forked from wedaa/LongTail-Log-Analysis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
LongTail.config
executable file
·112 lines (93 loc) · 3.82 KB
/
LongTail.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
############################################################################
# Assorted Variables
#
# NOTE: Variables MUST start at the start of the line
# so that the perl scripts can read this file properly
#
# Please do not add extra spaces or tabs into this file
# or else it might break :-)
#
#
# Is this a public webserver? If so then we need to protect
# certain webpages so they are not seen by the badguys. We
# have to do this in order to hide what the current "Hot" or
# "Desirable" account and password combinations are
#
# Do not assume that just because your page isn't indexed
# by Google that your webpage is private.
#
# Set it to 1 if it is public, or 0 if it is private.
# If it's public we're going to restrict access to some
# of the webpages via a chmod command in LongTail
PUBLIC_WEBSERVER=0
# Do you want Pretty graphs using jpgraph? Set this to 1
# http://jpgraph.net/ JpGraph - Most powerful PHP-driven charts
GRAPHS=1
# Which honeypot are you running? Uncomment only ONE of the following
#KIPPO=1 ; LONGTAIL=0 # This is for the Kippo honeypot
KIPPO=0 ; LONGTAIL=1 # This is for the LongTail honeypot
#Where is the messages file? Uncomment only ONE of the following
PATH_TO_VAR_LOG="/var/log/" # Typically for messages file from ryslog
#PATH_TO_VAR_LOG="/usr/local/kippo-master/log/" # One place for kippo
#PATH_TO_VAR_LOG="/var/log/kippo/" # another place for kippo
# What is the name of the default log file
LOGFILE="messages"
#LOGFILE="kippo.log"
#Where is the apache access_log file?
PATH_TO_VAR_LOG_HTTPD="/var/log/httpd/"
# Do you want debug output? Set this to 1
DEBUG=0
# Do you want ssh analysis? Set this to 1
DO_SSH=1
# Do you want httpd analysis? Set this to 1
DO_HTTPD=1
# Do we obfuscate/rename the IP addresses? You might want to do this if
# you are copying your reports to a public site.
# OBFUSCATE_IP_ADDRESSES=1 will hide addresses
# OBFUSCATE_IP_ADDRESSES=0 will NOT hide addresses
OBFUSCATE_IP_ADDRESSES=0
# OBFUSCATE_URLS=1 will hide URLs in the http report
# OBFUSCATE_URLS=0 will NOT hide URLs in the http report
# This may not work properly yet.
OBFUSCATE_URLS=0
# These are the search strings from the "LogIt" function in auth-passwd.c
# and are used to figure out which ports are being brute-forced.
# The code for PASSLOG2222 has not yet been written.
PASSLOG="PassLog"
PASSLOG2222="Pass2222Log"
# Where do we put the temporary files
TMP_DIRECTORY="/data/tmp"
# Where are the scripts we need to run?
SCRIPT_DIR="/usr/local/etc/"
# Where do we put the reports?
HTML_DIR="/var/www/html"
# What's the top level directory?
SSH_HTML_TOP_DIR="honey" #NO slashes please, it breaks sed
SSH22_HTML_TOP_DIR="honey-22" #NO slashes please, it breaks sed
SSH2222_HTML_TOP_DIR="honey-2222" #NO slashes please, it breaks sed
TELNET_HTML_TOP_DIR="telnet" #NO slashes please, it breaks sed
RLOGIN_HTML_TOP_DIR="rlogin" #NO slashes please, it breaks sed
FTP_HTML_TOP_DIR="ftp" #NO slashes please, it breaks sed
# This is for my personal debugging, just leave them
# commented out if you aren't me.
#PATH_TO_VAR_LOG="/home/wedaa/source/LongTail/var/log/"
#PATH_TO_VAR_LOG_HTTPD="/home/wedaa/source/LongTail/var/log/httpd/"
# Is this a consolidation server? (A server that
# processes many servers results AND makes individual
# reports for each server).
CONSOLIDATION=0
# Do we protect the raw data, and for how long?
# PROTECT_RAW_DATA=1 will protect raw data
# PROTECT_RAW_DATA=0 will NOT protect raw data
PROTECT_RAW_DATA=1
NUMBER_OF_DAYS_TO_PROTECT_RAW_DATA=90;
# What hosts are protected by a firewall or Intrusion Detection System?
# This is used to set the current-attack-count.data.notfullday flag
# in those directories to help "normalize" the data
# Uncomment these and set to hostnames (see LongTail.sh for example)
#HOSTS_PROTECTED=""
#BLACKRIDGE=""
#RESIDENTIAL_SITES=""
#EDUCATIONAL_SITES=""
#CLOUD_SITES=""
#BUSINESS_SITES=""