forked from packetinspector/AlienVault-Other
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnewhost.cfg
36 lines (31 loc) · 1 KB
/
newhost.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
[DEFAULT]
#This is the anomalies plugin ID. Might not be great idea to use this...
plugin_id=5004
[config]
type=detector
enable=yes
#You need to make a user
#GRANT SELECT ON alienvault.host, to hostchecker@'127.0.0.1' IDENTIFIED BY 'some HSP';
#GRANT SELECT ON alienvault.host_ip, to hostchecker@'127.0.0.1' IDENTIFIED BY 'some HSP';
source=database
source_type=mysql
source_ip=127.0.0.1
user=hostchecker
password=some HSP
db=alienvault
#Appears to be in seconds, but doubled when executed on the second attempt
sleep=60
process=
start=no
stop=no
[start_query]
#This seems to be required. Pick first poll time and we'll use that in the next query
query="select unix_timestamp() as id;"
[query]
#host db appears in GMT, this could change so be aware...
query="select unix_timestamp() as id,hostname as host,inet6_ntoa(i.ip) as ip from host h,host_ip i where h.id = i.host_id AND h.created > convert_tz(from_unixtime($1 - 120),@@session.time_zone,'+00:00');"
plugin_sid=99
src_ip={$2}
userdata1={$1}
#also required
ref=0