├── .classpath
├── .gitignore
├── .project
├── .settings
└── org.eclipse.core.resources.prefs
├── LICENSE
├── NOTICE
├── README.md
├── Version.template
├── build.properties
├── build.xml
├── build_common.xml
├── conf
├── dev
│ ├── .gitignore
│ ├── hibernate.cfg.xml
│ ├── log4j.properties
│ ├── megatron-globals.properties
│ └── systemdata.txt
├── geoip-db
│ ├── .gitignore
│ ├── GeoIP.dat
│ └── readme.txt
├── hibernate-mapping
│ ├── AsNumber.hbm.xml
│ ├── Contact.hbm.xml
│ ├── DomainName.hbm.xml
│ ├── EntryType.hbm.xml
│ ├── IpRange.hbm.xml
│ ├── Job.hbm.xml
│ ├── JobType.hbm.xml
│ ├── LogEntry.hbm.xml
│ ├── MailJob.hbm.xml
│ ├── Organization.hbm.xml
│ ├── OriginalLogEntry.hbm.xml
│ └── Priority.hbm.xml
├── job-type
│ ├── autoshun.properties
│ ├── blade-defender.properties
│ ├── brobot.properties
│ ├── brobot2.properties
│ ├── chaley-ssh-dict.properties
│ ├── clean-mx-phishing.properties
│ ├── clean-mx-viruses.properties
│ ├── compromised-accounts.properties
│ ├── ctir-abuse.properties
│ ├── danger-rulez.properties
│ ├── ddos-amplification.properties
│ ├── dnschanger-isp.properties
│ ├── dronebl.properties
│ ├── dshield.properties
│ ├── emerging-compromised.properties
│ ├── epoch-test.properties
│ ├── iis-to-apache.properties
│ ├── ikyon.properties
│ ├── infiltrated-net-blacklist.properties
│ ├── inteco-cert-fast-flux-old.properties
│ ├── inteco-cert-fast-flux.properties
│ ├── ip-flowing-fast.properties
│ ├── ip-flowing-verbose.properties
│ ├── ip-flowing.properties
│ ├── malc0de.properties
│ ├── malwarepatrol.properties
│ ├── megatron-whois-hostname.properties
│ ├── megatron-whois-ip.properties
│ ├── phishtank.properties
│ ├── rbl-bogusmx.properties
│ ├── rbl-fulldom.properties
│ ├── rbl-hostname.properties
│ ├── rbl-ip-range.properties
│ ├── rbl-syslog-ip-plus-host.properties
│ ├── report-geolocation.properties
│ ├── report-organization.properties
│ ├── shadowserver-cc-ip.properties
│ ├── shadowserver-chargen.properties
│ ├── shadowserver-conficker-http-drone.properties
│ ├── shadowserver-ddos.properties
│ ├── shadowserver-drone.properties
│ ├── shadowserver-drone2.properties
│ ├── shadowserver-microsoft-sinkhole.properties
│ ├── shadowserver-netbios.properties
│ ├── shadowserver-openresolver.properties
│ ├── shadowserver-proxy.properties
│ ├── shadowserver-qotd.properties
│ ├── shadowserver-sandbox-url.properties
│ ├── shadowserver-scan.properties
│ ├── shadowserver-sinkhole-http-drone.properties
│ ├── shadowserver-snmp.properties
│ ├── shadowserver-spam-url.properties
│ ├── sshbl.properties
│ ├── stopforumspam.properties
│ ├── sunet-portscan.properties
│ ├── surfcert-ids.properties
│ ├── syslog-ip-plus-host.properties
│ ├── timestamp-plus-ip.properties
│ ├── turk-h.properties
│ ├── urlquery-mail.properties
│ ├── urlquery.properties
│ ├── vs-db.properties
│ ├── web-apache.properties
│ ├── whois-cymru-timestamp-test.properties
│ ├── whois-cymru-verbose-with-timestamps.properties
│ ├── whois-cymru-verbose.properties
│ ├── xssed.properties
│ ├── zeustracker-blocklist-domain.properties
│ ├── zeustracker-blocklist-ip.properties
│ ├── zeustracker-pushdo.properties
│ └── zone-h.properties
└── template
│ ├── export
│ ├── ddos-amplification_header.txt
│ ├── ddos-amplification_row.txt
│ ├── debug_footer.txt
│ ├── debug_footer.xml
│ ├── debug_header.txt
│ ├── debug_header.xml
│ ├── debug_row.txt
│ ├── debug_row.xml
│ ├── iis-to-apache_row.txt
│ ├── ip-flowing_header.txt
│ ├── ip-flowing_row.txt
│ ├── web-apache_row.txt
│ ├── whois-cymru-verbose_row.txt
│ ├── whois-short-with-hostname_header.txt
│ ├── whois-short-with-hostname_row.txt
│ ├── whois-short-with-orgname_header.txt
│ ├── whois-short-with-orgname_row.txt
│ ├── whois-short_header.txt
│ ├── whois-short_row.txt
│ └── whois_row.txt
│ ├── mail
│ ├── attachment_header.txt
│ ├── attachment_row.txt
│ ├── brobot_header.txt
│ ├── brobot_row.txt
│ ├── clean-mx-phishing_header.txt
│ ├── clean-mx-phishing_row.txt
│ ├── clean-mx-viruses_header.txt
│ ├── clean-mx-viruses_row.txt
│ ├── danger-rulez_header.txt
│ ├── danger-rulez_row.txt
│ ├── debug_footer.txt
│ ├── debug_header.txt
│ ├── debug_row.txt
│ ├── emerging-compromised_header.txt
│ ├── emerging-compromised_row.txt
│ ├── en
│ │ ├── danger-rulez_header.txt
│ │ ├── danger-rulez_row.txt
│ │ ├── general_footer.txt
│ │ ├── rbl-hostname_row.txt
│ │ ├── rbl-with-timestamp_row.txt
│ │ ├── rbl_header.txt
│ │ ├── rbl_row.txt
│ │ ├── shadowserver-conficker-http-drone_header.txt
│ │ ├── shadowserver-conficker_row.txt
│ │ ├── shadowserver-ddos_header.txt
│ │ ├── shadowserver-drone2_header.txt
│ │ ├── shadowserver-drone2_row.txt
│ │ ├── shadowserver-drone_header.txt
│ │ ├── shadowserver-drone_row.txt
│ │ ├── shadowserver-proxy_header.txt
│ │ ├── shadowserver-sinkhole-http-drone_header.txt
│ │ ├── shadowserver-sinkhole-http-drone_row.txt
│ │ ├── shadowserver_row.txt
│ │ ├── zeustracker-pushdo_header.txt
│ │ └── zeustracker-pushdo_row.txt
│ ├── general_footer.txt
│ ├── rbl-hostname_row.txt
│ ├── rbl-with-timestamp_row.txt
│ ├── rbl_header.txt
│ ├── rbl_row.txt
│ ├── report-organization_body.txt
│ ├── shadowserver-cc-ip_header.txt
│ ├── shadowserver-cc-ip_row.txt
│ ├── shadowserver-chargen_header.txt
│ ├── shadowserver-conficker-http-drone_header.txt
│ ├── shadowserver-conficker_row.txt
│ ├── shadowserver-ddos_header.txt
│ ├── shadowserver-drone2_header.txt
│ ├── shadowserver-drone2_row.txt
│ ├── shadowserver-drone_header.txt
│ ├── shadowserver-drone_row.txt
│ ├── shadowserver-microsoft-sinkhole_header.txt
│ ├── shadowserver-netbios_header.txt
│ ├── shadowserver-openresolver_header.txt
│ ├── shadowserver-proxy_header.txt
│ ├── shadowserver-qotd_header.txt
│ ├── shadowserver-sinkhole-http-drone_header.txt
│ ├── shadowserver-sinkhole-http-drone_row.txt
│ ├── shadowserver-snmp_header.txt
│ ├── shadowserver_row.txt
│ ├── urlquery_header.txt
│ ├── urlquery_row.txt
│ ├── zeustracker-pushdo_header.txt
│ ├── zeustracker-pushdo_row.txt
│ ├── zone-h_header.txt
│ └── zone-h_row.txt
│ └── report
│ ├── array-begin_header.json
│ ├── array-end_footer.json
│ ├── array-in-dict-end_footer.json
│ ├── geolocation-city_footer.xml
│ ├── geolocation-city_header.json
│ ├── geolocation-city_header.xml
│ ├── geolocation-city_row.json
│ ├── geolocation-city_row.xml
│ ├── geolocation-entries-city-internal_row.json
│ ├── geolocation-entries-city_row.json
│ ├── geolocation-entries-internal_footer.xml
│ ├── geolocation-entries-internal_header.xml
│ ├── geolocation-entries-internal_row.xml
│ ├── geolocation-entries-overview_row.json
│ ├── geolocation-entries_footer.xml
│ ├── geolocation-entries_header.xml
│ ├── geolocation-entries_row.xml
│ ├── geolocation-organization_footer.xml
│ ├── geolocation-organization_header.json
│ ├── geolocation-organization_header.xml
│ ├── geolocation-organization_row.json
│ ├── geolocation-organization_row.xml
│ ├── geolocation-summary-internal_header.json
│ └── geolocation-summary_header.json
├── doc
├── howto-create-history-db.txt
├── readme-general.txt
├── readme-install.txt
└── release-notes.txt
├── launch
├── megatron-create-xml.launch
├── megatron-import-bgp.launch
├── megatron-import-contacts.launch
├── megatron-ip-flowing-export-no-db.launch
├── megatron-rbl-ip-range.launch
├── megatron-shadowserver-export-no-db.launch
├── megatron-shadowserver.launch
├── megatron-slurp.launch
├── megatron-syslog-export-no-db.launch
├── megatron-usage.launch
├── megatron-web-apache-delete.launch
├── megatron-web-apache-export-from-db.launch
├── megatron-web-apache-export.launch
├── megatron-web-apache-mail-dry-run.launch
└── megatron-whois-cymru-export.launch
├── lib-src
├── commons-net-src.zip
├── dnsjava-src.zip
├── geoip-src.zip
├── jdom-src.zip
├── joda-time-src.zip
├── log4j-src.zip
└── rome-src.zip
├── lib
├── activation.jar
├── antlr-2.7.6.jar
├── commons-collections-3.2.1.jar
├── commons-net.jar
├── dnsjava.jar
├── dom4j-1.6.1.jar
├── geoip.jar
├── hibernate3.jar
├── javassist.jar
├── jdom.jar
├── joda-time.jar
├── jta-1.1.jar
├── log4j.jar
├── mail.jar
├── mysql-connector.jar
├── rome.jar
├── slf4j-api-1.5.6.jar
├── slf4j-log4j12-1.5.6.jar
└── version.txt
├── megatron-dev.sh
├── megatron.bat
├── megatron.sh
├── script
├── generate-org-reports.sh
├── generate-reports.sh
├── remove-stale-lock.sh
└── send_abuse.sh
├── sql
├── megatron-queries.sql
├── megatron-schema.sql
└── select-count-plus-max.sql
├── src-test
└── se
│ └── sitic
│ └── megatron
│ ├── core
│ ├── IntervalTest.java
│ ├── TestEmailAddressBatchUpdater.java
│ └── TimePeriodTest.java
│ ├── db
│ ├── AsnLookupTest.java
│ └── TestDb.java
│ ├── rss
│ └── RssManagerTest.java
│ ├── ui
│ └── TestUI.java
│ └── util
│ ├── AppUtilTest.java
│ ├── FileUtilTest.java
│ ├── IpAddressUtilTest.java
│ └── StringUtilTest.java
├── src
├── IpToolsConverter.java
├── Megatron.java
├── OrganizationContactMigrator.java
└── se
│ └── sitic
│ └── megatron
│ ├── core
│ ├── AbstractExportManager.java
│ ├── AbstractExporter.java
│ ├── AppProperties.java
│ ├── AttributeValueRewriter.java
│ ├── CommandLineParseException.java
│ ├── ConversionException.java
│ ├── EmailAddressBatchUpdater.java
│ ├── FileExportManager.java
│ ├── FileExporter.java
│ ├── Interval.java
│ ├── IntervalList.java
│ ├── JobContext.java
│ ├── JobInfoWriter.java
│ ├── JobListWriter.java
│ ├── JobManager.java
│ ├── JobScheduler.java
│ ├── MailExportManager.java
│ ├── MailExporter.java
│ ├── MailJobContext.java
│ ├── MegatronException.java
│ ├── NetnameUpdater.java
│ ├── StatsRssGenerator.java
│ ├── TimePeriod.java
│ ├── TypedProperties.java
│ └── WhoisWriter.java
│ ├── db
│ ├── AsnLookupDbManager.java
│ ├── DbException.java
│ ├── DbManager.java
│ ├── DbStatisticsData.java
│ ├── ImportBgpTable.java
│ ├── ImportSystemData.java
│ └── ReadOnlyDbManager.java
│ ├── decorator
│ ├── AsnDecorator.java
│ ├── AsnGeoIpDecorator.java
│ ├── CombinedDecorator.java
│ ├── CountryCodeDecorator.java
│ ├── CountryCodeFromHostnameDecorator.java
│ ├── DecoratorManager.java
│ ├── GeolocationDecorator.java
│ ├── HostnameDecorator.java
│ ├── IDecorator.java
│ ├── IpAddressDecorator.java
│ ├── OrganizationMatcherDecorator.java
│ └── UrlToHostnameDecorator.java
│ ├── entity
│ ├── ASNumber.java
│ ├── Contact.java
│ ├── DomainName.java
│ ├── EntryType.java
│ ├── IpRange.java
│ ├── Job.java
│ ├── JobType.java
│ ├── LogEntry.java
│ ├── MailJob.java
│ ├── NameValuePair.java
│ ├── Organization.java
│ ├── OriginalLogEntry.java
│ ├── Priority.java
│ └── base
│ │ ├── BaseASNumber.java
│ │ ├── BaseContact.java
│ │ ├── BaseDomainName.java
│ │ ├── BaseEntryType.java
│ │ ├── BaseIpRange.java
│ │ ├── BaseJob.java
│ │ ├── BaseJobType.java
│ │ ├── BaseLogEntry.java
│ │ ├── BaseMailJob.java
│ │ ├── BaseOrganization.java
│ │ ├── BaseOriginalLogEntry.java
│ │ └── BasePriority.java
│ ├── fileprocessor
│ ├── DiffProcessor.java
│ ├── IFileProcessor.java
│ ├── MultithreadedDnsProcessor.java
│ ├── OsCommandProcessor.java
│ └── XmlToRowFileProcessor.java
│ ├── filter
│ ├── AsnFilter.java
│ ├── AttributeFilter.java
│ ├── CountryCodeFilter.java
│ ├── ILineFilter.java
│ ├── ILogEntryFilter.java
│ ├── LineNumberFilter.java
│ ├── LogEntryFilterManager.java
│ ├── OccurrenceFilter.java
│ ├── OrganizationFilter.java
│ ├── OrganizationOrCountryCodeFilter.java
│ ├── PriorityFilter.java
│ └── RegExpLineFilter.java
│ ├── geoip
│ ├── As.java
│ ├── GeoIpAsnManager.java
│ ├── GeoIpCityManager.java
│ ├── GeoIpCountryManager.java
│ └── Geolocation.java
│ ├── lineprocessor
│ ├── ILineProcessor.java
│ ├── LineMerger.java
│ └── LineSplitter.java
│ ├── mail
│ ├── MailAttachment.java
│ ├── MailException.java
│ ├── MailSender.java
│ └── MimeMapper.java
│ ├── parser
│ ├── IParser.java
│ ├── InvalidExpressionException.java
│ ├── LineExpression.java
│ ├── LogEntryMapper.java
│ ├── ParseException.java
│ └── RegExpParser.java
│ ├── report
│ ├── GeolocationJsonReportGenerator.java
│ ├── GeolocationXmlReportGenerator.java
│ ├── IReportGenerator.java
│ ├── OrganizationReportGenerator.java
│ └── StatisticsXmlReportGenerator.java
│ ├── rss
│ ├── AbstractRssFile.java
│ ├── IRssChannel.java
│ ├── IRssFactory.java
│ ├── IRssItem.java
│ ├── IRssParser.java
│ ├── IRssWriter.java
│ ├── JobRssFile.java
│ ├── RssException.java
│ ├── RssManager.java
│ ├── RssParseException.java
│ ├── StatsRssFile.java
│ └── rome
│ │ ├── RomeRssChannel.java
│ │ ├── RomeRssFactory.java
│ │ ├── RomeRssItem.java
│ │ ├── RomeRssParser.java
│ │ └── RomeRssWriter.java
│ ├── tickethandler
│ └── ITicketHandler.java
│ ├── ui
│ └── OrganizationHandler.java
│ └── util
│ ├── AppUtil.java
│ ├── Constants.java
│ ├── DateUtil.java
│ ├── FileUtil.java
│ ├── IpAddressUtil.java
│ ├── ObjectStringSorter.java
│ ├── SqlUtil.java
│ ├── StringUtil.java
│ └── Version.java
└── test-data
├── 2009-03-23-ddos-report-se.log
├── 2009-06-07-sinkhole-http-drone-report-se.log
├── 2009-06-08-drone-report-se.log
├── 2009-11-29-scan-report-nl.log
├── 2009-12-22-conficker-http-drone-report-se.log
├── 2010-01-14-sinkhole-http-drone-report-se.log
├── 2010-01-17-proxy-report-se.log
├── 2010-01-20-sandbox-url-report-se.log
├── 2010-03-02-drone-report2-se.log
├── 2010-10-02-sinkhole-http-drone-report-se.log
├── 2010-10-27-spam-url-report-se.log
├── 2010-11-06-cc-ip-report-se.log
├── 20100127_pushdo.log
├── 2014-04-01-dns-openresolver-report-se.log
├── 2014-04-02-chargen-report-se.log
├── 2014-04-02-microsoft-sinkhole-report-se.log
├── 2014-04-02-netbios-report-se.log
├── 2014-04-02-qotd-report-se.log
├── 2014-04-02-snmp-report-se.log
├── 2014-04-12-sinkhole-http-drone-report-se.log
├── abuse.rfc-ignorant.org.log
├── autoshun.log
├── bgp-table-small.txt
├── blade-defender.log
├── bogusmx.rfc-ignorant.org.log
├── brobot.log
├── brobot2.log
├── certa-rfi-attacks.log
├── certa-rfi-hosts.log
├── chaley-ssh-dict.log
├── clean-mx-phishing.xml
├── clean-mx-viruses.xml
├── compromised-accounts.log
├── ctir-abuse.log
├── ddos-amplification-sorted.log
├── ddos-amplification.log
├── dnschanger-isp.log
├── dronebl.log
├── dshield.log
├── emerging-compromised.log
├── epoch-test.log
├── fulldom.rfc-ignorant.org.log
├── fullip.rfc-ignorant.org.log
├── ikyon.log
├── infiltrated-net-blacklist.log
├── inteco-cert-fast-flux.log
├── malwarepatrol.xml
├── megatron-whois-hostname.log
├── multiple-ips-per-line.log
├── multiple-ips-per-line2.log
├── multiple-ips-per-line3.log
├── open-resolver-ddos.log
├── open-resolver-ddos2.log
├── phishtank.log
├── rbl-hostname.log
├── rbl-ip-range.log
├── rbl
├── ip-sorbs-escalations.dnsbl.sorbs.net__2009-09-24_075223.log
├── ip-sorbs-http.dnsbl.sorbs.net__2009-09-24_075224.log
├── ip-sorbs-misc.dnsbl.sorbs.net__2009-09-24_075226.log
├── ip-sorbs-new.spam.dnsbl.sorbs.net__2009-09-24_075226.log
├── ip-sorbs-smtp.dnsbl.sorbs.net__2009-09-24_075227.log
├── ip-sorbs-socks.dnsbl.sorbs.net__2009-09-24_075228.log
├── ip-sorbs-web.dnsbl.sorbs.net__2009-09-24_075230.log
├── ip-sorbs-zombie.dnsbl.sorbs.net__2009-09-24_075615.log
├── ip-spamcannibal-bl.spamcannibal.org.in.cmb.rbl__2009-09-24_075615.log
├── ip-spamhaus-pbl__2009-09-24_073601.log
├── ip-spamhaus-sbl__2009-09-24_073617.log
├── ip-spamhaus-xbl__2009-09-24_073618.log
├── ip-uceprotect-dnsbl-1.uceprotect.net__2009-09-24_075747.log
├── ip-uceprotect-dnsbl-2.uceprotect.net__2009-09-24_080339.log
├── ip-uceprotect-dnsbl-3.uceprotect.net__2009-09-24_080611.log
├── ip-uceprotect-ips.backscatterer.org__2009-09-24_080728.log
└── url-sorbs-badconf.rhsbl.sorbs.net__2009-09-24_075222.log
├── rfc-ignorant.org.log
├── sshbl.log
├── stopforumspam.log
├── sunet-portscan.log
├── surfcert-ids.log
├── syslog-ip-plus-host.log
├── time-ip.log
├── timestamp-plus-ip.log
├── turk-h.log
├── urlquery-mail.log
├── urlquery.log
├── vs-db.log
├── web-apache-syslog.log
├── web-iis.log
├── web-iis2.log
├── web-iis3.log
├── web-iis4.log
├── whois-cymru-timestamp-test.log
├── whois-cymru-verbose-with-timestamps.log
├── whois-cymru-verbose.log
├── xssed.log
├── zeustracker-blocklist-domain.log
├── zeustracker-blocklist-ip.log
└── zone-h.log
/.classpath:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /bin
2 | /classes-eclipse
3 | /log
4 | /tmp
5 | /slurp
6 | /build
7 | /dist
8 | /local-files
9 |
--------------------------------------------------------------------------------
/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | megatron-java
4 |
5 |
6 |
7 |
8 |
9 | org.eclipse.jdt.core.javabuilder
10 |
11 |
12 |
13 |
14 |
15 | org.eclipse.jdt.core.javanature
16 |
17 |
18 |
--------------------------------------------------------------------------------
/.settings/org.eclipse.core.resources.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | encoding//conf/dev/megatron-globals.properties=UTF-8
3 | encoding//conf/job-type/brobot.properties=UTF-8
4 | encoding//conf/job-type/brobot2.properties=UTF-8
5 | encoding//conf/job-type/ddos-amplification.properties=UTF-8
6 | encoding//conf/job-type/report-geolocation.properties=UTF-8
7 | encoding//conf/job-type/urlquery-mail.properties=UTF-8
8 | encoding//conf/job-type/urlquery.properties=UTF-8
9 |
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | Megatron: Copyright (c) 2013 CERT-SE (http://www.cert.se/).
2 |
3 | This product includes software developed at
4 | The Apache Software Foundation (http://www.apache.org/).
5 |
6 | This product includes software developed by the
7 | dnsjava project (http://www.xbill.org/dnsjava/)
8 | Copyright (c) 1999-2005, Brian Wellington
9 |
10 | This product includes software developed by the
11 | JDOM Project (http://www.jdom.org/).
12 |
13 | This product includes software developed by the
14 | Joda Time project (http://joda-time.sourceforge.net/)
15 |
16 | This product includes software developed by the
17 | ROME Project (https://rome.dev.java.net/).
18 |
--------------------------------------------------------------------------------
/build.properties:
--------------------------------------------------------------------------------
1 | app.name=Megatron
2 | app.version=1.1.1
3 | app.tag=v1.1.1
4 |
--------------------------------------------------------------------------------
/conf/dev/.gitignore:
--------------------------------------------------------------------------------
1 | /megatron-globals_private.properties
2 |
--------------------------------------------------------------------------------
/conf/dev/hibernate.cfg.xml:
--------------------------------------------------------------------------------
10 | jdbc:mysql://localhost:3306/megatron
11 |
12 |
13 | org.gjt.mm.mysql.Driver
14 |
15 | megatron
16 | megatron
17 |
18 |
19 |
20 | org.hibernate.dialect.MySQLDialect
21 |
22 | false
23 |
24 | org.hibernate.transaction.JDBCTransactionFactory
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/conf/dev/log4j.properties:
--------------------------------------------------------------------------------
1 | log4j.rootLogger=DEBUG, CONSOLE, FILE
2 | log4j.appender.se.sitic=CONSOLE, FILE
3 |
4 | log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
5 | log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
6 | #log4j.appender.CONSOLE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %m%n
7 | #log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} %p %c - %m%n
8 | #log4j.appender.CONSOLE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} [%c] %-5p - %m%n
9 | log4j.appender.CONSOLE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p - %m%n
10 |
11 |
12 | log4j.appender.FILE=org.apache.log4j.DailyRollingFileAppender
13 | log4j.appender.FILE.File=log/megatron.log
14 | log4j.appender.FILE.DatePattern=yyyy-MM-dd
15 | log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
16 | log4j.appender.FILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p - %m%n
17 |
18 | log4j.logger.se.sitic=DEBUG
19 | log4j.logger.org.hibernate=WARN
20 |
--------------------------------------------------------------------------------
/conf/geoip-db/.gitignore:
--------------------------------------------------------------------------------
1 | /GeoIPASNum.dat
2 | /GeoLiteCity.dat
3 |
--------------------------------------------------------------------------------
/conf/geoip-db/GeoIP.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/conf/geoip-db/GeoIP.dat
--------------------------------------------------------------------------------
/conf/geoip-db/readme.txt:
--------------------------------------------------------------------------------
1 | This directory contains the following GeoIP databases:
2 | - GeoIP.dat (~0.6 MB)
3 | - GeoIPASNum.dat (~4 MB)
4 | - GeoLiteCity.dat (~28 MB)
5 |
6 | Only the first one is included in the distribution, due to file size.
7 | The rest have to be downloaded (see below). Fetch them over HTTPS where the site offers it and check size/checksum before installing them here: the country codes and AS numbers derived from these files feed the job-type filters (e.g. filter.countryCodeFilter.includeCountryCodes=SE, NU) that decide which entries are reported and mailed, so a stale or corrupt database silently changes who gets notified.
8 |
9 | MaxMind offers the following free databases (legacy .dat format; MaxMind has since discontinued the free legacy GeoLite downloads, so these URLs may no longer work):
10 | - GeoLite Country:
11 | http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
12 |
13 | - GeoLite City:
14 | http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
15 |
16 | - GeoLite ASN:
17 | http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
18 |
19 | The commercial databases from MaxMind are more accurate and have the same format:
20 | http://www.maxmind.com/app/geoip_features
21 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/AsNumber.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
26 |
33 |
34 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/DomainName.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
26 |
32 |
33 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/EntryType.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
20 |
27 |
28 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/IpRange.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
20 |
27 |
34 |
41 |
47 |
48 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/JobType.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
23 |
30 |
36 |
42 |
48 |
49 |
50 |
51 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/MailJob.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
25 |
32 |
39 |
45 |
51 |
57 |
58 |
59 |
60 |
61 |
62 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/OriginalLogEntry.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
8 |
13 |
14 |
15 |
22 |
28 |
33 |
34 |
--------------------------------------------------------------------------------
/conf/hibernate-mapping/Priority.hbm.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
7 |
11 | false
12 |
17 |
18 |
19 |
20 |
27 |
28 |
35 |
36 |
--------------------------------------------------------------------------------
/conf/job-type/autoshun.properties:
--------------------------------------------------------------------------------
1 | # Config file for Autoshun: http://www.autoshun.org/files/shunlist.csv (retrieve the list over TLS where available; rows that pass the filters below become reported entries)
2 | #
3 | # Example lines:
4 | # 46.4.211.164,2011-10-25 08:09:09,Known RBN Network
5 | # 31.31.73.103,2011-10-22 08:09:03,Hacker
6 | #
7 | # Expanded reg-exp (note that $ipAddress also matches the empty string, so a row with a blank first field still parses):
8 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|),(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(.*)
9 | #
10 | # Test file: autoshun.log
11 |
12 | # Skip file if same as previous file
13 | general.fileAlreadyProcessedAction=skip
14 |
15 | # Filter out old entries by diffing file in previous job
16 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
17 |
18 | # Exclude first line
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
20 | filter.lineNumberFilter.excludeIntervals=1-1
21 |
22 | # Filter (pre-storage): entries are decorated *before* this filter runs, so the organization match can use hostname and ASN as well as the IP — at the cost of decorating (reverse-looking-up) every entry first.
23 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
24 | filter.organizationFilter.matchIpAddress=true
25 | filter.organizationFilter.matchHostname=true
26 | filter.organizationFilter.matchAsn=true
27 | filter.countryCodeFilter.includeCountryCodes=SE, NU
28 |
29 | # Example: 2011-10-22 08:09:03 (supposedly in UTC). The format below carries no zone, so the value is presumably parsed in the JVM default time zone — run the JVM in UTC, or confirm how the parser handles zone-less timestamps, if the feed really is UTC.
30 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
31 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
32 |
33 | # Parse reason for blocking. This is free text from the feed (.*), so treat it as untrusted and escape it if it is ever rendered into mail templates or reports.
34 | parser.item.additionalItem.reason=.*
35 |
36 | # Line expression
37 | parser.lineRegExp=^$ipAddress,$logTimestamp,$additionalItem_reason
38 |
39 | # TODO
40 | # Mail templates
41 | #mail.headerFile=autoshun_header.txt
42 | #mail.rowFile=autoshun_row.txt
43 |
--------------------------------------------------------------------------------
/conf/job-type/brobot.properties:
--------------------------------------------------------------------------------
1 | # Config for Brobot file (sent by an organisation that does not want to be disclosed).
2 | #
3 | # Example line:
4 | # 41528,SE,195.74.38.17,http://tshirtdesigns.se/cgi-bin/news2.class.1.php
5 | #
6 | # Expanded reg-exp:
7 | # ^(\d*),(\w{0,2}),(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|),https{0,1}://(.*)
8 | #
9 | # Test file: brobot.log
10 |
11 | # Skip file if same as previous file
12 | general.fileAlreadyProcessedAction=skip
13 |
14 | # Extract hostname from URL, and then add IP, ASN, and country code. Note that the hostnames come from URLs in the feed, so the resolver used for decoration will presumably look up names chosen by whoever controls those URLs.
15 | decorator.classNames.0=se.sitic.megatron.decorator.UrlToHostnameDecorator
16 | decorator.classNames.1=se.sitic.megatron.decorator.CombinedDecorator
17 |
18 | # Rewrite malicious links on export (http --> hxxp and https --> hxxps) so they are not clickable in the mail. Only the scheme is defanged; host and path are passed through verbatim.
19 | export.rewriters.0=url:(?i)(h)tt(ps{0,1}://.+)-->$1xx$2
20 |
21 | # Include only log records with countryCode=SE|NU. This filter runs *before* decoration, so it trusts the country code supplied in the feed rather than one derived from GeoIP.
22 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.AttributeFilter
23 | filter.attributeFilter.attributeName=countryCode
24 | filter.attributeFilter.includeRegExp=SE|NU
25 |
26 | # Line expression
27 | parser.lineRegExp=^$asn,$countryCode,$ipAddress,$url
28 |
29 | # Send abuse to web hotel and above
30 | general.highPriorityNotification.threshold=15
31 | filter.priorityFilter.includeIntervals=15-
32 |
33 | # Turn off quarantine
34 | mail.ipQuarantinePeriod=0
35 |
36 | # Mail templates
37 | mail.subjectTemplate=Webbserver er ert nät medverkar i DDoS-attacker [CERT-SE #$rtirId]
38 | mail.headerFile=brobot_header.txt
39 | mail.rowFile=brobot_row.txt
40 |
--------------------------------------------------------------------------------
/conf/job-type/brobot2.properties:
--------------------------------------------------------------------------------
1 | # Config for Brobot file (sent by an organisation that does not want to be
2 | # disclosed, but not the same organisation as in brobot.properties).
3 | #
4 | # Example line:
5 | # 83.223.8.110,42318,SE,FASTBIT-AS Fastbit AB,adventurelovers.se,http://adventurelovers.se/tmp/modo.php,
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|),(\d*),(\w{0,2}),.*?,.*?,https{0,1}://(.*)
9 | #
10 | # Test file: brobot2.log
11 |
12 | # Skip file if same as previous file
13 | general.fileAlreadyProcessedAction=skip
14 |
15 | # Exclude first line
16 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
17 | filter.lineNumberFilter.excludeIntervals=1-1
18 |
19 | # Extract hostname from URL, and then add IP, ASN, and country code. Note that the hostnames come from URLs in the feed, so the resolver used for decoration will presumably look up names chosen by whoever controls those URLs.
20 | decorator.classNames.0=se.sitic.megatron.decorator.UrlToHostnameDecorator
21 | decorator.classNames.1=se.sitic.megatron.decorator.CombinedDecorator
22 |
23 | # Rewrite malicious links on export (http --> hxxp and https --> hxxps) so they are not clickable in the mail. Only the scheme is defanged; host and path are passed through verbatim.
24 | export.rewriters.0=url:(?i)(h)tt(ps{0,1}://.+)-->$1xx$2
25 |
26 | # Include only log records with countryCode=SE|NU. This filter runs *before* decoration, so it trusts the country code supplied in the feed rather than one derived from GeoIP.
27 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.AttributeFilter
28 | filter.attributeFilter.attributeName=countryCode
29 | filter.attributeFilter.includeRegExp=SE|NU
30 |
31 | # Line expression: exclude ASN description and domain.
32 | parser.lineRegExp=^$ipAddress,$asn,$countryCode,.*?,.*?,$url
33 |
34 | # Send abuse to web hotel and above
35 | general.highPriorityNotification.threshold=15
36 | filter.priorityFilter.includeIntervals=15-
37 |
38 | # Turn off quarantine
39 | mail.ipQuarantinePeriod=0
40 |
41 | # Mail templates
42 | mail.subjectTemplate=Webbserver er ert nät medverkar i DDoS-attacker [CERT-SE #$rtirId]
43 | mail.headerFile=brobot_header.txt
44 | mail.rowFile=brobot_row.txt
45 |
--------------------------------------------------------------------------------
/conf/job-type/chaley-ssh-dict.properties:
--------------------------------------------------------------------------------
1 | # Config file for blacklist of SSH scanning hosts maintained by Charles B. Haley.
2 | # URL: http://www.the-haleys.com/chaley/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
3 | #
4 | # Example lines:
5 | # ALL : 12.107.249.169
6 | # ALL : 12.108.0.252
7 | #
8 | # Expanded reg-exp:
9 | # [^\s]+ : (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)
10 | #
11 | # Test file: chaley-ssh-dict.log
12 |
13 | # Skip file if same as previous file
14 | general.fileAlreadyProcessedAction=skip
15 |
16 | # Filter out old entries by diffing file in previous job
17 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
18 |
19 | # Filter out header and comments
20 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
21 | filter.regExpLineFilter.excludeRegExp=^#
22 |
23 | # Filter: keep IPs that match an organization in the contact DB, plus Swedish IPs.
24 | # Note: entries are decorated *after* this filter (too many foreign IPs to reverse-lookup), so only the raw IP is available here — hostname and ASN matching are therefore disabled below.
25 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
26 | filter.organizationFilter.matchIpAddress=true
27 | filter.organizationFilter.matchHostname=false
28 | filter.organizationFilter.matchAsn=false
29 | filter.countryCodeFilter.includeCountryCodes=SE, NU
30 |
31 | # Line expression.
32 | parser.lineRegExp=[^\s]+ : $ipAddress
33 |
34 | # TODO
35 | # Mail templates
36 | #mail.headerFile=chaley-ssh-dict_header.txt
37 | #mail.rowFile=chaley-ssh-dict_row.txt
38 |
--------------------------------------------------------------------------------
/conf/job-type/ctir-abuse.properties:
--------------------------------------------------------------------------------
1 | # Config for abuse mails from CTIR.
2 | #
3 | # Example lines:
4 | # 2010/01/30 14:03:38 GMT-02:00 81.235.2.13 63B2A32EA51 TROJ_DROPR.VEN UPS Delivery Problem NR 90342.
5 | # 2010/01/30 14:19:01 GMT-02:00 81.235.2.13 996DC22F8B TROJ_DROPR.VEN UPS Delivery Problem NR 18752.
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} GMT-\d{2}:\d{2})\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|).*
9 | #
10 | # Test file: ctir-abuse.log
11 |
12 | # Include only log lines that start with a timestamp.
13 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
14 | filter.regExpLineFilter.includeRegExp=^\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2}
15 |
16 | # Timestamp: 2010/01/30 14:03:38 GMT-02:00
17 | parser.item.logTimestamp=\d{4}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} GMT-\d{2}:\d{2}
18 | parser.timestampFormat=yyyy/MM/dd HH:mm:ss z
19 |
20 | # Additional items
21 | parser.item.additionalItem.ports=[\d,]+
22 |
23 | # Line expression. Skips the following fields: SMTP ID, INCIDENT, SUBJECT
24 | parser.lineRegExp=^$logTimestamp\s+$ipAddress.*
25 |
26 | # Mail templates
27 | # TODO Write mail templates
28 |
--------------------------------------------------------------------------------
/conf/job-type/danger-rulez.properties:
--------------------------------------------------------------------------------
1 | # This configuration handles Danger Rulez blocklist:
2 | # http://danger.rulez.sk/projects/bruteforceblocker/blist.php
3 | #
4 | # Example line:
5 | # # IP # Last Reported Count ID
6 | # 218.56.61.114 # 2010-03-07 07:59:27 126 431
7 | #
8 | # Expanded reg-exp: ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+# (\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})\s+\d+\s+\d+
9 |
10 | # Filter out old entries by diffing file in previous job
11 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
12 |
13 | # Skip file if same as previous file
14 | general.fileAlreadyProcessedAction=skip
15 |
16 | # Filter out header and comments
17 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
18 | filter.regExpLineFilter.excludeRegExp=^#
19 |
20 | # Filter: keep IPs that match an organization in contact-db plus Swedish IPs.
21 | # Note: Entries are decorated *after* filter.
22 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
23 | filter.organizationFilter.matchIpAddress=true
24 | filter.organizationFilter.matchHostname=false
25 | filter.organizationFilter.matchAsn=false
26 | filter.countryCodeFilter.includeCountryCodes=SE, NU
27 |
28 | # Example: 2009-06-08 01:36:06
29 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
30 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
31 |
32 | # Default TZ for Danger Rulez is CET, but it can be specified in the
33 | # URL (the example URL was lost in this copy of the file).
34 | # CET, GMT, EST and MST are supported, but not UTC.
35 | parser.defaultTimeZone=CET
36 |
37 | # Line expression
38 | parser.lineRegExp=^$ipAddress\s+# $logTimestamp\s+\d+\s+\d+
39 |
40 | # Mail templates
41 | mail.headerFile=danger-rulez_header.txt
42 | mail.rowFile=danger-rulez_row.txt
43 |
--------------------------------------------------------------------------------
/conf/job-type/dnschanger-isp.properties:
--------------------------------------------------------------------------------
1 | # Config for DNSChanger log entries that have been exported from the database.
2 | # Want to send all "comhem" lines to Comhem, "Tre" to Tre, and so on.
3 | #
4 | # Example line:
5 | # 2012-03-26 07:49:04|80.217.171.115|c80-217-171-115.bredband.comhem.se|61395|85.255.115.116|comhem
6 | # 2012-03-30 04:30:22|2.69.62.160|2.69.62.160.mobile.tre.se|56862|85.255.116.105|Tre
7 | #
8 | # Expanded reg-exp:
9 | # ^\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}\|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\|.*?\|.*?\|.*?\|.+
10 | #
11 | # Test file: dnschanger-isp.log
12 |
13 |
14 | # Exclude first line
15 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
16 | filter.lineNumberFilter.excludeIntervals=1-1
17 |
18 | # Adds ASN from IP
19 | decorator.classNames.0=se.sitic.megatron.decorator.AsnDecorator
20 |
21 | # Only interested in the IP address, which will match ISP using ASN.
22 | parser.lineRegExp=^\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}\|$ipAddress\|.*?\|.*?\|.*?\|.+
23 |
24 | # Mail templates
25 | mail.headerFile=dnschanger-isp_header.txt
26 | mail.rowFile=dnschanger-isp_row.txt
27 |
--------------------------------------------------------------------------------
/conf/job-type/dronebl.properties:
--------------------------------------------------------------------------------
1 | # Config file for Drone-BL files: http://dronebl.org/buildzone.do
2 | #
3 | # Example lines:
4 | # 192.121.218.90
5 | #
6 | # Expanded reg-exp:
7 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)(?: .*|)
8 | #
9 | # Test file:
10 | # dronebl.log
11 |
12 | # Filter out old entries by diffing file in previous job
13 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
18 | # Filter out header and comments
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
20 | filter.regExpLineFilter.excludeRegExp=^#|^\$|^\!|^\:|^127\.0\.0\.
21 |
22 | # Filter: keep IPs that match an organization in contact-db plus Swedish IPs.
23 | # Note: Entries are decorated *after* filter.
24 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
25 | filter.organizationFilter.matchIpAddress=true
26 | filter.organizationFilter.matchHostname=false
27 | filter.organizationFilter.matchAsn=false
28 | filter.countryCodeFilter.includeCountryCodes=SE, NU
29 |
30 | # Line expression
31 | # Note: Ignore sections in file which categorize the ip, e.g. ":3:IRC spam drone (litmus/sdbot/fyle)".
32 | parser.lineRegExp=^$ipAddress(?: .*|)
33 |
34 | # TODO
35 | # Mail templates
36 | #mail.headerFile=dronebl_header.txt
37 | #mail.rowFile=dronebl_row.txt
38 |
--------------------------------------------------------------------------------
/conf/job-type/dshield.properties:
--------------------------------------------------------------------------------
1 | # Config for Dshield files: https://secure.dshield.org/asdetailsascii.html
2 | #
3 | # Example lines:
4 | # # source IP Reports Targets First Seen Last Seen Updated
5 | # 024.032.144.092 6 1 2009-10-15 2009-10-15 2009-10-15 16:20:12
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+(\d+)\s+\d+\s+(?:\d{4}-\d{2}-\d{2}|)\s+(?:\d{4}-\d{2}-\d{2}|)\s+(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})
9 | #
10 | # Test file: dshield.log
11 |
12 | # Filter out old entries by diffing file in previous job
13 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
18 | # Exclude comment line
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
20 | filter.regExpLineFilter.excludeRegExp=^#
21 |
22 | # Filter: keep IPs that match an organization in contact-db plus Swedish IPs.
23 | # Note: Entries are decorated *before* filter.
24 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
25 | filter.organizationFilter.matchIpAddress=true
26 | filter.organizationFilter.matchHostname=true
27 | filter.organizationFilter.matchAsn=true
28 | filter.countryCodeFilter.includeCountryCodes=SE, NU
29 |
30 | # Timestamp: 2009-10-15 16:20:12
31 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
32 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
33 |
34 | # Additional items
35 | parser.item.additionalItem.noOfReports=\d+
36 |
37 | # Line expression
38 | parser.lineRegExp=^$ipAddress\s+$additionalItem_noOfReports\s+\d+\s+(?:\d{4}-\d{2}-\d{2}|)\s+(?:\d{4}-\d{2}-\d{2}|)\s+$logTimestamp
39 |
--------------------------------------------------------------------------------
/conf/job-type/emerging-compromised.properties:
--------------------------------------------------------------------------------
1 | # Config file for the emerging-compromised.rules from Emerging Threats.
2 | # http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
3 | #
4 | # Note: The file is pre-processed by a script so it is just a list of IPs, but
5 | # handling the original data should be no problem (see "ip-flowing.properties").
6 | #
7 | # Example line:
8 | # 110.164.183.230
9 | # 110.234.96.196
10 | #
11 | # Expanded reg-exp:
12 | # ^\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s*$
13 | #
14 | # Test file: emerging-compromised.log
15 |
16 | # Skip file if same as previous file
17 | general.fileAlreadyProcessedAction=skip
18 |
19 | # Filter out old entries by diffing file in previous job
20 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
21 |
22 | # Filter: Entries are decorated *before* filter.
23 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
24 | filter.organizationFilter.matchIpAddress=true
25 | filter.organizationFilter.matchHostname=true
26 | filter.organizationFilter.matchAsn=true
27 | filter.countryCodeFilter.includeCountryCodes=SE, NU
28 |
29 | # Space ignored
30 | parser.lineRegExp=^\s*$ipAddress\s*$
31 |
32 | # Mail templates
33 | mail.headerFile=emerging-compromised_header.txt
34 | mail.rowFile=emerging-compromised_row.txt
35 |
--------------------------------------------------------------------------------
/conf/job-type/epoch-test.properties:
--------------------------------------------------------------------------------
1 | # Test of different timestamp formats: epochInSec, epochInMs, and windowsEpoch.
2 | #
3 | # More information:
4 | # * https://groups.google.com/forum/#!topic/megatron-hacking/YEqw6Ux_RVA
5 | # * http://www.epochconverter.com/
6 | #
7 | # Test file: epoch-test.log
8 |
9 | decorator.classNames.0=
10 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
11 |
12 | # epochInSec (e.g. 1263002826)
13 | #filter.regExpLineFilter.includeRegExp=^\d{10}\s+.*
14 | #parser.timestampFormat=epochInSec
15 | #parser.item.logTimestamp=\d+
16 | #parser.lineRegExp=^$logTimestamp\s+$ipAddress
17 |
18 | # epochInMs (e.g. 1263002826000)
19 | #filter.regExpLineFilter.includeRegExp=^\d{13}\s+.*
20 | #parser.timestampFormat=epochInMs
21 | #parser.item.logTimestamp=\d+
22 | #parser.lineRegExp=^$logTimestamp\s+$ipAddress
23 |
24 | # windowsEpoch (e.g. 130426376470000000)
25 | filter.regExpLineFilter.includeRegExp=^\d{18}\s+.*
26 | parser.timestampFormat=windowsEpoch
27 | parser.item.logTimestamp=\d+
28 | parser.lineRegExp=^$logTimestamp\s+$ipAddress
29 |
--------------------------------------------------------------------------------
/conf/job-type/ikyon.properties:
--------------------------------------------------------------------------------
1 | # Config for Ikyon files: http://sakrare.ikyon.se/?cert=true
2 | #
3 | # Format:
4 | # Type, First seen (UTC), Last checked or active (UTC), Active? (true|false), IP address, ASN, URL, Port, Abuse addresses (separated by space), Log URL
5 | #
6 | # Example lines:
7 | # "Serp-hijacking","2012-03-22 05:45:53","2012-03-22 06:40:21","false","212.97.132.133","AS9120","http://swebook.se/","80","abuse@surf-town.net","http://sakrare.ikyon.se/log.php?id=30393"
8 | # "Malware","2012-03-20 05:59:15","2012-03-22 08:40:50","true","178.21.72.133","AS41175","http://tjusttak.se/","80","abuse@admax.se","http://sakrare.ikyon.se/log.php?id=30213"
9 | #
10 | # Expanded reg-exp:
11 | # ^"(.+?)","(.+?)","(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})","(.+?)","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)","AS(\d*)","(.*)","(\d*)",".+?",".+?"
12 | #
13 | # Test file: ikyon.log
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
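18 | # Filter out old entries by diffing file in previous job. Note: the key is fileProcessor.className (singular, as in every other job type that uses DiffProcessor); the classNames.0 form is the filter/decorator convention and is presumably not read for fileProcessor, in which case no diffing happens and every entry is re-reported on each run -- confirm against the config loader.
19 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor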
20 |
21 | # Exclude first line
22 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
23 | filter.lineNumberFilter.excludeIntervals=1-1
24 |
25 | # Example: 2012-03-22 05:45:53
26 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
27 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
28 |
29 | # Additional items
30 | parser.item.additionalItem.type=.+?
31 | parser.item.additionalItem.firstSeen=.+?
32 | parser.item.additionalItem.active=.+?
33 |
34 | # Ignore abuse address, Ikyon URL
35 | parser.lineRegExp=^"$additionalItem_type","$additionalItem_firstSeen","$logTimestamp","$additionalItem_active","$ipAddress","AS$asn","$url","$port",".+?",".+?"
36 |
37 | # Mail templates
38 | # TODO
39 | #mail.headerFile=ikyon_header.txt
40 | #mail.rowFile=ikyon_row.txt
41 |
--------------------------------------------------------------------------------
/conf/job-type/infiltrated-net-blacklist.properties:
--------------------------------------------------------------------------------
1 | # Config file for blacklist maintained by Jesus Oquendo: http://www.infiltrated.net/blacklisted
2 | #
3 | # Example lines:
4 | # 98.142.221.10
5 | # 98.142.215.184 AS14141
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|).*
9 | #
10 | # Test file: infiltrated-net-blacklist.log
11 |
12 | # Skip file if same as previous file
13 | general.fileAlreadyProcessedAction=skip
14 |
15 | # Filter out old entries by diffing file in previous job
16 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
17 |
18 | # Filter out header and comments
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
20 | filter.regExpLineFilter.excludeRegExp=^#
21 |
22 | # Filter: keep IPs that match an organization in contact-db plus Swedish IPs.
23 | # Note: Entries are decorated *after* filter (too many foreign IPs to do reverse lookup for).
24 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
25 | filter.organizationFilter.matchIpAddress=true
26 | filter.organizationFilter.matchHostname=false
27 | filter.organizationFilter.matchAsn=false
28 | filter.countryCodeFilter.includeCountryCodes=SE, NU
29 |
30 | # Line expression. Ignore ASN.
31 | parser.lineRegExp=^$ipAddress.*
32 |
33 | # TODO
34 | # Mail templates
35 | #mail.headerFile=infiltrated-net-blacklist_header.txt
36 | #mail.rowFile=infiltrated-net-blacklist_row.txt
37 |
--------------------------------------------------------------------------------
/conf/job-type/inteco-cert-fast-flux-old.properties:
--------------------------------------------------------------------------------
1 | # Config for INTECO-CERTs fast flux reports.
2 | #
3 | # Format:
4 | # [Timestamp] [IP] [Domain] [ASN] [Country] [AS_Name]
5 | #
6 | # Timestamp format is dd/mm/yyyy hh:mm:ss GMT+1**
7 | #
8 | # Example lines:
9 | # 19/1/2010 2:10:31 85.228.196.78 cycloro.com 2119 SE TELENOR-NEXTEL Telenor Business Solutions AS
10 | # 19/1/2010 1:52:23 130.235.244.112 frostep.com 2846 SE SUNET-LU
11 | #
12 | # Expanded reg-exp:
13 | # ^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2})\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+([^\s]+)\s+(\d*)\s+(\w{0,2})\s+.+
14 | #
15 | # Test file: intego-cert-fast-flux.log
16 |
17 | # Timestamp: 19/1/2010 2:10:31 (in GMT+01)
18 | parser.item.logTimestamp=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
19 | parser.timestampFormat=dd/MM/yyyy HH:mm:ss
20 | parser.defaultTimeZone=GMT+01:00
21 |
22 | # Additional items
23 | parser.item.additionalItem.fastFluxDomain=[^\s]+
24 |
25 | # Line expression
26 | parser.lineRegExp=^$logTimestamp\s+$ipAddress\s+$additionalItem_fastFluxDomain\s+$asn\s+$countryCode\s+.+
27 |
--------------------------------------------------------------------------------
/conf/job-type/inteco-cert-fast-flux.properties:
--------------------------------------------------------------------------------
1 | # Config for INTECO-CERTs fast flux reports.
2 | #
3 | # Format:
4 | # [Timestamp] [IP] [Domain] [Country] [ASN]
5 | # Separator: tab
6 | #
7 | # Timestamp format is dd/mm/yyyy hh:mm:ss GMT+1**
8 | #
9 | # Example lines:
10 | # 11/11/2010 16:56:27 81.228.148.241 chatting4free.com SE AS3301
11 | # 11/08/2010 07:01:02 85.228.105.145 bilreal.com SE AS2119
12 | #
13 | # Expanded reg-exp:
14 | # ^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2})\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+([^\s]+)\s+(\w{0,2})\s+AS(\d*)
15 | #
16 | # Test file: intego-cert-fast-flux.log
17 |
18 | # Timestamp: 19/1/2010 2:10:31 (in GMT+01)
19 | parser.item.logTimestamp=\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
20 | parser.timestampFormat=dd/MM/yyyy HH:mm:ss
21 | parser.defaultTimeZone=GMT+01:00
22 |
23 | # Additional items
24 | parser.item.additionalItem.fastFluxDomain=[^\s]+
25 |
26 | # Line expression
27 | parser.lineRegExp=^$logTimestamp\s+$ipAddress\s+$additionalItem_fastFluxDomain\s+$countryCode\s+AS$asn
28 |
29 | # TODO
30 | # Mail templates
31 | # mail.headerFile=inteco-cert-fast-flux_header.txt
32 | # mail.rowFile=inteco-cert-fast-flux_row.txt
33 |
--------------------------------------------------------------------------------
/conf/job-type/ip-flowing-fast.properties:
--------------------------------------------------------------------------------
1 | # As "ip-flowing.properties", but without DNS lookups and organization matching.
2 | # Will output IP address, ASN, AS name, and country code.
3 | #
4 | # Example line:
5 | # 193.44.6.118 | 193.44.6.134 | 192.44.242.18 | 192.44.243.18
6 | #
7 | # Expanded reg-exp:
8 | # (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
9 |
10 | # Split line; one line for each IP address entry. Test file: multiple-ips-per-line.log
11 | lineProcessor.className=se.sitic.megatron.lineprocessor.LineSplitter
12 | lineProcessor.splitter.itemRegExp=.*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
13 |
14 | # Split line; one line for each IP address entry. Test file: multiple-ips-per-line2.log
15 | #lineProcessor.className=se.sitic.megatron.lineprocessor.LineSplitter
16 | #lineProcessor.splitter.separatorRegExp=\t
17 |
18 | # Adds ASN + CC
19 | decorator.classNames.0=se.sitic.megatron.decorator.AsnGeoIpDecorator
20 | decorator.classNames.1=se.sitic.megatron.decorator.CountryCodeDecorator
21 |
22 | # No organization matching
23 | filter.organizationFilter.matchIpAddress=false
24 | filter.organizationFilter.matchHostname=false
25 | filter.organizationFilter.matchAsn=false
26 |
27 | # Add AS number and name as additional items
28 | decorator.asnGeoIpDecorator.useAsnInLogEntry=false
29 | decorator.asnGeoIpDecorator.addAsName=true
30 |
31 | # The definition in the globals properties allows an empty value, which does not work
32 | # if spaces exist before or after the IP address.
33 | parser.item.ipAddress=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
34 |
35 | # Line expression
36 | parser.lineRegExp=$ipAddress
37 |
38 | # Export
39 | export.headerFile=whois-short_header.txt
40 | export.rowFile=whois-short_row.txt
41 |
--------------------------------------------------------------------------------
/conf/job-type/malc0de.properties:
--------------------------------------------------------------------------------
1 | # Config file for malc0de files in CSV-format.
2 | # URL:
3 | # - http://malc0de.com/database/?&page=
4 | # - http://malc0de.com/database/index.php?search=SE&CC=on
5 | #
6 | # Example:
7 | # 2011-01-17,www.parkour.reunis.fr/xx.exe,88.191.227.212
8 | # 2011-01-17,http://www.zuihouyi.com/l/setup4.exe,58.55.127.16
9 | #
10 | # Expanded regexp:
11 | # ^(\d{4}-\d{2}-\d{2}),(.+),(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)
12 |
13 |
14 | # Filter out old entries by diffing file in previous job
15 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
16 |
17 | # Skip file if same as previous file
18 | general.fileAlreadyProcessedAction=skip
19 |
20 | # Extract hostname from URL, and then add IP, ASN, and country code.
21 | decorator.classNames.0=se.sitic.megatron.decorator.UrlToHostnameDecorator
22 | decorator.classNames.1=se.sitic.megatron.decorator.CombinedDecorator
23 |
24 | # Filter: Entries are decorated *before* filter.
25 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
26 | filter.organizationFilter.matchIpAddress=true
27 | filter.organizationFilter.matchHostname=true
28 | filter.organizationFilter.matchAsn=true
29 | filter.countryCodeFilter.includeCountryCodes=SE, NU
30 |
31 | # Date format
32 | # Example: 2011-01-17
33 | parser.timestampFormat=yyyy-MM-dd
34 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2}
35 |
36 | # The URL-field
37 | parser.item.url=.+
38 |
39 | parser.lineRegExp=^$logTimestamp,$url,$ipAddress
40 |
41 | # Lower notification threshold; send notification email for all saved entries.
42 | general.highPriorityNotification.threshold=10
43 |
44 | # TODO
45 | # Mail templates
46 | # mail.headerFile=malc0de_header.txt
47 | # mail.rowFile=malc0de_row.txt
48 |
--------------------------------------------------------------------------------
/conf/job-type/rbl-bogusmx.properties:
--------------------------------------------------------------------------------
1 | # Handles a bogusmx file from rfc-ignorant.org (source URL lost in this copy; see test file below).
2 | #
3 | # Example line:
4 | #-nscd.fresserve.co.uk IN A 127.0.0.8
5 | # IN TXT "Domain has demonstrably bogus MX records"
6 | #
7 | # Expanded reg-exp: ^(.*)\s+?IN A.*?IN TXT "(.*)"
8 | #
9 | # Test file: bogusmx.rfc-ignorant.org.log
10 |
11 | # Merge line
12 | lineProcessor.className=se.sitic.megatron.lineprocessor.LineMerger
13 | lineProcessor.merger.startRegExp=^.*?\s+?IN A\s+?127\.
14 | lineProcessor.merger.endRegExp=^\s+?IN TXT "
15 |
16 | # Filter: keep only valid lines
17 | filter.preParser.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
18 | filter.regExpLineFilter.includeRegExp=^(.*)\s+?IN A.*?IN TXT "
19 |
20 | parser.item.freeText.0=.*
21 | parser.lineRegExp=^$hostname\s+?IN A.*?IN TXT "$freeText0"
22 |
23 | # Mail templates
24 | mail.headerFile=rbl_header.txt
25 | mail.rowFile=rbl_row.txt
26 |
--------------------------------------------------------------------------------
/conf/job-type/rbl-fulldom.properties:
--------------------------------------------------------------------------------
1 | # Handles a fulldom file from rfc-ignorant.org (source URL lost in this copy; see test file below).
2 | #
3 | # Example line:
4 | # 0-cash.com IN A 127.0.0.5
5 | # IN TXT "Inaccurate or missing WHOIS data"
6 | #
7 | # Expanded reg-exp: ^(.*)\s+?IN A.*?IN TXT "(.*)"
8 | #
9 | # Test file: fulldom.rfc-ignorant.org.log
10 |
11 | # Merge line
12 | lineProcessor.className=se.sitic.megatron.lineprocessor.LineMerger
13 | lineProcessor.merger.startRegExp=^.*?\s+?IN A\s+?127\.
14 | lineProcessor.merger.endRegExp=^\s+?IN TXT "
15 |
16 | # Filter: keep only valid lines. Excludes hostnames that start with "*".
17 | filter.preParser.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
18 | filter.regExpLineFilter.includeRegExp=^[^\*]+?\s+?IN A.*?IN TXT "
19 |
20 | parser.item.freeText.0=.*
21 | parser.lineRegExp=^$hostname\s+?IN A.*?IN TXT "$freeText0"
22 |
23 | # Mail templates
24 | mail.headerFile=rbl_header.txt
25 | mail.rowFile=rbl_row.txt
26 |
--------------------------------------------------------------------------------
/conf/job-type/rbl-hostname.properties:
--------------------------------------------------------------------------------
1 | # Handles an RBL file with hostnames or domain names. File contains new and
2 | # existing entries, which DiffProcessor takes care of.
3 | #
4 | # Example lines:
5 | # 11.136.139.231.webkrew.com
6 | # 5starwebs.com
7 | # .sitic.se
8 | # *.sitic.se
9 | #
10 | # Expanded reg-exp: ^\s*(?:\*\.|\.){0,1}((?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,10})(?: .*|)
11 | #
12 | # Test file: rbl-hostname.log
13 |
14 | # Filter out old entries by diffing file in previous job
15 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
16 |
17 | # Skip file if same as previous file
18 | general.fileAlreadyProcessedAction=skip
19 |
20 | # Filter out header, comments, and invalid names that end with a dot.
21 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
22 | filter.regExpLineFilter.excludeRegExp=^#|^\$|^\!|^\:|^127\.0\.0\.|\.$
23 |
24 | # Filter: keep entries that match an organization in contact-db plus Swedish entries.
25 | # Note: Entries are decorated *after* filter.
26 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
27 | filter.organizationFilter.matchIpAddress=false
28 | filter.organizationFilter.matchHostname=true
29 | filter.organizationFilter.matchAsn=false
30 | filter.countryCodeFilter.includeCountryCodes=SE, NU
31 |
32 | # Spamhaus DBL contains many invalid hostnames
33 | parser.maxNoOfParseErrors=400
34 |
35 | # Valid letters in a hostname: a..z, A..Z, 0..9, -
36 | parser.item.hostname=(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,10}
37 |
38 | # Line expression
39 | parser.lineRegExp=^\s*(?:\*\.|\.){0,1}$hostname(?: .*|)
40 |
41 | # Mail templates
42 | mail.headerFile=rbl_header.txt
43 | mail.rowFile=rbl-hostname_row.txt
44 |
--------------------------------------------------------------------------------
/conf/job-type/rbl-ip-range.properties:
--------------------------------------------------------------------------------
1 | # Handles a RBL file with IP ranges. File contains new and existing entries,
2 | # which DiffProcessor takes care of.
3 | #
4 | # Example lines:
5 | # 41.205.145.0/24
6 | # 89.21.132.22
7 | # 201.47.239.101-201.47.239.150
8 | # 201.47.239.200-220
9 | #
10 | # Expanded reg-exp:
11 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:-\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|-\d{1,3}|/\d{1,2}){0,1})(?: .*|)
12 | #
13 | # Test file:
14 | # rbl-ip-range.log
15 |
16 | # Filter out old entries by diffing file in previous job
17 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
18 |
19 | # Skip file if same as previous file
20 | general.fileAlreadyProcessedAction=skip
21 |
22 | # Filter out header and comments
23 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
24 | filter.regExpLineFilter.excludeRegExp=^#|^\$|^\!|^\:|^127\.0\.0\.
25 |
26 | # Filter: keep IPs that match an organization in contact-db plus Swedish IPs.
27 | # Note: Entries are decorated *after* filter.
28 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
29 | filter.organizationFilter.matchIpAddress=true
30 | filter.organizationFilter.matchHostname=false
31 | filter.organizationFilter.matchAsn=false
32 | filter.countryCodeFilter.includeCountryCodes=SE, NU
33 |
34 | # Line expression
35 | parser.lineRegExp=^$ipRange(?: .*|)
36 |
37 | # Mail templates
38 | mail.headerFile=rbl_header.txt
39 | mail.rowFile=rbl_row.txt
40 |
--------------------------------------------------------------------------------
/conf/job-type/report-geolocation.properties:
--------------------------------------------------------------------------------
1 | # Config for geolocation XML and JSON reports, which are generated by using
2 | # the "--create-xml" switch. See GeolocationXmlReportGenerator and
3 | # GeolocationJsonReportGenerator for more information.
4 |
5 | # No. of weeks in reports
6 | report.geolocation.noOfWeeks=4
7 |
8 | # Generate internal report with e.g. IP addresses?
9 | report.geolocation.generateInternalReport=true
10 |
11 | # Comma separated list of jobs to exclude (use value in "job_type.name").
12 | report.geolocation.jobTypeKillList=default,ip-flowing,compromised-accounts
13 |
14 | # Comma separated list of organization types to exclude (use value in "prio.name").
15 | report.geolocation.organizationTypeKillList=Sitic, Parkerad med ingen prio, Diverse intressenter
16 |
17 | # Number of entries in the city report
18 | report.geolocation.noOfEntriesInCityReport=20
19 |
20 | # Converts organization type names
21 | report.geolocation.organizationTypeNameMapper.0=-=Övrig
22 | report.geolocation.organizationTypeNameMapper.1=Avsiktsförklarad intressent=Intressent till CERT-SE
23 |
24 | # Filter out all non SE entries
25 | geoIp.useCityDatabaseForCountryLookups=true
26 | filter.countryCodeFilter.includeCountryCodes=SE
27 |
28 | # Fields to add for GeoIP City-db lookup
29 | decorator.geolocationDecorator.fieldsToAdd=latitude, longitude, city
30 |
31 | # Result file charset
32 | export.charSet=UTF-8
33 |
34 | # Timestamp format in the result file
35 | export.timestampFormat=yyyy-MM-dd HH:mm:ss z
36 |
37 | # Note: Template filenames are hardcoded in the code.
38 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-chargen.properties:
--------------------------------------------------------------------------------
1 | # Config file for the Shadowserver CharGen report:
2 | # https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Chargen
3 | #
4 | # Example line:
5 | # "timestamp","ip","protocol","port","hostname","tag","size","asn","geo","region","city"
6 | # "2014-04-02 04:17:18","195.198.221.244","udp",19,"195-198-221-244.customer.telia.com","chargen",,3301,"SE","KRONOBERGS LAN","LESSEBO"
7 | #
8 | # Expanded reg-exp:
9 | # ^"(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(?:".*?"|""|),(\d*|""|),(".*?"|""|),(?:".*?"|""|),(\d*|),(\d*|""),"(\w{0,2})",(?:".*?"|""|),(?:".*?"|""|)
10 | #
11 | # Test file: 2014-04-02-chargen-report-se.log
12 |
13 | # Exclude first line
14 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
15 | filter.lineNumberFilter.excludeIntervals=1-1
16 |
17 | # IP, ASN and country code already exist in the file. Add hostname when missing.
18 | decorator.classNames.0=se.sitic.megatron.decorator.HostnameDecorator
19 |
20 | # Timestamp: 2014-04-02 04:17:18 (utc)
21 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
22 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
23 |
24 | # Remove enclosing "", e.g. from hostname.
25 | parser.removeEnclosingCharsFromValue="
26 |
27 | # ASN and port may be an integer or ""
28 | parser.item.asn=\d*|""
29 | parser.item.port=\d*|""|
30 |
31 | # Hostname may be a string, "", or empty
32 | parser.item.hostname=".*?"|""|
33 |
34 | # Size of result, e.g. "8473".
35 | parser.item.additionalItem.size=\d*|
36 |
37 | # Skips the following fields: protocol, tag, region, and city.
38 | parser.lineRegExp=^"$logTimestamp","$ipAddress",(?:".*?"|""|),$port,$hostname,(?:".*?"|""|),$additionalItem_size,$asn,"$countryCode",(?:".*?"|""|),(?:".*?"|""|)
39 |
40 | # Mail templates
41 | mail.headerFile=shadowserver-chargen_header.txt
42 | mail.rowFile=shadowserver_row.txt
43 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-conficker-http-drone.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-conficker-http-drone jobs.
2 | #
3 | # Example line:
4 | # "Drone","ASN","Geo","HTTP Cmd","HTTP Agent","Type","TOR"
5 | # "62.13.8.194",8434,"SE","GET http://205.188.161.4/search?q=286 HTTP/1.1","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727)","B",0
6 | #
7 | # Expanded reg-exp:
8 | # ^"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*),"(\w{0,2})",".*",".*",".*",\d
9 | #
10 | # Test file: 2009-12-22-conficker-http-drone-report-se.log
11 | #
12 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Conficker-Drone
13 |
14 | # Exclude first line
15 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
16 | filter.lineNumberFilter.excludeIntervals=1-1
17 |
18 | # IP, ASN and country code already exist in the file, but not the hostname.
19 | decorator.classNames.0=se.sitic.megatron.decorator.HostnameDecorator
20 |
21 | # Skips the following fields: HTTP Cmd, HTTP Agent, Type, TOR
22 | parser.lineRegExp=^"$ipAddress",$asn,"$countryCode",".*",".*",".*",\d
23 |
24 | # Mail templates
25 | mail.headerFile=shadowserver-conficker-http-drone_header.txt
26 | mail.rowFile=shadowserver-conficker_row.txt
27 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-ddos.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-ddos jobs.
2 | #
3 | # Example line:
4 | # "Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS","Channel","Command","TGT","TGT ASN","TGT Geo","TGT DNS"
5 | # "2009-03-23","00:06:14","58.140.106.232",7777,10036,"KR","","##akill##",".ddos.udpflood","62.116.241.32",16117,"SE",""
6 | #
7 | # Expanded reg-exp:
8 | # ^("\d{4}-\d{2}-\d{2}","\d{1,2}:\d{2}:\d{2}"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),(\d*|""),"(\w{0,2})","(.*)","(.*?)","(.*?)","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),"(\w{0,2})","(.*)"
9 | #
10 | # Test file: 2009-03-23-ddos-report-se.log
11 | #
12 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports
13 |
14 | # Exclude first line
15 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
16 | filter.lineNumberFilter.excludeIntervals=1-1
17 |
18 | # IP, ASN and country code exist already in the file, but the hostname is sometimes missing.
19 | decorator.classNames.0=se.sitic.megatron.decorator.HostnameDecorator
20 |
21 | # Example: "2009-03-23","00:06:14"
22 | parser.timestampFormat="yyyy-MM-dd","HH:mm:ss"
23 |
24 | parser.item.logTimestamp="\d{4}-\d{2}-\d{2}","\d{1,2}:\d{2}:\d{2}"
25 | # ASN and port may be an integer or ""
26 | parser.item.asn=\d*|""
27 | parser.item.asn2=\d*|""
28 | parser.item.port=\d*|""
29 | # Additional item
30 | parser.item.additionalItem.ircChannel=.*?
31 | parser.item.additionalItem.command=.*?
32 |
33 | parser.lineRegExp=^$logTimestamp,"$ipAddress",$port,$asn,"$countryCode","$hostname","$additionalItem_ircChannel","$additionalItem_command","$ipAddress2",$asn2,"$countryCode2","$hostname2"
34 |
35 | # Mail templates
36 | mail.headerFile=shadowserver-ddos_header.txt
37 | mail.rowFile=shadowserver_row.txt
38 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-drone.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-drone jobs.
2 | #
3 | # Example line:
4 | # "Timestamp","Drone","ASN","Geo","Hostname","RBL","C&C","C&C ASN","C&C Geo","C&C DNS","C&C Port","Infection"
5 | # "2009-06-08 01:36:06","85.227.202.199",2119,"SE","85.227.202.199","","69.16.172.40",12989,"US","irc.undernet.org",6667,""
6 | #
7 | # Expanded reg-exp:
8 | # ^"(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),"(\w{0,2})","(.*)","(.*?)","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),"(\w{0,2})","(.*)",(\d*),"(.*?)"
9 | #
10 | # Test file: 2009-06-08-drone-report-se.log
11 | #
12 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports
13 |
14 | # Exclude first line
15 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
16 | filter.lineNumberFilter.excludeIntervals=1-1
17 |
18 | # IP, ASN and country code exist already in the file, but the hostname is sometimes missing.
19 | decorator.classNames.0=se.sitic.megatron.decorator.HostnameDecorator
20 |
21 | # Example: 2009-06-08 01:36:06
22 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
23 |
24 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
25 | parser.item.additionalItem.rbl=.*?
26 | parser.item.additionalItem.infection=.*?
27 | # ASN may be an integer or ""
28 | parser.item.asn=\d*|""
29 | parser.item.asn2=\d*|""
30 |
31 | parser.lineRegExp=^"$logTimestamp","$ipAddress",$asn,"$countryCode","$hostname","$additionalItem_rbl","$ipAddress2",$asn2,"$countryCode2","$hostname2",$port2,"$additionalItem_infection"
32 |
33 | # Mail templates
34 | mail.headerFile=shadowserver-drone_header.txt
35 | mail.rowFile=shadowserver-drone_row.txt
36 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-proxy.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-proxy jobs.
2 | #
3 | # Example line:
4 | # "Date","PXY","PXY ASN","PXY Geo","PXY Port","PXY DNS","RBL","Type","Count","Test","Password","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS"
5 | # "2010-01-17 17:26:00","85.230.254.68",2119,"SE",11825,"c-44fee655.18-6-64736c10.cust.bredbandsbolaget.se","","SOCKS5",1,"Proactive Open Proxy Monitor","","0.0.0.0",0,"","",""
6 | #
7 | # Expanded reg-exp:
8 | # ^"(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2})","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),"(\w{0,2})",(\d*|""),"(.*)",".*",".*",\d,".*",".*","(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*|""),(\d*|""),"(\w{0,2})","(.*)"
9 | #
10 | # Test file: 2010-01-17-proxy-report-se.log
11 | #
12 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Proxy
13 |
14 | # Exclude first line
15 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
16 | filter.lineNumberFilter.excludeIntervals=1-1
17 |
18 | # IP, ASN, country code, and hostname exist already in the file.
19 | #decorator.classNames.0=se.sitic.megatron.decorator.HostnameDecorator
20 | decorator.classNames.0=
21 |
22 | # Timestamp: 2010-01-17 17:26:00
23 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
24 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
25 |
26 | # ASN and port may be an integer or ""
27 | parser.item.asn=\d*|""
28 | parser.item.asn2=\d*|""
29 | parser.item.port=\d*|""
30 | parser.item.port2=\d*|""
31 |
32 | # Skips the following fields: "RBL","Type","Count","Test","Password"
33 | parser.lineRegExp=^"$logTimestamp","$ipAddress",$asn,"$countryCode",$port,"$hostname",".*",".*",\d,".*",".*","$ipAddress2",$port2,$asn2,"$countryCode2","$hostname2"
34 |
35 | # Mail templates
36 | mail.headerFile=shadowserver-proxy_header.txt
37 | mail.rowFile=shadowserver_row.txt
38 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-sandbox-url.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-sandbox-url jobs.
2 | #
3 | # This config file illustrates how to use UrlToHostnameDecorator, which sets the
4 | # hostname field from a URL. The Shadowserver file contains a "host" field,
5 | # making the use of UrlToHostnameDecorator unnecessary. But in many other cases
6 | # only a URL is available.
7 | #
8 | # Example line:
9 | # "md5hash","url","asn","geo","user_agent","host","method"
10 | # "01d5815222d173c6f4fd4a3309044494","http://kavkaz.tv/",33837,"SE","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)","kavkaz.tv","get"
11 | #
12 | # Expanded reg-exp: ^".*","(.*)",(\d*|""),"(\w{0,2})",".*",".*",".*"
13 | #
14 | # Test file: 2010-01-20-sandbox-url-report-se.log
15 | #
16 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Sandbox-URL
17 |
18 | # Exclude first line
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
20 | filter.lineNumberFilter.excludeIntervals=1-1
21 |
22 | # Extract hostname from URL, and then add IP, ASN, and country code if missing.
23 | decorator.classNames.0=se.sitic.megatron.decorator.UrlToHostnameDecorator
24 | decorator.classNames.1=se.sitic.megatron.decorator.CombinedDecorator
25 |
26 | # ASN may be an integer or ""
27 | parser.item.asn=\d*|""
28 |
29 | # Skips the following fields: "md5hash","user_agent","host","method"
30 | parser.lineRegExp=^".*","$url",$asn,"$countryCode",".*",".*",".*"
31 |
32 | # Test: parse only URL and let decorators add IP, ASN, and country code.
33 | #parser.lineRegExp=^".*","$url",(?:\d*|""),".*",".*",".*",".*"
34 |
35 | # Mail templates
36 | # TODO Write mail templates
37 |
--------------------------------------------------------------------------------
/conf/job-type/shadowserver-scan.properties:
--------------------------------------------------------------------------------
1 | # Config file for shadowserver-scan jobs.
2 | #
3 | # This Shadowserver file lists an IP range that has been scanned by a botnet.
4 | # The primary organisation is the scanned victim and the secondary organisation
5 | # is the C&C server.
6 | #
7 | # Example line:
8 | # "Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","Channel","TGT","TGT ASN","TGT Geo","Command"
9 | # "2008-07-13","19:52:00","208.98.63.145",1863,30058,"US","#.wanous.#","213.46.x.x",6830,"NL","!advscan"
10 | #
11 | # Expanded reg-exp:
12 | # ^("\d{4}-\d{2}-\d{2}","\d{1,2}:\d{2}:\d{2}"),"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)",(\d*),(\d*|""),"(\w{0,2})",".*","(\d{1,3}\.(?:\d{1,3}|[xX])\.(?:\d{1,3}|[xX])\.(?:\d{1,3}|[xX])(?:-\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|-\d{1,3}|/\d{1,2}){0,1})",(\d*|""),"(\w{0,2})",".*"
13 | #
14 | # Test file: 2009-11-29-scan-report-nl.log
15 | #
16 | # More info: http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Scan
17 |
18 | # Exclude first line
19 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.LineNumberFilter
20 | filter.lineNumberFilter.excludeIntervals=1-1
21 |
22 | # Wildcard zero octets exist in the file, e.g. "202.131.0.0" will be expanded to "202.131.0.0/16".
23 | parser.expandIpRangeWithZeroOctets=true
24 |
25 | # Timestamp: "2008-07-13","19:52:00"
26 | parser.timestampFormat="yyyy-MM-dd","HH:mm:ss"
27 | parser.item.logTimestamp="\d{4}-\d{2}-\d{2}","\d{1,2}:\d{2}:\d{2}"
28 |
29 | # ASN and port may be an integer or ""
30 | parser.item.asn=\d*|""
31 | parser.item.asn2=\d*|""
32 | parser.item.port=\d*|""
33 |
34 | # Skips the following fields: "Channel", "Command"
35 | parser.lineRegExp=^$logTimestamp,"$ipAddress2",$port2,$asn2,"$countryCode2",".*","$ipRange",$asn,"$countryCode",".*"
36 |
37 | # Mail templates
38 | # TODO Write mail templates
39 |
--------------------------------------------------------------------------------
/conf/job-type/sshbl.properties:
--------------------------------------------------------------------------------
1 | # Handles the SSH black list from sshbl.org: http://www.sshbl.org/lists/date.txt
2 | # URL moved: http://www.openbl.org/lists/date.txt
3 | # File contains new and existing entries, which DiffProcessor takes care of.
4 | #
5 | # Example lines:
6 | # # source ip date
7 | # 219.148.37.154 1263250024
8 | #
9 | # Expanded reg-exp:
10 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+\d+
11 | #
12 | # Test file: sshbl.log
13 |
14 | # Filter out old entries by diffing against the file from the previous job
15 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
16 |
17 | # Skip file if same as previous file
18 | general.fileAlreadyProcessedAction=skip
19 |
20 | # Filter out header and comments
21 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
22 | filter.regExpLineFilter.excludeRegExp=^#
23 |
24 | # Filter: keep IPs that match an organization in the contact DB plus Swedish IPs.
25 | # Note: Entries are decorated *after* filter.
26 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
27 | filter.organizationFilter.matchIpAddress=true
28 | filter.organizationFilter.matchHostname=false
29 | filter.organizationFilter.matchAsn=false
30 | filter.countryCodeFilter.includeCountryCodes=SE, NU
31 |
32 | # Timestamp: 1263002826 (Unix epoch, in seconds)
33 | parser.timestampFormat=epochInSec
34 | parser.item.logTimestamp=\d+
35 |
36 | # Line expression
37 | parser.lineRegExp=^$ipAddress\s+$logTimestamp
38 |
39 | # Mail templates
40 | # TODO Write mail templates
41 |
--------------------------------------------------------------------------------
/conf/job-type/sunet-portscan.properties:
--------------------------------------------------------------------------------
1 | # Config for Sunet portscan reports.
2 | #
3 | # Example lines:
4 | # 190.9.14.45 2010-01-14.21.55.11 139
5 | # 193.128.17.98 2010-01-14.21.01.25 137,139
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+(\d{4}-\d{2}-\d{2}\.\d{1,2}\.\d{2}\.\d{2})\s+([\d,]+)
9 | #
10 | # Test file: sunet-portscan.log
11 |
12 | # Include only scan lines. Format: ip date port(s)
13 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
14 | filter.regExpLineFilter.includeRegExp=^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\d{4}-\d{2}-\d{2}\.\d{1,2}\.\d{2}\.\d{2}\s+[\d,]+
15 |
16 | # Timestamp: 2010-01-14.21.55.11
17 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2}\.\d{1,2}\.\d{2}\.\d{2}
18 | parser.timestampFormat=yyyy-MM-dd.HH.mm.ss
19 |
20 | # Additional items
21 | parser.item.additionalItem.ports=[\d,]+
22 |
23 | # Line expression
24 | parser.lineRegExp=^$ipAddress\s+$logTimestamp\s+$additionalItem_ports
25 |
--------------------------------------------------------------------------------
/conf/job-type/surfcert-ids.properties:
--------------------------------------------------------------------------------
1 | # Config file for reports created by SURFcert IDS: http://ids.surfnet.nl/wiki/doku.php?id=home
2 | #
3 | # Example lines:
4 | # sensor18 189.25.215.234 24-10-2011 06:15:54 http://189.25.215.234:7858/nppjj
5 | # sensor18 189.25.215.234 24-10-2011 06:16:12 3284fad8a6238205829d812a26a608ff
6 | #
7 | # Expanded reg-exp:
8 | # ^sensor\d+\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s+(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+(.*)
9 | #
10 | # Test file: surfcert-ids.log
11 |
12 | # Skip file if same as previous file
13 | general.fileAlreadyProcessedAction=skip
14 |
15 | # No diffing; all files are unique.
16 |
17 | # Filter out header and comments
18 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
19 | filter.regExpLineFilter.includeRegExp=^sensor\d+
20 |
21 | # Filter: Entries are decorated *before* filter.
22 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
23 | filter.organizationFilter.matchIpAddress=true
24 | filter.organizationFilter.matchHostname=true
25 | filter.organizationFilter.matchAsn=true
26 | filter.countryCodeFilter.includeCountryCodes=SE, NU
27 |
28 | # Example: 24-10-2011 06:15:54 (in UTC)
29 | parser.timestampFormat=dd-MM-yyyy HH:mm:ss
30 | parser.item.logTimestamp=\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}
31 |
32 | # Cannot use the URL field in the log entry; the value can be a URL or an MD5 hash.
33 | parser.item.additionalItem.urlOrMd5=.*
34 |
35 | # Line expression. Ignore sensor-id but include url.
36 | parser.lineRegExp=^sensor\d+\s+$ipAddress\s+$logTimestamp\s+$additionalItem_urlOrMd5
37 |
38 | # TODO
39 | # Mail templates
40 | #mail.headerFile=surfcert-ids_header.txt
41 | #mail.rowFile=surfcert-ids_row.txt
42 |
--------------------------------------------------------------------------------
/conf/job-type/syslog-ip-plus-host.properties:
--------------------------------------------------------------------------------
1 | # Handles a syslog file with an optional field (hostname).
2 | #
3 | # Example lines:
4 | # Aug 28 00:49:06 ns2 rc.honeypot.pl[997]: honeypot connect [122.139.20.241]
5 | # Aug 28 00:49:08 ns2 rc.honeypot.pl[997]: honeypot connect pool-96-250-175-217.nycmny.fios.verizon.net [96.250.175.217]
6 | #
7 | # Expanded reg-exp:
8 | # ^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d).*?connect ([^\s\[]* |)\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\]
9 | #
10 | # Test file:
11 | # syslog-ip-plus-host.log
12 |
13 | # Filter out syslog comment
14 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
15 | filter.regExpLineFilter.excludeRegExp=last message repeated
16 |
17 | # Timestamp: Aug 28 00:49:06
18 | parser.item.logTimestamp=\w{3}\s+\d{1,2} \d\d:\d\d:\d\d
19 | parser.timestampFormat=MMM dd HH:mm:ss
20 | #parser.defaultTimeZone=CEST
21 |
22 | # No DNS lookups; hostname and IP exist already in the file.
23 | decorator.classNames.0=se.sitic.megatron.decorator.CountryCodeFromHostnameDecorator
24 | decorator.classNames.1=se.sitic.megatron.decorator.CountryCodeDecorator
25 | decorator.classNames.2=se.sitic.megatron.decorator.AsnDecorator
26 |
27 | # Hostname is optional (may be empty). It contains no space and no "[".
28 | parser.item.hostname=[^\s\[]* |
29 |
30 | # Remove space from hostname
31 | parser.trimValue=true
32 |
33 | # Remove trailing spaces
34 | parser.removeTrailingSpaces=true
35 |
36 | # Line expression
37 | parser.lineRegExp=^$logTimestamp.*?connect $hostname\[$ipAddress\]
38 |
--------------------------------------------------------------------------------
/conf/job-type/timestamp-plus-ip.properties:
--------------------------------------------------------------------------------
1 | # Log file with time-stamp plus ip-address (one log entry per line).
2 | #
3 | # Example line:
4 | # 2009-04-24 21:01:01 194.103.189.24
5 | #
6 | # Expanded reg-exp:
7 | # ^(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}) (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$
8 |
9 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
10 |
11 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
12 |
13 | parser.lineRegExp=^$logTimestamp $ipAddress$
14 |
--------------------------------------------------------------------------------
/conf/job-type/turk-h.properties:
--------------------------------------------------------------------------------
1 | # Config file for turk-h files in CSV-format.
2 | # URL: http://www.turk-h.org/onhold/
3 | # The file is downloaded and preprocessed by a Python script.
4 | #
5 | # Example:
6 | # forumstar.net/,http://www.turk-h.org/defacement/view/384383/forumstar.net/
7 | #
8 | # Expanded regexp:
9 | # ^([^,]+),([\w:\.\-/~#]+)
10 |
11 |
12 | # Filter out old entries by diffing against the file from the previous job
13 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
18 | # Extract hostname from URL, and then add IP, ASN, and country code.
19 | decorator.classNames.0=se.sitic.megatron.decorator.UrlToHostnameDecorator
20 | decorator.classNames.1=se.sitic.megatron.decorator.CombinedDecorator
21 |
22 | # Filter: Entries are decorated *before* filter.
23 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
24 | filter.organizationFilter.matchIpAddress=true
25 | filter.organizationFilter.matchHostname=true
26 | filter.organizationFilter.matchAsn=true
27 | filter.countryCodeFilter.includeCountryCodes=SE, NU
28 |
29 | # The URL field usually contains just a hostname, but sometimes a trailing slash is present, e.g. "unicorn33.com/".
30 | # Uses UrlToHostnameDecorator to extract the hostname.
31 | parser.item.url=[^,]+
32 |
33 | # Additional item, mirror url
34 | parser.item.additionalItem.mirror=[\w:\.\-/~#]+
35 |
36 | parser.lineRegExp=^$url,$additionalItem_mirror
37 |
38 | # Lower notification threshold; send notification email for all saved entries.
39 | general.highPriorityNotification.threshold=10
40 |
41 |
42 | # TODO
43 | # Mail templates
44 | # mail.headerFile=turk-h_header.txt
45 | # mail.rowFile=turk-h_row.txt
46 |
--------------------------------------------------------------------------------
/conf/job-type/vs-db.properties:
--------------------------------------------------------------------------------
1 | # Config file for vs-db files in CSV-format.
2 | # URL: http://feeds.feedburner.com/VulnerableSitesDatabase?format=xml
3 | # More info: http://www.vs-db.info/
4 | #
5 | # Example:
6 | # Sun, 29 Aug 2010 11:26:35 +0000,www.plr.org,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/yPgflvJq_Sc/
7 | #
8 | # Expanded regexp:
9 | # ^"(\w{3},\s\d{1,2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s[\+|-]\d{4})",([\w\.\-]+),([\w:\.\-/~#]+)
10 |
11 |
12 | # Filter out old entries by diffing against the file from the previous job
13 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
18 | # Add IP, ASN, and country code from hostname.
19 | decorator.classNames.0=se.sitic.megatron.decorator.CombinedDecorator
20 |
21 | # Filter: Entries are decorated *before* filter.
22 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
23 | filter.organizationFilter.matchIpAddress=true
24 | filter.organizationFilter.matchHostname=true
25 | filter.organizationFilter.matchAsn=true
26 | filter.countryCodeFilter.includeCountryCodes=SE, NU
27 |
28 | # Timestamp: Sun, 29 Aug 2010 11:26:35 +0000
29 | parser.item.logTimestamp=\w{3},\s\d{1,2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s[\+|-]\d{4}
30 | parser.timestampFormat=EEE, d MMM yyyy HH:mm:ss Z
31 |
32 | # Hostname
33 | parser.item.hostname=[\w\.\-]+
34 |
35 | # Additional item, mirror url
36 | parser.item.additionalItem.mirror=[\w:\.\-/~#]+
37 |
38 | parser.lineRegExp=^"$logTimestamp",$hostname,$additionalItem_mirror
39 |
40 | # Lower notification threshold; send notification email for all saved entries.
41 | general.highPriorityNotification.threshold=10
42 |
43 |
44 | # TODO
45 | # Mail templates
46 | # mail.headerFile=vs-db_header.txt
47 | # mail.rowFile=vs-db_row.txt
48 |
--------------------------------------------------------------------------------
/conf/job-type/web-apache.properties:
--------------------------------------------------------------------------------
1 | # Config for an Apache web log in syslog format. This config demonstrates how to use additional items.
2 | #
3 | # Example line:
4 | # Jul 4 23:31:07 sweb01 root: 213.100.86.182 - - [04/Jul/2009:23:31:07 +0000] "GET /publikationer/namnvart/skydd-mot-sql-injektion/ HTTP/1.1" 200 26594 "http://www.google.se/search?hl=sv&q=sql+injektioner&btnG=S%C3%B6k&meta=" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)"
5 | #
6 | # Expanded reg-exp:
7 | # ^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} (\w+) root: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) - - \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4})\] "(\w+) (.+?) (.+?)" (\d+) (\d+) "(.+?)" "(.+?)" $
8 | #
9 | # Test file: web-apache-syslog.log
10 |
11 | # Exclude comment line
12 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
13 | filter.regExpLineFilter.excludeRegExp=: logfile turned over$
14 |
15 | # Example: 04/Jul/2009:23:31:07 +0000
16 | parser.timestampFormat=dd/MMM/yyyy:HH:mm:ss Z
17 |
18 | parser.item.ipAddress=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
19 | parser.item.url=.+?
20 | parser.item.logTimestamp=\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}
21 |
22 | parser.item.additionalItem.webServerHost=\w+
23 | parser.item.additionalItem.httpMethod=\w+
24 | parser.item.additionalItem.httpVersion=.+?
25 | parser.item.additionalItem.httpStatusCode=\d+
26 | parser.item.additionalItem.size=\d+
27 | parser.item.additionalItem.referer=.+?
28 | parser.item.additionalItem.userAgent=.+?
29 |
30 | parser.lineRegExp=^\w{3}\s+\d+ \d{2}:\d{2}:\d{2} $additionalItem_webServerHost root: $ipAddress - - \[$logTimestamp\] "$additionalItem_httpMethod $url $additionalItem_httpVersion" $additionalItem_httpStatusCode $additionalItem_size "$additionalItem_referer" "$additionalItem_userAgent" $
31 |
32 | export.rowFile=web-apache_row.txt
33 |
--------------------------------------------------------------------------------
/conf/job-type/whois-cymru-timestamp-test.properties:
--------------------------------------------------------------------------------
1 | # Test of time zones.
2 | #
3 | # Example line:
4 | # 3301 | 193.44.157.68 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:02 CEST | TELIANET-SWEDEN TeliaNet Sweden
5 | #
6 | # Expanded reg-exp:
7 | # ^(\d*)\s*\|\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)\s*\|\s*.+\s*\|\s*(\w{0,2})\s*\|\s*.+\s*\|\s*(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} \S+)\s*\|\s*(.*)$
8 |
9 | # -- Filter comments
10 | # Include only lines that have a valid prefix
11 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
12 | filter.regExpLineFilter.includeRegExp=^\d+\s+\|
13 |
14 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss z
15 |
16 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} \S+
17 | parser.item.freeText.0=.*
18 |
19 | parser.lineRegExp=^$asn\s*\|\s*$ipAddress\s*\|\s*.+\s*\|\s*$countryCode\s*\|\s*.+\s*\|\s*$logTimestamp\s*\|\s*$freeText0$
20 |
21 | export.rowFile=whois_row.txt
22 |
--------------------------------------------------------------------------------
/conf/job-type/whois-cymru-verbose-with-timestamps.properties:
--------------------------------------------------------------------------------
1 | # Verbose whois-format with time-stamps. Used for example by .
2 | # More info: http://www.team-cymru.org/Services/ip-to-asn.html
3 | #
4 | # Example line:
5 | # 3301 | 193.180.228.186 | 193.180.228.0/24 | SE | ripencc | 1993-09-01 | 2009-04-24 13:23:01 GMT | TELIANET-SWEDEN TeliaNet Sweden
6 | #
7 | # Expanded reg-exp:
8 | # ^(\d+)\s*\|\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*\|\s*.+\s*\|\s*(\w{1,2})\s*\|\s*.+\s*\|\s*(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \w{2,3})\s*\|(.*)$
9 | #
10 | # The following fields are ignored: BGP Prefix, Registry, Allocated
11 |
12 | # Exclude comment line
13 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
14 | filter.regExpLineFilter.excludeRegExp=^Bulk mode
15 |
16 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss z
17 |
18 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2} \w{2,3}
19 | parser.item.freeText.0=.*
20 |
21 | parser.lineRegExp=^$asn\s*\|\s*$ipAddress\s*\|\s*.+\s*\|\s*$countryCode\s*\|\s*.+\s*\|\s*$logTimestamp\s*\|\s*$freeText0$
22 |
--------------------------------------------------------------------------------
/conf/job-type/xssed.properties:
--------------------------------------------------------------------------------
1 | # Config file for xssed files in CSV-format.
2 | # URL: http://data.xssed.com/xss.rss
3 | # The file is downloaded and preprocessed by a Python script.
4 | #
5 | # Example:
6 | # "Sun, 24 Oct 2010 21:29:46 +0200",www.velociped.de,http://www.xssed.com/mirror/64288/
7 | #
8 | # Expanded regexp:
9 | # ^"(\w{3},\s\d{1,2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s[\+|-]\d{4})",([\w\.-]+),([\w:\./-~]+)
10 |
11 |
12 | # Filter out old entries by diffing against the file from the previous job
13 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
14 |
15 | # Skip file if same as previous file
16 | general.fileAlreadyProcessedAction=skip
17 |
18 | # Add IP, ASN, and country code from hostname.
19 | decorator.classNames.0=se.sitic.megatron.decorator.CombinedDecorator
20 |
21 | # Filter: Entries are decorated *before* filter.
22 | filter.preStorage.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
23 | filter.organizationFilter.matchIpAddress=true
24 | filter.organizationFilter.matchHostname=true
25 | filter.organizationFilter.matchAsn=true
26 | filter.countryCodeFilter.includeCountryCodes=SE, NU
27 |
28 | # Timestamp: Sun, 24 Oct 2010 22:26:37 +0200
29 | parser.item.logTimestamp=\w{3},\s\d{1,2}\s\w{3}\s\d{4}\s\d{2}:\d{2}:\d{2}\s[\+|-]\d{4}
30 | parser.timestampFormat=EEE, d MMM yyyy HH:mm:ss Z
31 |
32 | # Hostname
33 | parser.item.hostname=[\w\.\-]+
34 |
35 | # Additional item, mirror url
36 | parser.item.additionalItem.mirror=[\w:\.\-/~#]+
37 |
38 | parser.lineRegExp=^"$logTimestamp",$hostname,$additionalItem_mirror
39 |
40 | # Lower notification threshold; send notification email for all saved entries.
41 | general.highPriorityNotification.threshold=10
42 |
43 |
44 | # TODO
45 | # Mail templates
46 | # mail.headerFile=xssed_header.txt
47 | # mail.rowFile=xssed_row.txt
48 |
--------------------------------------------------------------------------------
/conf/job-type/zeustracker-blocklist-domain.properties:
--------------------------------------------------------------------------------
1 | # This configuration handles ZeuS domain blocklist:
2 | # https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
3 | #
4 | # Example line:
5 | # 001.bladespoon.cn
6 | #
7 | # Expanded reg-exp: ^(\S+)(?: .*|)
8 | #
9 | # Test file: test-data/zeustracker-blocklist-domain.log
10 |
11 | # Filter out old entries by diffing against the file from the previous job
12 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
13 |
14 | # Skip file if same as previous file
15 | general.fileAlreadyProcessedAction=skip
16 |
17 | # Filter out header and comments
18 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
19 | filter.regExpLineFilter.excludeRegExp=^#
20 |
21 | # Filter: keep entries whose hostname matches an organization in the contact DB, plus Swedish entries.
22 | # Note: Entries are decorated *after* filter.
23 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
24 | filter.organizationFilter.matchIpAddress=false
25 | filter.organizationFilter.matchHostname=true
26 | filter.organizationFilter.matchAsn=false
27 | filter.countryCodeFilter.includeCountryCodes=SE, NU
28 |
29 | parser.item.hostname=\S+
30 |
31 | # Line expression
32 | parser.lineRegExp=^$hostname(?: .*|)
33 |
34 | # Mail templates
35 | # TODO
36 |
--------------------------------------------------------------------------------
/conf/job-type/zeustracker-blocklist-ip.properties:
--------------------------------------------------------------------------------
1 | # This configuration handles ZeuS IP blocklist:
2 | # https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
3 | #
4 | # Example line:
5 | # 109.123.70.97
6 | #
7 | # Expanded reg-exp: ^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|)(?: .*|)
8 | #
9 | # Test file: test-data/zeustracker-blocklist-ip.log
10 |
11 | # Filter out old entries by diffing against the file from the previous job
12 | fileProcessor.className=se.sitic.megatron.fileprocessor.DiffProcessor
13 |
14 | # Skip file if same as previous file
15 | general.fileAlreadyProcessedAction=skip
16 |
17 | # Filter out header and comments
18 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
19 | filter.regExpLineFilter.excludeRegExp=^#
20 |
21 | # Filter: keep IPs that match an organization in the contact DB plus Swedish IPs.
22 | # Note: Entries are decorated *after* filter.
23 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
24 | filter.organizationFilter.matchIpAddress=true
25 | filter.organizationFilter.matchHostname=false
26 | filter.organizationFilter.matchAsn=false
27 | filter.countryCodeFilter.includeCountryCodes=SE, NU
28 |
29 | # Line expression
30 | parser.lineRegExp=^$ipAddress(?: .*|)
31 |
32 | # Mail templates
33 | # TODO
34 |
--------------------------------------------------------------------------------
/conf/job-type/zeustracker-pushdo.properties:
--------------------------------------------------------------------------------
1 | # Config for Pushdo files, for example:
2 | # https://zeustracker.abuse.ch/pushdo/feed/20100127_pushdo.txt
3 | #
4 | # Example line:
5 | # Timestamp (UTC) | IP address | SRC port | Country | Counter | AS number | AS name
6 | # 2010-01-27 13:18:43 | 90.137.72.7 | 3196 | SE | 6 | 1257 | TELE2
7 | #
8 | # Expanded reg-exp:
9 | # ^(\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}) \| (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|) \| \d* \| (\w{0,2}) \| \d* \| (\d*) \| .*
10 | #
11 | # Test file: 20100127_pushdo.log
12 |
13 | # Skip file if same as previous file
14 | general.fileAlreadyProcessedAction=skip
15 |
16 | # Exclude comment line
17 | filter.preLineProcessor.classNames.0=se.sitic.megatron.filter.RegExpLineFilter
18 | filter.regExpLineFilter.excludeRegExp=^#
19 |
20 | # Filter: keep IPs that match an organization in the contact DB plus Swedish IPs.
21 | # Note: Entries are decorated *after* filter.
22 | filter.preDecorator.classNames.0=se.sitic.megatron.filter.OrganizationOrCountryCodeFilter
23 | filter.organizationFilter.matchIpAddress=true
24 | filter.organizationFilter.matchHostname=false
25 | filter.organizationFilter.matchAsn=false
26 | filter.countryCodeFilter.includeCountryCodes=SE, NU
27 |
28 | # Example: 2010-01-27 13:15:07
29 | parser.timestampFormat=yyyy-MM-dd HH:mm:ss
30 | parser.item.logTimestamp=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}
31 |
32 | # Ignored fields: SRC port, Counter, AS name
33 | parser.lineRegExp=^$logTimestamp \| $ipAddress \| \d* \| $countryCode \| \d* \| $asn \| .*
34 |
35 | # Mail templates
36 | mail.headerFile=zeustracker-pushdo_header.txt
37 | mail.rowFile=zeustracker-pushdo_row.txt
38 |
--------------------------------------------------------------------------------
/conf/template/export/ddos-amplification_header.txt:
--------------------------------------------------------------------------------
1 | # Time-stamp | src-IP ASN | src-IP | src-port | src-IP Country Code | target-IP | target-port
2 |
--------------------------------------------------------------------------------
/conf/template/export/ddos-amplification_row.txt:
--------------------------------------------------------------------------------
1 | $logTimestamp | $asn#padRight6 | $ipAddress#padRight15 | $port | $countryCode | $ipAddress2#padRight15 | $port2
2 |
--------------------------------------------------------------------------------
/conf/template/export/debug_footer.txt:
--------------------------------------------------------------------------------
1 | # ---- EOF ----
2 |
--------------------------------------------------------------------------------
/conf/template/export/debug_footer.xml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/conf/template/export/debug_header.txt:
--------------------------------------------------------------------------------
1 | # Job Name: $jobName
2 | # Job Filename: $filename
3 | # Job File Hash: $fileHash
4 | # Job Started: $jobStarted
5 | # Export Started: $exportStarted
6 | # Export Filename: $exportFilename
7 | # Export Full Filename: $exportFullFilename
8 |
9 | # logTimestamp ipAddress hostname port asn countryCode ipAddress2 hostname2 port2 asn2 countryCode2 url freeTextList additionalItemList originalLogEntry
10 |
--------------------------------------------------------------------------------
/conf/template/export/debug_header.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
6 |
7 |
8 | $jobName
9 | $filename
10 | $fileHash
11 | $jobStarted
12 | $exportStarted
13 | $exportFilename
14 | $exportFullFilename
15 |
16 |
--------------------------------------------------------------------------------
/conf/template/export/debug_row.txt:
--------------------------------------------------------------------------------
1 | $logTimestamp $ipAddress $hostname $port $asn $countryCode $ipAddress2 $hostname2 $port2 $asn2 $countryCode2 $ipRangeStart $ipRangeEnd $url $freeTextList $additionalItemList $logEntryid $created $organizationName $organizationEmailAddresses $organizationName2 $organizationEmailAddresses2 $originalLogEntry
2 |
--------------------------------------------------------------------------------
/conf/template/export/debug_row.xml:
--------------------------------------------------------------------------------
1 |
2 | $logTimestamp
3 | $ipAddress
4 | $hostname
5 | $port
6 | $asn
7 | $countryCode
8 | $ipAddress2
9 | $hostname2
10 | $port2
11 | $asn2
12 | $countryCode2
13 | $ipRangeStart
14 | $ipRangeEnd
15 | $url
16 | $freeTextList
17 | $additionalItemList
18 | $logEntryid
19 | $created
20 | $organizationName
21 | $organizationEmailAddresses
22 | $organizationName2
23 | $organizationEmailAddresses2
24 | $originalLogEntry
25 |
26 |
--------------------------------------------------------------------------------
/conf/template/export/iis-to-apache_row.txt:
--------------------------------------------------------------------------------
1 | $ipAddress - - [$logTimestamp] "$additionalItem_httpMethod $url?$additionalItem_uriQuery HTTP/1.1" $additionalItem_httpStatusCode 1111 "-" "$additionalItem_userAgent"
2 |
--------------------------------------------------------------------------------
/conf/template/export/ip-flowing_header.txt:
--------------------------------------------------------------------------------
1 | # IP address Hostname ASN (BGP) ASN (MaxMind) AS Name Country City Organization Email addresses Location URL
2 |
--------------------------------------------------------------------------------
/conf/template/export/ip-flowing_row.txt:
--------------------------------------------------------------------------------
1 | $ipAddress $hostname $asn $additionalItem_asn $additionalItem_asName $countryCode $additionalItem_city $organizationName $organizationEmailAddresses http://maps.google.com/maps?q=$additionalItem_latitude+$additionalItem_longitude&hl=en
2 |
--------------------------------------------------------------------------------
/conf/template/export/web-apache_row.txt:
--------------------------------------------------------------------------------
1 | $logTimestamp $ipAddress $hostname $asn $countryCode $url $additionalItem_webServerHost $additionalItem_httpMethod $additionalItem_httpVersion $additionalItem_httpStatusCode $additionalItem_size $additionalItem_referer $additionalItem_userAgent
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-cymru-verbose_row.txt:
--------------------------------------------------------------------------------
1 | $asn#padRight8| $ipAddress#padRight17| $additionalItem_bgpPrefix#padRight19 | $countryCode | $additionalItem_registry#padRight8 | $additionalItem_allocated | $freeText0
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short-with-hostname_header.txt:
--------------------------------------------------------------------------------
1 | IP | AS | CC | Hostname | AS Name
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short-with-hostname_row.txt:
--------------------------------------------------------------------------------
1 | $ipAddress#padRight15 | $additionalItem_asn#padRight6 | $countryCode#padRight2 | $hostname#padRight45 | $additionalItem_asName#padRight45
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short-with-orgname_header.txt:
--------------------------------------------------------------------------------
1 | IP | AS | CC | Hostname | AS Name | Organization
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short-with-orgname_row.txt:
--------------------------------------------------------------------------------
1 | $ipAddress#padRight15 | $additionalItem_asn#padRight6 | $countryCode#padRight2 | $hostname#padRight45 | $additionalItem_asName#padRight45 | $organizationName
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short_header.txt:
--------------------------------------------------------------------------------
1 | IP | AS | CC | AS Name
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois-short_row.txt:
--------------------------------------------------------------------------------
1 | $ipAddress#padRight15 | $additionalItem_asn#padRight6 | $countryCode#padRight2 | $additionalItem_asName
2 |
--------------------------------------------------------------------------------
/conf/template/export/whois_row.txt:
--------------------------------------------------------------------------------
1 | $asn#padRight8| $ipAddress#padRight17| $countryCode | $logTimestamp | $freeTextList | $additionalItemList
2 |
--------------------------------------------------------------------------------
/conf/template/mail/attachment_header.txt:
--------------------------------------------------------------------------------
1 | # timestamp (UTC) ip hostname port asn cc ip2 hostname2 port2 asn2 cc2 url comment created (UTC) report
2 |
--------------------------------------------------------------------------------
/conf/template/mail/attachment_row.txt:
--------------------------------------------------------------------------------
1 | $logTimestamp $ipAddress $hostname $port $asn $countryCode $ipAddress2 $hostname2 $port2 $asn2 $countryCode2 $url $additionalItemList $created $jobTypeName
2 |
--------------------------------------------------------------------------------
/conf/template/mail/brobot_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har fått information om att en eller flera webbservrar i ert nät
2 | kan ha utnyttjats för att utföra tillgänglighetsattacker (DDoS-attacker).
3 |
4 | En angripare har lyckats ta sig in i webbservern och där planterat ett
5 | antal elakartade skript. Baserat på den information som finns
6 | tillgänglig tycks angriparen ha utnyttjat sårbarheter i ouppdaterade
7 | insticksmoduler till plattformen Joomla.
8 |
9 | Obs! Om man öppnar den angivna adressen utan parametrar får man ett
10 | falskt felmeddelande ("404 Not Found"). Detta betyder alltså *inte* att
11 | de skadliga skripten saknas.
12 |
13 | Förutom skriptet i nedanstående URL finns troligen även andra skript såsom
14 | confgi.php, indx.php, inedx.php, saerch.php, error.php, stph-hack.php,
15 | stmdu.php och themess.php i samma katalog på webbservern.
16 |
17 | Vi ber er att snarast möjligt se över det aktuella systemet. Detta
18 | innebär bland annat att:
19 |
20 | * Återställ systemet - installera om hela systemet (operativsystem och
21 | uppåt) är det säkraste alternativet
22 | * Uppdatera Joomla och alla dess insticksmoduler
23 | * Rensa bort insticksmoduler till Joomla som inte är i bruk
24 |
25 | Mer information om att säkra upp din Joomla-installation:
26 | http://docs.joomla.org/Security_Checklist
27 |
28 | Följande maskiner har hittats i ert nät:
29 |
30 |
--------------------------------------------------------------------------------
/conf/template/mail/brobot_row.txt:
--------------------------------------------------------------------------------
1 | URL: $url
2 | IP: $ipAddress
3 | ASN: $asn
4 | Tid: [Saknas från källan]
5 |
6 |
--------------------------------------------------------------------------------
/conf/template/mail/clean-mx-phishing_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk hyser webbsidor för nätfiske ("phishing").
3 |
4 | Om informationen stämmer bör sidorna stängas ner omedelbart och en utredning startas
5 | för att ta reda på hur intrånget gått till. Kontakta CERT-SE om ni behöver hjälp.
6 |
7 | CERT-SE har fått informationen från CLEAN MX:
8 | http://support.clean-mx.de/clean-mx/phishing.php
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/clean-mx-phishing_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | URL: $url
4 | Tid: $logTimestamp
5 | Loggrad: $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/clean-mx-viruses_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk hyser webbsidor med skadlig kod.
3 |
4 | Om informationen stämmer bör sidorna stängas ner omedelbart och en utredning startas
5 | för att ta reda på hur intrånget gått till. Kontakta CERT-SE om ni behöver hjälp.
6 |
7 | CERT-SE har fått informationen från CLEAN MX:
8 | http://support.clean-mx.de/clean-mx/viruses.php
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/clean-mx-viruses_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | URL: $url
4 | Tid: $logTimestamp
5 | Loggrad: $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/danger-rulez_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk har utfört lösenordsgissningsattacker mot ssh-servrar.
3 |
4 | Om informationen stämmer är det troligt att den eller de datorer som utfört attacken
5 | har infekterats med skadlig kod.
6 |
7 | CERT-SE har fått informationen från Bruteforceblocker:
8 | http://danger.rulez.sk/index.php/bruteforceblocker
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/danger-rulez_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 |
4 | Loggrad:
5 | $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/debug_footer.txt:
--------------------------------------------------------------------------------
1 | ---- EOF ----
2 |
--------------------------------------------------------------------------------
/conf/template/mail/debug_header.txt:
--------------------------------------------------------------------------------
1 | Job Name: $jobName
2 | Job Filename: $filename
3 | Job File Hash: $fileHash
4 | Job Started: $jobStarted
5 | Export Started: $exportStarted
6 | Export Filename: $exportFilename
7 | Export Full Filename: $exportFullFilename
8 |
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/debug_row.txt:
--------------------------------------------------------------------------------
1 | logTimestamp: $logTimestamp
2 | ipAddress: $ipAddress
3 | hostname: $hostname
4 | port: $port
5 | asn: $asn
6 | countryCode: $countryCode
7 | ipAddress2: $ipAddress2
8 | hostname2: $hostname2
9 | port2: $port2
10 | asn2: $asn2
11 | countryCode2: $countryCode2
12 | ipRangeStart: $ipRangeStart
13 | ipRangeEnd: $ipRangeEnd
14 | url: $url
15 | freeTextList: $freeTextList
16 | additionalItemList: $additionalItemList
17 | logEntryid: $logEntryid
18 | created: $created
19 | organizationName: $organizationName
20 | organizationEmailAddresses: $organizationEmailAddresses
21 | organizationName2: $organizationName2
22 | organizationEmailAddresses2: $organizationEmailAddresses2
23 | originalLogEntry: $originalLogEntry
24 |
25 |
--------------------------------------------------------------------------------
/conf/template/mail/emerging-compromised_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har upptäckt att en eller flera datorer i ert nätverk förekommer i
2 | en Snort-regel över illasinnade eller komprometterade IP-adresser.
3 |
4 | Snort-regel ("Rules to block known hostile or compromised hosts."):
5 | http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/emerging-compromised_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | AS-nummer: $asn
4 | Tid: [Saknas från källan]
5 |
6 |
--------------------------------------------------------------------------------
/conf/template/mail/en/danger-rulez_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | have been involved in password guessing attacks against servers running ssh.
3 |
4 | If this information is correct, the involved computers are likely infected with malware.
5 |
6 | CERT-SE has received this information from Bruteforceblocker:
7 | http://danger.rulez.sk/index.php/bruteforceblocker
8 |
9 |
--------------------------------------------------------------------------------
/conf/template/mail/en/danger-rulez_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 |
4 | Log entry:
5 | $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/general_footer.txt:
--------------------------------------------------------------------------------
1 |
2 | Questions? Contact us or see our FAQ: https://www.cert.se/utskick-faq
3 |
4 | /CERT-SE
5 | --
6 | CERT-SE, Sweden's national Computer Emergency Response Team
7 |
8 | MSB, Swedish Civil Contingencies Agency
9 | Fleminggatan 14
10 | SE-112 26 Stockholm
11 | Telefon: 08-678 57 99
12 | Mailto: cert@cert.se
13 | https://www.cert.se
14 |
15 | PGP: https://www.cert.se/cert_at_cert.se.asc
16 | 1D55 8101 59A6 6787 F37B 705A F892 9D9B AAAA A845
17 |
--------------------------------------------------------------------------------
/conf/template/mail/en/rbl-hostname_row.txt:
--------------------------------------------------------------------------------
1 | Domain: $hostname
2 | Timestamp: [Not available from source]
3 | Log entry: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/en/rbl-with-timestamp_row.txt:
--------------------------------------------------------------------------------
1 | IP-block: $ipRangeStart-$ipRangeEnd
2 | Timestamp: $logTimestamp
3 | Log entry: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/en/rbl_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has found that one or more IP addresses in your network
2 | are present in an RBL list (realtime blacklist).
3 |
4 | There are several reasons why an IP address ends up in an RBL list. Spam may have been sent from the
5 | address, or the e-mail server may be misconfigured. Sometimes it is an infected client that is part
6 | of a botnet; in more serious cases the e-mail server may have been hijacked by spammers. It can also be
7 | caused by backscatter. See: http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29.
8 |
9 | Several websites exist where an IP address can be checked against RBL lists. See:
10 | http://www.mxtoolbox.com/blacklists.aspx
11 | http://www.anti-abuse.org/multi-rbl-check/
12 |
13 |
--------------------------------------------------------------------------------
/conf/template/mail/en/rbl_row.txt:
--------------------------------------------------------------------------------
1 | IP-block: $ipRangeStart-$ipRangeEnd
2 | Timestamp: [Not available from source]
3 | Log entry: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-conficker-http-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in
2 | your network are part of the botnet Conficker.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Conficker-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-conficker_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 | Time: [Not available from source]
4 |
5 | Log entry:
6 | $originalLogEntry
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-ddos_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of a botnet.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-DDoS
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-drone2_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of a botnet.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-drone2_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 | Infection: $additionalItem_infection
4 | Timestamp: $logTimestamp
5 |
6 | Log entry:
7 | Timestamp,IP,Port,ASN,Geo,Region,City,Hostname,Type,Infection,Url,Agent,CC,CC_port,CC_ASN,CC_geo,CC_DNS,Count,Proxy
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of a botnet.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-drone_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 | Infection: $additionalItem_infection
4 | Timestamp: $logTimestamp
5 |
6 | Log entry:
7 | "Timestamp","Drone","ASN","Geo","Hostname","RBL","C&C","C&C ASN","C&C Geo","C&C DNS","C&C Port","Infection"
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-proxy_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of a botnet.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Proxy
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-sinkhole-http-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of a botnet.
3 |
4 | CERT-SE has received this information from Shadowserver. For more information see:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver-sinkhole-http-drone_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 | Infection: $additionalItem_type
4 | Timestamp: $logTimestamp
5 |
6 | Log entry:
7 | "timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","http_referer_ip","dst_ip","dst_asn","dst_geo"
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/en/shadowserver_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 | Timestamp: $logTimestamp
4 |
5 | Log entry:
6 | $originalLogEntry
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/en/zeustracker-pushdo_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information indicating that one or more computers in your network
2 | are part of the botnet pushdo.
3 |
4 | CERT-SE has received this information from Zeustracker. For more information see:
5 | https://zeustracker.abuse.ch/
6 | http://www.iss.net/threats/pushdoSSLDDoS.html
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/en/zeustracker-pushdo_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Hostname: $hostname
3 |
4 | Log entry:
5 | $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/general_footer.txt:
--------------------------------------------------------------------------------
1 |
2 | Kontakta oss gärna vid frågor. Vanliga frågor och svar: https://www.cert.se/utskick-faq
3 |
4 | /CERT-SE
5 | --
6 | CERT-SE - Sveriges nationella Computer Emergency Response Team med uppgift
7 | att stödja samhället i arbetet med att hantera och förebygga IT-incidenter.
8 |
9 | MSB, Myndigheten för samhällsskydd och beredskap
10 | Fleminggatan 14
11 | SE-112 26 Stockholm
12 | Telefon: 08-678 57 99
13 | Mailto: cert@cert.se
14 | https://www.cert.se
15 |
16 | PGP: https://www.cert.se/cert_at_cert.se.asc
17 | 1D55 8101 59A6 6787 F37B 705A F892 9D9B AAAA A845
18 |
--------------------------------------------------------------------------------
/conf/template/mail/rbl-hostname_row.txt:
--------------------------------------------------------------------------------
1 | Domän: $hostname
2 | Tid: [Saknas från källan]
3 | Loggrad: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/rbl-with-timestamp_row.txt:
--------------------------------------------------------------------------------
1 | IP-block: $ipRangeStart-$ipRangeEnd
2 | Tid: $logTimestamp
3 | Loggrad: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/rbl_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har funnit att en eller flera datorer i ert nätverk finns med i en
2 | RBL-lista (realtime blacklist).
3 |
4 | En IP-adress kan hamna i en RBL-lista om skräppost (spam) har skickats från adressen
5 | eller om e-postservern är felkonfigurerad. I vissa fall rör det sig om infekterade
6 | klientdatorer som ingår i ett botnät, men i allvarligare fall kan e-postservern ha
7 | tagits över av "spammare". Det kan också röra sig om så kallat "backscatter" då även
8 | korrekt konfigurerade e-postservrar kan hamna i en RBL-lista. Mer info:
9 | http://en.wikipedia.org/wiki/Backscatter_%28e-mail%29.
10 |
11 | Det finns ett antal webbplatser där en IP-adress kan kontrolleras mot ett flertal
12 | RBL-listor, exempelvis:
13 | http://www.mxtoolbox.com/blacklists.aspx
14 | http://www.anti-abuse.org/multi-rbl-check/
15 |
16 |
--------------------------------------------------------------------------------
/conf/template/mail/rbl_row.txt:
--------------------------------------------------------------------------------
1 | IP-block: $ipRangeStart-$ipRangeEnd
2 | Tid: [Saknas från källan]
3 | Loggrad: $originalLogEntry
4 |
5 |
--------------------------------------------------------------------------------
/conf/template/mail/report-organization_body.txt:
--------------------------------------------------------------------------------
1 | CERT-SE has received information about infected or abused machines in your
2 | network. Information about attached report:
3 |
4 | - Time period: $timePeriod (UTC)
5 | - No. of rows: $noOfLogEntries
6 |
7 |
8 | Fields in the attached report (tab separated):
9 |
10 | - timestamp: Time in log file from source (UTC)
11 | - ip: Source IP ("bad" machine in your network)
12 | - hostname: Source hostname (reverse DNS of the IP)
13 | - port: Source port
14 | - asn: Source ASN
15 | - cc: Source country-code
16 | - ip2: Destination IP, e.g. C&C server
17 | - hostname2: Destination hostname
18 | - port2: Destination port
19 | - asn2: Destination ASN
20 | - cc2: Destination country-code
21 | - url: URL, e.g. to C&C server
22 | - comment: Additional information, e.g. infection
23 | - created: Time processed by CERT-SE (UTC)
24 | - report: Name of report (see below)
25 |
26 | Note: All fields except timestamp, created, and report may be empty.
27 |
28 |
29 | Values in the report-field:
30 |
31 | - shadowserver-drone2
32 |
33 |
34 | - shadowserver-sinkhole-http-drone
35 |
36 |
37 | TODO Change on install: Add description for all job-types that are
38 | specified in "report.organization.jobTypes".
39 |
40 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-cc-ip_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera
2 | datorer i ert nätverk är s.k. "command and control"-servrar i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP
6 |
7 | OBS! Tyvärr saknas tidsstämpel från Shadowserver. Tidsstämpeln anger
8 | då CERT-SE processade loggraden.
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-cc-ip_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Tid: [Saknas från källan]
4 |
5 | Loggrad:
6 | "IP Address","Port","Channel","Country","Region","State","Domain","ASN","AS Name","AS Description"
7 | $originalLogEntry
8 |
9 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-chargen_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som visar att en eller flera maskiner i
2 | ert nätverk tycks erbjuda CHARGEN-tjänster.
3 |
4 | En CHARGEN-server kan utnyttjas för att förstärka en tillgänglighetsattack
5 | och bör därför undvikas. Mer information:
6 |
7 | * https://chargenscan.shadowserver.org/
8 | * https://www.us-cert.gov/ncas/alerts/TA14-017A
9 |
10 | CERT-SE har fått informationen från Shadowserver. För mer information:
11 | https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-Chargen
12 |
13 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-conficker-http-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i botnätet Conficker.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Conficker-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-conficker_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Tid: [Saknas från källan]
4 |
5 | Loggrad:
6 | $originalLogEntry
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-ddos_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-DDoS
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-drone2_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-drone2_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Virustyp: $additionalItem_infection
4 | Tid: $logTimestamp
5 |
6 | Loggrad:
7 | Timestamp,IP,Port,ASN,Geo,Region,City,Hostname,Type,Infection,Url,Agent,CC,CC_port,CC_ASN,CC_geo,CC_DNS,Count,Proxy
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-drone_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Virustyp: $additionalItem_infection
4 | Tid: $logTimestamp
5 |
6 | Loggrad:
7 | "Timestamp","Drone","ASN","Geo","Hostname","RBL","C&C","C&C ASN","C&C Geo","C&C DNS","C&C Port","Infection"
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-microsoft-sinkhole_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | https://www.shadowserver.org/
6 |
7 | Loggraden innehåller följande fält:
8 | "timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","http_referer_ip","dst_ip","dst_asn","dst_geo"
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-netbios_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som visar att en eller flera maskiner i
2 | ert nätverk tycks vara öppna NetBIOS-servrar.
3 |
4 | En öppen NetBIOS-server är ett säkerhetsproblem av bl.a. följande anledningar:
5 |
6 | * Ökar attackytan för angriparen.
7 |
8 | * Kan utnyttjas för att förstärka en tillgänglighetsattack (DDoS).
9 |
10 | Mer information:
11 |
12 | - https://netbiosscan.shadowserver.org/
13 | - https://www.us-cert.gov/ncas/alerts/TA14-017A
14 |
15 | CERT-SE har fått informationen från Shadowserver. För mer information:
16 | https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-NetBIOS
17 |
18 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-openresolver_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som visar att en eller flera DNS-servrar i ert nätverk tycks
2 | vara öppna rekursiva namnservrar, vilka kan användas för att förstärka tillgänglighetsattacker.
3 | ISP:ar och webbhotell erbjuder rekursiva namnservrar till sina kunder, men för övriga organisationer
4 | har dessa få legitima användningsområden och bör undvikas.
5 |
6 | För information om hur öppna rekursiva namnservrar kan användas i DDoS-attacker[1] samt för att
7 | verifiera om en namnserver är öppen och rekursiv[2], se länkarna nedan:
8 |
9 | [1] https://www.iis.se/domaner/teknik/rekursiva-resolvrar
10 | [2] http://dns.measurement-factory.com/surveys/openresolvers.html
11 |
12 | CERT-SE har fått informationen från Shadowserver. För mer information:
13 | https://www.shadowserver.org/wiki/pmwiki.php/Services/DNS-open-resolvers
14 |
15 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-proxy_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Proxy
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-qotd_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som visar att en eller flera maskiner i
2 | ert nätverk tycks erbjuda QOTD-tjänster (Quote of the Day).
3 |
4 | En QOTD-server kan utnyttjas för att förstärka en tillgänglighetsattack
5 | och bör därför undvikas. Mer information:
6 |
7 | * https://qotdscan.shadowserver.org/
8 | * https://www.us-cert.gov/ncas/alerts/TA14-017A
9 |
10 | CERT-SE har fått informationen från Shadowserver. För mer information:
11 | https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-QOTD
12 |
13 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-sinkhole-http-drone_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i ett botnät.
3 |
4 | CERT-SE har fått informationen från Shadowserver. För mer information:
5 | http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-sinkhole-http-drone_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Virustyp: $additionalItem_type
4 | Tid: $logTimestamp
5 |
6 | Loggrad:
7 | "timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","http_referer_ip","dst_ip","dst_asn","dst_geo"
8 | $originalLogEntry
9 |
10 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver-snmp_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som visar att en eller flera maskiner i
2 | ert nätverk tycks vara öppna SNMP-servrar.
3 |
4 | En öppen SNMP-server är ett säkerhetsproblem av följande anledningar:
5 |
6 | * Läcker information om systemet vilket en angripare kan utnyttja.
7 |
8 | * Kan utnyttjas för att förstärka en tillgänglighetsattack (DDoS).
9 |
10 | Mer information:
11 |
12 | - https://snmpscan.shadowserver.org/
13 | - https://www.us-cert.gov/ncas/alerts/TA14-017A
14 |
15 | CERT-SE har fått informationen från Shadowserver. För mer information:
16 | https://www.shadowserver.org/wiki/pmwiki.php/Services/Open-SNMP
17 |
18 |
--------------------------------------------------------------------------------
/conf/template/mail/shadowserver_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 | Tid: $logTimestamp
4 |
5 | Loggrad:
6 | $originalLogEntry
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/urlquery_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har fått information om att en webbserver i ert nät kan ha drabbats av ett
2 | intrång som angriparen använder för att sprida skadlig kod.
3 |
4 | Vi ber om er hjälp att stänga ner den skadliga webbsajten. Vi tar gärna
5 | emot loggar för att analysera intrånget. Det ger oss också möjlighet att
6 | se vilka som besökt webbplatsen och som kan vara infekterade. Observera
7 | att denna källa är ny för CERT-SE och det kan förekomma falska positiver.
8 |
9 | OBS! Du kan bli infekterad om URL:en besöks. Därför är URL:en omskriven:
10 |
11 |
--------------------------------------------------------------------------------
/conf/template/mail/urlquery_row.txt:
--------------------------------------------------------------------------------
1 | URL: hxxp://$url
2 | IP: $ipAddress
3 | ASN: $asn
4 | Tid: $logTimestamp
5 |
6 | Informationen kommer från urlQuery.net:
7 | http://$additionalItem_urlqueryUrl
8 |
9 |
--------------------------------------------------------------------------------
/conf/template/mail/zeustracker-pushdo_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera datorer i ert
2 | nätverk ingår i botnätet pushdo.
3 |
4 | CERT-SE har fått informationen från Zeustracker. För mer information:
5 | https://zeustracker.abuse.ch/
6 | http://www.iss.net/threats/pushdoSSLDDoS.html
7 |
8 |
--------------------------------------------------------------------------------
/conf/template/mail/zeustracker-pushdo_row.txt:
--------------------------------------------------------------------------------
1 | IP: $ipAddress
2 | Datornamn: $hostname
3 |
4 | Loggrad:
5 | $originalLogEntry
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/mail/zone-h_header.txt:
--------------------------------------------------------------------------------
1 | CERT-SE har tagit del av information som tyder på att en eller flera webbsidor tillhörande er organisation
2 | har förvanskats. Informationen som bifogas innehåller tidsstämpel för när förvanskningen rapporterats till
3 | zone-h.org, länk till den förvanskade sidan samt en länk till en kopia av den förvanskade sidan.
4 | (För närvarande kan ett fel i logghanteringen resultera i duplicerade loggrader nedan; vi jobbar på att lösa det.)
5 |
6 | Följande webbsidor har ändrats:
7 |
--------------------------------------------------------------------------------
/conf/template/mail/zone-h_row.txt:
--------------------------------------------------------------------------------
1 | Loggrad: $originalLogEntry
2 |
--------------------------------------------------------------------------------
/conf/template/report/array-begin_header.json:
--------------------------------------------------------------------------------
1 | [
--------------------------------------------------------------------------------
/conf/template/report/array-end_footer.json:
--------------------------------------------------------------------------------
1 | ]
--------------------------------------------------------------------------------
/conf/template/report/array-in-dict-end_footer.json:
--------------------------------------------------------------------------------
1 | ]
2 | }
3 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-city_footer.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-city_header.json:
--------------------------------------------------------------------------------
1 | {
2 | "fileGenerated":"$header_reportStarted",
3 | "startDate":"$header_startDate",
4 | "endDate":"$header_endDate",
5 | "timePeriodLabel":"$header_timePeriodLabel",
6 | "noOfBadHostsWithGeolocation":"$header_noOfBadHostsWithGeolocation",
7 | "noOfBadHostsWithoutGeolocation":"$header_noOfBadHostsWithoutGeolocation",
8 | "noOfBadHostsWithOrganization":"$header_noOfBadHostsWithOrganization",
9 | "noOfBadHostsWithoutOrganization":"$header_noOfBadHostsWithoutOrganization",
10 | "cityEntries":[
--------------------------------------------------------------------------------
/conf/template/report/geolocation-city_header.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | $header_startDate
8 | $header_endDate
9 | $header_timePeriodLabel
10 |
11 |
12 |
13 | $header_noOfBadHostsWithGeolocation
14 | $header_noOfBadHostsWithoutGeolocation
15 | $header_noOfBadHostsWithOrganization
16 | $header_noOfBadHostsWithoutOrganization
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-city_row.json:
--------------------------------------------------------------------------------
1 | {
2 | "rowId":"$logEntryid",
3 | "city":"$additionalItem_city",
4 | "uniqueNoOfBadHosts":"$additionalItem_uniqueNoOfBadHosts",
5 | "totalNoOfBadHosts":"$additionalItem_totalNoOfBadHosts"
6 | }
--------------------------------------------------------------------------------
/conf/template/report/geolocation-city_row.xml:
--------------------------------------------------------------------------------
1 |
2 | $logEntryid
3 | $additionalItem_city
4 | $additionalItem_uniqueNoOfBadHosts
5 | $additionalItem_totalNoOfBadHosts
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries-city-internal_row.json:
--------------------------------------------------------------------------------
1 | {
2 | "id":"$logEntryid",
3 | "dbId":"$additionalItem_dbId",
4 | "ipAddress":"$ipAddress",
5 | "port":"$port",
6 | "hostname":"$hostname",
7 | "asn":"$asn",
8 | "firstSeen":"$logTimestamp",
9 | "lastSeen":"$additionalItem_lastSeen",
10 | "timesSeen":"$additionalItem_timesSeen",
11 | "prioName":"$additionalItem_prioName",
12 | "infection":"$additionalItem_infection"
13 | }
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries-city_row.json:
--------------------------------------------------------------------------------
1 | {
2 | "id":"$logEntryid",
3 | "ipAddress":"$additionalItem_ipAddressMasked",
4 | "firstSeen":"$logTimestamp",
5 | "lastSeen":"$additionalItem_lastSeen",
6 | "timesSeen":"$additionalItem_timesSeen",
7 | "prioName":"$additionalItem_prioName",
8 | "infection":"$additionalItem_infection"
9 | }
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries-internal_footer.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries-internal_row.xml:
--------------------------------------------------------------------------------
1 |
2 | $logEntryid
3 | $additionalItem_dbId
4 | $ipAddress
5 | $port
6 | $hostname
7 | $asn
8 | $logTimestamp
9 | $additionalItem_lastSeen
10 | $additionalItem_timesSeen
11 | $additionalItem_prioName
12 | $additionalItem_infection
13 | $additionalItem_latitude
14 | $additionalItem_longitude
15 | $additionalItem_city
16 | http://maps.google.com/maps?q=$additionalItem_latitude+$additionalItem_longitude&hl=en
17 |
18 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries-overview_row.json:
--------------------------------------------------------------------------------
1 | {
2 | "city":"$additionalItem_city",
3 | "citySlug":"$additionalItem_citySlug",
4 | "latitude":"$additionalItem_latitude",
5 | "longitude":"$additionalItem_longitude",
6 | "timesSeen":$additionalItem_timesSeen
7 | }
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries_footer.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries_header.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | $header_startDate
8 | $header_endDate
9 | $header_timePeriodLabel
10 |
11 |
12 |
13 |
14 | id
15 | ID
16 |
17 |
18 | firstSeen
19 | Första förekomst
20 |
21 |
22 | lastSeen
23 | Sista förekomst
24 |
25 |
26 | timesSeen
27 | Antal förekomster
28 |
29 |
30 | latitude
31 | Latitud
32 |
33 |
34 | longitude
35 | Longitud
36 |
37 |
38 | longitude
39 | Longitud
40 |
41 |
42 | city
43 | Stad
44 |
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-entries_row.xml:
--------------------------------------------------------------------------------
1 |
2 | $logEntryid
3 | $logTimestamp
4 | $additionalItem_lastSeen
5 | $additionalItem_timesSeen
6 | $additionalItem_prioName
7 | $additionalItem_infection
8 | $additionalItem_latitude
9 | $additionalItem_longitude
10 | $additionalItem_city
11 | http://maps.google.com/maps?q=$additionalItem_latitude+$additionalItem_longitude&hl=en
12 |
13 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-organization_footer.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-organization_header.json:
--------------------------------------------------------------------------------
1 | {
2 | "fileGenerated":"$header_reportStarted",
3 | "startDate":"$header_startDate",
4 | "endDate":"$header_endDate",
5 | "timePeriodLabel":"$header_timePeriodLabel",
6 | "noOfBadHostsWithGeolocation":"$header_noOfBadHostsWithGeolocation",
7 | "noOfBadHostsWithoutGeolocation":"$header_noOfBadHostsWithoutGeolocation",
8 | "noOfBadHostsWithOrganization":"$header_noOfBadHostsWithOrganization",
9 | "noOfBadHostsWithoutOrganization":"$header_noOfBadHostsWithoutOrganization",
10 | "organizationTypeEntries":[
--------------------------------------------------------------------------------
/conf/template/report/geolocation-organization_header.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | $header_startDate
8 | $header_endDate
9 | $header_timePeriodLabel
10 |
11 |
12 |
13 | $header_noOfBadHostsWithGeolocation
14 | $header_noOfBadHostsWithoutGeolocation
15 | $header_noOfBadHostsWithOrganization
16 | $header_noOfBadHostsWithoutOrganization
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-organization_row.json:
--------------------------------------------------------------------------------
1 | {
2 | "rowId":"$logEntryid",
3 | "organizationTypeName":"$additionalItem_prioName",
4 | "uniqueNoOfBadHosts":"$additionalItem_uniqueNoOfBadHosts",
5 | "totalNoOfBadHosts":"$additionalItem_totalNoOfBadHosts"
6 | }
--------------------------------------------------------------------------------
/conf/template/report/geolocation-organization_row.xml:
--------------------------------------------------------------------------------
1 |
2 | $logEntryid
3 | $additionalItem_prioName
4 | $additionalItem_uniqueNoOfBadHosts
5 | $additionalItem_totalNoOfBadHosts
6 |
7 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-summary-internal_header.json:
--------------------------------------------------------------------------------
1 | {
2 | "fileGenerated":"$header_reportStarted",
3 | "startDate":"$header_startDate",
4 | "endDate":"$header_endDate",
5 | "timePeriodLabel":"$header_timePeriodLabel",
6 | "days":[$header_dayLabels],
7 | "noOfBadHostsWithGeolocation":"$header_noOfBadHostsWithGeolocation",
8 | "noOfBadHostsWithoutGeolocation":"$header_noOfBadHostsWithoutGeolocation",
9 | "noOfBadHostsWithOrganization":"$header_noOfBadHostsWithOrganization",
10 | "noOfBadHostsWithoutOrganization":"$header_noOfBadHostsWithoutOrganization",
11 | "infoLabels":
12 | {
13 | "id":"ID",
14 | "dbId":"Databas-ID",
15 | "ipAddress":"IP-adress",
16 | "port":"Port",
17 | "hostname":"Datornamn",
18 | "asn":"ASN",
19 | "firstSeen":"Första träff",
20 | "lastSeen":"Sista träff",
21 | "timesSeen":"Antal träffar",
22 | "latitude":"Latitud",
23 | "longitude":"Longitud",
24 | "city":"Stad",
25 | "prioName":"Organisationstyp",
26 | "infection":"Infektion"
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/conf/template/report/geolocation-summary_header.json:
--------------------------------------------------------------------------------
1 | {
2 | "fileGenerated":"$header_reportStarted",
3 | "startDate":"$header_startDate",
4 | "endDate":"$header_endDate",
5 | "timePeriodLabel":"$header_timePeriodLabel",
6 | "days":[$header_dayLabels],
7 | "noOfBadHostsWithGeolocation":"$header_noOfBadHostsWithGeolocation",
8 | "noOfBadHostsWithoutGeolocation":"$header_noOfBadHostsWithoutGeolocation",
9 | "noOfBadHostsWithOrganization":"$header_noOfBadHostsWithOrganization",
10 | "noOfBadHostsWithoutOrganization":"$header_noOfBadHostsWithoutOrganization",
11 | "infoLabels":
12 | {
13 | "id":"ID",
14 | "ipAddress":"IP-adress",
15 | "firstSeen":"Första träff",
16 | "lastSeen":"Sista träff",
17 | "timesSeen":"Antal träffar",
18 | "latitude":"Latitud",
19 | "longitude":"Longitud",
20 | "city":"Stad"
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/lib-src/commons-net-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/commons-net-src.zip
--------------------------------------------------------------------------------
/lib-src/dnsjava-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/dnsjava-src.zip
--------------------------------------------------------------------------------
/lib-src/geoip-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/geoip-src.zip
--------------------------------------------------------------------------------
/lib-src/jdom-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/jdom-src.zip
--------------------------------------------------------------------------------
/lib-src/joda-time-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/joda-time-src.zip
--------------------------------------------------------------------------------
/lib-src/log4j-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/log4j-src.zip
--------------------------------------------------------------------------------
/lib-src/rome-src.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib-src/rome-src.zip
--------------------------------------------------------------------------------
/lib/activation.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/activation.jar
--------------------------------------------------------------------------------
/lib/antlr-2.7.6.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/antlr-2.7.6.jar
--------------------------------------------------------------------------------
/lib/commons-collections-3.2.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/commons-collections-3.2.1.jar
--------------------------------------------------------------------------------
/lib/commons-net.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/commons-net.jar
--------------------------------------------------------------------------------
/lib/dnsjava.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/dnsjava.jar
--------------------------------------------------------------------------------
/lib/dom4j-1.6.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/dom4j-1.6.1.jar
--------------------------------------------------------------------------------
/lib/geoip.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/geoip.jar
--------------------------------------------------------------------------------
/lib/hibernate3.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/hibernate3.jar
--------------------------------------------------------------------------------
/lib/javassist.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/javassist.jar
--------------------------------------------------------------------------------
/lib/jdom.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/jdom.jar
--------------------------------------------------------------------------------
/lib/joda-time.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/joda-time.jar
--------------------------------------------------------------------------------
/lib/jta-1.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/jta-1.1.jar
--------------------------------------------------------------------------------
/lib/log4j.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/log4j.jar
--------------------------------------------------------------------------------
/lib/mail.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/mail.jar
--------------------------------------------------------------------------------
/lib/mysql-connector.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/mysql-connector.jar
--------------------------------------------------------------------------------
/lib/rome.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/rome.jar
--------------------------------------------------------------------------------
/lib/slf4j-api-1.5.6.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/slf4j-api-1.5.6.jar
--------------------------------------------------------------------------------
/lib/slf4j-log4j12-1.5.6.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/lib/slf4j-log4j12-1.5.6.jar
--------------------------------------------------------------------------------
/lib/version.txt:
--------------------------------------------------------------------------------
1 | geoip.jar:
2 | Version: 1.0.1 (compiled from source in GeoIPJava-1.2.5)
3 |
4 | log4j.jar:
5 | Version: 1.2.15
6 | Original Name: log4j-1.2.15.jar
7 |
8 | mysql-connector.jar
9 | Version: 5.1.6
10 | Original Name: mysql-connector-java-5.1.7-bin.jar
11 |
12 | rome.jar
13 | Version: 0.9
14 | Original Name: rome-0.9.jar
15 |
16 | jdom.jar:
17 | Version: 1.1
18 | Required by: rome.jar
19 |
20 | joda-time.jar
21 | Version: 1.5.2
22 | Original Name: joda-time-1.5.2.jar
23 |
24 | mail.jar:
25 | Version: 1.4.1
26 | Original Name: mail.jar
27 |
28 | activation.jar:
29 | Version: 1.1.1
30 | Original Name: activation.jar
31 | Required by: mail.jar
32 |
33 | dnsjava.jar:
34 | Version: 2.1.3
35 | Original Name: dnsjava-2.1.3.jar
36 |
37 | commons-net.jar:
38 | Version: 2.0
39 | Original Name: commons-net-2.0.jar
40 |
--------------------------------------------------------------------------------
/megatron-dev.sh:
--------------------------------------------------------------------------------
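#!/bin/sh
#
# Executes Megatron in dev.
# All paths are relative to the installation directory; the script does not
# change directory itself, so run it from the installation root.
#
# Exit status: the exit code of the Java process is propagated, so callers
# (cron wrappers, other scripts) can tell a failed run from a successful one.

# Java binary and JVM options. The commented-out lines show the alternative
# values that were used previously.
#export SITIC_JAVA=/usr/local/jre-1.5.0/bin/java
export SITIC_JAVA=java
#export SITIC_JAVA_OPTIONS="-server -Xmx512M"
export SITIC_JAVA_OPTIONS=
# JMX options for attaching jconsole. NOTE(review): the commented example
# disables both JMX authentication and SSL, which exposes an unauthenticated
# management port on the host; if it is ever enabled, keep the port reachable
# from loopback/trusted hosts only, or enable authentication.
#export SITIC_JCONSOLE_OPTIONS="-Dcom.sun.management.jmxremote.port=51010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
export SITIC_JCONSOLE_OPTIONS=
export SITIC_LIB=lib
export SITIC_DIST=dist
# Config directories go first on the classpath so their resources are found
# before anything with the same name inside the jars.
export SITIC_CONF=conf/dev:conf/hibernate-mapping
export SITIC_HIBERNATE_CLASSPATH=$SITIC_CONF:$SITIC_LIB/hibernate3.jar:$SITIC_LIB/activation.jar:$SITIC_LIB/slf4j-api-1.5.6.jar:$SITIC_LIB/antlr-2.7.6.jar:$SITIC_LIB/commons-collections-3.2.1.jar:$SITIC_LIB/dom4j-1.6.1.jar:$SITIC_LIB/javassist.jar:$SITIC_LIB/jta-1.1.jar:$SITIC_LIB/slf4j-log4j12-1.5.6.jar
export SITIC_CLASSPATH=$SITIC_HIBERNATE_CLASSPATH:$SITIC_DIST/sitic-megatron.jar:$SITIC_LIB/log4j.jar:$SITIC_LIB/mysql-connector.jar:$SITIC_LIB/geoip.jar:$SITIC_LIB/mail.jar:$SITIC_LIB/rome.jar:$SITIC_LIB/jdom.jar:$SITIC_LIB/dnsjava.jar:$SITIC_LIB/joda-time.jar:$SITIC_LIB/commons-net.jar

echo `date`: Megatron Starts.
# "$@" (instead of $*) passes each command-line argument through unchanged,
# including arguments that contain spaces. The option variables stay unquoted
# on purpose: a value such as "-server -Xmx512M" must split into separate
# JVM arguments.
$SITIC_JAVA $SITIC_JAVA_OPTIONS $SITIC_JCONSOLE_OPTIONS -cp "$SITIC_CLASSPATH" -Dmegatron.configfile=conf/dev/megatron-globals.properties Megatron "$@"
MEGATRON_EXIT_CODE=$?
echo `date`: "Megatron Finished."
exit $MEGATRON_EXIT_CODE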
--------------------------------------------------------------------------------
/megatron.bat:
--------------------------------------------------------------------------------
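@echo off & setlocal ENABLEDELAYEDEXPANSION

REM Executes Megatron in dev (Windows). All paths below are relative to the
REM installation directory, so change to it first.
REM %~dp0 expands to drive letter + path of this script; %~p0 gives the path
REM only, so "cd" could not switch drives (or landed in the wrong directory)
REM when the script was started from another drive. "cd /d" switches drives.
set MEGATRON_HOME=%~dp0
cd /d "%MEGATRON_HOME%"

set MEGATRON_JAVA=java
set MEGATRON_JAVA_OPTIONS=-Xmx256M -showversion
REM set MEGATRON_CLASSPATH=classes-eclipse;conf/dev;conf/hibernate-mapping
set MEGATRON_CLASSPATH=dist/sitic-megatron.jar;conf/dev;conf/hibernate-mapping
REM Every jar found under lib\ is appended to the classpath, so any jar
REM dropped into that directory gets loaded. Keep lib\ limited to the vetted
REM dependencies shipped with the distribution.
for %%1 in (lib\*.jar) do set MEGATRON_CLASSPATH=!MEGATRON_CLASSPATH!;%%1

echo %date% %time% :: Megatron Starts.
REM Classpath quoted so an installation path containing spaces still works;
REM %* forwards all script arguments to the Megatron main class.
%MEGATRON_JAVA% %MEGATRON_JAVA_OPTIONS% -cp "%MEGATRON_CLASSPATH%" -Dmegatron.configfile=conf/dev/megatron-globals.properties Megatron %*
echo %date% %time% :: Megatron Finished.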
15 |
--------------------------------------------------------------------------------
/script/generate-org-reports.sh:
--------------------------------------------------------------------------------
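#!/bin/sh
#
# This script creates Megatron organization reports (emails abuse reports).
#
# Waits up to 5 x 10 minutes for a running Megatron (lock-file present) to
# finish, then runs the organization report generator. Exits with Megatron's
# own exit code, or 1 when the run was skipped because the lock-file never
# went away, so cron / monitoring can tell a failed or skipped run from a
# successful one (previously the script always exited 0).

export MEGATRON_LOCK_FILE=/var/megatron/megatron.pid

# Poll for the lock-file to disappear; at most 5 sleeps of 10 minutes.
i=0
while [ "$i" -lt 5 ] && test -f "$MEGATRON_LOCK_FILE"
do
    i=`expr $i + 1`
    echo `date`: "Megatron already started; sleeping... (lock-file" "$MEGATRON_LOCK_FILE" "exists)."
    sleep 600
done

if test -f "$MEGATRON_LOCK_FILE" ; then
    echo `date`: "Lock-file still present; aborting (generate organization reports)..."
    exit 1
fi

# NOTE(review): there is a window between the check above and Megatron
# taking the lock. Whether megatron.sh itself refuses to start when the
# lock-file exists is not visible from here - verify before relying on this
# script alone to serialise runs, since this job sends e-mail and a double
# run would likely mail the same reports twice.
echo `date`: "Megatron Starts to Generate Organization Reports."
/usr/local/megatron/bin/megatron.sh --create-report se.sitic.megatron.report.OrganizationReportGenerator
MEGATRON_EXIT_CODE=$?
if [ "$MEGATRON_EXIT_CODE" -eq 0 ] ; then
    echo `date`: "Megatron Finished Successfully; organization reports generated"
else
    echo `date`: "Megatron Finished with Errors. Exit-code:" "$MEGATRON_EXIT_CODE"
fi
exit "$MEGATRON_EXIT_CODE"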
29 |
--------------------------------------------------------------------------------
/script/generate-reports.sh:
--------------------------------------------------------------------------------
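#!/bin/sh
#
# This script creates Megatron reports (--create-reports) and uses a semaphore
# file to signal when it is safe to copy the generated files.
#
# The semaphore file is removed before the run and re-created only after a
# successful run, so a consumer that finds it present may copy the report
# files. Exits with Megatron's own exit code, or 1 when the run was skipped
# because the lock-file exists, so cron / monitoring can see a failed run
# (previously the script always exited 0).

export SEMAPHORE_FILE=/var/megatron/flash-xml/reports-generated-successfully
export MEGATRON_LOCK_FILE=/var/megatron/megatron.pid

if test -f "$MEGATRON_LOCK_FILE" ; then
    echo `date`: "Megatron already started; aborting... (lock-file '$MEGATRON_LOCK_FILE' exists)."
    exit 1
fi

echo `date`: "Megatron Starts to Generate Reports."

# Drop the "last run succeeded" marker first, so a failure or crash below
# cannot leave a stale success signal behind for the consumer.
rm -f "$SEMAPHORE_FILE"

/usr/local/megatron/bin/megatron.sh --create-reports
MEGATRON_EXIT_CODE=$?
if [ "$MEGATRON_EXIT_CODE" -eq 0 ] ; then
    echo `date`: "Megatron Finished Successfully; reports generated"
    echo "Reports created:" `date` > "$SEMAPHORE_FILE"
else
    echo `date`: "Megatron Finished with Errors; no reports generated. Exit-code:" "$MEGATRON_EXIT_CODE"
fi
exit "$MEGATRON_EXIT_CODE"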
26 |
--------------------------------------------------------------------------------
/script/remove-stale-lock.sh:
--------------------------------------------------------------------------------
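#!/bin/sh

# Checks if lock-file for Megatron exists and removes it if it's stale.
# Execute this script before Megatron is called from cron during nights
# and weekends.
#
# "Stale" is decided by a process-list heuristic (is there a java process
# whose command line mentions Megatron?), not by the pid recorded in the
# lock-file. That is best effort: an unrelated java process that happens to
# match keeps the lock in place, and a Megatron that has written the lock
# but is not yet visible in ps is indistinguishable from a dead one.
# NOTE(review): if megatron.pid really holds a pid, "kill -0 `cat file`"
# would be a sharper test - check the file's contents before switching.

MEGATRON_LOCK_FILE=/var/megatron/megatron.pid

if test -f "$MEGATRON_LOCK_FILE" ; then
    # "[j]ava" matches the text "java" but not the grep command line itself
    # (which contains "[j]ava"), so no "grep -v grep" is needed; -c counts
    # matching lines, replacing "wc -l | sed".
    MEGATRON_RUNNING=`ps auxwww | grep -c "[j]ava.*Megatron"`
    if [ "$MEGATRON_RUNNING" -eq 0 ]; then
        echo "Removing stale lock-file '$MEGATRON_LOCK_FILE'."
        rm -f "$MEGATRON_LOCK_FILE"
    else
        echo "Keeping lock-file '$MEGATRON_LOCK_FILE'; Megatron seems to be running (a Megatron-process exists)."
    fi
fi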
17 |
--------------------------------------------------------------------------------
/sql/select-count-plus-max.sql:
--------------------------------------------------------------------------------
-- Retrieves number of rows and max id value for each table.
-- Handy util script when creating a history database.
--
-- Read-only: every statement is a SELECT, so the script is safe to run
-- against a live database. Each result row is labelled with the table name
-- so the combined output reads as one list. Where a table carries a column
-- referencing another table (log_entry_id, mail_job_id, job_id,
-- original_log_entry_id) the maximum of that column is reported as well,
-- presumably so the history database can be seeded with matching id ranges.

-- free_text / additional_item are keyed by log_entry_id (no own id column queried).
select 'free_text', count(*), max(log_entry_id) from free_text;

select 'additional_item', count(*), max(log_entry_id) from additional_item;

select 'mail_job_log_entry_mapping', count(*), max(id), max(mail_job_id), max(log_entry_id) from mail_job_log_entry_mapping;

select 'mail_job', count(*), max(id), max(job_id) from mail_job;

select 'job', count(*), max(id) from job;

select 'log_entry', count(*), max(id), max(original_log_entry_id) from log_entry;

select 'original_log_entry', count(*), max(id) from original_log_entry;

select 'entry_type', count(*), max(id) from entry_type;

select 'job_type', count(*), max(id) from job_type;

select 'organization', count(*), max(id) from organization;

select 'prio', count(*), max(id) from prio;

select 'asn', count(*), max(id) from asn;

select 'domain_name', count(*), max(id) from domain_name;

select 'ip_range', count(*), max(id) from ip_range;

-- Only the row count is reported for asn_lookup (no id column is queried).
select 'asn_lookup', count(*) from asn_lookup;
33 |
--------------------------------------------------------------------------------
/src-test/se/sitic/megatron/core/TimePeriodTest.java:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/src-test/se/sitic/megatron/core/TimePeriodTest.java
--------------------------------------------------------------------------------
/src-test/se/sitic/megatron/rss/RssManagerTest.java:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/src-test/se/sitic/megatron/rss/RssManagerTest.java
--------------------------------------------------------------------------------
/src-test/se/sitic/megatron/util/FileUtilTest.java:
--------------------------------------------------------------------------------
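package se.sitic.megatron.util;

import java.io.File;

import junit.framework.Assert;

import org.junit.Test;


/**
 * JUnit test for FileUtil.
 */
public class FileUtilTest {
    private static final String TMP_DIR = "tmp-junit";


    /**
     * Writes a line containing non-ASCII (Latin-1) characters with an explicit
     * charset and reads it back with the same charset; the round trip must be
     * lossless. The temporary file and directory are removed afterwards so
     * repeated runs do not leave "tmp-junit" behind in the working directory.
     */
    @Test
    public void characterEncoding() throws Exception {
        File tmpDir = new File(TMP_DIR);
        // mkdir() returns false when the directory already exists, so the
        // return value is ignored and the directory's existence checked instead.
        tmpDir.mkdir();
        Assert.assertTrue("Cannot create directory " + tmpDir.getAbsolutePath(), tmpDir.isDirectory());

        String charSet = Constants.ISO8859;
        String writeContent = "Test Line: \u00e5\u00e4\u00f6\u00c5\u00c4\u00d6X";

        File file = new File(tmpDir, "test-" + charSet + ".txt");
        try {
            FileUtil.writeFile(file, writeContent, charSet);
            String readContent = FileUtil.readFile(file, charSet);
            // Presumably readFile returns the content with a trailing line
            // break; strip all line breaks before comparing.
            readContent = StringUtil.removeLineBreaks(readContent, "");
            Assert.assertEquals(writeContent, readContent);
        } finally {
            // Best-effort cleanup; delete() returns false if something is left.
            file.delete();
            tmpDir.delete();
        }
    }

}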
33 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/core/CommandLineParseException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.core;


/**
 * Thrown if parsing of command line arguments fails.
 * <p>
 * The exception also doubles as a control-flow signal: when built with one
 * of the *_ACTION constants no error has occurred, the caller should just
 * display usage or version information.
 */
public class CommandLineParseException extends MegatronException {
    private static final long serialVersionUID = 1L;

    /** Ordinary parse error; nothing to display beyond the message. */
    public static final int NO_ACTION = 0;
    /** Usage text should be displayed. */
    public static final int SHOW_USAGE_ACTION = 1;
    /** Version information should be displayed. */
    public static final int SHOW_VERSION_ACTION = 2;

    private int action = NO_ACTION;


    /**
     * Parse error with a message.
     */
    public CommandLineParseException(String msg) {
        super(msg);
    }


    /**
     * Parse error with a message and an underlying cause.
     */
    public CommandLineParseException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * Constructs an instance carrying an action, meaning that no error
     * has occurred but usage or version should be displayed. The message
     * is null.
     */
    public CommandLineParseException(int action) {
        super((String) null);
        this.action = action;
    }


    /**
     * Returns the requested action; NO_ACTION for a genuine parse error.
     */
    public int getAction() {
        return action;
    }

}
42 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/core/ConversionException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.core;


/**
 * Thrown when a conversion fails, e.g. IP as a string to a long.
 */
public class ConversionException extends MegatronException {
    private static final long serialVersionUID = 1L;


    /**
     * @param msg description of the failed conversion.
     * @param cause underlying exception, e.g. a NumberFormatException.
     */
    public ConversionException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * @param msg description of the failed conversion.
     */
    public ConversionException(String msg) {
        super(msg);
    }

}
21 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/core/MegatronException.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.core;
2 |
3 |
4 | /**
5 | * General exception in the Megatron application.
6 | *
7 | * Use this class as a super-class for more specific exception in Megatron.
8 | */
9 | public class MegatronException extends Exception {
10 | private static final long serialVersionUID = 1L;
11 |
12 |
13 | public MegatronException(String msg) {
14 | super(msg);
15 | }
16 |
17 | public MegatronException(String msg, Throwable cause) {
18 | super(msg, cause);
19 | }
20 |
21 | }
22 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/db/DbException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.db;

import se.sitic.megatron.core.MegatronException;

/**
 * Thrown if DB handling fails.
 */
public class DbException extends MegatronException {
    private static final long serialVersionUID = 1L;


    /**
     * @param msg description of the failed database operation.
     * @param cause underlying exception, typically from Hibernate or JDBC.
     */
    public DbException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * @param msg description of the failed database operation.
     */
    public DbException(String msg) {
        super(msg);
    }

}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/decorator/IDecorator.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.decorator;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;
import se.sitic.megatron.entity.LogEntry;


/**
 * Decorates a LogEntry-object with data. Data may be added to a LogEntry-object, or existing
 * data may be modified. Example: if hostname is missing but ip-address exists, a decorator
 * does a reverse lookup and adds hostname to the LogEntry.
 * <p>
 * Lifecycle: init() once per job, execute() once per log entry, close() once
 * when the job is done.
 */
public interface IDecorator {

    /**
     * Called once before any log entry is decorated.
     *
     * @param jobContext context of the job the decorator runs in.
     */
    void init(JobContext jobContext) throws MegatronException;

    /**
     * Decorates (modifies in place) the specified log entry.
     */
    void execute(LogEntry logEntry) throws MegatronException;

    /**
     * Releases resources held by the decorator.
     */
    void close() throws MegatronException;

}
22 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/ASNumber.java:
--------------------------------------------------------------------------------
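package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseASNumber;



/**
 * An autonomous system number belonging to an organization. Instances are
 * ordered by AS number.
 */
public class ASNumber extends BaseASNumber {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    public ASNumber () {
        super();
    }

    /**
     * Constructor for primary key
     */
    public ASNumber (java.lang.Integer id) {
        super(id);
    }

    /**
     * Constructor for required fields
     */
    public ASNumber (
        java.lang.Integer id,
        java.lang.Integer organizationId,
        java.lang.Long number) {

        super (
            id,
            organizationId,
            number);
    }
    /*[CONSTRUCTOR MARKER END]*/

    /**
     * Creates an unsaved instance with only the AS number set.
     */
    public ASNumber (java.lang.Long asn) {
        super();
        this.setNumber(asn);
    }

    /**
     * Orders by AS number.
     * <p>
     * The number is a boxed java.lang.Long (see the constructors), so the
     * previous "==" compared object references, not values: two equal
     * numbers outside the small-value box cache were reported as unequal and
     * the method returned 1 for both orderings, breaking the compareTo
     * contract (and thereby sorted collections and binary search).
     * Long.compareTo compares the values.
     *
     * @throws NullPointerException if either number is unset (unchanged).
     * @throws ClassCastException if obj is not an ASNumber (unchanged).
     */
    @Override
    public int compareTo(Object obj) {
        ASNumber other = (ASNumber) obj;
        java.lang.Long thisNumber = this.getNumber();
        java.lang.Long otherNumber = other.getNumber();
        return thisNumber.compareTo(otherNumber);
    }


}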
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/Contact.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseContact;

/**
 * A contact person for an organization. Ordered case-insensitively by
 * e-mail address.
 */
public class Contact extends BaseContact {
    private static final long serialVersionUID = 1L;

    /* [CONSTRUCTOR MARKER BEGIN] */
    public Contact() {
        super();
    }

    /**
     * Constructor for primary key
     */
    public Contact(java.lang.Integer id) {
        super(id);
    }

    /**
     * Constructor for required fields
     */
    public Contact(java.lang.Integer id,
                   java.lang.String firstName,
                   java.lang.String lastName,
                   java.lang.String comment,
                   java.lang.String emailAddress,
                   java.lang.String emailType,
                   java.lang.String phoneNumber,
                   java.lang.String role,
                   java.lang.String externalReference,
                   java.lang.Integer organizationId,
                   boolean enabled,
                   java.lang.Long created,
                   java.lang.Long lastModified,
                   java.lang.String modifiedBy,
                   boolean autoUpdateEmail) {
        super(id, firstName, lastName, comment, emailAddress, emailType, phoneNumber, role,
              externalReference, organizationId, enabled, created, lastModified, modifiedBy,
              autoUpdateEmail);
    }

    /* [CONSTRUCTOR MARKER END] */

    /**
     * Orders by e-mail address, ignoring case.
     *
     * @throws NullPointerException if either e-mail address is unset.
     * @throws ClassCastException if obj is not a Contact.
     */
    @Override
    public int compareTo(Object obj) {
        Contact other = (Contact) obj;
        String thisEmail = this.getEmailAddress();
        return thisEmail.compareToIgnoreCase(other.getEmailAddress());
    }
}
47 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/DomainName.java:
--------------------------------------------------------------------------------
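package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseDomainName;



/**
 * A domain name belonging to an organization. The name is stored trimmed;
 * instances are ordered case-insensitively by name.
 */
public class DomainName extends BaseDomainName {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    public DomainName () {
        super();
    }

    /**
     * Constructor for primary key
     */
    public DomainName (java.lang.Integer id) {
        super(id);
    }

    /**
     * Constructor for required fields
     */
    public DomainName (
        java.lang.Integer id,
        java.lang.Integer organizationId,
        java.lang.String name) {

        super (
            id,
            organizationId,
            name);
    }

    /*[CONSTRUCTOR MARKER END]*/

    /**
     * Creates an unsaved instance with only the (trimmed) name set.
     */
    public DomainName(String name) {
        super();
        this.setName(name);
    }

    /**
     * Orders by name, ignoring case.
     *
     * @throws NullPointerException if either name is unset.
     * @throws ClassCastException if obj is not a DomainName.
     */
    @Override
    public int compareTo(Object obj) {
        DomainName other = (DomainName) obj;
        return this.getName().compareToIgnoreCase(other.getName());
    }

    /**
     * Stores the name with leading and trailing whitespace removed.
     * A null name is passed through unchanged instead of throwing
     * NullPointerException, so the setter behaves like the base class
     * for the "unset" case (e.g. when a mapper populates the object).
     */
    @Override
    public void setName (java.lang.String name) {
        super.setName(name == null ? null : name.trim());
    }

}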
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/EntryType.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseEntryType;



/**
 * Entity for an entry type (id and name). All fields and accessors are in the
 * generated base class; this class only adds the constructors.
 */
public class EntryType extends BaseEntryType {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public EntryType() {
        super();
    }

    /** Constructor for primary key. */
    public EntryType(java.lang.Integer id) {
        super(id);
    }

    /** Constructor for required fields. */
    public EntryType(java.lang.Integer id, java.lang.String name) {
        super(id, name);
    }
    /*[CONSTRUCTOR MARKER END]*/


}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/IpRange.java:
--------------------------------------------------------------------------------
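package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseIpRange;



/**
 * A contiguous IP address range (start/end as numeric addresses) belonging
 * to an organization. Instances are ordered by start address.
 */
public class IpRange extends BaseIpRange {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    public IpRange () {
        super();
    }

    /**
     * Constructor for primary key
     */
    public IpRange (java.lang.Integer id) {
        super(id);
    }

    /**
     * Constructor for required fields
     */
    public IpRange (
        java.lang.Integer id,
        java.lang.Integer organizationId,
        java.lang.Long startAddress,
        java.lang.Long endAddress) {

        super (
            id,
            organizationId,
            startAddress,
            endAddress);
    }

    /*[CONSTRUCTOR MARKER END]*/

    /**
     * Orders by start address; the end address is not considered.
     * <p>
     * The start address is a boxed java.lang.Long (see the constructors), so
     * the previous "==" compared object references rather than values: two
     * equal start addresses outside the small-value box cache were reported
     * as unequal and the method returned 1 for both orderings, violating the
     * compareTo contract. Long.compareTo compares the values.
     *
     * @throws NullPointerException if either start address is unset (unchanged).
     * @throws ClassCastException if obj is not an IpRange (unchanged).
     */
    @Override
    public int compareTo(Object obj) {
        IpRange other = (IpRange) obj;
        java.lang.Long thisStart = this.getStartAddress();
        java.lang.Long otherStart = other.getStartAddress();
        return thisStart.compareTo(otherStart);
    }




}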
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/Job.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseJob;



/**
 * Entity for a processing job: the input file (name, hash, size) and when it
 * started. All fields and accessors are in the generated base class; this
 * class only adds the constructors.
 */
public class Job extends BaseJob {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public Job() {
        super();
    }

    /** Constructor for primary key. */
    public Job(java.lang.Long id) {
        super(id);
    }

    /** Constructor for required fields. */
    public Job(java.lang.Long id,
               java.lang.String name,
               java.lang.String filename,
               java.lang.String fileHash,
               java.lang.Long fileSize,
               java.lang.Long started) {
        super(id, name, filename, fileHash, fileSize, started);
    }
    /*[CONSTRUCTOR MARKER END]*/


}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/JobType.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseJobType;



/**
 * Entity for a job type (id, name, enabled flag). All fields and accessors
 * are in the generated base class; this class only adds the constructors.
 */
public class JobType extends BaseJobType {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public JobType() {
        super();
    }

    /** Constructor for primary key. */
    public JobType(java.lang.Integer id) {
        super(id);
    }

    /** Constructor for required fields. */
    public JobType(java.lang.Integer id, java.lang.String name, boolean enabled) {
        super(id, name, enabled);
    }
    /*[CONSTRUCTOR MARKER END]*/


}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/LogEntry.java:
--------------------------------------------------------------------------------
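package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseLogEntry;



/**
 * A parsed log entry. Instances are ordered by database id, which means
 * only persisted entries may be compared.
 */
public class LogEntry extends BaseLogEntry {
    private static final long serialVersionUID = 1L;


    /*[CONSTRUCTOR MARKER BEGIN]*/
    public LogEntry () {
        super();
    }

    /**
     * Constructor for primary key
     */
    public LogEntry (java.lang.Long id) {
        super(id);
    }

    /**
     * Constructor for required fields
     */
    public LogEntry (
        java.lang.Long id,
        java.lang.Long created,
        java.lang.Long logTimestamp) {

        super (
            id,
            created,
            logTimestamp);
    }

    /*[CONSTRUCTOR MARKER END]*/

    /**
     * Orders by database id.
     * <p>
     * The id is a boxed java.lang.Long (see the constructors), so the
     * previous "==" between the two ids compared object references rather
     * than values: equal ids outside the small-value box cache were reported
     * as unequal and the method returned 1 for both orderings, violating the
     * compareTo contract. Long.compareTo compares the values. An unset id
     * (null or 0) now raises the same AssertionError instead of a
     * NullPointerException for the null case.
     *
     * @throws AssertionError if either entry has not been persisted (id unset).
     * @throws ClassCastException if obj is not a LogEntry (unchanged).
     */
    @Override
    public int compareTo(Object obj) {
        LogEntry other = (LogEntry) obj;
        java.lang.Long thisId = this.getId();
        java.lang.Long otherId = other.getId();

        // Assert that only objects that have been persisted are used.
        if (thisId == null || otherId == null
                || thisId.longValue() == 0L || otherId.longValue() == 0L) {
            throw new java.lang.AssertionError("LogEntry ID is undefined (0)");
        }

        return thisId.compareTo(otherId);
    }

}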
62 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/MailJob.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseMailJob;



/**
 * Entity for a mail job (id, use-primary-organization flag, start time).
 * All fields and accessors are in the generated base class; this class only
 * adds the constructors.
 */
public class MailJob extends BaseMailJob {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public MailJob() {
        super();
    }

    /** Constructor for primary key. */
    public MailJob(java.lang.Long id) {
        super(id);
    }

    /** Constructor for required fields. */
    public MailJob(java.lang.Long id, boolean usePrimaryOrg, java.lang.Long started) {
        super(id, usePrimaryOrg, started);
    }
    /*[CONSTRUCTOR MARKER END]*/

}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/OriginalLogEntry.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BaseOriginalLogEntry;



/**
 * Entity holding an original (unparsed) log line together with its creation
 * time. All fields and accessors are in the generated base class; this class
 * only adds the constructors.
 */
public class OriginalLogEntry extends BaseOriginalLogEntry {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public OriginalLogEntry() {
        super();
    }

    /** Constructor for primary key. */
    public OriginalLogEntry(java.lang.Long id) {
        super(id);
    }

    /** Constructor for required fields. */
    public OriginalLogEntry(java.lang.Long id, java.lang.Long created, java.lang.String entry) {
        super(id, created, entry);
    }
    /*[CONSTRUCTOR MARKER END]*/


}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/entity/Priority.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.entity;

import se.sitic.megatron.entity.base.BasePriority;



/**
 * Entity for a priority level (id, name, numeric prio). All fields and
 * accessors are in the generated base class; this class only adds the
 * constructors.
 */
public class Priority extends BasePriority {
    private static final long serialVersionUID = 1L;

    /*[CONSTRUCTOR MARKER BEGIN]*/
    /** No-arg constructor, as needed by the Hibernate mapping. */
    public Priority() {
        super();
    }

    /** Constructor for primary key. */
    public Priority(java.lang.Integer id) {
        super(id);
    }

    /** Constructor for required fields. */
    public Priority(java.lang.Integer id, java.lang.String name, java.lang.Integer prio) {
        super(id, name, prio);
    }
    /*[CONSTRUCTOR MARKER END]*/


}
--------------------------------------------------------------------------------
/src/se/sitic/megatron/fileprocessor/IFileProcessor.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.fileprocessor;

import java.io.File;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;


/**
 * A file processor handles a whole file, e.g. executes an OS-command to
 * transform the input file.
 * <p>
 * Lifecycle: init() once per job, execute() on the input file, close()
 * once when the job is done (successfully or not).
 */
public interface IFileProcessor {

    /**
     * Called once before the file is processed.
     *
     * @param jobContext context of the job the processor runs in.
     */
    void init(JobContext jobContext) throws MegatronException;


    /**
     * Processes the specified file, and returns the result file.
     *
     * @param inputFile file to transform.
     * @return the transformed file (may or may not be the input file; decided by the implementation).
     */
    File execute(File inputFile) throws MegatronException;


    /**
     * Releases resources; jobSuccessful tells whether the job as a whole
     * succeeded, so implementations can e.g. keep or remove temporary files.
     */
    void close(boolean jobSuccessful) throws MegatronException;

}
27 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/filter/ILineFilter.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.filter;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;


/**
 * Filter a log line. This filter can be used before a line is parsed.
 * <p>
 * Lifecycle: init() once per job, accept() once per line, close() once
 * when the job is done.
 */
public interface ILineFilter {


    /**
     * Called once before any line is tested.
     *
     * @param jobContext context of the job the filter runs in.
     */
    void init(JobContext jobContext) throws MegatronException;


    /**
     * Tests whether or not the specified line should be included.
     *
     * @param line raw, unparsed log line.
     * @return true if line should be included.
     */
    boolean accept(String line) throws MegatronException;


    /**
     * Releases resources held by the filter.
     */
    void close() throws MegatronException;

}
27 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/filter/ILogEntryFilter.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.filter;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;
import se.sitic.megatron.entity.LogEntry;


/**
 * Filter a LogEntry-object. This filter can be used after a line have been parsed.
 * <p>
 * Lifecycle: init() once per job, accept() once per log entry, close() once
 * when the job is done.
 */
public interface ILogEntryFilter {


    /**
     * Called once before any log entry is tested.
     *
     * @param jobContext context of the job the filter runs in.
     */
    void init(JobContext jobContext) throws MegatronException;


    /**
     * Tests whether or not the specified log entry should be included.
     *
     * @param logEntry parsed entry to test.
     * @return true if the entry should be included.
     */
    boolean accept(LogEntry logEntry) throws MegatronException;


    /**
     * Releases resources held by the filter.
     */
    void close() throws MegatronException;

}
28 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/geoip/As.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.geoip;
2 |
3 |
4 | /**
5 | * Entity class for an AS. Contains AS number and AS name.
6 | */
7 | public class As {
8 | private long asNumber;
9 | private String asName;
10 |
11 |
12 | public As(long asNumber, String asName) {
13 | this.asNumber = asNumber;
14 | this.asName = asName;
15 | }
16 |
17 |
18 | public long getAsNumber() {
19 | return asNumber;
20 | }
21 |
22 |
23 | public String getAsName() {
24 | return asName;
25 | }
26 |
27 |
28 | @Override
29 | public String toString() {
30 | StringBuffer result = new StringBuffer(64);
31 |
32 | result.append("AS");
33 | result.append(asNumber);
34 | result.append(" (");
35 | result.append(asName);
36 | result.append(")");
37 | return result.toString();
38 | }
39 |
40 | }
41 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/lineprocessor/ILineProcessor.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.lineprocessor;

import java.util.List;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;


/**
 * A line processor merges or splits a line, and can be one of the following
 * two types:
 * <ul>
 * <li>Merger: several lines are merged into a single line.</li>
 * <li>Splitter: one line is split to several lines.</li>
 * </ul>
 * Lifecycle: init() once per job, execute() once per input line, close()
 * once when the job is done.
 */
public interface ILineProcessor {


    /**
     * Called once before any line is processed.
     *
     * @param jobContext context of the job the processor runs in.
     */
    void init(JobContext jobContext) throws MegatronException;


    /**
     * Merges or splits specified line. If a line is merged, null is returned
     * at least one time (the call that only buffers input has nothing to
     * emit yet).
     *
     * @return the resulting lines, or null when nothing is to be emitted yet.
     */
    List execute(String line) throws MegatronException;


    /**
     * Releases resources held by the processor.
     */
    void close() throws MegatronException;

}
32 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/mail/MailException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.mail;

import se.sitic.megatron.core.MegatronException;


/**
 * Thrown if mail sending fails.
 */
public class MailException extends MegatronException {
    private static final long serialVersionUID = 1L;


    /**
     * @param msg description of the failed mail operation.
     * @param cause underlying exception, typically from the mail API.
     */
    public MailException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * @param msg description of the failed mail operation.
     */
    public MailException(String msg) {
        super(msg);
    }

}
23 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/parser/IParser.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.parser;

import se.sitic.megatron.core.JobContext;
import se.sitic.megatron.core.MegatronException;
import se.sitic.megatron.entity.LogEntry;


/**
 * Parses a log line to a LogEntry-object. Implementing classes may use for
 * example regular expression or an XML-parser.
 * <p>
 * Lifecycle: init() once per job, parse() once per line, close() once when
 * the job is done.
 */
public interface IParser {

    /**
     * Called once before any line is parsed.
     *
     * @param jobContext context of the job the parser runs in.
     */
    void init(JobContext jobContext) throws MegatronException;

    /**
     * Parses one log line into a LogEntry.
     *
     * @param logLine the line to parse.
     * @return the parsed entry.
     */
    LogEntry parse(String logLine) throws MegatronException;

    /**
     * Releases resources held by the parser.
     */
    void close() throws MegatronException;

}
21 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/parser/InvalidExpressionException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.parser;

import se.sitic.megatron.core.MegatronException;


/**
 * Thrown when a line expression is invalid.
 */
public class InvalidExpressionException extends MegatronException {
    private static final long serialVersionUID = 1L;


    /**
     * @param msg description of what is wrong with the expression.
     * @param cause underlying exception, e.g. from the regex compiler.
     */
    public InvalidExpressionException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * @param msg description of what is wrong with the expression.
     */
    public InvalidExpressionException(String msg) {
        super(msg);
    }

}
23 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/parser/ParseException.java:
--------------------------------------------------------------------------------
package se.sitic.megatron.parser;

import se.sitic.megatron.core.MegatronException;


/**
 * Thrown when parsing of a log record fails.
 */
public class ParseException extends MegatronException {
    private static final long serialVersionUID = 1L;


    /**
     * @param msg description of the parse failure.
     * @param cause underlying exception, may be null.
     */
    public ParseException(String msg, Throwable cause) {
        super(msg, cause);
    }


    /**
     * @param msg description of the parse failure.
     */
    public ParseException(String msg) {
        super(msg);
    }

}
23 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/report/IReportGenerator.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.report;
2 |
3 | import se.sitic.megatron.core.MegatronException;
4 |
5 |
6 | /**
7 | * Creates report files, e.g. XML files for Flash or JavaScript graphs.
8 | */
public interface IReportGenerator {


    /**
     * Prepares the generator before any files are created.
     *
     * @throws MegatronException if initialisation fails.
     */
    void init() throws MegatronException;


    /**
     * Writes the report files (per the class javadoc, e.g. XML files for
     * Flash or JavaScript graphs).
     *
     * @throws MegatronException if the files cannot be created.
     */
    void createFiles() throws MegatronException;

}
18 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/IRssChannel.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 | import java.util.Date;
4 | import java.util.List;
5 |
6 |
7 | /**
8 | * Represents a channel-tag in an RSS file (or feed-tag in an Atom file).
9 | * This is the top-level object for a feed file.
10 | */
public interface IRssChannel {

    /**
     * @return the channel's items. Declared as a raw List; the elements are
     *         expected to be IRssItem objects (see removeItem).
     */
    List getItems();

    /** Replaces the channel's items. */
    void setItems(List items);

    /**
     * Removes one item from the channel.
     *
     * @param item the item to remove.
     * @return presumably true if the item was present and removed — the
     *         contract is not spelled out here, confirm against the implementation.
     */
    boolean removeItem(IRssItem item);

    /** @return the feed title. */
    String getTitle();

    /** Sets the feed title. */
    void setTitle(String title);

    /** @return the feed description. */
    String getDescription();

    /** Sets the feed description. */
    void setDescription(String description);

    /** @return the feed's links (raw List; element type not declared here). */
    List getLinks();

    /** Replaces the feed's links. */
    void setLinks(List links);

    /** @return the feed's categories (raw List; element type not declared here). */
    List getCategories();

    /** Replaces the feed's categories. */
    void setCategories(List categories);

    /**
     * @return the feed formats the implementation can handle (raw List;
     *         presumably format-name Strings, cf. getRssFormat).
     */
    List getSupportedRssFormats();

    /** @return the format this channel is written in. */
    String getRssFormat();

    /** Sets the format this channel is written in. */
    void setRssFormat(String rssFormat);

    /** @return the feed's publication date. */
    Date getPublicationDate();

    /** Sets the feed's publication date. */
    void setPublicationDate(Date date);

    /** @return the feed's authors (raw List; element type not declared here). */
    List getAuthors();

    /** Replaces the feed's authors. */
    void setAuthors(List authors);

    /** @return the copyright statement for the feed. */
    String getCopyright();

    /** Sets the copyright statement for the feed. */
    void setCopyright(String copyright);

}
54 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/IRssFactory.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 |
4 | /**
5 | * Creates objects that handle parsing, building, and saving RSS feeds.
6 | */
public interface IRssFactory {

    /** @return a parser that reads a feed into an IRssChannel. */
    IRssParser createRssParser();

    /** @return a new channel, the top-level object of a feed. */
    IRssChannel createRssChannel();

    /**
     * Creates an item belonging to {@code parentChannel}. An implementation
     * may require its own channel type here (RomeRssFactory casts the argument).
     *
     * @param parentChannel channel the new item belongs to.
     * @return the new item.
     */
    IRssItem createRssItem(IRssChannel parentChannel);

    /** @return a writer that serialises an IRssChannel to a character stream. */
    IRssWriter createRssWriter();

}
18 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/IRssItem.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 | import java.util.Date;
4 | import java.util.List;
5 |
6 |
7 | /**
8 | * Represents an item-tag in an RSS file (or entry-tag in an Atom file).
9 | */
public interface IRssItem {

    /** @return the channel this item belongs to. */
    IRssChannel getParentChannel();

    /** @return the item title. */
    String getTitle();

    /** Sets the item title. */
    void setTitle(String title);

    /** @return the item description (body text). */
    String getDescription();

    /** Sets the item description. */
    void setDescription(String description);

    /** @return the item's links (raw List; element type not declared here). */
    List getLinks();

    /** Replaces the item's links. */
    void setLinks(List links);

    /** @return the item's categories (raw List; element type not declared here). */
    List getCategories();

    /** Replaces the item's categories. */
    void setCategories(List categories);

    /** @return the date the item was published. */
    Date getPublicationDate();

    /** Sets the date the item was published. */
    void setPublicationDate(Date date);

    /** @return the date the item was last updated. */
    Date getUpdatedDate();

    /** Sets the date the item was last updated. */
    void setUpdatedDate(Date date);

    /** @return the item's authors (raw List; element type not declared here). */
    List getAuthors();

    /** Replaces the item's authors. */
    void setAuthors(List authors);

    // TODO Enclosure support is still missing; it needs a wrapper interface
    // IRssEnclosure and accessors along the lines of:
    //   List getEnclosures();
    //   void setEnclosures(List enclosures);

}
47 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/IRssParser.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 | import java.io.IOException;
4 | import java.io.InputStream;
5 |
6 |
7 | /**
8 | * Parser for RSS feeds.
9 | */
public interface IRssParser {

    /**
     * Parses an RSS (or Atom) feed read from {@code in}.
     * The feed is external input; an implementation that parses it as XML
     * should keep external-entity resolution disabled — that cannot be
     * verified from this interface, confirm in the concrete parser.
     *
     * @param in stream holding the feed.
     * @param encoding character encoding of the stream, or null to let the
     *        implementation decide.
     * @return the parsed feed as a channel object.
     * @throws RssParseException if the stream does not hold a parsable feed.
     * @throws IOException if reading from the stream fails.
     */
    IRssChannel parseRss(InputStream in, String encoding) throws RssParseException, IOException;

}
23 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/IRssWriter.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 | import java.io.IOException;
4 | import java.io.Writer;
5 |
6 |
7 | /**
8 | * Writer for RSS feeds.
9 | */
public interface IRssWriter {

    /**
     * Serialises {@code rssChannel} to {@code out}.
     *
     * @param out destination for the serialised feed; ownership (flush/close)
     *        stays with the caller.
     * @param rssChannel the feed to write.
     * @throws RssException if the feed cannot be serialised.
     * @throws IOException if writing to out fails.
     */
    void writeRss(Writer out, IRssChannel rssChannel) throws RssException, IOException;

}
20 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/RssException.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 |
4 | /**
5 | * Thrown if RSS processing fails.
6 | */
public class RssException extends Exception {
    /** Serialization version; bump only if the serialized form changes. */
    private static final long serialVersionUID = 1L;


    /**
     * Creates an exception with a message only (no cause).
     *
     * @param msg description of the RSS processing failure.
     */
    public RssException(String msg) {
        super(msg);
    }


    /**
     * Creates an exception wrapping an underlying cause, e.g. an exception
     * thrown by the feed library.
     *
     * @param msg description of the RSS processing failure.
     * @param cause the exception that triggered this one.
     */
    public RssException(String msg, Throwable cause) {
        super(msg, cause);
    }

}
21 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/RssParseException.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss;
2 |
3 |
4 | /**
5 | * Thrown if parsing of RSS fails.
6 | */
public class RssParseException extends RssException {
    /** Serialization version; bump only if the serialized form changes. */
    private static final long serialVersionUID = 1L;


    /**
     * Creates an exception with a message only (no cause).
     *
     * @param msg description of the parse failure.
     */
    public RssParseException(String msg) {
        super(msg);
    }


    /**
     * Creates an exception wrapping an underlying cause, e.g. an exception
     * thrown by the feed library while parsing.
     *
     * @param msg description of the parse failure.
     * @param cause the exception that triggered this one.
     */
    public RssParseException(String msg, Throwable cause) {
        super(msg, cause);
    }

}
21 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/rome/RomeRssFactory.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss.rome;
2 |
3 | import se.sitic.megatron.core.TypedProperties;
4 | import se.sitic.megatron.rss.IRssChannel;
5 | import se.sitic.megatron.rss.IRssFactory;
6 | import se.sitic.megatron.rss.IRssItem;
7 | import se.sitic.megatron.rss.IRssParser;
8 | import se.sitic.megatron.rss.IRssWriter;
9 |
10 |
11 | /**
12 | * Implements IRssFactory using Rome,
13 | * https://rome.dev.java.net/
14 | */
public class RomeRssFactory implements IRssFactory {
    /** Application properties handed to every Rome object this factory creates. */
    private final TypedProperties properties;


    /**
     * Creates a factory whose products share the given properties.
     *
     * @param props application properties passed on to each created object.
     */
    public RomeRssFactory(TypedProperties props) {
        properties = props;
    }


    /** @return a Rome-backed parser. */
    @Override
    public IRssParser createRssParser() {
        IRssParser parser = new RomeRssParser(properties);
        return parser;
    }


    /** @return a Rome-backed channel. */
    @Override
    public IRssChannel createRssChannel() {
        IRssChannel channel = new RomeRssChannel(properties);
        return channel;
    }


    /**
     * Creates a Rome-backed item for the given channel.
     *
     * @param parentChannel must itself be a RomeRssChannel; any other
     *        IRssChannel implementation fails here with a ClassCastException.
     * @return the new item.
     */
    @Override
    public IRssItem createRssItem(IRssChannel parentChannel) {
        RomeRssChannel romeChannel = (RomeRssChannel) parentChannel;
        return new RomeRssItem(properties, romeChannel);
    }


    /** @return a Rome-backed writer. */
    @Override
    public IRssWriter createRssWriter() {
        IRssWriter writer = new RomeRssWriter(properties);
        return writer;
    }

}
51 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/rss/rome/RomeRssWriter.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.rss.rome;
2 |
3 | import java.io.IOException;
4 | import java.io.Writer;
5 |
6 | import org.apache.log4j.Logger;
7 |
8 | import se.sitic.megatron.core.TypedProperties;
9 | import se.sitic.megatron.rss.IRssChannel;
10 | import se.sitic.megatron.rss.IRssWriter;
11 | import se.sitic.megatron.rss.RssException;
12 |
13 | import com.sun.syndication.feed.synd.SyndFeed;
14 | import com.sun.syndication.io.FeedException;
15 | import com.sun.syndication.io.SyndFeedOutput;
16 |
17 |
18 | /**
19 | * Implements IRssWriter using Rome.
20 | */
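public class RomeRssWriter implements IRssWriter {
    private static final Logger log = Logger.getLogger(RomeRssWriter.class);

    // UNUSED: private TypedProperties props;


    /**
     * Constructor.
     *
     * @param props application properties; not used by this writer at present,
     *        but RomeRssFactory.createRssWriter passes them anyway.
     */
    public RomeRssWriter(TypedProperties props) {
        // UNUSED: this.props = props;
    }


    /**
     * Writes the feed wrapped by {@code rssChannel} to {@code out} using Rome's
     * SyndFeedOutput. The writer is neither flushed nor closed here; that is
     * left to the caller, which owns {@code out}.
     *
     * @param out destination for the serialised feed.
     * @param rssChannel feed to write; must be a RomeRssChannel, since only that
     *        implementation exposes the underlying SyndFeed.
     * @throws RssException if rssChannel is null or not a RomeRssChannel, or if
     *         Rome fails to serialise the feed.
     * @throws IOException if writing to out fails.
     */
    @Override
    public void writeRss(Writer out, IRssChannel rssChannel) throws RssException, IOException {
        // Guard the cast: a foreign IRssChannel implementation (or null) used to
        // surface as ClassCastException / NullPointerException instead of the
        // RssException this method declares.
        if (!(rssChannel instanceof RomeRssChannel)) {
            String type = (rssChannel == null) ? "null" : rssChannel.getClass().getName();
            String msg = "Cannot write RSS feed; channel is not a RomeRssChannel: " + type;
            log.error(msg);
            throw new RssException(msg);
        }
        SyndFeed syndFeed = ((RomeRssChannel)rssChannel).getSyndFeed();
        SyndFeedOutput syndFeedOutput = new SyndFeedOutput();
        try {
            syndFeedOutput.output(syndFeed, out);
        } catch (FeedException e) {
            String msg = "Cannot write RSS feed.";
            log.error(msg, e);
            throw new RssException(msg, e);
        }
    }

}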
49 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/tickethandler/ITicketHandler.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.tickethandler;
2 |
3 |
4 | import java.util.Map;
5 |
6 | import se.sitic.megatron.core.MegatronException;
7 |
public interface ITicketHandler {

    /**
     * Prepares the handler before any ticket operation is performed.
     *
     * @throws MegatronException if initialisation fails.
     */
    void init() throws MegatronException;

    /**
     * Creates a new ticket in the ticketing system and returns its ID.
     *
     * @param values key/value input parameters for the new ticket. The keys
     *        are not declared here and presumably depend on the ticketing
     *        system — confirm against the implementations.
     * @return the ticket ID assigned by the ticketing system.
     */
    String getNewTicketId(Map values);

    /**
     * Changes the status of an existing ticket.
     *
     * @param status the new status; the vocabulary is defined by the
     *        ticketing system, not by this interface.
     * @param ticketId ID of the ticket to update (presumably one previously
     *        returned by getNewTicketId). Note the parameter order: status first.
     */
    void updateTicketStatus(String status, String ticketId);

}
25 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/util/Constants.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.util;
2 |
3 |
4 | /**
5 | * Constants in the application.
6 | */
public abstract class Constants {

    /** Line break in files etc. Always LF, independent of the platform default. */
    public static final String LINE_BREAK = "\n";

    /** UTF-8 character-set name as used by the Java core API. */
    public static final String UTF8 = "UTF-8";

    /** ISO-8859-1 (Latin-1) character-set name as used by the Java core API. */
    public static final String ISO8859 = "ISO-8859-1";

    /** MIME-type for plain text. */
    public static final String MIME_TEXT_PLAIN = "text/plain";

    /** Comments in config files start with this string. */
    public static final String CONFIG_COMMENT_PREFIX = "#";

    /**
     * Hash algorithm to use (presumably passed to MessageDigest; call sites are
     * not visible here).
     * NOTE(review): MD5 is not collision-resistant, so this is only adequate
     * for non-adversarial fingerprinting or deduplication, not for integrity
     * or authentication checks — confirm how the digest is used. Changing the
     * value would likely invalidate any digests already stored.
     */
    public static final String DIGEST_ALGORITHM = "md5";

    /** Job type name to use when name is missing in the job_type table. */
    public static final String DEFAULT_JOB_TYPE = "default";

    // Values for the properties filter.countryCodeFilter.organizationToFilter
    // and filter.asnFilter.organizationToFilter: which organization(s) of a
    // log entry the filter looks at.
    public static final String ORGANIZATION_PRIMARY = "primary";
    public static final String ORGANIZATION_SECONDARY = "secondary";
    public static final String ORGANIZATION_BOTH = "both";

    // Additional (non-SimpleDateFormat) values for parser.timestampFormat.
    // See test-data/epoch-test.log for sample input of each kind.
    public static final String TIME_STAMP_FORMAT_EPOCH_IN_SEC = "epochInSec";
    public static final String TIME_STAMP_FORMAT_EPOCH_IN_MS = "epochInMs";
    public static final String TIME_STAMP_FORMAT_WINDOWS_EPOCH = "windowsEpoch";

}
42 |
--------------------------------------------------------------------------------
/src/se/sitic/megatron/util/SqlUtil.java:
--------------------------------------------------------------------------------
1 | package se.sitic.megatron.util;
2 |
3 | import java.util.Date;
4 |
5 |
6 | /**
7 | * Contains static utility-methods for SQL stuff.
8 | */
9 | public abstract class SqlUtil {
10 | // UNUSED: private static final Logger log = Logger.getLogger(SqlUtil.class);
11 |
12 |
13 | /**
14 | * Converts specified timestamp in seconds to a Date.
15 | */
16 | public static Date convertTimestamp(long timestampInSec) {
17 | return new Date(timestampInSec * 1000L);
18 | }
19 |
20 |
21 | /**
22 | * Converts specified timestamp in milliseconds to seconds.
23 | */
24 | public static long convertTimestampToSec(long timestampInMs) {
25 | return Math.round(timestampInMs / 1000d);
26 | }
27 |
28 |
29 | /**
30 | * Converts specified timestamp to seconds.
31 | */
32 | public static long convertTimestamp(Date timestamp) {
33 | return Math.round(timestamp.getTime() / 1000d);
34 | }
35 |
36 | }
37 |
--------------------------------------------------------------------------------
/test-data/2009-11-29-scan-report-nl.log:
--------------------------------------------------------------------------------
1 | "Date","Time","C&C","C&C Port","C&C ASN","C&C Geo","Channel","TGT","TGT ASN","TGT Geo","Command"
2 | "2009-11-29","08:16:45","202.111.158.169",93,4837,"CN","#db#","88.159.0.0",39309,"NL","88.159.0.0"
3 | "2009-11-29","08:55:47","202.111.158.169",93,4837,"CN","#db#","89.251.0.0","","NL","89.251.0.0"
4 | "2009-11-29","08:55:48","202.111.158.169",93,4837,"CN","#db#","89.146.0.0",28685,"NL","89.146.0.0"
5 | "2009-11-29","08:55:54","202.111.158.169",93,4837,"CN","#db#","89.99.0.0",6830,"NL","89.99.0.0"
6 |
7 | "2008-07-13","19:52:00","208.98.63.145",1863,30058,"US","#.wanous.#","213.46.x.x",6830,"NL","!advscan"
8 | "2008-07-13","19:52:00","208.98.63.145",1863,30058,"US","#.wanous.#","213.46.x.x",6830,"NL","213.46.x.x"
9 | "2008-07-13","19:52:00","208.98.63.145",1863,30058,"US","#.wanous.#","213.46.x.x",6830,"NL","213.46.x.x"
10 | "2008-07-13","20:13:57","208.98.63.145",1863,30058,"US","#.wanous.#","62.234.x.x",5390,"NL","!advscan"
11 | "2008-07-13","20:13:58","208.98.63.145",1863,30058,"US","#.wanous.#","62.234.x.x",5390,"NL","62.234.x.x"
12 | "2008-07-13","20:13:58","208.98.63.145",1863,30058,"US","#.wanous.#","62.234.x.x",5390,"NL","62.234.x.x"
13 |
14 | "2010-01-27","20:59:00","208.98.63.145",1864,"","","#.wanous.#","192.121.x.x","","","192.121.x.x"
15 |
--------------------------------------------------------------------------------
/test-data/2010-01-17-proxy-report-se.log:
--------------------------------------------------------------------------------
1 | "Date","PXY","PXY ASN","PXY Geo","PXY Port","PXY DNS","RBL","Type","Count","Test","Password","C&C","C&C Port","C&C ASN","C&C Geo","C&C DNS"
2 | "2010-01-17 17:26:00","85.230.254.68",2119,"SE",11825,"c-44fee655.18-6-64736c10.cust.bredbandsbolaget.se","","SOCKS5",1,"Proactive Open Proxy Monitor","","0.0.0.0",0,"","",""
3 | "2010-01-17 20:14:00","85.230.161.20",2119,"SE",59870,"c-14a1e655.147-500-64736c11.cust.bredbandsbolaget.se","","SOCKS4",1,"Proactive Open Proxy Monitor","","0.0.0.0",0,"","",""
4 | "2010-01-17 20:14:00","85.230.161.20",2119,"SE",59870,"c-14a1e655.147-500-64736c11.cust.bredbandsbolaget.se","","SOCKS4",1,"Proactive Open Proxy Monitor","","83.251.101.254",80,39651,"SE",""
5 |
--------------------------------------------------------------------------------
/test-data/2014-04-02-netbios-report-se.log:
--------------------------------------------------------------------------------
1 | "timestamp","ip","protocol","port","hostname","tag","mac_address","asn","geo","region","city","workgroup","machine_name","username"
2 | "2014-04-02 00:13:29","80.85.127.36","udp",137,,"netbios","00-0C-29-31-A1-E8",1257,"SE","VASTRA GOTALAND","NOSSEBRO","WORKGROUP","ELVIRAWEB",
3 | "2014-04-02 00:13:34","85.24.219.62","udp",137,,"netbios","00-00-00-00-00-00",8473,"SE","STOCKHOLMS LAN","STOCKHOLM","WORKGROUP","DS212J","DS212J"
4 | "2014-04-02 00:13:34","37.199.74.227","udp",137,"m37-199-74-227.cust.tele2.se","netbios","00-A0-C6-00-00-00",1257,"SE","STOCKHOLMS LAN","KISTA",,,
5 | "2014-04-02 00:13:34","130.239.72.59","udp",137,"sivlc.fysbot.umu.se","netbios","00-00-00-00-00-00",2833,"SE","VASTERBOTTENS LAN","UMEA",,"SIVLC",
6 | "2014-04-02 00:13:34","109.225.118.246","udp",137,"h109-225-118-246.dynamic.se.alltele.net","netbios","74-D0-2B-9C-B1-4D",44581,"SE","OSTERGOTLANDS LAN","LINKOPING","WORKGROUP","JKP2",
7 | "2014-04-02 00:13:35","194.47.25.105","udp",137,,"netbios","84-2B-2B-43-E2-B7",1653,"SE","SKANE LAN","KRISTIANSTAD","HKR","AGRESSOSQL",
8 | "2014-04-02 00:13:36","89.221.247.10","udp",137,,"netbios","00-16-3E-DB-04-A9",3301,"SE","SKANE LAN","HELSINGBORG","WORKGROUP","U8621285-01",
9 | "2014-04-02 00:13:36","46.246.123.2","udp",137,,"netbios",,42708,"SE","STOCKHOLMS LAN","STOCKHOLM",,,
10 | "2014-04-02 00:13:38","217.72.57.65","udp",922,,"netbios","00-00-00-00-00-00",15782,"SE","STOCKHOLMS LAN","STOCKHOLM","WORKGROUP","OSTRANDSTC",
11 |
12 | "2014-04-13 00:42:10","88.131.192.250","udp",137,"tla-ups1.stg.se.ip.tdc.net","netbios",00,3292,"SE","STOCKHOLMS LAN","SOLLENTUNA",,,
13 | "2014-04-13 01:03:53","62.20.1.4","udp",137,,"netbios",00,3301,"SE","SKANE LAN","MALMOE",,,
14 |
--------------------------------------------------------------------------------
/test-data/2014-04-02-snmp-report-se.log:
--------------------------------------------------------------------------------
1 | "timestamp","ip","protocol","port","hostname","sysdesc","sysname","asn","geo","region","city","version"
2 | "2014-04-02 04:13:59","84.243.52.117","udp",161,"tmnet.se","Cisco Internetwork Operating System Software IOS (tm) C3550 Software (C3550-I9Q3L2-M) Version 12.1(20)EA1a RELEASE SOFTWARE (fc1)Copyright (c) 1986-2004 by cisco Systems Inc.Compiled Mon 19-Apr-04 21:42 by yenanh",,31677,"SE","STOCKHOLMS LAN","STOCKHOLM",2
3 | "2014-04-02 04:14:00","62.101.35.236","udp",161,"lid-sheab.lidero.net","ExtremeXOS version 12.0.3.16 v1203b16 by release-manager on Tue Apr 8 01:08:39 PDT 2008","router1",13189,"SE","UPPSALA LAN","ENKOPING",2
4 | "2014-04-02 04:14:01","193.12.37.34","udp",161,"s193-12-37-34.cust.tele2.se","NDS CORE SNMP Agent","NDS_ Ltd..",1257,"SE","STOCKHOLMS LAN","KISTA",2
5 | "2014-04-02 04:14:01","213.67.82.8","udp",161,,"DSL-320B","tc",3301,"SE","STOCKHOLMS LAN","STOCKHOLM",2
6 | "2014-04-02 04:14:02","213.64.16.172","udp",161,,"DSL-320B","tc",3301,"SE","STOCKHOLMS LAN","STOCKHOLM",2
7 | "2014-04-02 04:14:03","82.115.151.18","udp",161,,,,30795,"SE","GOTLANDS LAN","VISBY",2
8 |
9 | "2014-04-13 04:19:34","217.142.154.62","udp",161,,"3Com Switch 4210 9-Port Software Version 3.10 Release 2212",4210,16253,"SE","UPPSALA LAN","UPPSALA",2
10 | "2014-04-13 04:33:12","62.63.240.170","udp",161,"s240h170o3tcn2.dyn.tyfon.se","Apple AirPort - Apple Inc. 2006-2012. All rights Reserved.",55123,21250,"SE","STOCKHOLMS LAN","SOEDERTAELJE",2
11 | "2014-04-13 04:58:30","212.105.84.79","udp",161,"212-105-84-79.ki.telenor.se","Videoconferencing Device",1,2119,"SE","STOCKHOLMS LAN","STOCKHOLM",2
12 | "2014-04-13 05:27:15","217.142.128.83","udp",161,,"3Com Switch 4210 9-Port Software Version 3.10 Release 2212",4210,16253,"SE","UPPSALA LAN","UPPSALA",2
13 |
--------------------------------------------------------------------------------
/test-data/abuse.rfc-ignorant.org.log:
--------------------------------------------------------------------------------
1 | $SOA 3600 ns0.rfc-ignorant.org admin.rfc-ignorant.org 2009032402 1800 900 1209600 3600
2 | $NS 3600 rbldnsd.a.rbl-auth.sr.sonic.net rbldnsd.b.rbl-auth.sr.sonic.net ns4.tamu.edu ns5.tamu.edu rfci.bl.xs4all.nl rbldns.cns.mcbone.net
3 | :127.0.0.4:Not supporting abuse@domain
4 | 0-cash.com
5 | *.0-cash.com
6 | 0.cz
7 | *.0.cz
8 | 00-44.com
9 | *.00-44.com
10 | 000domains.com
11 | *.000domains.com
12 | 000watch.com
13 | *.000watch.com
14 | 001.me.uk
15 | *.001.me.uk
16 | 001isp.com
17 | *.001isp.com
18 | 007-ride.com
19 | *.007-ride.com
20 | 007.sh
21 | *.007.sh
22 | 00753.com
23 | *.00753.com
24 | 007mundo.com
25 | *.007mundo.com
26 |
--------------------------------------------------------------------------------
/test-data/brobot.log:
--------------------------------------------------------------------------------
1 | 3301,SE,78.69.165.236,http://78.69.165.236/martine/article5.class.php
2 | 3301,SE,78.69.165.236,http://wolfisland.se/exemples/objectmodel.1.php
3 | 8473,SE,85.24.157.123,http://ritab.se//tmp/imge.php
4 | 8473,SE,85.24.157.123,http://ritab.se/tmp/imge.php
5 | 21503,SE,94.136.79.42,http://www.xn--fritidsmssan-ncb.se/appointmentcinema/index.inc.php
6 | 35041,SE,83.168.226.152,http://www.citykyrkan.nu/administrator/index3.class.php
7 | 35041,SE,83.168.226.152,http://www.citykyrkan.nu/administrator/index3.inc.php
8 | 1836,CH,82.195.224.135,http://www.bcfenerbahce.ch/plugins/system/dvmessages/dvmessages.php
9 | 1955,HU,193.6.130.46,http://italdeb.unideb.hu/administrator/templates/bluestork/confgic.php
10 | 39570,SE,194.9.95.197,http://www.protosell.se/plugins/system/dvmessages/dvmessages.php
11 | 41175,SE,178.21.72.177,http://www.realgroup.se/administrator/index.inc.php
12 | 41175,SE,178.21.72.177,http://www.realgroup.se/components/Address10.inc.php
13 | 41528,SE,195.74.38.120,http://hurricanevasteras.se/administrator/index2.inc.php
14 | 4589,ES,213.139.8.104,http://www.cervoles.com/_notes/define.inc.php
15 | 5089,GB,86.9.41.73,http://mail.ctechn.com/components/article5.class.php
16 | 41528,SE,195.74.38.17,http://tshirtdesigns.se/cgi-bin/define.inc.php
17 | 41528,SE,195.74.38.17,http://tshirtdesigns.se/cgi-bin/news2.class.1.php
18 | 41528,SE,195.74.38.17,http://xn--hlsotrappan-l8a.se/plugins/system/dvmessages/dvmessages.php
19 | 41528,SE,195.74.38.69,http://www.nss.nu/adress/process.bak.php
20 | 51949,NU,193.93.174.247,http://ilovemybusiness.nl/wp-includes/js/plupload/LICENCE.php
21 |
22 | 51949,NU,193.93.174.247,https://ilovemybusiness.nl/wp-includes/js/plupload/LICENCE.php
23 | 51949,NU,193.93.174.247,HTTP://ilovemybusiness.nl/wp-includes/js/plupload/LICENCE.php
24 | 51949,NU,193.93.174.247,HTTPS://ilovemybusiness.nl/wp-includes/js/plupload/LICENCE.php
25 |
--------------------------------------------------------------------------------
/test-data/brobot2.log:
--------------------------------------------------------------------------------
1 | First line is a comment
2 | 83.223.8.110,42318,SE,FASTBIT-AS Fastbit AB,adventurelovers.se,http://adventurelovers.se/tmp/modo.php,
3 | 87.237.215.205,3301,SE,TELIANET-SWEDEN TeliaSonera AB,alfafonster.se,http://alfafonster.se//images/stories/kabe.php,
4 | 195.74.38.17,41528,SE,ALEBORG-AS Binero AB,www.amningsnytt.se,http://www.amningsnytt.se/joomla2//images/stories/semi.php,
5 | 193.14.177.105,1257,SE,TELE2,www.wackfelts.com,http://www.wackfelts.com/tmp/settinq.php,
6 |
--------------------------------------------------------------------------------
/test-data/certa-rfi-hosts.log:
--------------------------------------------------------------------------------
1 | 130.244.197.28;Sweden;AS1257;TELE2;home.tele2.at;http://home.tele2.at/wmaster/2.txt
2 | 195.35.82.155;Sweden;AS8434;Telenor Sweden;ebook-store.se;http://ebook-store.se/Web/id1.txt
3 | 195.35.82.155;Sweden;AS8434;Telenor Sweden;zclub.nu;http://zclub.nu//nuke/albums/id1.txt
4 | 195.84.182.98;Sweden;AS3292;TDC Data Networks;www.inflightservice.se;http://www.inflightservice.se/images/left.jpg
5 | 212.78.206.150;Sweden;AS12832;Lycos Europe GmbH;www.nimoa.org;http://www.nimoa.org/pics/whitepinguin
6 | 213.115.231.24;Sweden;AS2119;T.net;www.arvikajsk.net;http://www.arvikajsk.net/rfi.txt
7 | 80.83.90.50;Sweden;AS16245;NetGroup DataCenter A/S - ngdc.net;www.sydmaskiner.se;http://www.sydmaskiner.se/od.txt
8 | 87.96.215.9;Sweden;AS12552;IP-Only;www.earnest.se;http://www.earnest.se/components/com_extcalendar/ec.txt
9 | 91.191.133.8;Sweden;AS21202;DCS.net;hallandistockholm.org;http://hallandistockholm.org//include/inc_ext/spaw/dialogs/main.txt
10 |
--------------------------------------------------------------------------------
/test-data/chaley-ssh-dict.log:
--------------------------------------------------------------------------------
1 | # IP addresses launching SSH dictionary attacks. As of Thu, 27 Oct 2011 07:31:04 +0100
2 | ALL : 1.85.2.246
3 | ALL : 1.226.82.81
4 | ALL : 1.226.83.188
5 | ALL : 4.78.144.6
6 | ALL : 8.2.208.2
7 | ALL : 8.3.52.54
8 | ALL : 12.0.42.58
9 | ALL : 12.2.202.132
10 | ALL : 222.249.138.252
11 | ALL : 222.249.240.20
12 | ALL : 222.251.133.8
13 | ALL : 222.252.28.112
14 | ALL : 222.255.8.126
15 | ALL : 222.255.13.9
16 | ALL : 222.255.15.123
17 | ALL : 222.255.236.12
18 | ALL : 223.4.12.15
19 | ALL : 223.27.145.71
20 | ALL : 223.203.192.37
21 | ALL : 83.241.222.192
22 | ALL : 192.36.171.154
23 | ALL : 192.71.238.76
24 | ALL : 194.198.255.0
25 |
--------------------------------------------------------------------------------
/test-data/compromised-accounts.log:
--------------------------------------------------------------------------------
1 | # List of compromised email addresses
2 | foo@example.com
3 | bar@sunet.se
4 | foo@mp.se
5 | bar@mp.se
6 | foo@centern.se
7 | foo@192.71.238.76
8 |
9 | foo@geo.uu.se
10 | foo@geo.uu.se
11 | bar@student.uu.se
12 | bar@student.uu.se
13 |
14 | # included
15 | foo@i.nu
16 | foo@nu
17 | foo@.nu
18 | hubba@www.visitsweden.se
19 | hubba@www.visitsweden.com
20 | hubba@binero.com
21 | hubba@google.se
22 | hubba@yahoo.se
23 | bubba@yahoo.se
24 | foobar@yahoo.se
25 |
26 | # excluded
27 | foo@n
28 | foo@n.n
29 | foo@bar.info
30 | foo@bar.pro
31 | foo@
32 | foo
33 | foo@hotmail.com
34 | foo@asaasasasasx.com
35 | hubba@google.com
36 | foo@8.8.8.8
37 |
--------------------------------------------------------------------------------
/test-data/dnschanger-isp.log:
--------------------------------------------------------------------------------
1 | FROM_UNIXTIME(log_entry.log_timestamp)|INET_NTOA(ip_address)|hostname|port|INET_NTOA(ip_address2)|name
2 | 2012-04-02 16:01:42|148.160.131.69|host131-69.bornet.net|50469|85.255.115.45|Borås elnät
3 | 2012-03-26 02:17:20|83.248.199.240|c83-248-199-240.bredband.comhem.se|63564|85.255.114.94|comhem
4 | 2012-03-26 03:41:15|80.217.153.189|c80-217-153-189.bredband.comhem.se|2052|213.109.73.71|comhem
5 | 2012-03-26 04:08:41|83.254.3.100|c83-254-3-100.bredband.comhem.se|59448|93.188.162.83|comhem
6 | 2012-03-26 06:42:44|83.248.162.209|c83-248-162-209.bredband.comhem.se|58198|85.255.114.83|comhem
7 | 2012-03-26 07:17:03|80.216.238.166|c80-216-238-166.bredband.comhem.se|59977|85.255.114.108|comhem
8 | 2012-03-26 07:39:13|83.254.227.48|c83-254-227-48.bredband.comhem.se|1038|85.255.112.104|comhem
9 | 2012-03-26 07:49:04|80.217.171.115|c80-217-171-115.bredband.comhem.se|61395|85.255.115.116|comhem
10 | 2012-03-30 04:30:22|2.69.62.160|2.69.62.160.mobile.tre.se|56862|85.255.116.105|Tre
11 | 2012-03-30 04:42:17|109.58.72.213|109.58.72.213.bredband.tre.se|54888|85.255.113.148|Tre
12 | 2012-03-30 04:45:16|94.191.184.36|94.191.184.36.mobile.3.dk|35188|85.255.112.231|Tre
13 | 2012-03-30 05:44:06|109.58.79.149|109.58.79.149.bredband.tre.se|61964|93.188.162.88|Tre
14 | 2012-03-30 05:57:03|109.58.190.251|109.58.190.251.bredband.tre.se|54243|85.255.116.28|Tre
15 | 2012-03-30 06:35:29|79.138.250.167|79.138.250.167.bredband.3.dk|55144|85.255.113.134|Tre
16 | 2012-04-02 22:59:32|109.225.127.237||1024|213.109.73.6|AllTele (Allmänna Svenska Telefonaktiebolaget)
17 | 2012-04-02 06:16:42|148.160.20.62||3410|213.109.67.28|Borås elnät
18 | 2012-04-01 17:15:08|80.216.60.184||61179|93.188.164.72|comhem
19 |
--------------------------------------------------------------------------------
/test-data/emerging-compromised.log:
--------------------------------------------------------------------------------
1 | 1.202.183.107
2 | 1.202.249.106
3 | 1.234.2.102
4 | 1.234.22.175
5 | 1.36.5.113
6 | 106.187.48.180
7 | 108.58.115.219
8 | 108.60.197.162
9 | 109.111.72.149
10 | 109.123.217.44
11 | 109.123.74.144
12 | 109.123.78.55
13 | 109.169.63.146
14 | 109.207.1.142
15 | 109.230.233.96
16 | 109.235.216.21
17 | 109.237.39.77
18 | 109.70.68.35
19 | 109.70.69.118
20 | 109.73.10.10
21 | 109.74.6.197
22 | 109.75.160.57
23 | 109.86.25.240
24 | 110.138.178.89
25 | 110.164.183.230
26 | 110.234.96.196
27 | 110.76.38.87
28 | 110.76.46.74
29 | 111.118.171.229
30 | 111.221.3.242
31 | 111.67.193.120
32 | 111.74.59.194
33 | 111.90.43.13
34 | 111.92.236.251
35 | 111.92.237.216
36 | 112.140.185.124
37 | 112.175.23.165
38 | 112.197.190.91
39 | 112.215.11.169
40 | 112.216.140.51
41 | 112.216.191.58
42 | 112.220.124.205
43 | 112.220.65.195
44 | 112.220.98.51
45 | 112.65.165.131
46 | 112.65.245.244
47 | 112.78.199.101
48 | 113.105.128.254
49 | 113.105.131.130
50 | 112.65.245.244
51 |
--------------------------------------------------------------------------------
/test-data/epoch-test.log:
--------------------------------------------------------------------------------
1 | ##
2 | # epochInSec
3 | ##
4 |
5 | # 1263002826 --> Sat, 09 Jan 2010 02:07:06 UTC
6 | 1263002826 10.0.0.1
7 |
8 | # 1398163736 --> Tue, 22 Apr 2014 10:48:56 UTC
9 | 1398163736 10.0.0.2
10 |
11 |
12 | ##
13 | # epochInMs
14 | ##
15 |
16 | # 1263002826000 --> Sat, 09 Jan 2010 02:07:06 UTC
17 | 1263002826000 10.0.0.1
18 |
19 | # 1398163736000 --> Tue, 22 Apr 2014 10:48:56 UTC
20 | 1398163736000 10.0.0.2
21 |
22 |
23 | ##
24 | # windowsEpoch
25 | ##
26 |
27 | # 130379098763733422 --> Wed, 26 Feb 2014 17:37:56 UTC (1393436276)
28 | 130379098763733422 10.0.0.1
29 |
30 | # 130379098763889429 --> Wed, 26 Feb 2014 17:37:56 UTC (1393436276)
31 | 130379098763889429 10.0.0.2
32 |
33 | # 130379691525956712 --> Thu, 27 Feb 2014 10:05:53 UTC (1393495552)
34 | 130379691525956712 10.0.0.3
35 |
36 | # 130426376470000000 --> Tue, 22 Apr 2014 10:54:07 UTC (1398164047)
37 | 130426376470000000 10.0.0.4
38 |
39 | # 130426454790000000 --> Tue, 22 Apr 2014 13:04:39 UTC (1398171879)
40 | 130426454790000000 10.0.0.5
41 |
42 | # 130426454610000000 --> Tue, 22 Apr 2014 13:04:21 UTC (1398171861)
43 | 130426454610000000 10.0.0.6
44 |
45 | # 130426456300000000 --> Tue, 22 Apr 2014 13:07:10 UTC (1398172030)
46 | 130426456300000000 10.0.0.7
47 |
--------------------------------------------------------------------------------
/test-data/fullip.rfc-ignorant.org.log:
--------------------------------------------------------------------------------
1 | $TTL 3600
2 | ;
3 | @ IN SOA ns0.rfc-ignorant.org. hostmaster.megacity.org. ( 2009032402
4 | 30M ; refresh
5 | 15M ; retry
6 | 14D ; expire
7 | 60M ; minimum
8 | )
9 |
10 | IN NS rfci.bl.xs4all.nl.
11 |
12 | *._smtp_client IN TXT "spf=deny"
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/test-data/infiltrated-net-blacklist.log:
--------------------------------------------------------------------------------
1 | # Wed Oct 26 06:02:47 CDT 2011
2 |
3 | 99.46.177.18
4 | 99.254.168.132
5 | 99.245.29.38
6 | 99.240.245.97
7 | 99.239.100.211
8 | 99.237.18.132
9 | 99.235.112.39
10 | 99.187.228.12
11 | 99.169.101.6
12 | 99.141.151.46
13 | 99.135.231.45
14 | 99.127.65.225
15 | 99.107.179.119
16 | 8.158.109.131
17 | 98.154.148.244
18 | 98.142.221.10
19 | 98.142.215.184 AS14141
20 | 98.142.215.183 AS14141
21 | 98.142.215.181 AS14141
22 | 98.141.153.212
23 | 98.139.180.149 AS26101
24 | 98.139.135.22 AS26101
25 | 98.139.135.21 AS26101
26 | 98.137.51.254 AS36752
27 | 98.137.51.1 AS36752
28 | 98.137.49.1 AS36752
29 | 98.137.48.23 AS36752
30 | 98.137.149.56 AS36752
31 | 98.137.149.56
32 | 98.136.10.33 AS36752
33 | 98.131.212.3 AS32392
34 | 98.131.2.1 AS32392
35 | 98.129.237.51
36 | 98.129.212.228
37 | 98.129.136.206 AS33070
38 | 98.126.95.98
39 | 10.22.8.10
40 |
41 | 83.241.222.192
42 | 192.36.171.154
43 | 192.71.238.76
44 | 194.198.255.0
45 |
46 | #
47 |
--------------------------------------------------------------------------------
/test-data/megatron-whois-hostname.log:
--------------------------------------------------------------------------------
1 | # Test Comment
2 | # http://www.svt.se
3 |
4 | https://www.cert.se/om-cert-se
5 | ftp://anonymous:hubba@ftp.funet.fi/pub/README
6 | ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES
7 | http://seclists.org/bugtraq/2014/Jun/att-11/ESA-2014-032.txt
8 | www.sunet.se
9 | www.dn.se
10 | http://www.feber.se:8080/hubba.html
11 | www.svd.se/
12 | www.expressen.se/foo.html
13 | www.hd.se
14 | http://www.google.com/pub/sendmail/RELEASE_NOTES
15 | https://twitter.com
16 | hxxp://www.slashdot.org/hubba.html
17 |
18 | HXXP://WWW.FACEBOOK.COM/FOOBAR
19 |
20 | hxxp://www.wired.com/cgi-bin/logintest.cgi?8
21 | hxxp://www.binero.se/?
22 |
23 | https://192.121.218.90:8080
24 | 1.2.3.4
25 |
26 | http://folkpartiet.se/test.html
27 | sap.se
28 |
29 |
--------------------------------------------------------------------------------
/test-data/multiple-ips-per-line.log:
--------------------------------------------------------------------------------
1 | 192.168.0.1
2 | 130.242.82.146 192.121.192.22 192.121.234.65 xxxxx 192.121.234.66 xxxxxxxxxx 192.165.239.30
3 | 192.165.247.1 192.34.107.10 192.34.107.12 192.34.107.13 192.34.107.200 192.34.107.222 192.34.107.77 192.36.34.249 192.36.80.8 192.44.242.18 192.44.243.18
4 | xxxxxxxxxx xxxxxxxxxx 193.13.73.77
5 | 193.15.240.59 xxxxxxxxxx xxxxxxxxxx
6 | 193.15.240.60
7 | xxxxxxxxxx xxxxxxxxxx193.15.253.84xxxxxxxxxx xxxxxxxxxx
8 | 193.180.228.186
9 | zzzzzzzzzzzzzz
10 | zzzzzzzzzzzzzz
11 | 193.44.157.68
12 | 193.44.157.95 zzzzzzzzzzz
13 | 193.44.6.118 | 193.44.6.134 | 192.44.242.18 | 192.44.243.18
14 | 10.0.0.1
15 | 192.168.0.1
16 | 192.176.242.1
17 | 192.176.242.128
18 | 193.15.189.199
19 | 213.212.40.16
20 | zzzzzzzzz 193.44.6.50
21 | xxxxxxxxxxxxxxxxxx
22 |
--------------------------------------------------------------------------------
/test-data/multiple-ips-per-line2.log:
--------------------------------------------------------------------------------
1 | 193.44.6.118 193.44.6.134 192.44.242.18 192.44.243.18
2 |
3 | 193.44.6.119
4 | xxxxxxxxxxxxxxxxxxxxxx
5 | 193.44.6.220 193.44.6.221
6 |
--------------------------------------------------------------------------------
/test-data/open-resolver-ddos.log:
--------------------------------------------------------------------------------
1 | 44034 | 2.64.228.1 | SE
2 | 31677 | 84.243.55.1 | SE
3 | NA | 157.180.146.64 | SE
4 | 1257 | 37.197.191.64 | SE
5 | 44034 | 2.68.251.64 | SE
6 | 34244 | 92.39.46.64 | SE
7 | 3301 | 90.237.97.78 | SE
8 | 5400 | 213.15.111.79 | SE
9 | 3301 | 213.64.174.79 | SE
10 | 5400 | 195.163.175.79 | SE
11 | 1257 | 5.243.191.80 | SE
12 | 2119 | 138.14.243.80 | SE
13 | 44034 | 2.64.246.80 | SE
14 | 3301 | 195.198.251.80 | SE
15 | 44034 | 2.64.76.80 | SE
16 | 44034 | 2.68.90.80 | SE
17 | 3301 | 194.23.210.81 | SE
18 | NA | 141.147.160.82 | SE
19 | 44034 | 2.68.196.82 | SE
20 | 35041 | 83.168.200.82 | SE
21 | 39651 | 83.254.80.82 | SE
22 | NA | 194.14.223.83 | SE
23 | NA | 194.132.229.83 | SE
24 | 2119 | 46.195.14.84 | SE
25 | 5400 | 62.5.17.84 | SE
26 |
--------------------------------------------------------------------------------
/test-data/open-resolver-ddos2.log:
--------------------------------------------------------------------------------
1 | 2.64.228.1
2 | 84.243.55.1
3 | 157.180.146.64
4 | 37.197.191.64
5 | 2.68.251.64
6 | 92.39.46.64
7 | 90.237.97.78
8 | 213.15.111.79
9 | 213.64.174.79
10 | 195.163.175.79
11 | 5.243.191.80
12 | 138.14.243.80
13 | 2.64.246.80
14 | 195.198.251.80
15 | 2.64.76.80
16 | 2.68.90.80
17 | 194.23.210.81
18 | 141.147.160.82
19 | 2.68.196.82
20 | 83.168.200.82
21 | 83.254.80.82
22 | 194.14.223.83
23 | 194.132.229.83
24 | 46.195.14.84
25 | 62.5.17.84
26 |
--------------------------------------------------------------------------------
/test-data/rbl/ip-sorbs-smtp.dnsbl.sorbs.net__2009-09-24_075227.log:
--------------------------------------------------------------------------------
1 | $SOA 86400 rbldns0.sorbs.net dns.isux.com 0 7200 7200 604800 3600
2 | $NS 86400 rbldns10.sorbs.net. rbldns8.sorbs.net. rbldns3.sorbs.net. rbldns2.sorbs.net. rbldns4.sorbs.net. rbldns6.sorbs.net. rbldns5.sorbs.net.
3 | :127.0.0.5:Open SMTP Relay See: http://www.sorbs.net/lookup.shtml?$
4 | $TTL 3600
5 | 127.0.0.2/32
6 | 61.9.230.65
7 | 194.170.16.7
8 | 62.49.86.10
9 | 87.118.118.51
10 | 77.236.192.252
11 | 88.255.193.85
12 | 85.10.194.148
13 | 213.189.9.75
14 | 85.10.194.148
15 | 205.201.1.75
16 | 212.69.218.36
17 | 212.69.218.36
18 | 77.246.179.200
19 | 218.211.224.232
20 | 202.79.208.28
21 | 87.105.214.229
22 | 220.181.21.91
23 | 220.181.21.94
24 | 222.127.115.86
25 | 60.190.218.27
26 | 220.71.9.17
27 | 67.15.232.166
28 | 65.38.221.134
29 | 122.224.142.157
30 | 81.104.240.61
31 | 8.10.62.183
32 | 92.84.82.124
33 | 216.107.110.26
34 | 210.13.117.103
35 | 198.246.0.41
36 | 61.47.61.92
37 | 219.128.51.102
38 | 82.223.162.71
39 | 59.27.170.253
40 | 88.255.202.68
41 | 82.76.149.44
42 | 88.191.75.35
43 | 88.200.181.66
44 | 220.130.112.10
45 | 137.101.151.130
46 | 200.69.149.91
47 | 89.188.106.10
48 | 201.155.119.248
49 | 189.20.245.170
50 | 58.141.131.2
51 | 137.30.242.55
52 | 77.104.234.245
53 | 212.123.196.210
54 | 220.130.23.235
55 | 66.132.229.61
56 | 204.61.4.167
57 | 84.52.86.252
58 | 217.109.93.93
59 |
--------------------------------------------------------------------------------
/test-data/rbl/ip-uceprotect-dnsbl-1.uceprotect.net__2009-09-24_075747.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/test-data/rbl/ip-uceprotect-dnsbl-1.uceprotect.net__2009-09-24_075747.log
--------------------------------------------------------------------------------
/test-data/rbl/ip-uceprotect-dnsbl-2.uceprotect.net__2009-09-24_080339.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/test-data/rbl/ip-uceprotect-dnsbl-2.uceprotect.net__2009-09-24_080339.log
--------------------------------------------------------------------------------
/test-data/rbl/ip-uceprotect-dnsbl-3.uceprotect.net__2009-09-24_080611.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/test-data/rbl/ip-uceprotect-dnsbl-3.uceprotect.net__2009-09-24_080611.log
--------------------------------------------------------------------------------
/test-data/sshbl.log:
--------------------------------------------------------------------------------
1 | # sshbl.org
2 | # Mon Jan 11 14:45:03 2010 CET
3 | #
4 | # source ip date
5 | 219.148.37.154 1263250024
6 | 216.16.230.122 1263195606
7 | 216.177.133.106 1263194390
8 | 66.64.56.218 1263186291
9 | 94.93.24.66 1263178761
10 | 118.219.54.70 1263167479
11 | 202.131.97.194 1263166357
12 | 195.103.143.114 1263164479
13 | 77.245.148.196 1263143518
14 | 81.168.132.66 1263140379
15 | 61.177.119.226 1263138036
16 | 211.197.191.35 1263128466
17 | 65.23.159.124 1263128299
18 | 124.127.117.20 1263106423
19 | 58.60.106.160 1263086661
20 | 221.213.49.116 1263079243
21 | 210.51.180.212 1263078798
22 | 85.21.139.69 1263073175
23 | 201.6.123.99 1263072915
24 | 64.27.6.23 1263065068
25 | 59.37.54.76 1263061524
26 | 60.217.234.134 1263059021
27 | 92.45.45.6 1263053067
28 | 61.135.207.195 1263049189
29 | 192.121.218.4 1263044316
30 | 130.239.8.25 1263044316
31 | 80.237.152.92 1263044316
32 | 119.75.231.224 1263026543
33 | 212.224.90.55 1263005493
34 | 190.223.40.154 1263004785
35 | 119.192.234.169 1263002826
36 |
--------------------------------------------------------------------------------
/test-data/stopforumspam.log:
--------------------------------------------------------------------------------
1 | 0.0.0.0,1.11.0.84,1.112.172.52,1.113.146.6,1.113.159.221,1.144.112.80,1.145.195.71,1.148.171.101,1.148.201.60,1.148.238.41,1.148.252.170,1.148.92.74,1.152.113.115,99.98.178.221,99.98.188.85,99.98.202.103,99.99.161.40,99.99.86.2,99.99.87.11,99.99.87.116,99.99.87.216,83.241.222.192,192.36.171.154,192.71.238.76,194.198.255.0,
--------------------------------------------------------------------------------
/test-data/time-ip.log:
--------------------------------------------------------------------------------
1 | 2012-06-06 09:56:02;21.214.133.164
2 | 2012-06-06 21:12:18;65.229.63.112
3 | 2012-06-06 09:33:43;61.94.75.167
4 | 2012-06-06 22:44:34;25.224.35.60
5 | 2012-06-06 20:52:17;37.4.5.165
6 |
7 | 2012-05-22 17:26:00;220.102.246.161
8 | 2012-05-21 17:25:25;78.29.57.116
9 | 2012-05-20 16:26:00;27.51.31.212
10 | 2012-05-19 17:27:00;24.172.220.194
11 | 2012-05-11 12:21:55;27.51.31.212
12 | 2012-05-29 08:26:54;24.172.220.194
13 |
14 | 2012-05-29 08:26:54;212.181.19.0
15 | 2012-05-29 08:26:54;62.127.100.40
16 | 2012-05-29 08:26:54;192.36.25.0
17 | 2012-05-29 08:26:54;192.165.69.0
18 | 2012-05-29 08:26:54;193.181.190.0
19 | 2012-05-29 08:26:54;193.235.83.0
20 | 2012-05-29 08:26:54;194.132.96.0
21 | 2012-05-29 08:26:54;193.10.58.0
22 | 2012-05-29 08:26:54;193.182.167.0
23 | 2012-05-29 08:26:54;62.13.78.0
24 | 2012-05-29 08:26:54;213.115.124.8
25 | 2012-05-29 08:26:54;213.242.135.144
26 | 2012-05-29 08:26:54;82.136.153.64
27 |
28 | 2012-05-29 08:26:54;82.136.153.64
29 |
--------------------------------------------------------------------------------
/test-data/timestamp-plus-ip.log:
--------------------------------------------------------------------------------
1 | 2009-04-24 21:01:01 130.242.82.146
2 | 2009-04-24 21:01:01 192.121.192.22
3 | 2009-04-24 21:01:01 192.121.234.65
4 | 2009-04-24 21:01:01 192.121.234.66
5 | 2009-04-24 21:01:01 192.165.239.30
6 | 2009-04-24 21:01:01 192.165.247.1
7 | 2009-04-24 21:01:01 192.34.107.10
8 | 2009-04-24 21:01:01 192.34.107.12
9 | 2009-04-24 21:01:01 192.34.107.13
10 | 2009-04-24 21:01:01 192.34.107.200
11 | 2009-04-24 21:01:01 192.34.107.222
12 | 2009-04-24 21:01:01 192.34.107.77
13 | 2009-04-24 21:01:01 192.36.34.249
14 | 2009-04-24 21:01:01 192.36.80.8
15 | 2009-04-24 21:01:01 192.44.242.18
16 | 2009-04-24 21:01:01 192.44.243.18
17 | 2009-04-24 21:01:01 193.13.73.77
18 | 2009-04-24 21:01:01 193.15.240.59
19 | 2009-04-24 21:01:01 193.15.240.60
20 | 2009-04-24 21:01:01 193.15.253.84
21 | 2009-04-24 21:01:01 193.180.228.186
22 | 2009-04-24 21:01:01 193.44.157.68
23 | 2009-04-24 21:01:01 193.44.157.95
24 | 2009-04-24 21:01:01 193.44.6.118
25 | 2009-04-24 21:01:01 193.44.6.134
26 | 2009-04-24 21:01:01 193.44.6.50
27 | 2009-04-24 21:01:01 194.103.188.58
28 | 2009-04-24 21:01:01 194.103.189.24
29 | 2009-04-24 21:01:01 194.103.189.35
30 | 2009-04-24 21:01:01 194.103.189.42
31 | 2009-04-24 21:01:01 194.132.44.115
32 | 2009-04-24 21:01:01 194.132.44.122
33 | 2009-04-24 21:01:01 194.132.44.126
34 | 2009-04-24 21:01:01 194.132.65.195
35 | 2009-04-24 21:01:01 194.16.47.4
36 | 2009-04-24 21:01:01 194.17.12.146
37 |
--------------------------------------------------------------------------------
/test-data/vs-db.log:
--------------------------------------------------------------------------------
1 | "Fri, 22 Oct 2010 10:55:51 +0000",www.sherlock-holmes.org.uk,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/pPsGWJvN0Q4/
2 | "Wed, 20 Oct 2010 22:45:17 +0000",www.nmfilm.com,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/h7VGGsoSiZM/
3 | "Wed, 20 Oct 2010 22:38:15 +0000",www.artlantis.com,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/gxCennXPsV4/
4 | "Wed, 20 Oct 2010 22:30:39 +0000",www.armagh.gov.uk,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/4XhwdTcXu3s/
5 | "Wed, 20 Oct 2010 22:26:38 +0000",www.jewishjustice.org,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/GRLaE5gFjIo/
6 | "Wed, 20 Oct 2010 22:22:30 +0000",www.ncca.gov.ph,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/-5S6a9PH5Wo/
7 | "Wed, 20 Oct 2010 11:36:29 +0000",www.e-solution.pl,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/L2TWdlK5xxU/
8 | "Tue, 19 Oct 2010 15:21:29 +0000",www.pracowniaforma.pl,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/hM_LGeOY88o/
9 | "Tue, 19 Oct 2010 14:15:45 +0000",www.booking-hotels.biz,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/XzffGcYVgYo/
10 | "Tue, 19 Oct 2010 09:15:32 +0000",www.multiciti.com,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/mcePgfOF3-M/
11 |
12 | "Tue, 19 Oct 2010 09:15:32 +0000",www.sitic.se,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/mcePgfOF3-M/
13 | "Tue, 19 Oct 2010 09:15:32 +0000",www.kds.nu,http://feedproxy.google.com/~r/VulnerableSitesDatabase/~3/mcePgfOF3-M/
14 |
--------------------------------------------------------------------------------
/test-data/web-iis.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cert-se/megatron-java/5b9d7803f074cfec61fb7e504593f8faa0241cb7/test-data/web-iis.log
--------------------------------------------------------------------------------
/test-data/whois-cymru-timestamp-test.log:
--------------------------------------------------------------------------------
1 | Bulk mode; whois.cymru.com [2009-04-24 17:38:13 +0000]
2 | 3301 | 193.180.228.186 | 193.180.228.0/24 | SE | ripencc | 1993-09-01 | 2009-01-01 12:00:01 CET | TELIANET-SWEDEN TeliaNet Sweden
3 | 3301 | 193.44.157.68 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:02 CEST | TELIANET-SWEDEN TeliaNet Sweden
4 | 3301 | 193.44.157.95 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-01-01 12:00:03 GMT+01:00 | TELIANET-SWEDEN TeliaNet Sweden
5 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:04 GMT+02:00 | TELIANET-SWEDEN TeliaNet Sweden
6 | 3301 | 193.180.228.186 | 193.180.228.0/24 | SE | ripencc | 1993-09-01 | 2009-01-01 12:00:05 GMT | TELIANET-SWEDEN TeliaNet Sweden
7 | 3301 | 193.44.157.68 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:06 BST | TELIANET-SWEDEN TeliaNet Sweden
8 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:07 GMT-01:00 | TELIANET-SWEDEN TeliaNet Sweden
9 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:08 GMT+01:30 | TELIANET-SWEDEN TeliaNet Sweden
10 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:09 EST | TELIANET-SWEDEN TeliaNet Sweden
11 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:10 PST | TELIANET-SWEDEN TeliaNet Sweden
12 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-06-01 12:00:11 PDT | TELIANET-SWEDEN TeliaNet Sweden
13 |
--------------------------------------------------------------------------------
/test-data/whois-cymru-verbose-with-timestamps.log:
--------------------------------------------------------------------------------
1 | Bulk mode; whois.cymru.com [2009-04-24 17:38:13 +0000]
2 | 3301 | 193.180.228.186 | 193.180.228.0/24 | SE | ripencc | 1993-09-01 | 2009-04-24 13:23:01 GMT | TELIANET-SWEDEN TeliaNet Sweden
3 | 3301 | 193.44.157.68 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-04-24 21:23:59 GMT | TELIANET-SWEDEN TeliaNet Sweden
4 | 3301 | 193.44.157.95 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-04-24 07:24:01 GMT | TELIANET-SWEDEN TeliaNet Sweden
5 | 3301 | 193.44.6.50 | 193.44.0.0/15 | SE | ripencc | 1993-09-01 | 2009-04-25 14:24:01 GMT | TELIANET-SWEDEN TeliaNet Sweden
6 |
--------------------------------------------------------------------------------