# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Sourcefire IDS connection logs exported as
# CSV. It declares how a log line is recognised (autodetect), how its columns
# map onto log fields, how the timestamp is derived, and which fields the
# profile database keeps and reports on.
sourcefile_ids = {

  plugin_version = "1.0"

  # 2007-09-14 - 1.0 - KBB - added version number and changed file name from beta_sourcefile_ids.cfg

  # The name of the log format
  log.format.format_label = "Sourcefire IDS"
  log.miscellaneous.log_data_type = "csv_generic"
  log.miscellaneous.log_format_type = "other"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The header is matched literally, so the spelling "Recieved" presumably mirrors the
  # column name the exporter writes -- do not "correct" it without checking a real log.
  # The expression is not end-anchored ($), so a header that continues with further
  # columns (indexes 11-13 below) still autodetects.
  log.format.autodetect_regular_expression = "^Initiator IP,Responder IP,Initiator Port,Responder Port,First Packet,Last Packet,Packets Sent,Packets Recieved,Protocol,Service Name"

  # The format of dates and times in this log. "auto" lets Sawmill interpret the
  # day/month/year and hh:mm:ss values assembled by the parsing filter below.
  log.format.date_format = "auto"
  log.format.time_format = "auto"

  # Use comma as the field separator
  log.format.field_separator = ","

  # Column positions are 1-based and follow the header order in the autodetect
  # expression above. `date` and `time` have no column of their own; they are
  # filled in by log.parsing_filters.parse from the First Packet value.
  log.fields = {
    date = ""
    time = ""
    initiator_ip.index = 1
    responder_ip.index = 2
    initiator_port.index = 3
    responder_port.index = 4
    first_packet.index = 5
    last_packet.index = 6
    packets_sent.index = 7
    packets_received.index = 8
    protocols.index = 9
    service_name.index = 10
    client_application_id.index = 11
    client_application_version.index = 12
    # The URL is treated as a hierarchical "page" value split on "/" and "?".
    # Its content (like client_application_id/version) is copied verbatim from
    # the log and presumably originates from observed traffic, so anything that
    # renders reports from this profile should treat it as untrusted text.
    # NOTE(review): leading_divider is quoted while left_to_right is bare;
    # presumably equivalent in this config dialect -- confirm before normalising.
    url = {
      index = 13
      type = "page"
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = "true"
    } # url
  } # log.fields

  # Derive date and time from the First Packet column, which is expected to have
  # the shape "Www Mon dd hh:mm:ss yyyy" (constructed example: "Wed Sep 14 12:34:56 2007").
  # Capture groups: $1 = month name, $2 = day, $3 = hh:mm:ss, $4 = year; the
  # leading weekday is matched but discarded. date becomes "dd/Mon/yyyy".
  # Last Packet is not used for the timestamp. Every line counts as one event.
  # NOTE(review): a line whose First Packet does not match leaves date/time
  # unset -- confirm how Sawmill treats such entries (dropped vs. undated).
  log.parsing_filters.parse = `
if (matches_regular_expression(first_packet, '^[A-Z][a-z][a-z] ([A-Za-z]+) +([0-9]+) ([0-9:]+) ([0-9]+)$')) then (
  date = $2 . '/' . $1 . '/' . $4;
  time = $3;
);
events = 1;
`

  # Non-numerical fields stored in the profile database. first_packet and
  # last_packet are parsed but deliberately not stored (commented out).
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    initiator_ip = ""
    responder_ip = ""
    initiator_port = ""
    responder_port = ""
    # first_packet = ""
    # last_packet = ""
    protocols = ""
    service_name = ""
    client_application_id = ""
    client_application_version = ""
  } # database.fields

  # Numerical (aggregated) fields. `events` is the default metric and counts
  # entries rather than reading a log field; unique_initiator_ips is a
  # distinct-count over initiator_ip.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    packets_sent = ""
    packets_received = ""
    unique_initiator_ips = {
      log_field = "initiator_ip"
      type = "unique"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # sourcefile_ids