From 629aa0c9a53124d4633a81ead86fa5666a96a041 Mon Sep 17 00:00:00 2001
From: M4t3o
Date: Thu, 17 Dec 2015 13:36:11 +0100
Subject: [PATCH 1/3] Update conf.maldet

---
 files/conf.maldet | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/files/conf.maldet b/files/conf.maldet
index d595b11..1b05f4e 100644
--- a/files/conf.maldet
+++ b/files/conf.maldet
@@ -258,3 +258,20 @@ inotify_verbose="0"
 # [ string length in characters, default = 150000 ]
 string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
 string_length="150000" # [ max string length ]
+
+##
+# [ STATISTICAL COLLECT ]
+##
+# Enable statistic to bring it into ELK stack
+# Before enable it, you should verify your firewall settings
+# with nc $elk_host $elk_port
+# to avoid timeout
+enable_statistic="1"
+# The host definition for the TCP input
+# Must be define if enable_statistic=1
+# Exemple : 192.168.1.1
+elk_host="10.24.1.111"
+# The port definition for the TCP input
+# Must be define if enable_statistic=1
+# Exemple : 12345
+elk_port="10001"

From 824f49a40a72a06488ddc2fffb0ca8b893ac5abd Mon Sep 17 00:00:00 2001
From: M4t3o
Date: Thu, 17 Dec 2015 13:43:43 +0100
Subject: [PATCH 2/3] Update scan.etpl

---
 files/internals/scan.etpl | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/files/internals/scan.etpl b/files/internals/scan.etpl
index e99c8e4..85fa528 100644
--- a/files/internals/scan.etpl
+++ b/files/internals/scan.etpl
@@ -68,6 +68,13 @@ if [ ! "$tot_hits" == "0" ]; then
 if [ -f "$hitlist_file" ]; then
 echo "FILE HIT LIST:" >> $tmpf
 cat $hitlist_file | column -t >> $tmpf
+ if [ "$enable_statistic" == "1" ]; then
+ export IFS=$(echo -en "\n\b")
+ for showhit in `cat $hitlist_file`; do
+ echo $showhit|awk -v date=$(date +%s) -v hostname=$(hostname) '{print "{\"date\" : \""date"\", \"hit\" : \""$1"\", \"file\" : \""$3"\", \"hostname\" : \""hostname"\"}"}'|nc $elk_host $elk_port -w $nc_timeout
+ done
+ export IFS=' '
+ fi
 fi
 fi
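Review bot: The awk `print` in the scan.etpl hunk builds the JSON record by concatenating `$1` (hit) and `$3` (file path) unescaped, so a flagged file whose name contains a `"` or `\` yields an invalid record or one with extra injected fields in the index — and file names of malware hits are exactly the attacker-chosen input here. The same block also leaves the script in a bad state: `export IFS=$(echo -en "\n\b")` is "restored" with `export IFS=' '` rather than the saved value, so everything after this point in scan.etpl (and child processes, because of `export`) no longer splits on tabs or newlines; a `while read -r` loop needs no IFS change at all. `nc $elk_host $elk_port -w $nc_timeout` is unquoted and never checks that the two settings are non-empty, so with the blank defaults the arguments shift and each hit blocks on a pointless connect attempt. The rewrite below escapes the two fields with bash parameter expansion (scan.etpl already relies on bash `==` in `[`), validates the settings, and sends all records over one connection, which assumes the ELK TCP input is newline-delimited (keep `nc` inside the loop if it is not); the enclosing `if [ ! "$tot_hits" == "0" ]` block starts before this hunk.
```shell
    cat $hitlist_file | column -t >> $tmpf
    if [ "$enable_statistic" == "1" ]; then
      if [ -z "$elk_host" ] || [ -z "$elk_port" ]; then
        echo "enable_statistic=1 but elk_host/elk_port are not set, skipping ELK export" >&2
      else
        # One JSON record per hit. Escape \ and " so a file name cannot break
        # the record or add fields to it. read -r with the default IFS keeps the
        # awk-style field split (field 1 = hit, field 3 = file) without touching
        # the script-wide IFS.
        stat_date=$(date +%s)
        stat_host=$(hostname)
        while read -r stat_hit _ stat_file _; do
          stat_hit=${stat_hit//\\/\\\\}; stat_hit=${stat_hit//\"/\\\"}
          stat_file=${stat_file//\\/\\\\}; stat_file=${stat_file//\"/\\\"}
          printf '{"date" : "%s", "hit" : "%s", "file" : "%s", "hostname" : "%s"}\n' \
            "$stat_date" "$stat_hit" "$stat_file" "$stat_host"
        done < "$hitlist_file" | nc "$elk_host" "$elk_port" -w "$nc_timeout"
      fi
    fi
    # … unchanged: closing fi of the hitlist_file and tot_hits checks …
```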
From d5f557e48f4dcc33baa0040158499b4101546315 Mon Sep 17 00:00:00 2001
From: M4t3o
Date: Thu, 17 Dec 2015 13:46:41 +0100
Subject: [PATCH 3/3] Update conf.maldet

---
 files/conf.maldet | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/files/conf.maldet b/files/conf.maldet
index 1b05f4e..4b4690b 100644
--- a/files/conf.maldet
+++ b/files/conf.maldet
@@ -260,18 +260,26 @@ string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
 string_length="150000" # [ max string length ]
 ##
-# [ STATISTICAL COLLECT ]
+# [ STATISTICAL ELK COLLECT ]
 ##
-# Enable statistic to bring it into ELK stack
+
+# Enable statistic to bring it into ELK stack
 # Before enable it, you should verify your firewall settings
 # with nc $elk_host $elk_port
 # to avoid timeout
-enable_statistic="1"
+enable_statistic="0"
+
 # The host definition for the TCP input
 # Must be define if enable_statistic=1
-# Exemple : 192.168.1.1
-elk_host="10.24.1.111"
+# Example : 192.168.1.1
+elk_host=""
+
 # The port definition for the TCP input
 # Must be define if enable_statistic=1
-# Exemple : 12345
-elk_port="10001"
+# Example : 12345
+elk_port=""
+
+# The timeout of the TCP sender
+# via netcat
+# Example : 1
+nc_timeout="1"
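Review bot: The new `nc_timeout="1"` setting is documented only as "the timeout of the TCP sender via netcat", with no unit and no hint of its cost; since scan.etpl passes it straight to `nc -w` for every hit, the comment should read `# Seconds passed to "nc -w" for each hit record sent to elk_host; with an unreachable host every hit blocks for this long` (and, hedged, note that `-w` semantics and EOF handling differ between netcat flavours, so the value should be tested with the installed nc). The `# Enable statistic to bring it into ELK stack` block should also state what leaves the host: each record carries the hit name, the flagged file's path and the hostname over plain, unauthenticated TCP, so elk_host should only be reachable across a trusted network; `# Records are sent in cleartext over TCP; point elk_host at a listener on a trusted network only` covers it. The settings keep their empty defaults, which is fine as long as the template that consumes them checks for empty values before calling nc.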