefile: -------------------------------------------------------------------------------- 1 | CC=cc 2 | CFLAGS=-g 3 | 4 | untgz: untgz.o ../../libz.a 5 | $(CC) $(CFLAGS) -o untgz untgz.o -L../.. -lz 6 | 7 | untgz.o: untgz.c ../../zlib.h 8 | $(CC) $(CFLAGS) -c -I../.. untgz.c 9 | 10 | ../../libz.a: 11 | cd ../..; ./configure; make 12 | 13 | clean: 14 | rm -f untgz untgz.o *~ 15 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/contrib/untgz/Makefile.msc: -------------------------------------------------------------------------------- 1 | CC=cl 2 | CFLAGS=-MD 3 | 4 | untgz.exe: untgz.obj ..\..\zlib.lib 5 | $(CC) $(CFLAGS) untgz.obj ..\..\zlib.lib 6 | 7 | untgz.obj: untgz.c ..\..\zlib.h 8 | $(CC) $(CFLAGS) -c -I..\.. untgz.c 9 | 10 | ..\..\zlib.lib: 11 | cd ..\.. 12 | $(MAKE) -f win32\makefile.msc 13 | cd contrib\untgz 14 | 15 | clean: 16 | -del untgz.obj 17 | -del untgz.exe 18 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/inffast.h: -------------------------------------------------------------------------------- 1 | /* inffast.h -- header to use inffast.c 2 | * Copyright (C) 1995-2003, 2010 Mark Adler 3 | * For conditions of distribution and use, see copyright notice in zlib.h 4 | */ 5 | 6 | /* WARNING: this file should *not* be used by applications. It is 7 | part of the implementation of the compression library and is 8 | subject to change. Applications should only use zlib.h. 
9 | */ 10 | 11 | void ZLIB_INTERNAL inflate_fast OF((z_streamp strm, unsigned start)); 12 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/nintendods/README: -------------------------------------------------------------------------------- 1 | This Makefile requires devkitARM (http://www.devkitpro.org/category/devkitarm/) and works inside "contrib/nds". It is based on a devkitARM template. 2 | 3 | Eduardo Costa 4 | January 3, 2009 5 | 6 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/old/README: -------------------------------------------------------------------------------- 1 | This directory contains files that have not been updated for zlib 1.2.x 2 | 3 | (Volunteers are encouraged to help clean this up. Thanks.) 4 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/win32/VisualC.txt: -------------------------------------------------------------------------------- 1 | 2 | To build zlib using the Microsoft Visual C++ environment, 3 | use the appropriate project from the contrib/vstudio/ directory. 
4 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/zlib.3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/external/zlib-1.2.11/zlib.3.pdf -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/zlib.pc.cmakein: -------------------------------------------------------------------------------- 1 | prefix=@CMAKE_INSTALL_PREFIX@ 2 | exec_prefix=@CMAKE_INSTALL_PREFIX@ 3 | libdir=@INSTALL_LIB_DIR@ 4 | sharedlibdir=@INSTALL_LIB_DIR@ 5 | includedir=@INSTALL_INC_DIR@ 6 | 7 | Name: zlib 8 | Description: zlib compression library 9 | Version: @VERSION@ 10 | 11 | Requires: 12 | Libs: -L${libdir} -L${sharedlibdir} -lz 13 | Cflags: -I${includedir} 14 | -------------------------------------------------------------------------------- /src/external/zlib-1.2.11/zlib.pc.in: -------------------------------------------------------------------------------- 1 | prefix=@prefix@ 2 | exec_prefix=@exec_prefix@ 3 | libdir=@libdir@ 4 | sharedlibdir=@sharedlibdir@ 5 | includedir=@includedir@ 6 | 7 | Name: zlib 8 | Description: zlib compression library 9 | Version: @VERSION@ 10 | 11 | Requires: 12 | Libs: -L${libdir} -L${sharedlibdir} -lz 13 | Cflags: -I${includedir} 14 | -------------------------------------------------------------------------------- /src/headers/custom_output_search.h: -------------------------------------------------------------------------------- 1 | #ifndef CUSTOM_OUTPUT_SEARCH_H_ 2 | #define CUSTOM_OUTPUT_SEARCH_H_ 3 | 4 | /* Search for 'search' in string and replaces it by value 5 | * Returns NULL on error, otherwise returns the orig string with the replacements 6 | */ 7 | char *searchAndReplace(const char *orig, const char *search, const char *value) __attribute__((nonnull)); 8 | 9 | /* Escape the newline characters 10 | * Returns 
NULL on error, otherwise returns a newly allocated string 11 | */ 12 | char *escape_newlines(const char *orig) __attribute__((nonnull)); 13 | 14 | #endif /* CUSTOM_OUTPUT_SEARCH_H_ */ 15 | 16 | -------------------------------------------------------------------------------- /src/headers/help.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | /* Help Function */ 11 | 12 | #ifndef __HELP_H 13 | #define __HELP_H 14 | 15 | void print_header(void); 16 | void print_version(void) __attribute__((noreturn)); 17 | 18 | #endif 19 | 20 | -------------------------------------------------------------------------------- /src/headers/math_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef H_MATHOP_OS 11 | #define H_MATHOP_OS 12 | 13 | /* Get the first available prime after the provided value 14 | * Returns 0 on error 15 | */ 16 | unsigned int os_getprime(unsigned int val); 17 | 18 | #endif 19 | 20 | -------------------------------------------------------------------------------- /src/headers/pthreads_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 
3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef PTHREADS_OP_H 11 | #define PTHREADS_OP_H 12 | 13 | #ifndef WIN32 14 | int CreateThread(void *function_pointer(void *data), void *data) __attribute__((nonnull(1))); 15 | #endif 16 | 17 | #endif 18 | 19 | -------------------------------------------------------------------------------- /src/headers/randombytes.h: -------------------------------------------------------------------------------- 1 | #ifndef __RANDOMBYTES_H 2 | #define __RANDOMBYTES_H 3 | 4 | void randombytes(void *ptr, size_t length); 5 | void srandom_init(void); 6 | 7 | #endif 8 | 9 | -------------------------------------------------------------------------------- /src/headers/regex_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | #ifndef OS_REGEX_OP_H 11 | #define OS_REGEX_OP_H 12 | 13 | /* POSIX regex pattern matching */ 14 | int OS_PRegex(const char *str, const char *regex); 15 | 16 | #endif 17 | 18 | -------------------------------------------------------------------------------- /src/headers/wait_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All rights reserved. 
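*
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#ifndef __WAIT_OP_H
#define __WAIT_OP_H

void os_setwait(void);
void os_delwait(void);
void os_wait(void);

#endif

--------------------------------------------------------------------------------
/src/init/functions.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Shell script functions for the OSSEC HIDS
# Author: Daniel B. Cid

TRUE="true";
FALSE="false";


# isFile PATH
#   Prints "${TRUE}" and returns 0 when PATH names an existing filesystem
#   entry, otherwise prints "${FALSE}" and returns 1.
#   The path is quoted so that names containing spaces or glob characters
#   are tested literally rather than word-split or expanded, and an empty
#   PATH is reported as absent instead of degenerating into "ls ." (which
#   succeeds and used to report "true").
isFile()
{
    FILE=$1
    if [ -e "${FILE}" ]; then
        echo "${TRUE}"
        return 0;
    fi
    echo "${FALSE}"
    return 1;
}

--------------------------------------------------------------------------------
/src/init/ossec-hids-aix.init:
--------------------------------------------------------------------------------
#!/bin/ksh
#
# name: ossec
# purpose: Init script for ossec-hids
# Aug. 07 2008 Chris Cuevas
#

case "$1" in
    start)
        if [ -f /var/ossec/bin/ossec-control ]; then
            echo "Starting OSSEC"
            /var/ossec/bin/ossec-control start
        fi
        ;;
    stop)
        if [ -f /var/ossec/bin/ossec-control ]; then
            echo "Stopping OSSEC"
            /var/ossec/bin/ossec-control stop
        fi
        ;;
    status)
        if [ -f /var/ossec/bin/ossec-control ]; then
            /var/ossec/bin/ossec-control status
        fi
        ;;
    *)
        echo "Usage: $0 (start | stop | status)"
        exit 1
esac
--------------------------------------------------------------------------------
/src/logcollector/COPYRIGHT:
--------------------------------------------------------------------------------
Copyright (C) 2009 Trend Micro Inc.
All right reserved.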
3 | This program is a free software; you can redistribute it 4 | and/or modify it under the terms of the GNU General Public 5 | License (version 2) as published by the FSF - Free Software 6 | Foundation 7 | 8 | OSSEC, logcollector. 9 | Available at http://www.ossec.net/hids/ 10 | -------------------------------------------------------------------------------- /src/logcollector/VERSION: -------------------------------------------------------------------------------- 1 | 0.4 2 | -------------------------------------------------------------------------------- /src/os_crypto/blowfish/bf_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 3 | * 4 | * This program is a free software; you can redistribute it 5 | * and/or modify it under the terms of the GNU General Public 6 | * License (version 2) as published by the FSF - Free Software 7 | * Foundation 8 | */ 9 | 10 | /* OS_crypto/blowfish Library 11 | * APIs for many crypto operations 12 | */ 13 | 14 | #ifndef __BF_OP_H 15 | #define __BF_OP_H 16 | 17 | #define OS_ENCRYPT 1 18 | #define OS_DECRYPT 0 19 | 20 | int OS_BF_Str(const char *input, char *output, const char *charkey, 21 | long size, short int action) __attribute((nonnull)); 22 | 23 | #endif 24 | 25 | -------------------------------------------------------------------------------- /src/os_crypto/md5/md5_op.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2009 Trend Micro Inc. 2 | * All right reserved. 
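*
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

/* OS_crypto/md5 Library
 * APIs for many crypto operations
 */

#ifndef __MD5_OP_H
#define __MD5_OP_H

/* Hex-encoded MD5 digest: 32 hex characters plus the terminating NUL. */
typedef char os_md5[33];

int OS_MD5_File(const char *fname, os_md5 output, int mode) __attribute((nonnull));
int OS_MD5_Str(const char *str, os_md5 output) __attribute((nonnull));

#endif

--------------------------------------------------------------------------------
/src/os_crypto/md5_sha1/md5_sha1_op.h:
--------------------------------------------------------------------------------
/* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#ifndef __MD5SHA1_OP_H
#define __MD5SHA1_OP_H

#include "../md5/md5_op.h"
#include "../sha1/sha1_op.h"

/* Compute both digests of 'fname' in one pass.
 * prefilter_cmd may be NULL (not covered by the nonnull list).
 * NOTE(review): the name suggests prefilter_cmd is run as a command over
 * the file before hashing; it must come from trusted configuration only.
 * Confirm against the implementation.
 */
int OS_MD5_SHA1_File(const char *fname, const char *prefilter_cmd, os_md5 md5output, os_sha1 sha1output, int mode) __attribute((nonnull(1, 3, 4)));

#endif

--------------------------------------------------------------------------------
/src/os_crypto/sha1/main.c:
--------------------------------------------------------------------------------
/* NOTE(review): the system header names were lost in extraction;
 * printf() needs <stdio.h> and exit() needs <stdlib.h>. */
#include
#include
#include

#include "sha1_op.h"


/* Print the command line usage and terminate with status 1.
 * argv: the program's argument vector (argv[0] is the program name).
 */
void usage(char **argv)
{
    printf("%s file\n", argv[0]);
    exit(1);
}

/* Print the SHA1 digest of the file named by argv[1].
 * Exits 0 when the digest was computed, 1 when OS_SHA1_File() failed,
 * so the tool can be used from scripts that check the exit status.
 */
int main(int argc, char **argv)
{
    os_sha1 filesum;

    if (argc < 2) {
        usage(argv);
    }

    if (OS_SHA1_File(argv[1], filesum, OS_BINARY) == 0) {
        printf("SHA1Sum for \"%s\" is: %s\n", argv[1], filesum);
    } else {
        printf("SHA1Sum for \"%s\" failed\n", argv[1]);
        return (1);
    }
    return (0);
}

--------------------------------------------------------------------------------
/src/os_crypto/sha1/sha1_op.h:
--------------------------------------------------------------------------------
/* Copyright (C) 2009 Trend Micro Inc.
 * All right reserved.
 *
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#ifndef __SHA1_OP_H
#define __SHA1_OP_H

/* Hex-encoded SHA1 digest (40 hex characters) plus NUL; the buffer is
 * deliberately oversized. */
typedef char os_sha1[65];

int OS_SHA1_File(const char *fname, os_sha1 output, int mode) __attribute((nonnull));

#endif

--------------------------------------------------------------------------------
/src/os_dbd/dbd_help.c:
--------------------------------------------------------------------------------
/* NOTE(review): system header names were lost in extraction;
 * printf() needs <stdio.h> and exit() needs <stdlib.h>. */
#include
#include

#include "defs.h"

/* Print name, version, author and license, then the database backends
 * this binary was compiled with, and exit with status 1.
 * Declared with an explicit (void) parameter list so the compiler checks
 * callers against a real prototype rather than an unspecified one.
 */
void dbd_print_version(void)
{
    printf(" ");
    printf("%s %s - %s", __ossec_name, __ossec_version, __author);
    printf(" ");
    printf("%s", __license);

    printf("\n");

#ifdef MYSQL_DATABASE_ENABLED
    printf("** Compiled with MySQL support\n");
#endif

#ifdef PGSQL_DATABASE_ENABLED
    printf("** Compiled with PostgreSQL support\n");
#endif

#if !defined(MYSQL_DATABASE_ENABLED) && !defined(PGSQL_DATABASE_ENABLED)
    printf("** Compiled without any database support\n");
#endif

    exit(1);
}
--------------------------------------------------------------------------------
/src/os_net/COPYRIGHT:
--------------------------------------------------------------------------------
Copyright (C) 2009 Trend Micro Inc.
All rights reserved.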
This program is a free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License (version 2) as published by the FSF - Free Software
Foundation

OSSEC, os_net library.
Available at http://www.ossec.net/
--------------------------------------------------------------------------------
/src/os_net/VERSION:
--------------------------------------------------------------------------------
0.3
--------------------------------------------------------------------------------
/src/os_regex/COPYRIGHT:
--------------------------------------------------------------------------------
Copyright (C) 2009 Trend Micro Inc.
All right reserved.
This program is a free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License (version 2) as published by the FSF - Free Software
Foundation

OSSEC, os_regex library.
Available at http://www.ossec.net/
--------------------------------------------------------------------------------
/src/os_regex/VERSION:
--------------------------------------------------------------------------------
0.3
--------------------------------------------------------------------------------
/src/os_regex/examples/Makefile:
--------------------------------------------------------------------------------
# Makefile for os_regex tests

maketest:
	$(CC) -o regex regex.c ../os_regex.a -I../ -Wall
	$(CC) -o match match.c ../os_regex.a -I../ -Wall
	$(CC) -o regex_str regex_str.c ../os_regex.a -I../ -Wall

clean:
	rm -f regex match regex_str *.core
--------------------------------------------------------------------------------
/src/os_regex/examples/match.c:
--------------------------------------------------------------------------------
/* Copyright by Daniel B. Cid (2005)
 * Under the public domain. It is just an example.
 * Some examples of the usage for the os_regex library.
 */

/* NOTE(review): system header names were lost in extraction. */
#include
#include
#include

#include "os_regex.h"


/* Usage: match PATTERN WORD
 * Reports whether OS_Match2(PATTERN, WORD) succeeds. Exits 1 when the
 * argument count is wrong, 0 otherwise.
 */
int main(int argc, char **argv)
{
    const char *verdict;

    if (argc != 3) {
        printf("%s regex word\n", argv[0]);
        exit(1);
    }

    verdict = OS_Match2(argv[1], argv[2]) ? "TRUE\n" : "FALSE\n";
    printf("for MATCH: ");
    printf("%s", verdict);

    return (0);
}

--------------------------------------------------------------------------------
/src/os_regex/examples/regex.c:
--------------------------------------------------------------------------------
/* Copyright by Daniel B. Cid (2005)
 * Under the public domain. It is just an example.
 * Some examples of the usage for the os_regex library.
 */

/* NOTE(review): system header names were lost in extraction. */
#include
#include
#include

#include "os_regex.h"


/* Usage: regex PATTERN WORD
 * Reports whether OS_Regex(PATTERN, WORD) succeeds. Exits 1 when the
 * argument count is wrong, 0 otherwise.
 */
int main(int argc, char **argv)
{
    const char *verdict;

    if (argc != 3) {
        printf("%s regex word\n", argv[0]);
        exit(1);
    }

    verdict = OS_Regex(argv[1], argv[2]) ? "TRUE\n" : "FALSE\n";
    printf("for REGEX: ");
    printf("%s", verdict);

    return (0);
}

--------------------------------------------------------------------------------
/src/os_regex/examples/run.sh:
--------------------------------------------------------------------------------
make
perl ./validate.pl "./match" tests/true.tests FALSE
perl ./validate.pl "./match" tests/false.tests TRUE
# NOTE(review): ./newmatch is not produced by the Makefile above, so
# validate.pl reports "File ./newmatch not present" for the next two runs.
perl ./validate.pl "./newmatch" tests/true.tests FALSE
perl ./validate.pl "./newmatch" tests/false.tests TRUE
perl ./validate.pl "./regex" tests/true.tests FALSE
perl ./validate.pl "./regex" tests/false.tests TRUE
perl ./validate.pl "./regex" tests/true.regex FALSE
perl ./validate.pl "./regex" tests/false.regex TRUE
perl ./validate.pl "./regex_str" tests/str.regex FALSE

-------------------------------------------------------------------------------- /src/os_regex/examples/tests/false.regex: -------------------------------------------------------------------------------- 1 | "\w+\s+\w+\d+\s\$" "a aa11 " 2 | "^\s+\s l" " lala" 3 | "test123test\d+" "test123test" 4 | "test123test\d+\$" "test123test" 5 | "(lalala" "lalala" 6 | "test123(\d)" "test123a" 7 | "\(test)" "test" 8 | "(\w+)(\d+)" "1 1" 9 | -------------------------------------------------------------------------------- /src/os_regex/examples/tests/false.tests: -------------------------------------------------------------------------------- 1 | "abc" "abb" 2 | "^ab" " ab" 3 | "test" "tes" 4 | "abcd" "abc" 5 | "abbb" "abb" 6 | "abbbbbbbb" "abbbbbbb" 7 | "a|b|c| " "def" 8 | "lala$" "lalalalalal" 9 | "^ab$" "abc" 10 | "zzzz$" "zzzzzzzzzzzz " 11 | "^bin$|^shell$" "bina" 12 | "^bin$|^shell$" "shella" 13 | "^bin$|^shell$" "ashell" 14 | -------------------------------------------------------------------------------- /src/os_regex/examples/tests/str.regex: -------------------------------------------------------------------------------- 1 | "123(\w+\s+)abc" "123sdf abc" 2 | "123(\w+\s+)abc" "abc123sdf abc" 3 | "123 (\d+.\d.\d.\d\d*\d*)" "123 45.6.5.567" 4 | "from (\S*\d+.\d+.\d+.\d\d*\d*)" "sshd[21576]: Illegal user web14 from ::ffff:212.227.60.55" 5 | "^sshd[\d+]: Accepted \S+ for (\S+) from (\S+) port " "sshd[21405]: Accepted password for root from 192.1.1.1 port 6023" 6 | ": \((\S+)@(\S+)\) [" "pure-ftpd: (?@enigma.lab.ossec.net) [INFO] New connection from enigma.lab.ossec.net" 7 | -------------------------------------------------------------------------------- /src/os_regex/examples/tests/true.tests: -------------------------------------------------------------------------------- 1 | "abc" "abcd" 2 | "abcd" "abcd" 3 | "a" "a" 4 | "a" "aa" 5 | "^a" "ab" 6 | "test" "testa" 7 | "test" "testest" 8 | "lalaila" "lalalalaila" 9 | "abc|cde" "cde" 10 | "^aa|ee|ii|oo|uu" "dfgdsii" 11 | "Abc" 
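"abc"
"ZBE" "zbe"
"ABC" "ABc"
"^A" "a"
"a|E" "abcdef"
"daniel" "daniel"
"DANIeL" "daNIel"
"^abc " "abc "
"ddd|eee|fff|ggg|ggg|hhh|iii" "iii"
"kwo|fe|fw|wfW|edW|dwDF|WdW|dw|d|^la" "la"
"^a" "a"
"^ab$" "ab"
"c$" "c"
"c$" "lalalalac"
"^bin$|^shell$" "bin"
"^bin$|^shell$" "shell"
"^bin$|^shell$|^ftp$" "shell"
"^bin$|^shell$|^ftp$" "ftp"
--------------------------------------------------------------------------------
/src/os_regex/examples/validate.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
# Usage: validate.pl PROG FILE ERROR_MSG
#
# Runs PROG once per line of FILE and marks every run whose output matches
# the regular expression ERROR_MSG with "** line **".
#
# Each line of FILE is a pair of shell-quoted arguments (see tests/*.tests
# and tests/*.regex) and is handed to the shell verbatim through backticks,
# so FILE is trusted input: only run this over test files you wrote.

use strict;
use warnings;

# All three arguments are used below; the old check accepted two and then
# matched against an undefined ERROR_MSG.
if (@ARGV < 3) {
    die "$0 prog file error_msg\n";
}

my ($prog, $file, $msg) = (@ARGV);

# Three-argument open with a lexical handle: the file name is taken
# literally and is never parsed for mode characters such as '<' or '|'.
open(my $fh, '<', $file) || die "Error opening file: $file\n";

if (! -f $prog) {
    die "File $prog not present\n";
}

while (my $line = <$fh>) {
    print "running: $prog $line\n";
    my $result = `$prog $line`;
    if ($result =~ /$msg/) {
        print $result;
        print "\t ** $line **\n";
    } else {
        print $result;
    }
}

close($fh);

--------------------------------------------------------------------------------
/src/os_regex/os_regex_startswith.c:
--------------------------------------------------------------------------------
/* Copyright (C) 2014 Trend Micro Inc.
 * All right reserved.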
*
 * This program is a free software; you can redistribute it
 * and/or modify it under the terms of the GNU General Public
 * License (version 2) as published by the FSF - Free Software
 * Foundation
 */

#include "os_regex.h"
#include "os_regex_internal.h"


/* Return TRUE when 'str' begins with every character of 'pattern',
 * FALSE otherwise. An empty pattern matches any string. The walk stops
 * at the first mismatch, and the NUL that ends a shorter 'str' is itself
 * a mismatch, so 'str' is never read past its terminator.
 */
int OS_StrStartsWith(const char *str, const char *pattern)
{
    const char *s = str;
    const char *p = pattern;

    for (; *p != '\0'; p++, s++) {
        if (*s != *p) {
            return FALSE;
        }
    }

    return TRUE;
}
--------------------------------------------------------------------------------
/src/os_xml/COPYRIGHT:
--------------------------------------------------------------------------------
Copyright (C) 2009 Trend Micro Inc.
All rights reserved.
This program is a free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License (version 2) as published by the FSF - Free Software
Foundation

OSSEC, os_xml library.
Available at http://www.ossec.net
--------------------------------------------------------------------------------
/src/os_xml/VERSION:
--------------------------------------------------------------------------------
0.3
--------------------------------------------------------------------------------
/src/remoted/COPYRIGHT:
--------------------------------------------------------------------------------
Copyright (C) 2009 Trend Micro Inc.
All rights reserved.
This program is a free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License (version 2) as published by the FSF - Free Software
Foundation.

OSSEC, logremote.
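Available at http://www.ossec.net/
--------------------------------------------------------------------------------
/src/remoted/README:
--------------------------------------------------------------------------------
How Remoted works:

Three daemons (forked):

-Secured (udp port 1514)
-Syslogd (udp port 514)
-Syslogd (tcp port 514)


-How secured works:

-Three threads.

-Main thread (remote receiver).
- Receives data from remote clients.
- If the data is a log, send to analysisd.
- If data is connection related, send to the manager thread
(by save_controlmsg).
-AR_Forward (local receiver).
- Receives data (active responses) locally from analysisd.
- Forward them to the configured agent.
-Manager (sends data to remote clients).
- Waits for messages from the main thread (wait_for_msgs).

--------------------------------------------------------------------------------
/src/remoted/VERSION:
--------------------------------------------------------------------------------
1.3
--------------------------------------------------------------------------------
/src/shared/tests/ip_test.c:
--------------------------------------------------------------------------------
/* NOTE(review): system header names were lost in extraction;
 * printf() needs <stdio.h>. */
#include
#include

#include "validate_op.h"


/* Usage: ip_test IP_OR_RANGE CANDIDATE
 * Parses argv[1] with OS_IsValidIP() and reports whether argv[2] falls
 * inside it. Exits 1 when an argument is missing or argv[1] is not a
 * valid IP, 0 otherwise.
 */
int main(int argc, char **argv)
{
    os_ip myip;

    /* Both arguments are required: the old check only tested argv[1]
     * and then passed a NULL argv[2] to OS_IPFound(). */
    if (argc < 3) {
        return (1);
    }

    /* myip is only initialised by a successful OS_IsValidIP(); stop here
     * rather than matching against an uninitialised structure. */
    if (!OS_IsValidIP(argv[1], &myip)) {
        printf("Invalid ip\n");
        return (1);
    }

    if (OS_IPFound(argv[2], &myip)) {
        printf("IP MATCHED!\n");
    }

    return (0);
}

--------------------------------------------------------------------------------
/src/shared/tests/merge_test.c:
--------------------------------------------------------------------------------
/* NOTE(review): system header names were lost in extraction;
 * printf() needs <stdio.h>, exit() <stdlib.h>, strcmp() <string.h>. */
#include
#include
#include

#include "file_op.h"


/* Usage: merge_test m MERGED FILE... | merge_test u MERGED
 * "m" merges argv[3..] into argv[2]; "u" unmerges argv[2].
 * Exits 1 on a usage error, 0 otherwise.
 */
int main(int argc, char **argv)
{
    /* Mode and target file are both required; the old check only
     * tested argv[1] and then used argv[2] unconditionally. */
    if (argc < 3) {
        printf("%s [mu] ..\n", argv[0]);
        exit(1);
    }

    if (strcmp(argv[1], "m") == 0) {
        MergeFiles(argv[2], argv + 3);
    } else if (strcmp(argv[1], "u") == 0) {
        UnmergeFiles(argv[2]);
    } else {
        printf("ERROR\n");
    }

    return (0);
}

--------------------------------------------------------------------------------
/src/shared/tests/prime_test.c:
--------------------------------------------------------------------------------
/* NOTE(review): system header names were lost in extraction;
 * printf() needs <stdio.h>, exit() and atoi() <stdlib.h>. */
#include
#include
#include

#include "math_op.h"


/* Usage: prime_test N
 * Prints the first prime at or after N as returned by os_getprime().
 * Exits 1 when N is missing, 0 otherwise.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("%s \n", argv[0]);
        exit(1);
    }

    /* os_getprime() returns unsigned int (math_op.h), so print with %u. */
    printf("Value: %u\n", os_getprime(atoi(argv[1])));

    return (0);
}

--------------------------------------------------------------------------------
/src/shared/tests/string_test.c:
--------------------------------------------------------------------------------
/* NOTE(review): system header names were lost in extraction;
 * printf() needs <stdio.h>, free() <stdlib.h>. */
#include
#include

#include "string_op.h"


/* Exercise os_shell_escape() on a path with shell metacharacters and on a
 * plain path, printing the input and the escaped result for each.
 * Takes no arguments.
 */
int main(int argc, char **argv)
{
    char *tmp;
    char buf[] = "/var/www/html/Testing This Interface$%^&*().txt";
    char clean[] = "/var/www/html/index.html";

    (void)argc;
    (void)argv;

    tmp = os_shell_escape(buf);
    printf("Sent: '%s'\n", buf);
    printf("Fixed: '%s'\n", tmp);
    free(tmp);

    tmp = os_shell_escape(clean);
    printf("Sent: '%s'\n", clean);
    printf("Fixed: '%s'\n", tmp);
    /* The second escaped string was previously leaked. */
    free(tmp);

    return (0);
}

--------------------------------------------------------------------------------
/src/systemd/agent/ossec-agent.target:
--------------------------------------------------------------------------------
[Unit]
Description=OSSEC HIDS agent
After=network.target
Requires=ossec-execd.service
Requires=ossec-syscheckd.service
Requires=ossec-agentd.service
Requires=ossec-logcollector.service

[Install]
WantedBy=multi-user.target
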
-------------------------------------------------------------------------------- /src/systemd/agent/ossec-agentd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Agent 3 | PartOf=ossec-agent.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-agentd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-agentd -f 11 | -------------------------------------------------------------------------------- /src/systemd/agent/ossec-execd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Execd 3 | PartOf=ossec-agent.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-execd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-execd -f 11 | -------------------------------------------------------------------------------- /src/systemd/agent/ossec-logcollector.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Logcollector 3 | PartOf=ossec-agent.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-logcollector -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-logcollector -f 11 | -------------------------------------------------------------------------------- /src/systemd/agent/ossec-syscheckd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC syscheckd 3 | PartOf=ossec-agent.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-syscheckd -t 10 | ExecStart=/usr/bin/env 
${DIRECTORY}/bin/ossec-syscheckd -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-agentless.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Agentless 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-agentlessd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-agentlessd -f -------------------------------------------------------------------------------- /src/systemd/server/ossec-analysisd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Analysisd 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-analysisd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-analysisd -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-csyslog.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Syslog client 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-csyslogd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-csyslogd -f -------------------------------------------------------------------------------- /src/systemd/server/ossec-dbd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=The OSSEC DBD 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env 
${DIRECTORY}/bin/ossec-dbd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-dbd -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-execd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Execd 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-execd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-execd -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-logcollector.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Logcollector 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-logcollector -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-logcollector -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-maild.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC Maild 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-maild -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-maild -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-monitord.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC monitord 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 
9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-monitord -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-monitord -f 11 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-remoted.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC remoted 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | Type=forking 7 | EnvironmentFile=/etc/ossec-init.conf 8 | Environment=DIRECTORY=/var/ossec 9 | 10 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-remoted -t 11 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-remoted -f 12 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-server.target: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC HIDS server 3 | After=network.target 4 | Wants=ossec-dbd.service 5 | Wants=ossec-csyslog.service 6 | Wants=ossec-agentless.service 7 | Requires=ossec-maild.service 8 | Requires=ossec-execd.service 9 | Requires=ossec-analysisd.service 10 | Requires=ossec-logcollector.service 11 | Requires=ossec-remoted.service 12 | Requires=ossec-syscheckd.service 13 | Requires=ossec-monitord.service 14 | 15 | [Install] 16 | WantedBy=multi-user.target 17 | -------------------------------------------------------------------------------- /src/systemd/server/ossec-syscheckd.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OSSEC syscheckd 3 | PartOf=ossec-server.target 4 | 5 | [Service] 6 | EnvironmentFile=/etc/ossec-init.conf 7 | Environment=DIRECTORY=/var/ossec 8 | 9 | ExecStartPre=/usr/bin/env ${DIRECTORY}/bin/ossec-syscheckd -t 10 | ExecStart=/usr/bin/env ${DIRECTORY}/bin/ossec-syscheckd -f 11 | -------------------------------------------------------------------------------- /src/win32/SimpleSC/SimpleSC.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/win32/SimpleSC/SimpleSC.dll -------------------------------------------------------------------------------- /src/win32/doc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | Redirecting to the online documentation at http://www.ossec.net/doc/index.html...
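

--------------------------------------------------------------------------------
/src/win32/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/win32/favicon.ico
--------------------------------------------------------------------------------
/src/win32/icofile.rc:
--------------------------------------------------------------------------------
101 ICON favicon.ico
--------------------------------------------------------------------------------
/src/win32/nsProcess/nsProcess.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/win32/nsProcess/nsProcess.dll
--------------------------------------------------------------------------------
/src/win32/nsProcess/nsProcess.nsh:
--------------------------------------------------------------------------------
; Wrappers around the prebuilt nsProcess.dll plugin (the binary checked in
; next to this file). NOTE(review): the DLL is a vendored build artifact
; with no source in this tree; record its provenance and checksum before
; shipping it inside the installer.

!define nsProcess::FindProcess `!insertmacro nsProcess::FindProcess`

!macro nsProcess::FindProcess _FILE _ERR
	nsProcess::_FindProcess /NOUNLOAD `${_FILE}`
	Pop ${_ERR}
!macroend


!define nsProcess::KillProcess `!insertmacro nsProcess::KillProcess`

!macro nsProcess::KillProcess _FILE _ERR
	nsProcess::_KillProcess /NOUNLOAD `${_FILE}`
	Pop ${_ERR}
!macroend


!define nsProcess::Unload `!insertmacro nsProcess::Unload`

!macro nsProcess::Unload
	nsProcess::_Unload
!macroend
--------------------------------------------------------------------------------
/src/win32/ossec-uninstall.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/win32/ossec-uninstall.ico
--------------------------------------------------------------------------------
/src/win32/ui/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossec/ossec-hids/f6502012b7380208db81f82311ad4a1994d39905/src/win32/ui/favicon.ico
--------------------------------------------------------------------------------
/src/win32/ui/os_win32ui.exe.manifest:
--------------------------------------------------------------------------------


OSSEC win32 Agent UI









--------------------------------------------------------------------------------
/src/win32/unix2dos.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
# Usage: unix2dos.pl FILE
#
# Copies FILE to standard output with every line terminated by CRLF.
# Lines that already end in CRLF are left as they are, so running the
# script twice over the same input does not produce "\r\r\n".

use strict;
use warnings;

my $file;

if(@ARGV < 1)
{
    die "$0: \n";
}

$file = shift (@ARGV);

# File
# Three-argument open: the name is taken literally, not parsed for a mode.
open(my $fh, '<', $file) || die "Unable to open file: $file\n";

# Raw byte I/O on both ends, so a Windows perl does not add a second CR
# on output and does not strip the CR we are checking for on input.
binmode($fh);
binmode(STDOUT);

while(my $line = <$fh>)
{
    $line =~ s/\r?\n/\r\n/;
    print $line;
}

close($fh);
--------------------------------------------------------------------------------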