# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Log format plug-in definition for Microsoft IIS FTP Server logs.
# It declares how the format is auto-detected, how the FTP operation and the
# username are derived from each line, which entries are kept, and which
# database fields and report groups a new profile gets.
iisftp = {

  plugin_version = "1.0.3"
  info.1.manufacturer = "Microsoft"
  info.1.device = "IIS FTP Server"
  info.1.version = "6"

  # The name of the log format
  log.format.format_label = "IIS FTP Server Log Format"
  log.miscellaneous.log_data_type = "ftp"
  log.miscellaneous.log_format_type = "ftp_server"

  # The log is in this format if any of the first ten lines match this regular expression
  # 2008-02-27 - GMF - improved performance of autodetect by quickly checking for 'MSFTPSVC' before running expensive regexp.
  #                    Previously, autodetecting a 1MB line took more than 1 minute for this plug-in; it now takes almost no time.
  # 2009-02-12 - GMF - Added tracking of username field
  # 2009-03-13 - GMF - 1.0.2 - Fixed bug with v.username not being defined
  # 2009-07-10 - GMF - 1.0.3 - added support for autodetection of lines without MSFTPSVC
  #
  # The expression has two alternatives:
  #   1. a cheap substring test for MSFTPSVC, followed by a regular expression
  #      requiring an hh:mm:ss time earlier on the same line;
  #   2. an anchored pattern for lines without MSFTPSVC: time, dotted-quad
  #      address, one non-space token, dotted-quad address, then a bracketed
  #      number immediately followed by USER, PASS, sent or CWD.
  log.format.autodetect_expression = `
    (contains(volatile.log_data_line, 'MSFTPSVC') and matches_regular_expression(volatile.log_data_line, "[0-9][0-9]:[0-9][0-9]:[0-9][0-9].*MSFTPSVC")) or
    # Support files that don't have MSFTPSVC in them by looking for a close match; this might need to be loosened to look for the unusual [NNN]USER bit instead.
    # 00:28:08 12.34.56.78 jane.doe 98.76.54.32 [188]USER jane.due 331 0 0 0 0 -
    (matches_regular_expression(volatile.log_data_line, '^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [^ ]+ [0-9]+[.][0-9]+[.][0-9]+[.][0-9]+ [[][0-9]+[]](USER|PASS|sent|CWD)'))
  `

  # The format of dates and times in this log
  log.format.date_format = "yyyy-mm-dd"
  log.format.time_format = "hh:mm:ss"

  # Extra log field added by this plug-in; it is filled in by the parsing filter below.
  log.fields = {
    username = ""
  } # log.fields

  # v.username holds the argument of the most recent USER command. It is set to
  # the empty string here so the parsing filter can read it before any USER
  # line has been seen (the 1.0.2 fix noted in the history above).
  log.filter_initialization = `v.username = ""`

  # Parsing filter. It does three things:
  #   - strips the leading bracketed section from cs_method, so that the
  #     [188]USER of the sample line above becomes USER;
  #   - on a USER command, stores cs_uri_stem (the command argument) in v.username;
  #   - copies v.username into the username field of the current entry. As
  #     formatted here the assignment follows the if statement rather than
  #     sitting inside it, so it is applied to every entry.
  #     NOTE(review): the source does not show the original line breaks - confirm.
  #
  # Caveats for anyone using the username field for attribution or investigation:
  #   - NOTE(review): v.username is a single value, not keyed by the bracketed
  #     number or by c_ip. If lines from concurrent FTP sessions interleave in
  #     the log, an entry may be stamped with the name from another session's
  #     USER command - confirm against raw logs before relying on it.
  #   - A USER line is written before the password has been checked (the sample
  #     line carries reply code 331, password required), so the value is the
  #     name the client claimed, not proof of a successful login.
  #   - Whatever was sent as the USER argument is stored as-is, including a
  #     password typed at the wrong prompt; treat the resulting database and
  #     reports with the same sensitivity as the raw logs.
  log.parsing_filters.parse = `
    # Remove leading bracketed section from operation
    if (matches_regular_expression(cs_method, '^\\\\[.*\\\\](.*)$')) then
      cs_method = $1;
    if (cs_method eq "USER") then
      v.username = cs_uri_stem;
    username = v.username;
  `

  # Log Filters
  log.filters = {

    # Reject any entry that doesn't use a file transfer operation
    # The pattern is unanchored, so cs_method is accepted when it contains any
    # of the listed words. Everything else is rejected, which includes the
    # USER, PASS and CWD commands named in the autodetect expression.
    # NOTE(review): login attempts and non-transfer commands therefore do not
    # appear to reach the database; use the raw logs (or a profile without this
    # filter) when reviewing authentication activity - confirm filter order.
    2 = {
      label = "2"
      comment = ""
      value = "if (matches_regular_expression(cs_method, '(created|sent|RETR|STOR|GET|PUT)')) then '' else 'reject';"
      requires_fields = {
        cs_method = true
      }
    } # 2

    # Sets transfers to 1 for each entry this filter runs on.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'transfers = 1;'
    } # mark_entry

  } # log.filters

  # Session settings. The session visitor id is c_ip, so clients that share one
  # address are grouped as a single visitor.
  log.field_options = {
    sessions_page_field = "page"
    sessions_visitor_id_field = "c_ip"
    sessions_event_field = "transfer"
  } # log.field_options

  # Extra database field matching the username log field above.
  database.fields = {
    username = ""
  } # database.fields

  database.numerical_fields = {

    # Integer field set by the mark_entry filter; flagged as the entries field.
    transfers = {
      label = "$lang_stats.field_labels.transfers"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # transfers

    # Unique count over the c_ip log field.
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "c_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors

    # 64-bit integer field displayed as bandwidth.
    sc_bytes = {
      label = "$lang_stats.field_labels.sc_bytes"
      default = true
      requires_log_field = false
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }

    # 64-bit integer field displayed as bandwidth.
    cs_bytes = {
      label = "$lang_stats.field_labels.cs_bytes"
      default = true
      requires_log_field = false
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }

  } # database.numerical_fields

  create_profile_wizard_options = {

    date_time_tracking = true
    host_tracking = true

    # How the reports should be grouped in the report menu
    # NOTE(review): several names below (web_browser, referrer, search_engine,
    # cs_cookie, ...) look web-specific; presumably they have no effect for
    # fields this format does not define - confirm.
    # NOTE(review): cs_username is grouped here, but the username field added
    # by this plug-in is not listed in any group - confirm this is intended.
    report_groups = {
      date_time_group = ""
      content_group = {
        cs_uri_stem = true
        cs_uri_query = true
        file_type = true
      }
      visitor_demographics_group = {
        c_ip = true
        domain_description = true
        cs_username = true
        location = true
      }
      visitor_systems_group = {
        web_browser = true
        operating_system = true
        screen_dimensions = true
        screen_depth = true
      }
      referrer_group = {
        referrer = true
        search_engine = true
        search_phrase = true
        referrer_description = true
        search_phrase_by_search_engine = true
      }
      server_group = {
        s_sitename = true
        s_ip = true
        s_port = true
        cs_host = true
      }
      other_group = {
        cs_version = true
        worm = true
        spider = true
        cs_method = true
        sc_status = true
        cs_cookie = true
      }
    } # report_groups

  } # create_profile_wizard_options

  not_supported = {
  } # not_supported

} # iisftp