WHIDS configuration file example
# Windows event log channels to subscribe to. Full channel names
# (e.g. Microsoft-Windows-Sysmon/Operational) and aliases are both accepted.
channels = ["all"]
# Only events above this criticality threshold, or events matched by a
# filtering rule (Gene filtering rules), are dumped/forwarded.
# NOTE(review): the key spelling ("treshold") is kept exactly as written
# since the engine parses it by name — confirm before "correcting" it.
criticality-treshold = 5
# Turn on enrichment hooks and dump hooks
en-hooks = true
# Turn on event filtering: filtered events are logged as well, not only alerts
en-filters = true
# File receiving the messages emitted by the engine itself.
# Literal string form: no backslash escaping needed for Windows paths.
logfile = 'C:\Program Files\Whids\Logs\whids.log'
# Log every incoming event passing through the engine (expect high volume)
log-all = false
# true when this host is the endpoint generating the logs.
# Set to false when running on a Windows Event Collector (WEC).
endpoint = true
# Forwarder settings
[forwarder]
# true = forwarder stays local: alerts and dumps are kept on this host
# and nothing is sent to the manager
local = false
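# Connection to the manager
[forwarder.manager]
# Transport used to reach the manager: "http" or "https".
# Keep "https": the endpoint credentials below travel over this channel.
proto = "https"
# Manager hostname or IP address
host = "192.168.56.1"
# Port on which the manager's endpoint API listens
port = 8000
# Endpoint UUID registered on the manager; identifies this endpoint.
# Example value — generate a distinct UUID per endpoint.
endpoint-uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4ef"
# Endpoint key registered on the manager; authenticates this endpoint.
# Example value published with the docs — replace it with a per-endpoint
# random secret and keep this file readable by the service account only.
endpoint-key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX"
# Key configured on the manager, used to authenticate the server to this
# endpoint. It does NOT protect against MITM; pin the certificate below.
server-key = ""
# Certificate pinning: fingerprint of the manager's TLS certificate.
# Fill this in whenever the manager uses a self-signed or private-CA cert.
server-fingerprint = ""
# Allow an "unsafe" HTTPS connection (server certificate not verified).
# The upstream example ships this as true; it is false here on purpose:
# with no pinning and no verification, anyone on the path can impersonate
# the manager, receive the forwarded alerts/dumps and — since rules are
# pulled from the manager — serve its own rules. Prefer setting
# server-fingerprint; only flip this to true in a throw-away lab.
unsafe = false
# Maximum upload size (presumably bytes: 104_857_600 = 100 MiB)
max-upload-size = 104_857_600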
# Forwarder logging
[forwarder.logging]
# Directory where forwarder logs are written
dir = 'C:\Program Files\Whids\Logs\Alerts'
# Log file rotation interval (duration string, e.g. 1h0m0s)
rotation-interval = "1h0m0s"
# Sysmon integration
[sysmon]
# Sysmon executable
bin = 'C:\Windows\Sysmon64.exe'
# Sysmon archive directory
archive-directory = 'C:\Sysmon\'
# Remove files archived by Sysmon once they are older than 5 minutes
clean-archived = true
# Dump settings
[dump]
# What to dump: file, registry, memory. Several modes can be combined
# with "|".
mode = "file|registry"
# Where dumps are written. Dumps (memory dumps in particular) may hold
# sensitive process data: restrict this directory to the service account.
dir = 'C:\Program Files\Whids\Dumps'
# Dump only when the triggering event's criticality is above this value
treshold = 8
# Upper bound on the number of dumps taken per process
max-dumps = 4
# Compress dumps
compression = true
# Also dump untracked processes. Those lack enrichment information and
# tend to produce unwanted dumps, so this is left off.
dump-untracked = false
# Gene rules settings
# Gene engine: /~https://github.com/0xrawsec/gene
# Gene rules: /~https://github.com/0xrawsec/gene-rules
[rules]
# Location of the Gene rules database
rules-db = 'C:\Program Files\Whids\Database\Rules'
# Location of the Gene rules containers (see the Gene documentation)
containers-db = 'C:\Program Files\Whids\Database\Containers'
# How often rules are pulled from the manager. Only applies when a
# manager is configured. Rules drive detection, so the channel they are
# pulled over must authenticate the manager (certificate pinning in
# [forwarder.manager]).
update-interval = "1m0s"
Manager configuration example
# Gene rules directory (see /~https://github.com/0xrawsec/gene-rules)
# NOTE(review): relative paths — presumably resolved against the manager
# process' working directory; prefer absolute paths when run as a service.
rules-dir = "./data/rules"
# Where artifacts collected from hosts are stored
dump-dir = "./data/dumps"
# Gene rules containers directory (see /~https://github.com/0xrawsec/gene)
containers-dir = "./data/containers"
# Administrative API. Not meant to be reachable by endpoints: keep it
# bound to localhost (or a dedicated management network), never expose
# it publicly.
[admin-api]
# Listen address
host = "localhost"
# Listen port
port = 8001
# Admin API users. The pair below is the example's placeholder:
# "admin"/"admin" is a default credential and must be replaced with a
# long random key before the manager is started.
[[admin-api.users]]
identifier = "admin"
key = "admin"
# API exposed to endpoints
[endpoint-api]
# Listen address. Empty — presumably every interface; restrict it to the
# interface endpoints actually use when possible.
host = ""
# Listen port
port = 8000
# Server key used for basic authentication of the server on clients.
# Weak on its own (no MITM protection): prefer certificate pinning on
# the client side (server-fingerprint in the endpoint configuration).
server-key = ""
[[endpoint-api.endpoints]]
# Unique client identifier (the endpoint's endpoint-uuid)
uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4ef"
# Client API key. Example value published with the docs — generate a
# unique random key per endpoint: a shared or known key lets anyone able
# to reach this port submit data as that endpoint.
key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX"
# A second endpoint, showing the per-endpoint layout
[[endpoint-api.endpoints]]
# Unique client identifier
uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4eb"
# Client API key. Example value only — issue a distinct random key for
# every endpoint and never reuse a key from the documentation.
key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8Ky"
# Manager logging
[logging]
# Root directory for log files
root = "./data/logs"
# Log file name, relative to root
logfile = "forwarded"
# Per-endpoint logging: in addition to the main log file, keep a
# separate log for each endpoint
enable-endpoint-logging = true
# Verbose HTTP logging (presumably request-level detail; leave off
# outside troubleshooting)
verbose-http = false
# TLS settings. Leave the paths empty to run without TLS — the endpoint
# keys are then sent in clear text, so only do that behind a
# TLS-terminating proxy or in an isolated lab.
[tls]
# Certificate file (PEM) used for TLS connections
cert = "cert.pem"
# Private key file (PEM). Readable by the manager's service account only.
key = "key.pem"
# MISP integration: pushes IOCs to endpoints as containers
[misp]
# "http" or "https" — use https, the API key below is presumably sent
# with every request
protocol = ""
# MISP server hostname or IP address
host = ""
# MISP API key. Stored in plain text here: restrict this file's
# permissions accordingly.
api-key = ""