yes no rules_config.xml pam_rules.xml sshd_rules.xml telnetd_rules.xml syslog_rules.xml arpwatch_rules.xml symantec-av_rules.xml symantec-ws_rules.xml pix_rules.xml named_rules.xml smbd_rules.xml vsftpd_rules.xml pure-ftpd_rules.xml proftpd_rules.xml ms_ftpd_rules.xml ftpd_rules.xml hordeimp_rules.xml roundcube_rules.xml wordpress_rules.xml cimserver_rules.xml vpopmail_rules.xml vmpop3d_rules.xml courier_rules.xml web_rules.xml web_appsec_rules.xml apache_rules.xml nginx_rules.xml php_rules.xml mysql_rules.xml postgresql_rules.xml ids_rules.xml squid_rules.xml firewall_rules.xml apparmor_rules.xml cisco-ios_rules.xml netscreenfw_rules.xml sonicwall_rules.xml postfix_rules.xml sendmail_rules.xml imapd_rules.xml mailscanner_rules.xml dovecot_rules.xml ms-exchange_rules.xml racoon_rules.xml vpn_concentrator_rules.xml spamd_rules.xml msauth_rules.xml mcafee_av_rules.xml trend-osce_rules.xml ms-se_rules.xml zeus_rules.xml solaris_bsm_rules.xml vmware_rules.xml ms_dhcp_rules.xml asterisk_rules.xml ossec_rules.xml attack_rules.xml openbsd_rules.xml clam_av_rules.xml dropbear_rules.xml sysmon_rules.xml opensmtpd_rules.xml exim_rules.xml openbsd-dhcpd_rules.xml dnsmasq_rules.xml nsd_rules.xml unbound_rules.xml psad_rules.xml local_rules.xml 79200 /etc,/usr/bin,/usr/sbin /bin,/sbin,/boot /etc/mtab /etc/mnttab /etc/hosts.deny /etc/mail/statistics /etc/random-seed /etc/adjtime /etc/httpd/logs /etc/utmpx /etc/wtmpx /etc/cups/certs /etc/dumpdates /etc/svc/volatile C:\WINDOWS/System32/LogFiles C:\WINDOWS/Debug C:\WINDOWS/WindowsUpdate.log C:\WINDOWS/iis6.log C:\WINDOWS/system32/wbem/Logs C:\WINDOWS/system32/wbem/Repository C:\WINDOWS/Prefetch C:\WINDOWS/PCHEALTH/HELPCTR/DataColl C:\WINDOWS/SoftwareDistribution C:\WINDOWS/Temp C:\WINDOWS/system32/config C:\WINDOWS/system32/spool C:\WINDOWS/system32/CatRoot /var/ossec/etc/shared/rootkit_files.txt /var/ossec/etc/shared/rootkit_trojans.txt /var/ossec/etc/shared/system_audit_rcl.txt /var/ossec/etc/shared/cis_debian_linux_rcl.txt /var/ossec/etc/shared/cis_rhel_linux_rcl.txt /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt 127.0.0.1 ::1 localhost.localdomain 8.8.8.8 8.8.4.4 192.168.0.2 192.168.0.3 syslog secure 1 host-deny host-deny.sh srcip yes firewall-drop firewall-drop.sh srcip yes disable-account disable-account.sh user yes restart-ossec restart-ossec.sh route-null route-null.sh srcip yes ossec-slack ossec-slack.sh no cloudflare-ban cloudflare-ban.sh yes srcip host-deny all 6 600 30,60,120,240,480 firewall-drop all 6 600 30,60,120,240,480 ossec-slack server 6 cloudflare-ban server 6 43200 syslog /var/log/messages syslog /var/log/secure syslog /var/log/maillog snort-fast /var/log/snort/alert syslog /var/log/fail2ban.log command df -P full_command netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sort full_command last -n 5