File: //usr/share/ossec/contrib/config2xml
#!/usr/bin/perl -w
#
#
# config2xml
#
# Written by: Charlie Heselton (gentuxx@gmail.com)
# Date: 08/22/2006
# Version: 0.1
#
# Description: OSSEC-HIDS uses XML for it's configuration
# and rules files. This script allows a user to use a
# more traditional "key = value" format and convert it
# to the XML required by OSSEC.
#
#
require 5.006;
use strict;
use Getopt::Std;
my (%opts, %config);
getopts('f:', \%opts);
my $current_line = 0;
if ($opts{'f'}) {
# open the "traditional" file and parse the contents.
open CONF, $opts{'f'} or die "Couldn't open input config file ($opts{'f'}): $! \n";
while (<CONF>) {
$current_line++;
# skip commented or blank lines
next if (/^#/);
next if (/^$/);
chomp;
# strip out any double quotes
#s/\"//g;
# strip out spaces or tabs
#s/(\s+|\t+)//g;
my ($key, $value);
#print STDERR "DEBUG: \$\_ ===> $_\n";
if (/^\s*(\S+)\s*\=\s*\"?([^=]+)\"?/) {
$key = $1; $value = $2;
} else {
die "Config error! Found an extra equals sign (=) in line $current_line\. Input file not converted!\n";
}
# the keys below will be repeated, but if the value is assigned initially,
# then the script fails when unwrapping the hash.
# key/value pairs that shouldn't be repeated throw a config error if they are repeated.
if ($key =~ /monitor_file|rules_include|active_response_command/) {
push @{$config{$key}}, $value;
} else {
if (exists($config{$key})) { die "$key has already been specified in the config file and can only be used once. Input file not converted!\n"; }
$config{$key} = $value;
}
}
close CONF;
} else {
die "No input file specified.\n";
}
undef $current_line;
# strip out any double-quotes
# this is handled for all the rest of the key/value pairs when the input file is initially parsed
foreach my $key ( qw/ active_response_command / ) { foreach ( @{$config{$key}} ) { s!\"!!g; } }
# separate the "complex" options into arrays
my @whitelisted = split(/\,/, $config{'whitelist_ips'});
my @ignored = split(/\,/, $config{'ignore'});
# Write the xml file. Easiest way is just to be deliberate. Not the most elegant solution, but it should work.
print <<END;
<!-- OSSEC example config -->
<ossec_config>
<global>
<email_notification>$config{'email_notify'}</email_notification>
<email_to>$config{'email_addr'}</email_to>
<smtp_server>$config{'smtp_server'}</smtp_server>
<email_from>$config{'email_from'}</email_from>
END
foreach my $wip ( sort( @whitelisted ) ) {
print " <white_list>$wip</white_list>\n";
}
print " </global>\n\n";
print " <rules>\n";
foreach my $rulesfile ( sort( @{$config{'rules_include'}} ) ) {
print " <include>$rulesfile</include>\n";
}
print <<END;
</rules>
<syscheck>
<!-- Frequency that syscheck is executed -- default every 2 hours -->
<frequency>$config{'frequency'}</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">$config{'directories_check_all'}</directories>
<!-- Files/directories to ignore -->
END
foreach my $ignored ( @ignored ) {
print " <ignore>$ignored</ignore>\n";
}
print <<END;
</syscheck>
<rootcheck>
<rootkit_files>$config{'rootkit_files_db'}</rootkit_files>
<rootkit_trojans>$config{'rootkit_trojans_db'}</rootkit_trojans>
</rootcheck>
END
if ( exists($config{'remote'}) ) {
print " <remote>\n";
if ((exists($config{'connection_type'})) && ($config{'connection_type'} eq 'secure')) {
print " <connection>$config{'connection_type'}</connection>\n";
}
print " </remote>\n";
}
print <<END;
<alerts>
<log_alert_level>$config{'log_alert_level'}</log_alert_level>
<email_alert_level>$config{'email_alert_level'}</email_alert_level>
</alerts>
END
if ( exists($config{'active_response'}) ) { # should always be true
if ($config{'active_response'} eq 'disabled') {
print " <active-response>\n <disabled>yes</disabled>\n </active-response>\n\n";
} else {
# Could use some comments/insight here, since I don't use the active response features.
foreach my $cmd ( sort(@{$config{'active-response-command'}}) ) {
my ( $name, $exe, $expect, $timeout ) = split(/\,/, $cmd);
print <<END;
<command>
<name>$name</name>
<executable>$exe</executable>
<expect>$expect</expect>
<timeout_allowed>$timeout</timeout_allowed>
</command>
END
}
print <<END;
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<!-- Files to monitor (localfiles) -->
END
}
}
foreach my $file ( sort( @{$config{'monitor_file'}} ) ) {
my ($fileloc, $fformat) = split(/\,/, $file);
print " <localfile>\n";
print " <log_format>$fformat</log_format>\n";
print " <location>$fileloc</location>\n";
print " </localfile>\n";
}
print "</ossec_config>\n";