# WormScan 1.6.1 http://www.websoup.net/wormscan
# Copyright (c) 2001-2004 Andriy Rozeluk
#
# This file is part of WormScan.
#
# WormScan is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

# WormScan run configuration: which log to scan, what to report, and the
# regular expressions used to recognise each worm.
# Syntax appears to be Java Properties (full-line # comments, key = value,
# backslash is an escape character) - the "\ becomes \\" notes below rely
# on that; confirm against the loader if this file is read by anything else.
# All 0/1 keys are booleans: 0 = off, 1 = on.
#
# NOTE(review): everything extracted from the log (source IPs, resolved
# hostnames, request URIs) is attacker-controlled text that ends up in the
# generated HTML reports; confirm the report templates escape it before
# publishing the reports anywhere.

#path (absolute or relative) to Apache log file
#you may specify multiple log files by separating them with a space
#filenames may also use wildcards (* and ?)
#take care to escape any \ characters (\ becomes \\)
logFile = access_log

#whether or not to check to see if log file has been compressed with GZIP
logCheckGZIP = 1

#whether or not to check to see if log file has been compressed with BZIP2
logCheckBZIP2 = 1

#base path/filename for generated reports
#sorted reports will be produced with filenames beginning with this
#take care to escape any \ characters (\ becomes \\)
reportFilename = wormreport

#filename extension for generated reports
reportExtension = .html

#template to be read to produce detailed reports
#(.vm suggests a Velocity template - confirm; if so, use the escaping
#tools it provides for log-derived values)
reportTemplate = wormreport.vm

#template to be read to produce summary report
summaryTemplate = wormsummary.vm

#detailed reports can be disabled (not generated) to save time
disableReportByWorm = 0
disableReportByNumattacks = 0
disableReportByDate = 0
disableReportByIP = 0
disableReportByHostname = 0

#whether or not to produce charts in jpeg format
#to illustrate attack details visually
produceCharts = 1

#base path/filename for generated charts
#this should be put in the same directory as the generated reports
#take care to escape any \ characters (\ becomes \\)
chartFilename = chart

#width of generated chart graphic in pixels
chartWidth = 400

#height of generated chart graphic in pixels
chartHeight = 240

#path/filename to output the number of attacks to
#take care to escape any \ characters (\ becomes \\)
numAttacksFile = numattacks

#resolve the hostnames of the IP addresses in the log file
#with this on, the machine running WormScan makes a reverse-DNS query for
#every source address in the log; set to 0 if that outbound traffic is
#unwanted (e.g. when analysing logs on an isolated host)
resolveDNS = 1

#write captured IP/Host information to file (0 or 1)
cacheDNS = 1

#which file to write DNS cache information to using Java's Serialization
#take care to escape any \ characters (\ becomes \\)
#NOTE(review): this file is deserialized on the next run; keep it readable
#and writable only by the account running WormScan, and delete rather than
#reuse it if its integrity is in doubt
cacheFilename = wormreport.dnscache

#set to 1 if you wish to output reports compressed with GZIP
#these will be created with the same path/filename as the HTML files,
#but with .gz appended to their filenames
writeGZIP = 1

#how much information to output when running
#0 - nothing
#1 - fatal errors only
#2 - fatal errors and warnings
#3 - fatal errors, warnings and informative messages
#4 - all of the above plus debugging information
outputLevel = 3

#How many entries to reserve to store the number of attacks
#this will grow automatically, but a number closer to the actual amount
#will improve efficiency
initialAttackStorageSize = 10000

#How many entries to reserve to store the number of unique hosts
#this will also grow automatically
initialSourceStorageSize = 5000

#how many threads to use to parse the log file
numParseThreads = 1

#how many threads to use to resolve domain names
#this will run concurrently with the parsing
numResolverThreads = 1

#how many hosts can be in the queue to be resolved before parsing is stopped
#this can be set to 0 for no blocking
#set a limit if memory might be a consideration
maxResolverQueue = 0

#how many threads to use concurrently to sort the attack records
#threads begin after the parsing is complete
#no point in making this more than 5 - there are only 5 ways to sort the data at
#this point
numSortThreads = 1

#show only most recent attack per host in report
#Setting this to 0 may greatly increase report size
showLatestAttackOnly = 1

#set to Apache by default
serverType = Apache

#don't change these unless the dates in your log file are written in another language
serverLocaleLanguage = en
serverLocaleCountry = US

#if serverType is Apache, this helps us parse the log file
#new serverTypes can be created by copying these lines and giving them a new name
#<type>_pattern is applied to every log line; the capture groups are picked
#out by the *Index keys below (1-based). Log lines are attacker-influenced,
#so keep patterns anchored and simple - the run of nested lazy quantifiers
#here is worth checking for slow backtracking on very long lines.
Apache_pattern = ^(.*?)\\s+(?:.*?)\\[(.*?)\\](?:.*?)(?:GET|POST)\\s+(.*?)\\s+(?:.*?)$
Apache_caseSensitive = 0
#capture group holding the client host
Apache_hostIndex = 1
#capture group holding the timestamp, parsed with Apache_dateFormat
Apache_dateIndex = 2
#no timezone field - the offset in the log is ignored, so dates in reports
#are in the log's local time
Apache_dateFormat = d/MMM/yyyy:H:mm:ss
#capture group holding the request URI
Apache_uriIndex = 3
Apache_prependFilenameToDate = 0

# numWorms: number of worms to read in.
# each worm (starting at 0) must then define the following values:
# worm#_name = Full name of worm (for summary)
# worm#_shortName = Abbreviated name of worm (in table for each entry)
# worm#_pattern = regular expression (with '\' escaped) to scan for worm in log
# worm#_caseSensitive = whether pattern is case-sEnsiTiVe (default 1 for true)
# worm#_colour = colour to use to highlight information about worm in report
# take care to escape any \ characters (\ becomes \\)
#
# the colour values start with '#'; that is only safe because Java Properties
# treats '#' as a comment marker at the start of a line - an INI parser with
# inline comments enabled would truncate them.
# worm3_pattern also matches every line worm1/worm2 match, so the result
# depends on whether the scanner stops at the first matching worm - keep
# the more specific patterns first (as here) and confirm that behaviour.
numWorms = 4

worm0_name = Nimda
worm0_shortName = Nimda
#note the unescaped '.' before exe matches any single character
worm0_pattern = ^(?:.*?)(?:cmd|root).exe\\?/c\\+dir(?:.*?)
worm0_colour = #777700
worm0_caseSensitive = 1

worm1_name = CodeRed 2
worm1_shortName = CR2
worm1_pattern = ^(?:.*?)\\.ida\\?X
worm1_colour = #FF0000
worm1_caseSensitive = 1

worm2_name = CodeRed
worm2_shortName = CR
worm2_pattern = ^(?:.*?)\\.ida\\?N
worm2_colour = #00AA00
worm2_caseSensitive = 1

#catch-all for .ida requests not matched by the two patterns above
worm3_name = CodeRed Unknown Version
worm3_shortName = CR?
worm3_pattern = ^(?:.*?)\\.ida\\?
worm3_colour = #AAAABB
worm3_caseSensitive = 1