root/mwcollectd/mwcollect2/trunk/mwcollectd.conf.dist

Revision 58, 7.2 kB (checked in by oxff, 4 years ago)

fixed some linebreak in .conf.dist
added some verbose logging (compile time disabled by default) to fetcht-tftp

1 # mwcollectd (linux) dist config
2 # 2005-05-12 Georg Wicherski
3
4 # the term default refers to what mwcollect will fall back to if the value does not exist
5 # in the config file, not to what the value is set to in the dist config
6
7 {
8         modules
9         {
10                 # the name of a config is completly up to you, however using something
11                 # related to the module is a good idea as the name may appear in the logs
12
13                 # the only value such a block must have is library, specifying the path
14                 # to the .so file; everything else is module-specific
15
16                 # to have multiple instances of a module loaded,
17                 # just specify such a block multiple times,
18                 # but remember to give each of them a different name if you don't want them
19                 # to share the same config
20
21                 log-syslog
22                 {
23                         library = "./bin/modules/log-syslog.so";
24
25                         level = "info"; # defaults to critical
26                         identity = "mwcollectd"; # defaults to mwcollectd                       
27                 }
28
29                 log-irc-1
30                 {
31                         library = "./bin/modules/log-irc.so";
32
33                         server
34                         {
35                                 host = "irc.freenode.org";      # default "127.0.0.1"
36                                 port = "6667";          # default "6667"
37                                 channel = "#mwcollect-demo";    # default "#mwcollect-demo"
38                                 key = "";       # the channel key, default ""
39                                 password = "";          # the server password, default ""
40                         }
41
42                         admin
43                         {
44                                 # "*" is only a wildcard as the single value; pattern matching
45                                 # like "fo*ba" is not supported!
46
47                                 nick = "*";     # default "*"
48                                 host = "*";     # default "*"
49                                 user = "*";     # default "*"
50                         }
51
52                         nick = "mwcollect-sensor"; # CHANGEME
53                 }
54
55                 fetch-generic
56                 {
57                         library = "./bin/modules/fetch-generic.so";
58
59                         temp-directory = "/tmp/"; # defaults to /tmp/
60                         user-agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; # defaults to mwcollect2
61                         max-filesize = "10485760"; # max filesize to be downloaded, in bytes
62                         redirects = "3"; # limit number of Location: redirects, 0 means none, def: 3
63                 }
64
65                 fetch-tftp
66                 {
67                         library = "./bin/modules/fetch-tftp.so";
68
69                         timeout = "20"; # timeout in s, defaults to 30s
70                         block-strict = "0"; # defaults to 0, whether tftp packets have to be sent in valid block order (most bots suck.)
71                         retries = "16"; # how often a packet will be retransmitted before timing out
72                 }
73                
74                 # duh, long lists of bagles :)
75
76                 vuln-bagle-1
77                 {
78                         library = "./bin/modules/vuln-bagle.so";
79
80                         port = "2745"; # port to listen on, default 2745
81
82                         signatures
83                         { # this is the hex dump of the auth string before the url, the value names do not matter
84                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
85                         }
86                 }
87
88                 vuln-bagle-2
89                 {
90                         library = "./bin/modules/vuln-bagle.so";
91
92                         port = "2556"; # port to listen on, default 2745
93
94                         signatures
95                         { # this is the hex dump of the auth string before the url, the value names do not matter
96                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
97                         }
98                 }
99
100                 vuln-bagle-3
101                 {
102                         library = "./bin/modules/vuln-bagle.so";
103
104                         port = "8866"; # port to listen on, default 2745
105
106                         signatures
107                         { # this is the hex dump of the auth string before the url, the value names do not matter
108                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
109                         }
110                 }
111                
112                 vuln-bagle-3 # NOTE: this block name is already used above; see the note on naming multiple instances
113                 {
114                         library = "./bin/modules/vuln-bagle.so";
115
116                         port = "2535"; # port to listen on, default 2745
117
118                         signatures
119                         { # this is the hex dump of the auth string before the url, the value names do not matter
120                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
121                         }
122                 }
123                
124                 vuln-bagle-4
125                 {
126                         library = "./bin/modules/vuln-bagle.so";
127
128                         port = "4751"; # port to listen on, default 2745
129
130                         signatures
131                         { # this is the hex dump of the auth string before the url, the value names do not matter
132                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
133                         }
134                 }
135                
136                 vuln-bagle-5
137                 {
138                         library = "./bin/modules/vuln-bagle.so";
139
140                         port = "6777"; # port to listen on, default 2745
141
142                         signatures
143                         { # this is the hex dump of the auth string before the url, the value names do not matter
144                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
145                         }
146                 }
147                
148                 vuln-bagle-6
149                 {
150                         library = "./bin/modules/vuln-bagle.so";
151
152                         port = "11117"; # port to listen on, default 2745
153
154                         signatures
155                         { # this is the hex dump of the auth string before the url, the value names do not matter
156                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
157                         }
158                 }
159                
160                 vuln-bagle-7
161                 {
162                         library = "./bin/modules/vuln-bagle.so";
163
164                         port = "81"; # port to listen on, default 2745
165
166                         signatures
167                         { # this is the hex dump of the auth string before the url, the value names do not matter
168                                 sign-1 = "43FFFFFF303030010A2891A12BE6602F328F60151A201A"; # thx anonymous
169                         }
170                 }
171                
172                 # end list of bagles
173
174                 vuln-rpc-dcom
175                 {
176                         library = "./bin/modules/vuln-win32rpc.so";
177
178                         port = "135"; # defaults to 135
179                 }
180
181                 vuln-rpc-lsass
182                 {
183                         library = "./bin/modules/vuln-win32rpc.so";
184
185                         port = "445"; # defaults to 135
186                 }
187                
188                 vuln-rpc-defbind # windows binds some rpc stuff to 1025 as the first free default port..
189                 {
190                         library = "./bin/modules/vuln-win32rpc.so";
191
192                         port = "1025"; # defaults to 135
193                 }               
194
195                 vuln-wins
196                 {
197                         library = "./bin/modules/vuln-wins.so";
198
199                         port = "42"; # defaults to 42
200                 }
201
202                 submit-file
203                 {
204                         library = "./bin/modules/submit-file.so";
205
206                         destination = "/var/mwcollect/"; # defaults to /var/mwcollect CHANGEME
207                         chown = "nobody:nobody"; # defaults to not performing any chown CHANGEME
208                 }
209
210
211                 # experimental mysql module provided by anonymous 3rd party
212                 # BLOCKING!
213                 # build with `make submit-mysql`
214 #               submit-mysql
215 #               {
216 #                       library = "./bin/modules/submit-mysql.so";
217 #
218 #                       host = "localhost"; # which mysql server to connect to, defaults to localhost
219 #                       user = "mwcollect"; # username for mysql, defaults to mwcollect
220 #                       password = "mwcollect"; # password for mysql, defaults to mwcollect
221 #                       db = "mwcollect"; # database to put data into, defaults to mwcollect
222 #                       port = "3306"; # port to connect to, defaults to 0
223 #               }
224
225                 generic-bot-shellcode-parser
226                 {
227                         library= "./bin/modules/scparse-genbot.so";
228                 }
229         };
230         # you can put a semicolon after a block if you like to
231         # you can also spam your file with them:
232         ;;;
233         # however you _must_ put it after a value assignment
234
235         # shell emulation configuration (wow)
236         shell-emulation
237         {
238                 tftp # win32 tftp.exe
239                 {
240                         enable = "1"; # defaults to off but is nearly a must for all bot shellcodes
241                 }
242
243                 enable-connectback = "1"; # defaults to off but is needed by most lsass bots
244                 enable-listenshell = "1"; # defaults to off but is needed by most lsass bots; can interfere with a firewall
245         }
246
247
248         fetch-multi-dispatch = "0"; # bool whether to dispatch one fetch request to all matching protocol handlers, default off!
249         fetch-local = "0"; # bool whether to fetch `local' files (e.g. files within a 192.168.0.0/16 range), default: 0
250         filter-unique-interval = "300"; # filter urls to be unique within the last n seconds, set to 0 to disable -- if a url is not unique, the file will be discarded, default 300 (5 minutes)
251
252         bind-address = "0.0.0.0"; # address to bind server sockets to, default "0.0.0.0" (binds to all)
253         backlog = "16"; # backlog for server sockets, defaults to 16
254         data-timeout = "30"; # incoming data timeout in seconds after which connections are forcefully closed (defaults to 300, 0 does NOT disable the feature)
255         max-filedescriptors = "0"; # if you are running this as root, you can increase the maximum number of file descriptors for this process here. this defaults to 0.
256 }