Atomicorp Documentation
Atomic Enterprise OSSEC
Hub Server
Requirements
Supported Operating Systems
Recommended System resources
Network Security policy
Installation
Command Line Network Installer
Offline ISO Installer
Upgrading
Web Console (Configuration)
Command Line (Manual)
Offline ISO Installer
Marketplace Installation
Azure Marketplace
Clustering
Configuring a cluster Primary node
Configuring a cluster Secondary node
Backup / Restore
Backup: Alert data (Cold Storage)
Restore: Alert data (Cold Storage)
Syslog Output
AEO Syslog Output
Local Log collection agent
OpenID Connect
Agents
Requirements
Supported Operating Systems
Recommended System resources
Network Security Policy
Installation
Linux
Windows: Manual Installation with PowerShell
Windows: MSI Installer
Windows: Automated Installation using Active Directory (GPO)
AIX
Solaris
OSX
Agentless
Atomic Protector
Installing Atomic Endpoint Defender
Before Installation
IMPORTANT
Prerequisites
Recommendations
AED Installation Guide
Introduction
Before You Start
Prerequisites
Installation and Downloads
Post-Installation Quickstart/Configuration
Utilizing the Command Line to control AED
Important Notes
Upgrading Atomic Endpoint Defender
General-Upgrade Instructions
Version Specific Upgrade Instructions
Automatic Upgrading System
Per Component Upgrade
Upgrading the AED Kernel
Configuring Atomic Endpoint Defender
Atomic Endpoint Defender Configuration
Introduction
Post Installation Configuration
Authentication Information
AED Web Settings
Data Paths
AED General Settings
AED Firewall Settings
AED Kernel Settings
ClamAV Settings
PSMON Settings
OSSEC Settings
Mod Security Settings
PHP Settings
SSH Daemon Settings
Denial of Service Settings
MySQL Security Settings
Plesk Security Settings
Tortixd Configuration
Introduction
Tortixd Settings
Log Files
SSL Certificates
Atomic Endpoint Defender Firewall Configuration
Introduction
How the Firewall Works
Stateful Packet Inspection
Firewall Log Messages
Console Firewall Messages
Fast/Easy Mode
Engine Settings
Advanced Firewall Rule Manager
Using the Firewall Manager
Per Port ACLs
Examples of Using Fast/Easy Mode to Add a Firewall Rule
Examples of Using the Advanced Firewall Manager to Add a Firewall Rule
Using the Advanced Firewall Manager and Fast/Easy Mode together
Frequently Asked Questions
Atomic WAF Configuration
Introduction
Configuring AED WAF
SSL/TLS
AED WAF Configuration Settings
Rule Manager
Configuring Specific Rules
Rule Tuning
Events
Configuring Web Servers to Use the T-WAF
Atomic Endpoint Defender HIDS Configuration
Introduction
Configuring AED HIDS
Editing AED HIDS Rules
Suspicious Behavior Rules
Reconfiguring HIDS Rules
Atomic Endpoint Defender Kernel Configuration
Overview
Do I have the AED Kernel Installed?
How do I know if the AED Kernel is running?
Installing the AED Kernel
Upgrading the AED Kernel
What do I do if the Kernel is not Installed or won’t Upgrade?
Rolling back the Kernel
Setting which Kernel to Boot
Kernel Options
Testing the AED Kernel
Manually Installing the AED Kernel
Kernel Tuning
Technical Abstract of the AED Kernel
Kernel Panics
Additional Kernel Features
Kernel Modules
Source Code
Atomic Endpoint Anti-asl Configuration
Introduction
Configuring Atomic Secured Anti-asl
Real Time Malware Protection
Rebooting the System
Testing Your Protection
Detecting False Positives
Atomic Endpoint Defender File Integrity Manager (FIM) Configuration
Introduction
Accessing
Configuring AED FIM
Usage
Types of Events
Directories
Atomic Endpoint Defender Usage Guide
Introduction
Atomic Endpoint Defender Web Console
Scanning for Malware
Blocking/Unblocking an IP/Network(s)
Debugging Usage
AED X11 Usage
Enabling/Disabling Usage
Active Response Usage
Editing Rules
AED Vulnerability Scanner Usage
Managing PHP by using AED
Manage SSH by using AED
Network Firewall Usage
VPS Errors
Web Application Firewall Usage
AED Data Retention Usage
AED Firewall Usage
AED Kernel Usage
Types of Virtualization Technologies
OSSEC Usage
Advanced Configuration of Atomic Endpoint Defender
Configuring a Remote AED Database
Atomic Endpoint Defender Release Notes
Atomic Endpoint Defender V6
Atomic Endpoint Defender V5
Atomic Endpoint Defender Supporting Documentation
Reporting False Positives/Negatives with AED
General Questions and Answers
WAF/Modsecurity rules False Positives/Negatives
ClamAV False Positives/Negatives
AED HIPS/KIPS/WIPS False Positives/Negatives
Vulnerability Scanner False Positives/Negatives
Reporting a New Piece of Malware
To report a new piece of malware
Atomic CLAMAV Signatures
About the Signatures
Licensing
What does each signature ruleset do?
Third Party Signatures
Easy One Step Installation
Manual Installation
Frequently Asked Questions (FAQ)
Atomicorp Threat Intelligence System (TIS)
Introduction
Enabling the Threat Intelligence System
Looking up Addresses
Zones
Local DNS Mirror
About rbldnsd
Requesting Access to Zones
Local Only Resolver
Remote Resolver
Terms of Use
Frequently Asked Questions
Atomic Update Manager (AUM)
Configuring AUM
Introduction
Ruleset Settings
AUM
Introduction
Atomic Update Manager (AUM)
AUM with Rules Only
Installing AUM
Configuring AUM
Supported Platforms
Notes for CPanel Users
Frequently Asked Questions
Atomic ModSecurity Rules
Requirements
Supported Operating Systems
Versions
Installation
Linux
Automated Installation: Apache
Manual Installation: Apache
Manual Installation: Nginx
Manual Installation: Cpanel
Windows
Manual Installation: IIS
WAF Rule Families
000000000000000000000000_asl_notconfigured.conf
000_asl_threat_intelligence.conf
00_asl_x_searchengines.conf
00_asl_y_searchengines.conf
00_asl_zz_strict.conf
00_asl_0_global.conf
00_asl_rbl.conf
00_asl_blacklist.conf
00_asl_whitelist.conf
01_asl_content.conf
01_asl_domain_blocks.conf
01_asl_rules_special.conf
03_asl_dos.conf
05_asl_exclude.conf
00_asl_z_antievasion.conf
05_asl_scanner.conf
11_asl_rules.conf
10_asl_antimalware.conf
09_asl_rules.conf
10_asl_rules.conf
11_asl_adv_rules.conf
11_asl_data_loss.conf
12_asl_adv_xss_rules.conf
12_asl_brute.conf
20_asl_useragents.conf
30_asl_antispam.conf
30_asl_antispam_advanced.conf
30_asl_antispam_referrer.conf
40_asl_apache2-rules.conf
50_asl_rootkits.conf
51_asl_rootkits.conf
60_asl_recons.conf
61_asl_recons_dlp.conf
99_asl_a_redactor.conf
99_asl_exclude.conf
98_asl_adv_redactor.conf
98_asl_jitp.conf
99_asl_jitp.conf
99_asl_a_redactor.conf
99_asl_redactor.conf
99_asl_redactor_post.conf
99_asl_scanner.conf
99_asl_z_adv_scanner.conf
Paranoid Mode Rules
Beta Rules
Atomicorp WAF Rules Troubleshooting
Introduction
Invalid command ‘SecRemoteRulesFailAction’, perhaps misspelled or defined by a module not included in the server configuration
Invalid command ‘SecTmpSaveUploadedFiles’
Error creating rule: Unknown variable: FILES_TMP_CONTENT
Error creating rule: Failed to resolve operator: fuzzyHash
Error creating rule: Could not open phrase file “/etc/asl/custom-domain-blocks”: No such file or directory
SecReadStateLimit is depricated, use SecConnReadStateLimit instead.
Error creating rule: Could not add entry
ModSecurity: IPmatch: bad IPv4 specification
httpd: ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated
ModSecurity: Failed to access DBM file “/var/asl/data/msa/
Failed to create subdirectories
Error creating rule: Unknown variable: MATCHED_VARS
Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found)
/usr/bin/modsec-clamscan.pl is not installed on the server.
No action id present within the rule
httpd: ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated
ModSecurity: Found another rule with the same id
Rule execution error - PCRE limits exceeded (-8): (null).
High Memory Usage
ModSecurity Rules Guide
Installing ModSecurity Rules
Disabling Global Rules
Disabling Rules Per Domain
Disabling ModSecurity Per Domain for an IP Address
Disable a Rule for a Single Domain
Disable a Rule for All Domains
Disabling Rules Per IP or Network
Disabling ModSecurity Rules Per Application
Changing the Action of a Rule
Disabling POST Inspection for a Specific URL
Enabling Rules for only Specific Domains
Disabling Rules Using .htaccess
Customizing a Rule
Customizing a Rule for a Domain
Custom Rules in ModSecurity
Modifying a Rule
Configuring and Setting Up ModSecurity
Atomic Mod Security FAQ
Are these the gotroot rules?
Are these the real time rules?
Do I need a real time rules subscription if I am using AED?
How can I purchase your realtime modsecurity rules?
Does a rules subscription include support for setting up mod_security?
Help! I need help!
I have a false positive/negative, how do I report it?
What is your approximate support response time?
Do you offer support outside of your normal support coverage?
Do you offer phone support?
How can I give atomicorp support access to my system?
What should I do if I believe a system has been compromised?
Is there any limit on name based or “vhosts”?
Do the Rules provide Brute Force protection?
How can I reset my License Manager password?
How can I reset my support portal password?
What do the Atomic ModSecurity Rules protect against?
What versions of modsecurity do the rules work with?
How often are the rules updated?
Are these the gotroot.com rules?
What is included with an Atomic ModSecurity Rules subscription?
Does a real time subscription include both the modsecurity and clamav rules?
Are there any performance issues with your rules?
Does your rule-set have any performance enhancements built-in?
Are there any issues for high traffic sites with mod_security?
Do I need to edit or modify the rules?
I have unpatched web applications, will your modsecurity rules protect me?
Do I need to install mod_security to use your rules?
What about mod_evasive and Suhosin, do I also need those for full protection?
Why do you use a VERSION file method?
Should the VERSION match the latest rule file available?
Why don’t you just use a “latest” file?
What Operating Systems is ModSecurity compatible with?
Does ModSecurity work with Control Panels?
What webservers does ModSecurity work with?
How do I install modsecurity?
How do I configure your modsecurity rules?
How can I modify or disable mod_security rules for a domain, rule, or globally?
How do you exclude a domain from the modsecurity rules?
Why should I change my CPanel mod_Security config file?
How can I keep the rules updated?
Can I setup a cronjob to automatically update the rules?
Error parsing actions: Invalid transformation function: utf8toUnicode
Error creating rule: Failed to resolve operator: detectSQLi
No action id present within the rule
httpd: ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated
Error from ssl wrapper: Unable to produce a valid Apache configuration file
Error creating rule: Unknown variable: MATCHED_VARS
I’m getting this error “Rule execution error - PCRE limits exceeded (-8): (null).”
/usr/bin/modsec-clamscan.pl is not installed on the server.
Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found)
ModSecurity: Failed to access DBM file “/var/asl/data/msa/
Apache Segmentation Faults
Support Guide
Standard Support Methods
Atomicorp Support Portal
Extended Support Methods
Support Levels
Support Status
Unofficial Support Methods
Frequently Asked Questions (FAQ)
Atomic Endpoint Defender FAQ
How can I buy an Atomic Endpoint Defender (AED) license?
Can I try Atomic Endpoint Defender (AED) before I purchase it?
What is the benefit of Subscribing to AED?
What is the SLA for critical security or support issues in AED?
I need help!
MODSEC version is not current. False reporting has been disabled
How can I give atomicorp support access to my system?
Can I just set up access myself?
How can I verify the integrity of the ssh keys?
Can I set a password for the atomic account?
How can I remove atomicorp access to my system?
Where is the Atomic Protector Web Console?
Does Atomic Protector have any PHP dependencies?
Does AED install PHP on my system?
Does AED replace PHP on my system?
What are the asl-php rpms?
My system has experienced a kernel panic.
What should I do if I believe a system has been compromised?
Do you have pre-defined access policies, or do we have to configure these policies?
How long are major releases supported?
How can I upgrade a trial?
Do the VPS licenses need to be used on one physical machine or can the VPS boxes be located on different physical machines in different locations?
If we use more than 5 licenses, do we have to add additional licenses 5 at a time, or can we add just 1 at a time after we purchase the initial 5?
Do VPS licenses include support for the kernel?
Can I use AED as a reverse proxy for my other servers?
What Linux distributions do you support?
Is AED compatible with AWS instances?
AED does not support my version of my operating system
Do you support custom builds of apache, or other custom non-standard Linux distributions or hybrids?
Does AED require a control panel?
Does AED work with Plesk?
Can you use AED without plesk?
Will I lose any functionality in Plesk if I use AED?
If predefined, will your policy fit into a Plesk system, since Plesk uses its own chroot enforcement on some daemons?
Does AED work with Directadmin?
Does AED work with Virtualmin?
Does AED work with CPanel?
Does AED work with Interworx?
Does AED work with Apache?
Does AED work with LiteSpeed?
Does AED work with NGINX?
Does AED work with IonCube?
Does AED work with Zend Optimizer?
Is Ipv6 supported?
Does AED work with X11/Xorg?
Is AED compatible with ConfigServer?
Does AED support ipset?
Is AED easy to install?
Is AED safe to install?
Will AED replace core components of my system?
Does AED need to be installed on a system before Plesk/Cpanel/etc. is installed?
Does installing AED require any downtime?
I just purchased an installation from you, what now?
Is it OK to install CS4 with AED?
Does AED work with PHP sites running under FastCGI?
Is mod_ruid2 supported?
Does AED work with PHP sites running under suPHP?
How easy is it with AED to debug and use modsecurity?
If I face problems with the installation/setup of AED do you provide support?
What are the minimum system requirements for AED?
I also had previously installed rkhunter and chkrootkit, should I have uninstalled those prior to installing AED?
Is there an install log for AED?
What are testing channels for?
What are bleeding channels for?
How do I install AED?
How can I reinstall AED?
How can I disable AED?
How do I remove or uninstall AED?
How can I enable password based authentication?
How can I migrate AED to a new server?
Signatures & Modules window. What do they mean?
Will AED automatically update the rules and signatures?
Will AED automatically update itself?
How can I set the update interval?
How can I set AED to only update the rules and not AED itself?
How do I upgrade AED?
How do I get firewall upgrades and updates?
I cannot connect to the update server.
Where is the license manager?
How can I reset my license manager password?
How can I reset my support portal account password?
How can I update my license manager password in AED?
How can I reset my AED GUI password(s)?
How can I create new accounts in the AED GUI?
What is the default username and password for AED Web?
How can I change the port tortixd listens on?
Does AED modify /etc/hosts.deny?
Does AED modify /etc/hosts.allow?
I want to have greylisting. What do I do?
How do you view/find/install the extra modules/areas for statistics reporting?
vmware-tools will not compile
/usr/bin/vmware-config-tools.pl
What is included in the open-vm-tools?
Why does Linux report that all memory is in use?
How can I find out what process is using swap?
How are malware domains aged out?
How are malware domains added?
Do you use third party malware domain lists?
How are spam domains added?
How are spam domains aged out?
Do you use third party spam domain lists?
Both atomic and asl yum channels are enabled, is this normal?
What are the IPs AED will use to update itself?
I can’t upload files via web
Do you have pre-defined access policies, or do we have to configure these policies?
Does AED include SELinux?
If predefined, can you give us a sample policy that mitigates critical server file access when mod_perl is called via a client? In other words, how hard is your tuning (intrusion log, etc.)?
I’m seeing files owned by apache in /tmp
Why do they call it Europe?
Atomic Mod Security FAQ
Are these the gotroot rules?
Are these the real time rules?
Do I need a real time rules subscription if I am using AED?
How can I purchase your realtime modsecurity rules?
Does a rules subscription include support for setting up mod_security?
Help! I need help!
I have a false positive/negative, how do I report it?
What is your approximate support response time?
Do you offer support outside of your normal support coverage?
Do you offer phone support?
How can I give atomicorp support access to my system?
What should I do if I believe a system has been compromised?
Is there any limit on name based or “vhosts”?
Do the Rules provide Brute Force protection?
How can I reset my License Manager password?
How can I reset my support portal password?
What do the Atomic ModSecurity Rules protect against?
What versions of modsecurity do the rules work with?
How often are the rules updated?
Are these the gotroot.com rules?
What is included with an Atomic ModSecurity Rules subscription?
Does a real time subscription include both the modsecurity and clamav rules?
Are there any performance issues with your rules?
Does your rule-set have any performance enhancements built-in?
Are there any issues for high traffic sites with mod_security?
Do I need to edit or modify the rules?
I have unpatched web applications, will your modsecurity rules protect me?
Do I need to install mod_security to use your rules?
What about mod_evasive and Suhosin, do I also need those for full protection?
Why do you use a VERSION file method?
Should the VERSION match the latest rule file available?
Why don’t you just use a “latest” file?
What Operating Systems is ModSecurity compatible with?
Does ModSecurity work with Control Panels?
What webservers does ModSecurity work with?
How do I install modsecurity?
How do I configure your modsecurity rules?
How can I modify or disable mod_security rules for a domain, rule, or globally?
How do you exclude a domain from the modsecurity rules?
Why should I change my CPanel mod_Security config file?
How can I keep the rules updated?
Can I setup a cronjob to automatically update the rules?
Error parsing actions: Invalid transformation function: utf8toUnicode
Error creating rule: Failed to resolve operator: detectSQLi
No action id present within the rule
httpd: ModSecurity: WARNING Using transformations in SecDefaultAction is deprecated
Error from ssl wrapper: Unable to produce a valid Apache configuration file
Error creating rule: Unknown variable: MATCHED_VARS
I’m getting this error “Rule execution error - PCRE limits exceeded (-8): (null).”
/usr/bin/modsec-clamscan.pl is not installed on the server.
Exec: Execution failed while reading output: /usr/bin/modsec-clamscan.pl (End of file found)
ModSecurity: Failed to access DBM file “/var/asl/data/msa/
Apache Segmentation Faults
Atomic Protector Troubleshooting Guide
Can’t connect to Web Console on port 30000
Not getting any emails from AED
AED Web Console Not Running
Empty Web Console
No Events in AED Web Console
AED Firewall
Additional Information
Free and Open Source Community Projects
Atomic
Introduction
Installation
Uninstallation
GPG/PGP Key
Support
Frequently Asked Questions
Error Messages
Atomic Endpoint Defender Error Messages
Installation Error Messages
AED Command Line Errors
aum Errors
tortixd Errors
Generic Errors
Up2date Issues
Yum Update Errors
Update Errors
ModSecurity Errors
ClamAV Error Messages
ProFTP Errors
Mod_Evasive Errors
Apache Errors
Kernel Errors
MySQL Errors
OSSEC Errors
PSMON Errors
Apache Errors
CPanel Errors
Segfaults
PHP Segfaults
Tomcat Segfaults
Apache Segfaults
Non-AED Error Messages
Browser Errors
Apache Errors
MySQL Errors
SSHD Errors
Yum Errors
Hub Server
Requirements
Supported Operating Systems
Recommended System resources
Network Security policy
Installation
Command Line Network Installer
Offline ISO Installer
Upgrading
Web Console (Configuration)
Command Line (Manual)
Offline ISO Installer
Marketplace Installation
Azure Marketplace
Clustering
Configuring a cluster Primary node
Configuring a cluster Secondary node
Backup / Restore
Backup: Alert data (Cold Storage)
Restore: Alert data (Cold Storage)
Syslog Output
AEO Syslog Output
Local Log collection agent
OpenID Connect