os-hids README file - 19/10/2003
Daniel B. Cid <daniel@ossec.net>
http://www.ossec.net/oshids/ , http://ossec.underlinux.com.br/oshids/


What is it?

OsHids is Open Source software that analyzes your log files and takes action if
it finds something malicious. OsHids can run in real time, as a daemon, or you
can execute it from crontab.


Only that?

No. When OsHids finds something malicious (as specified in oshids.rules), it can take
some actions. Right now, the supported options are:
	- Notify by email
	- Log in html
	- Log in txt
	- Send an SNMP trap (not available yet)
	- Block the "attacker" IP address, if running snort (not available yet).

The other interesting thing OsHids can do is help you visualize any breach
of your firewall policy. If you use IpTables, or any other kind of firewall that supports
syslog, you can use it.


How to start (quick)?

Basically, you have two configuration files: oshids.conf and oshids.rules.
The first one holds the basic configuration; the second one holds
the entries to search for in the log files.
The default configuration can be used in 99% of cases (you only need to change your email
address and your smtp server, if using the notification option), but sometimes you
may want to change it to something more specific.


step 1: Change your email address and smtp server (in ./conf/oshids.conf):

*don't forget the \ (backslash) before the @. Be sure to keep the "" around the value and the ; at the end

	$mailto="youremail\@yourdomain.com";

	$smtpserver="yoursmtp.server.com";


step 2: Add any other log files to analyze (from zero up to the number of files, in order):

*you can use the default config

	$logg[0]="/var/log/messages";
	$logg[1]="/var/log/secure";
	$logg[2]="/var/log/somethingelse";


step 3: Add (or delete) any entry to be checked in the file oshids.rules:

	The syntax of the rules is:

		type of log : action : string to search : level : string to add in the log : comment

		Where,
 
		Type of log can be:
				syslog (syslog file)
				snort-sys (snort entries in syslog)
				win (eventlog-syslog converted by MonitorWare)
				iptables (iptables logs)


		Action can be (more than one may be given, separated by commas):
				log-txt (log in txt)
				log-html (log in html)
				notify (send an email)


		String to search can be:

				Any string or regular expression (e.g. bad, fail, b.d)


		Level can be:

				Any level that you want (when choosing log-html, the level will be
				the color of the line: red, orange, green, for example)


		String to add in the log can be:
				Any string that will be appended to the log line OsHids writes


		Comment:
				Any comment that you want.



		*Examples:

		#Log all snort entries that match "Priority 1" in html, with level green, and add "-ids" to the log line.
		snort-sys:log-html:Priority\S\s+1:green:-ids: Priority 1 snort messages

		#Log and notify when the string "unknown" is found
		syslog:log-txt,notify:unknown:red:: Unknown string found
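		To make the rule syntax above concrete, here is an added illustration (not OsHids code, and not Perl like the tool itself) that parses rules in this six-field format, validates the log type and action names listed above, compiles the search string as a regular expression, and runs the rules over a few constructed log lines. Which log type a given line belongs to is passed in by the caller, and the "string to add" is appended to the matched line with a space; both are assumptions of this example. The first two rules are the README's own; the iptables rule and all log lines are constructed.

```python
import re

# Constructed sample rules in the oshids.rules syntax:
#   type : action : string to search : level : string to add : comment
# The first two follow the README examples; the iptables rule is an
# added illustration (pattern and comment are assumptions).
SAMPLE_RULES = r"""
#Log all snort entries that match "Priority 1" in html, level green, tag "-ids"
snort-sys:log-html:Priority\S\s+1:green:-ids: Priority 1 snort messages
#Log and notify when the string "unknown" is found
syslog:log-txt,notify:unknown:red:: Unknown string found
#Flag packets the firewall policy logged on the telnet port
iptables:log-txt:DPT=23\b:orange:-fw: Telnet attempt hit firewall policy
"""

LOG_TYPES = {"syslog", "snort-sys", "win", "iptables"}
ACTIONS = {"log-txt", "log-html", "notify"}


def parse_rules(text):
    """Parse oshids.rules text into a list of rule dicts, rejecting malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # ':' is the field delimiter; only the trailing comment may contain one
        fields = line.split(":", 5)
        if len(fields) != 6:
            raise ValueError(f"rules line {lineno}: expected 6 ':'-separated fields")
        logtype, actions, pattern, level, addstr, comment = (f.strip() for f in fields)
        if logtype not in LOG_TYPES:
            raise ValueError(f"rules line {lineno}: unknown log type {logtype!r}")
        action_list = [a.strip() for a in actions.split(",")]
        bad = [a for a in action_list if a not in ACTIONS]
        if bad:
            raise ValueError(f"rules line {lineno}: unknown action(s) {bad}")
        try:
            regex = re.compile(pattern)  # the search string is a regular expression
        except re.error as exc:
            raise ValueError(f"rules line {lineno}: bad regex {pattern!r}: {exc}") from exc
        rules.append({"type": logtype, "actions": action_list, "regex": regex,
                      "level": level, "add": addstr, "comment": comment})
    return rules


def check_entry(rules, logtype, entry):
    """Return one hit per rule whose type matches and whose regex is found in entry."""
    hits = []
    for rule in rules:
        if rule["type"] != logtype or not rule["regex"].search(entry):
            continue
        # Assumption: the 'string to add' is appended to the entry after a space
        logged = entry + (" " + rule["add"] if rule["add"] else "")
        hits.append({"actions": rule["actions"], "level": rule["level"],
                     "logged": logged, "comment": rule["comment"]})
    return hits


# Constructed log lines; the caller supplies the log type of each line
SAMPLE_ENTRIES = [
    ("snort-sys", "Oct 19 10:23:44 host snort[555]: [1:1000:1] TEST [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:22"),
    ("syslog", "Oct 19 10:22:01 host sshd[1234]: unknown user foo from 10.0.0.5"),
    ("syslog", "Oct 19 10:22:05 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("iptables", "Oct 19 10:24:00 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=3456 DPT=23"),
]


def run_sample():
    """Apply the sample rules to the sample entries; returns (entry, hits) for entries with hits."""
    rules = parse_rules(SAMPLE_RULES)
    results = []
    for logtype, entry in SAMPLE_ENTRIES:
        hits = check_entry(rules, logtype, entry)
        if hits:
            results.append((entry, hits))
    return results


if __name__ == "__main__":
    for entry, hits in run_sample():
        for hit in hits:
            print(f"[{hit['level']}] {','.join(hit['actions'])}: {hit['logged']}  # {hit['comment']}")
```

		Note that because ':' separates the fields, a search string cannot itself contain a literal colon in this format; the snort example sidesteps that by matching the colon after "Priority" with \S.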



Step 4: Start the program:

			 perl os-hids.pl



-- Options to the oshids.conf --

	See examples/oshids.conf


-- Other Options and ways to execute it --

	See examples/README.examples
