

#    WormScan 1.6.1 http://www.websoup.net/wormscan
#    Copyright (c) 2001-2004 Andriy Rozeluk <arozeluk@websoup.net>
#
#    This file is part of WormScan.
#
#    WormScan is free software; you can redistribute it and/or
#    modify it under the terms of the GNU General Public License
#    as published by the Free Software Foundation; either version 2
#    of the License, or (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

# Format note: this is a Java .properties file (the filename and the
# "\ becomes \\" convention below point to java.util.Properties - confirm
# against the loader), not an INI file. A '#' starts a comment only at the
# beginning of a line; inside a value (see the worm#_colour entries) it is
# ordinary data. Backslash is the escape character, so every literal \ in a
# value (Windows paths, regular expressions) must be written as \\.

# Path (absolute or relative) to the Apache log file.
# Several files may be listed, separated by a space; names may use the
# wildcards * and ?.
# Remember to escape any \ characters (\ becomes \\).
# NOTE(review): request lines in this file are written by remote clients, so
# every regular expression configured below runs over attacker-influenced
# text; keep the patterns simple and review them when adding new ones.
logFile = access_log

# Whether to check whether the log file is GZIP-compressed (0 or 1).
logCheckGZIP = 1

# Whether to check whether the log file is BZIP2-compressed (0 or 1).
logCheckBZIP2 = 1

# Base path/filename for generated reports.
# Each sorted report is written to a filename that begins with this value.
# Remember to escape any \ characters (\ becomes \\).
reportFilename = wormreport

# Filename extension appended to generated reports.
# NOTE(review): the reports are HTML built from log fields (URIs, hostnames)
# that remote clients control; presumably the templates below escape those
# values before emitting them - confirm.
reportExtension = .html

# Template used to produce the detailed reports.
reportTemplate = wormreport.vm

# Template used to produce the summary report.
summaryTemplate = wormsummary.vm

# Any of the detailed reports can be disabled (set to 1 to skip generating
# it) to save time. 0 generates the report.
disableReportByWorm = 0
disableReportByNumattacks = 0
disableReportByDate = 0
disableReportByIP = 0
disableReportByHostname = 0

# Whether to produce charts in JPEG format that illustrate the attack
# details visually (0 or 1).
produceCharts = 1

# Base path/filename for generated charts.
# Put these in the same directory as the generated reports.
# Remember to escape any \ characters (\ becomes \\).
chartFilename = chart

# Width of the generated chart graphic, in pixels.
chartWidth = 400

# Height of the generated chart graphic, in pixels.
chartHeight = 240

# Path/filename that the number of attacks is written to.
# Remember to escape any \ characters (\ becomes \\).
numAttacksFile = numattacks

# Resolve the hostnames of the IP addresses found in the log file (0 or 1).
resolveDNS = 1

# Write the captured IP/hostname information to a file (0 or 1).
cacheDNS = 1

# File the DNS cache is written to, using Java serialization.
# Remember to escape any \ characters (\ becomes \\).
# NOTE(review): this file is presumably read back (deserialized) on later
# runs, and Java deserialization trusts whatever the file contains. Keep it
# in a directory that only the account running WormScan can write to, and
# do not point it at a shared or world-writable location.
cacheFilename = wormreport.dnscache

# Set to 1 to also write the reports compressed with GZIP.
# These are created with the same path/filename as the HTML files, with
# .gz appended to the filename.
writeGZIP = 1

# How much information to print while running:
#   0 - nothing
#   1 - fatal errors only
#   2 - fatal errors and warnings
#   3 - fatal errors, warnings and informative messages
#   4 - all of the above plus debugging information
outputLevel = 3

# Number of entries to reserve for storing attacks.
# The store grows automatically, but a value close to the actual count
# improves efficiency.
initialAttackStorageSize = 10000

# Number of entries to reserve for storing unique hosts.
# This store also grows automatically.
initialSourceStorageSize = 5000

# Number of threads used to parse the log file.
numParseThreads = 1

# Number of threads used to resolve domain names.
# Resolution runs concurrently with parsing.
numResolverThreads = 1

# Maximum number of hosts that may be waiting in the resolver queue before
# parsing is paused. 0 means parsing never blocks on the resolver.
# Set a limit if memory might be a concern.
maxResolverQueue = 0

# Number of threads used to sort the attack records concurrently.
# Sorting starts after parsing has finished.
# There is no point in using more than 5: there are only 5 ways to sort the
# data at present.
numSortThreads = 1

# Show only the most recent attack per host in the report (0 or 1).
# Setting this to 0 may greatly increase the report size.
showLatestAttackOnly = 1

# Log format to parse. The <serverType>_* keys for this name (see the
# Apache_* block below) must be defined. Apache by default.
serverType = Apache

# Do not change these unless the dates in your log file are written in
# another language.
serverLocaleLanguage = en
serverLocaleCountry = US

# When serverType is Apache, these settings describe how to parse the log.
# A new serverType can be defined by copying these lines under a new prefix.
# Apache_pattern: regular expression applied to each log line; the
#   *Index keys below appear to be 1-based capture-group numbers (host,
#   date and URI in that order here).
# NOTE(review): the pattern chains several lazy (.*?) groups, so a line that
# never matches (no "[" or no GET/POST) can cost heavy backtracking; a log
# with many such lines may parse slowly.
# Apache_caseSensitive: whether the pattern is case-sensitive (0 or 1).
# Apache_dateFormat: looks like a java.text.SimpleDateFormat pattern for the
#   captured date field - TODO confirm against the parser.
# Apache_prependFilenameToDate: 0 or 1; presumably prepends the log filename
#   to the date field before parsing it - confirm against the parser.
Apache_pattern = ^(.*?)\\s+(?:.*?)\\[(.*?)\\](?:.*?)(?:GET|POST)\\s+(.*?)\\s+(?:.*?)$
Apache_caseSensitive = 0
Apache_hostIndex = 1
Apache_dateIndex = 2
Apache_dateFormat = d/MMM/yyyy:H:mm:ss
Apache_uriIndex = 3
Apache_prependFilenameToDate = 0

# numWorms: number of worm definitions to read in.
# Each worm (numbered from 0) must define the following keys:
#   worm#_name          = full name of the worm (used in the summary)
#   worm#_shortName     = abbreviated name (used in the table for each entry)
#   worm#_pattern       = regular expression (with '\' escaped) matched
#                         against the log to detect the worm
#   worm#_caseSensitive = whether the pattern is case-sensitive
#                         (default 1 = true)
#   worm#_colour        = colour used to highlight this worm in the report;
#                         the leading '#' is part of the value, not a comment
# Remember to escape any \ characters (\ becomes \\).
# NOTE(review): worm3_pattern below also matches every line that worm1 and
# worm2 match; whether a line is attributed to the first matching worm or
# to all of them is decided by the scanner, not by this file - confirm.
numWorms = 4

# Nimda: directory-listing probes via cmd.exe / root.exe.
worm0_name = Nimda
worm0_shortName = Nimda
worm0_pattern = ^(?:.*?)(?:cmd|root).exe\\?/c\\+dir(?:.*?)
worm0_colour = #777700
worm0_caseSensitive = 1

# Code Red II: .ida request whose payload starts with X.
worm1_name = CodeRed 2
worm1_shortName = CR2
worm1_pattern = ^(?:.*?)\\.ida\\?X
worm1_colour = #FF0000
worm1_caseSensitive = 1

# Code Red: .ida request whose payload starts with N.
worm2_name = CodeRed
worm2_shortName = CR
worm2_pattern = ^(?:.*?)\\.ida\\?N
worm2_colour = #00AA00
worm2_caseSensitive = 1

# Catch-all for any other .ida request (unknown Code Red variant).
worm3_name = CodeRed Unknown Version
worm3_shortName = CR?
worm3_pattern = ^(?:.*?)\\.ida\\?
worm3_colour = #AAAABB
worm3_caseSensitive = 1