Cleanups

Mostly formatting or sphinx syntax errors.

Author: ddpbsd

about/how_to_help.rst

@@ -47,15 +47,15 @@ If you want to support a new language, just copy the English one to your country
 Documenting OSSEC:
 ^^^^^^^^^^^^^^^^^^
 
-The OSSEC documentation is hosted in a `github repository <https://github.com/ossec/ossec-docs>`_.
+The OSSEC documentation is hosted in the `ossec-docs <https://github.com/ossec/ossec-docs>`_ github repository.
 Issues and pull requests can be submitted on the site.
 Emails containing details of issues can also be sent to the `ossec-list <https://groups.google.com/forum/#!forum/ossec-list>`_ google group.
 
 
 Development of OSSEC:
 ^^^^^^^^^^^^^^^^^^^^^
 
-The OSSEC code is hosted in a `github repository <https://github.com/ossec/ossec-hids>`_.
+The OSSEC code is hosted in the `ossec-hids <https://github.com/ossec/ossec-hids>`_ github repository.
 Issues and pull requests can be submited on the site.
 
 Contributing to the development of OSSEC's code base will most likely require knwoledge of **C**,

docs/examples/output/granular_email_examples.trst

@@ -1,5 +1,3 @@
-.. _granular_email_examples:
-
 Example 1: Group alerts 
 ~~~~~~~~~~~~~~~~~~~~~~~
 

docs/examples/output/index.rst

@@ -9,7 +9,7 @@ Output
 Granular Email Examples
 ^^^^^^^^^^^^^^^^^^^^^^^
 
-.. include:: granular_email_examples.trst
+.. include:: ./granular_email_examples.trst
 
 Report Output Examples
 ^^^^^^^^^^^^^^^^^^^^^^

docs/examples/output/report_output_examples.trst

@@ -1,6 +1,3 @@
-.. _report_output_examples:
-
-
 Receive a summary of all authentication success alerts
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

docs/examples/output/syslog_output_examples.trst

@@ -1,5 +1,3 @@
-.. _syslog_output_examples:
-
 Send all alerts to 10.10.10.125:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

docs/faq/syscheck.rst

@@ -1,5 +1,3 @@
-.. _faq_syscheck-faq:
-
 Syscheck: FAQ
 -------------
 

docs/log_samples/auth/microsoft_rras.rst

@@ -21,7 +21,7 @@ A description of this format is found `on the Microsoft site <http://www.microso
   "RasBox","RAS",10/22/2006,11:57:54,1,"ACME\megaman","acme.net/Users/megaman",,,,,,"192.168.132.45",13,,"192.168.132.45",,,,0,"CONNECT 26400",1,2,4,,0,"311 1 192.168.132.45 07/31/2006 21:35:14 754",,,,,,,,,,,,,,,,,,,,,,,,,,,,"MSRASV5.00",311,,,,
 
 
-You can find information on the IAS standard log format `here <http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_log1a.html>`_ and `here <http://www.radiusreporting.com/IAS-Standard-Attribute-Table.html>`_
+You can find information on the IAS standard log format here on `Microsoft's site <http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_log1a.html>`_ and here `on radiusreporting <http://www.radiusreporting.com/IAS-Standard-Attribute-Table.html>`_
 
 
 

docs/log_samples/email/postfix.rst

@@ -34,8 +34,7 @@ Insufficient storage:
 .. code-block:: console
 
   Sep  4 01:14:35 vector postfix/smtpd[15337]: NOQUEUE: reject: MAIL from 89.pool85-60-78.dynamic.orange.es[85.60.78.89]: 452 4.3.1 Insufficient system storage; proto=ESMTP helo=<89.pool85-60-78.dynamic.orange.es>
-  Sep  4 02:24:39 vector postfix/smtpd[16863]: NOQUEUE: reject: MAIL from 217-133-56-239.b2b.tiscali.it[217.133.56.239]: 452 4.3.1 Insufficient system storage; proto=ESMTP
-helo=<217-133-56-239.b2b.tiscali.it>
+  Sep  4 02:24:39 vector postfix/smtpd[16863]: NOQUEUE: reject: MAIL from 217-133-56-239.b2b.tiscali.it[217.133.56.239]: 452 4.3.1 Insufficient system storage; proto=ESMTP helo=<217-133-56-239.b2b.tiscali.it>
   Jun 29 17:28:38 linuxserver postfix/smtpd[27712]: NOQUEUE: reject: MAIL from localhost[127.0.0.1]: 452 Insufficient system storage; proto=ESMTP helo=<localhost>
 
 

docs/log_samples/security_devices/iplog.rst

@@ -261,6 +261,7 @@ Nov 18 19:28:07 ICMP/UDP: smurf attack mode expired for 201.223.41.0 - received
 <font color="red">Nov 14 15:57:56 TCP: Bogus TCP flags set by 10.10.160.2:60873 (dest port 25)</font>
 
 ='''OSSEC (HIDS) + iplog (sensor) implementation'''=
+
 *Work in progress
 *TODO: improve regex, decoders and rules. p0f complementation?
 *Configuration tested in FreeBSD 6.1 and archlinux gimmick
@@ -282,11 +283,13 @@ Nov 14 18:30:30 TCP: Xmas scan detected [ports 636,256,554,389,1723,53,443,21,33
 
 '''a working decoder is:''' 
 
- <decoder name="iplog-scan">
-  <prematch>\S+ scan detected</prematch>
-  <regex offset="after_prematch">\S+ \S+ from (\S+)</regex>
-  <order>srcip</order>
- </decoder>
+.. code-block:: xml
+
+   <decoder name="iplog-scan">
+    <prematch>\S+ scan detected</prematch>
+    <regex offset="after_prematch">\S+ \S+ from (\S+)</regex>
+    <order>srcip</order>
+   </decoder>
 
 
 '''For this log:'''
@@ -295,23 +298,27 @@ Nov 14 18:35:00 UDP: scan/flood detected [ports 33161,41107,63571,48714,25271,..
 
 '''a proppossed decoder is (not tested):'''
 
- <decoder name="iplog-flood">
-  <prematch>scan/flood detected</prematch>
-  <regex offset="after_prematch">\S+ \S+ from (\S+)</regex>
-  <order>srcip</order>
- </decoder>
+.. code-block:: xml
+
+   <decoder name="iplog-flood">
+     <prematch>scan/flood detected</prematch>
+     <regex offset="after_prematch">\S+ \S+ from (\S+)</regex>
+     <order>srcip</order>
+   </decoder>
 
 '''For this log:'''
 
 Nov 14 19:09:33 ICMP: ping flood detected from 10.10.150.1
 
 '''a proppossed decoder is (not tested):'''
 
- <decoder name="iplog-pingflood">
-  <prematch>ping flood detected from</prematch>
-  <regex offset="after_prematch">(\S+)</regex>
-  <order>srcip</order>
- </decoder>
+.. code-block:: xml
+
+   <decoder name="iplog-pingflood">
+     <prematch>ping flood detected from</prematch>
+     <regex offset="after_prematch">(\S+)</regex>
+     <order>srcip</order>
+   </decoder>
 
 '''For this log:'''
 (necesary to include???????) i Think no (very paranoic)
@@ -320,11 +327,13 @@ Nov 14 18:57:18 UDP: traceroute from 10.10.150.2
 
 '''a proppossed decoder is (not tested):'''
 
- <decoder name="iplog-traceroute">
-  <prematch>pingtraceroute from</prematch>
-  <regex offset="after_prematch">(\S+)</regex>
-  <order>srcip</order>
- </decoder>
+.. code-block:: xml
+
+   <decoder name="iplog-traceroute">
+     <prematch>pingtraceroute from</prematch>
+     <regex offset="after_prematch">(\S+)</regex>
+     <order>srcip</order>
+   </decoder>
 
  
 
@@ -335,55 +344,71 @@ Nov 14 15:57:56 TCP: Bogus TCP flags set by 10.10.160.2:60873 (dest port 25)
 
 '''a proppossed decoder is (not tested):'''
 
- <decoder name="iplog-bogustcp">
-  <prematch>Bogus TCP flags set by</prematch>
-  <regex offset="after_prematch">(\S+):\d+</regex>
-  <order>srcip</order>
- </decoder>
+.. code-block:: xml
+
+   <decoder name="iplog-bogustcp">
+     <prematch>Bogus TCP flags set by</prematch>
+     <regex offset="after_prematch">(\S+):\d+</regex>
+     <order>srcip</order>
+   </decoder>
 
 =='''iplog rules'''==
 
 Only for working decoders
 
- cd ~/ossec/rules
- touch iplog_rules.xml
- chown root:ossec iplog_rules.xml
- chmod 550 iplog_rules.xml
+.. code-block:: console
+
+   cd ~/ossec/rules
+   touch iplog_rules.xml
+   chown root:ossec iplog_rules.xml
+   chmod 550 iplog_rules.xml
 
 in iplog_rules.xml include:
 
- <group name="syslog,errors,">
-  <rule id="99990" level="6">
-    <decoded_as>iplog-scan</decoded_as>
-    <description>iplog scan detect</description>
-  </rule>
+.. code-block:: xml
+
+   <group name="syslog,errors,">
+     <rule id="99990" level="6">
+     <decoded_as>iplog-scan</decoded_as>
+     <description>iplog scan detect</description>
+   </rule>
  </group>
 
 =='''ossec.conf'''==
 
- cd ~/ossec/etc
- vi  ossec.conf
+.. code-block:: console
+
+   cd ~/ossec/etc
+   vi  ossec.conf
 
 include in the correct place:
 
- <include>iplog_rules.xml</include>
+.. code-block:: xml
+
+   <include>iplog_rules.xml</include>
 
 and
 
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/log/iplog</location>
-  </localfile>
+.. code-block:: xml
+
+   <localfile>
+     <log_format>syslog</log_format>
+     <location>/var/log/iplog</location>
+   </localfile>
 
 or wherever you put your iplog logs
 
 start iplog
 
- iplog -d 
+.. code-block:: console
+
+   iplog -d 
 
 restart ossec
 
- ~/ossec/bin/ossec-control restart
+.. code-block:: console
+
+   ~/ossec/bin/ossec-control restart
 
 test with nmap (see before)
 
@@ -392,8 +417,10 @@ test with nmap (see before)
 =='''Firewall Drop: FreeBSD-IPFW'''==
 add to your ipfw script the follow lines, if you are using the 00001 rule number disoccupying:
 
- /sbin/ipfw add 00001 deny ip from table\(00002\) to any
- /sbin/ipfw add 00001 deny ip from any to table\(00002\)
+.. code-block:: console
+
+   /sbin/ipfw add 00001 deny ip from table\(00002\) to any
+   /sbin/ipfw add 00001 deny ip from any to table\(00002\)
 
 Change  ~/ossec/active-response/bin/firewall-drop.sh to adjust to the red lines
 

docs/log_samples/vpn/racoon.rst

@@ -10,27 +10,17 @@ Good login:
 
 .. code-block:: console
 
-  2006-08-10 19:22:40: INFO: respond new phase 1 negotiation:
-111.111.111.194[500]<=>83.36.51.44[500]
+  2006-08-10 19:22:40: INFO: respond new phase 1 negotiation: 111.111.111.194[500]<=>83.36.51.44[500]
   2006-08-10 19:22:40: INFO: begin Aggressive mode.
-  2006-08-10 19:22:40: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-
-ike-02
-  2006-08-10 19:22:41: INFO: ISAKMP-SA established 111.111.111.194
-[500]-83.36.51.44[500] spi:3ac2d5023f433d3e:e2d682b6f4fc4830
-  2006-08-10 19:22:42: INFO: respond new phase 2 negotiation:
-111.111.111.194[0]<=>83.36.51.44[0]
-  2006-08-10 19:22:42: INFO: no policy found, try to generate the
-policy : 10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=in
-  2006-08-10 19:22:42: INFO: IPsec-SA established: ESP/Tunnel
-83.36.51.44->111.111.111.194 spi=188599340(0xb3dcc2c)
-  2006-08-10 19:22:42: INFO: IPsec-SA established: ESP/Tunnel
-111.111.111.194->83.36.51.44 spi=19221256(0x1254b08)
-  2006-08-10 19:22:42: ERROR: such policy does not already exist:
-10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=in
-  2006-08-10 19:22:42: ERROR: such policy does not already exist:
-10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=fwd
-  2006-08-10 19:22:42: ERROR: such policy does not already exist:
-10.15.13.224/27[0] 10.0.1.5/32[0] proto=any dir=out
+  2006-08-10 19:22:40: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
+  2006-08-10 19:22:41: INFO: ISAKMP-SA established 111.111.111.114[500]-83.36.51.44[500] spi:3ac2d5023f433d3e:e2d682b6f4fc4830
+  2006-08-10 19:22:42: INFO: respond new phase 2 negotiation: 111.111.111.194[0]<=>83.36.51.44[0]
+  2006-08-10 19:22:42: INFO: no policy found, try to generate the policy : 10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=in
+  2006-08-10 19:22:42: INFO: IPsec-SA established: ESP/Tunnel 83.36.51.44->111.111.111.194 spi=188599340(0xb3dcc2c)
+  2006-08-10 19:22:42: INFO: IPsec-SA established: ESP/Tunnel 111.111.111.194->83.36.51.44 spi=19221256(0x1254b08)
+  2006-08-10 19:22:42: ERROR: such policy does not already exist: 10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=in
+  2006-08-10 19:22:42: ERROR: such policy does not already exist: 10.0.1.5/32[0] 10.15.13.224/27[0] proto=any dir=fwd
+  2006-08-10 19:22:42: ERROR: such policy does not already exist: 10.15.13.224/27[0] 10.0.1.5/32[0] proto=any dir=out
 
 
 This line indicates that the initial phase 1 auth (pskeys or certificates) have been exchanged correctly:

docs/log_samples/web/servers/nginx.rst

@@ -2,14 +2,17 @@ Log Samples from Nginx
 by default nginx writes logs to access.log and error.log, similarly to apache.
 
 = access log samples =
+
 .. code-block:: console
+
 66.75.252.36 - - [14/Aug/2008:04:54:45 +0000] "GET /wiki/skins/common/shared.css?116 HTTP/1.1" 200 818 "http:// example.com/wiki/index.php?title=Main_Page" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us)           AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
 66.75.252.36 - - [14/Aug/2008:04:54:45 +0000] "GET /wiki/skins/common/commonPrint.css?116 HTTP/1.1" 200 1980    "http://example.com/wiki/index.php?title=Main_Page" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us)   AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
 
 
 = error log samples =
+
 .. code-block:: console
+
 2008/08/14 12:59:05 [error] 7419#0: *625 directory index of "/var/www/example.com/wiki/skins/" is forbidden,    client: 66.249.71.183, server: example.com, request: "GET /wiki/skins/ HTTP/1.1", host: "example.com"
 2008/08/14 14:37:31 [error] 7418#0: *820 open() "/var/www/example.com/robots.txt" failed (2: No such file or    directory), client: 66.249.71.184, server: example.com, request: "GET /robots.txt HTTP/1.1", host: "example.com"
 
-

docs/manual/installation/install-source-unattended.rst

@@ -22,7 +22,6 @@ Example preloaded-vars.conf:
 
 .. code-block:: console
 
-
    # preloaded-vars.conf, Daniel B. Cid (dcid @ ossec.net).
    #
    # Use this file to customize your installations.

docs/manual/installation/installation-requirements.rst

@@ -154,7 +154,7 @@ FreeBSD
 -------
 
 If you want to build and install OSSEC on FreeBSD you can work together with
-its `Ports Collection <https://www.freebsd.org/ports>`_.
+its `FreeBSD Ports Collection <https://www.freebsd.org/ports>`_.
 
 There you can find and setup **ossec-hids-agent**, **ossec-hids-local** or
 **ossec-hids-server**.
@@ -176,7 +176,7 @@ want to install them you must work with
 OpenBSD
 -------
 
-As OpenBSD also has its own `Ports Collection <https://www.openbsd.org/faq/ports/ports.html>`_,
+As OpenBSD also has its own `OpenBSD Ports Collection <https://www.openbsd.org/faq/ports/ports.html>`_,
 you can build and install OSSEC using it if you want.
 
 It only offers **security/ossec-hids**, so:

docs/manual/notes/iptables_configuration.rst

@@ -34,10 +34,10 @@ For deny rules, the following action should be set:
 They will generate the following log (or similar):
 
 .. code-block:: console
+
 Jan 11 20:44:49 xxx kernel: [89463.101343] DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=33772 DF PROTO=TCP SPT=43961 DPT=81 WINDOW=32767 RES=0x00 SYN URGP=0
 
 
 Note that ossec will based its action based on the "DROP" or ALLOW that you configured.
 For more information about iptables log, take a look `here <http://logi.cc/linux/netfilter-log-format.php3>`_ .
 
-