Skip to content

Latest commit

 

History

History
225 lines (157 loc) · 5.7 KB

configuration.md

File metadata and controls

225 lines (157 loc) · 5.7 KB

Configuration

WHIDS

WHIDS configuration file example

# Windows log channels to listen to. Either channel names
# can be used (i.e. Microsoft-Windows-Sysmon/Operational) or aliases
channels = ["all"]

# Dumps/forward only events above criticality threshold
# or filtered events (i.e. Gene filtering rules)
criticality-treshold = 5

# Enable enrichment hooks and dump hooks
en-hooks = true

# Enable event filtering (log filtered events, not only alerts)
en-filters = true

# Logfile used to log messages generated by the engine
logfile = "C:\\Program Files\\Whids\\Logs\\whids.log"

# Log any incoming event passing through the engine
log-all = false

# True if current host is the endpoint on which logs are generated
# Example: turn this off if running on a WEC
endpoint = true

# Forwarder configuration
[forwarder]

  # If forwarder is local (this setting equals true)
  # neither alerts nor dumps will be forwarded to manager
  local = false

  # Configure connection to the manager
  [forwarder.manager]

    # Protocol to use to connect to manager (http or https)
    proto = "https"

    # Hostname or IP of the manager
    host = "192.168.56.1"

    # Port at which endpoint API is running on manager server
    port = 8000

    # Endpoint UUID configured on manager used to authenticate this endpoint
    endpoint-uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4ef"

    # Endpoint key configured on manager used to authenticate this endpoint
    endpoint-key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX"

    # Key configured on manager, used to authenticate server on this endpoint
    # This settings does not protect from MITM, so configuring server
    # certificate pinning is recommended.
    server-key = ""

    # Configure manager certificate pinning
    # Put here the manager's certificate fingerprint
    server-fingerprint = ""

    # Allow unsafe HTTPS connection
    unsafe = true

    # Maximum allowed upload size
    max-upload-size = 104857600

  # Forwarder's logging configuration
  [forwarder.logging]

    # Directory used to store logs
    dir = "C:\\Program Files\\Whids\\Logs\\Alerts"

    # Logfile rotation interval
    rotation-interval = "1h0m0s"

# Sysmon related settings
[sysmon]

  # Path to Sysmon binary
  bin = "C:\\Windows\\Sysmon64.exe"

  # Path to Sysmon Archive directory
  archive-directory = "C:\\Sysmon\\"

  # Delete files older than 5min archived by Sysmon
  clean-archived = true

# Dump related settings
[dump]

  # Dump mode (choices: file, registry, memory)
  # Modes can be combined together, separated by |
  mode = "file|registry"

  # Directory used to store dumps
  dir = "C:\\Program Files\\Whids\\Dumps"

  # Dumps only when event criticality is above this threshold
  treshold = 8

  # Maximum number of dumps per process
  max-dumps = 4

  # Enable dumps compression
  compression = true

  # Dumps untracked process. Untracked processes are missing
  # enrichment information and may generate unwanted dumps
  dump-untracked = false

# Gene rules related settings
# Gene repo: /~https://github.com/0xrawsec/gene
# Gene rules repo: /~https://github.com/0xrawsec/gene-rules
[rules]

  # Path to Gene rules database
  rules-db = "C:\\Program Files\\Whids\\Database\\Rules"

  # Path to Gene rules containers
  # (c.f. Gene documentation)
  containers-db = "C:\\Program Files\\Whids\\Database\\Containers"

  # Update interval at which rules should be pulled from manager
  # NB: only applies if a manager server is configured
  update-interval = "1m0s"

Manager

Manager configuration example

# Gene rule directory.
# See: /~https://github.com/0xrawsec/gene-rules
rules-dir = "./data/rules"

# Directory where to dump artifacts collected on hosts
dump-dir = "./data/dumps"

# Gene rules' containers directory
# (c.f. Gene documentation /~https://github.com/0xrawsec/gene)
containers-dir = "./data/containers"

# Settings to configure administrative API (not supposed to be reachable by endpoints)
[admin-api]

  # Hostname or IP address where the API should listen to
  host = "localhost"

  # Port used by the API
  port = 8001

  [[admin-api.users]]
    identifier = "admin"
    key = "admin"

# Settings to configure API used by endpoints
[endpoint-api]

  # Hostname or IP where the API should listen to
  host = ""

  # Port used by the API
  port = 8000

  # Server key used to do basic authentication of the server on clients.
  # Configure certificate pinning on client offers better security.
  server-key = ""

  [[endpoint-api.endpoints]]

    # Unique client identifier
    uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4ef"
    # API key used to authenticate the client
    key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX"

  # Example of another endpoint configured
  [[endpoint-api.endpoints]]

    # Unique client identifier
    uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4eb"
    # API key used to authenticate the client
    key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8Ky"

# Logging settings
[logging]

  # Root directory where logfiles are stored
  root = "./data/logs"

  # Logfile name (relative to root) used to store logs.
  logfile = "forwarded"

  # Enable endpoint logging.In addition to log in the main log file,
  # it will store logs individually for each endpoints.
  enable-endpoint-logging = true
    
  verbose-http = false

# TLS settings. Leave empty, not to use TLS
[tls]

  # Path to the certificate file to use for TLS connections
  cert = "cert.pem"

  # Path to the key to use for TLS connection
  key = "key.pem"

# MISP settings. Use this setting to push IOCs as containers on endpoints.
[misp]

  # HTTP protocol to use (http or https)
  protocol = ""

  # Hostname or IP address of MISP server
  host = ""

  # MISP API key
  api-key = ""