# CONFIG SECTION
################

# NOTE: Below are default values. You can either change these or 
# create an $HOME/.incident.pl.cfg or ./incident.pl.cfg (in the current directory)
# All of the values below will be overridden by a configuration file.
# See incident.pl.cfg.sample that came with this script.

# For email contacts, always include these users of the suspect domain
@admin_emails = ( "root", "postmaster", "webmaster", "abuse", "security", "noc");

# EMAIL information
$MYDOMAIN = "ZDLMYDOMAIN";
$FROM_ADDR = 'ZDLEMAIL';
$SMTP_SERVER = "ZDLSMTP";
$ALWAYS_CC = 'ZDLCC';

# Your timezone information, which is by default included in the message body
# Leave undefined and your GMT offset should be determined automatically.
# $TIMEZONE_STR = "Eastern US time - GMT -0400";

# Rwhois server for name lookups
$RWHOIS_SERVER = 'root.rwhois.net';

# Rwhois server for IP lookups
$RWHOIS_ARIN_SERVER = 'rwhois.arin.net';

# Whois server for IP lookups
$WHOIS_ARIN_SERVER = 'whois.arin.net';

# Abuse.net lookups
# Set this to 1 to perform domain lookups at whois.abuse.net
$ABUSE_NET_LOOKUP = 1;
$WHOIS_ABUSE_NET_SERVER = 'whois.abuse.net';

# Setting this to 1 will make abuse.net reported contacts take priority
# over ones retrieved through other means. This may reduce complaints to
# the wrong admins.
$ABUSE_NET_PRI = 1;

# Rwhois port number
$RWHOIS_PORT = 4321;

# Number of seconds to wait for whois results
$WHOIS_TIMEOUT = 60;

# Number of times to try whois if it fails
$WHOIS_NUM_TRIES = 3;

# Number of seconds to wait between whois retries
# Do not make this too low because too many fast queries can get you banned
$WHOIS_RETRY_INTERVAL = 10;

# Number of seconds to wait for rwhois results
$RWHOIS_TIMEOUT = $WHOIS_TIMEOUT;

# Number of times to try rwhois if it fails
$RWHOIS_NUM_TRIES = $WHOIS_NUM_TRIES;

# Number of seconds to wait between rwhois retries
# Do not make this too low because too many fast queries can get you banned
$RWHOIS_RETRY_INTERVAL = $WHOIS_RETRY_INTERVAL;

# Format of how your whois command is called
# Default format is for Linux fwhois
# For Solaris, you may need to change this to 'whois -h SERVER QUERY'
$WHOIS_FORMAT = 'whois QUERY@SERVER';

# TCP services to check for on suspect host
@tcp_ports = ( );

# TCP timeout (for telnet)
$TCP_TIMEOUT = 5;

# Override initial string timeouts for these ports
# Basically we want to wait longer for initial string data on these ports
# if there is connection to the port within $TCP_TIMEOUT
%tcp_override_timeouts = (
	"21" => "30",
	"22" => "30",
	"23" => "30",
	"25" => "30"
);

# Reporting directory
# If not defined, will use current directory
# $REP_DIR = "/home/valankar/incident/incidents";

# Report file (in subdir of $REP_DIR)
$REP_FILE = "orig_email.txt";

# Will store email addresses of who was sent $REP_FILE (in subdir of $REP_DIR)
$SENT_TO_FILE = "orig_email_sent_to.txt";

# Where to store email followups (in subdir of $REP_DIR)
$FOLLOWUP_FILE = "email_followup.txt";

# tmp file
$TMP_FILE = "/tmp/incident.out.$$";

# Signature to append to message
# If not defined, no signature
# $SIGNATURE = "/home/valankar/.sig";

# Favorite editor
$EDITOR = "vi";

# If you change the subject format below, keep DOMAIN_INS and INCNUM_INS in the subject
# or followup processing will not work
$attack_email_subject = "Possible attack from your system - DOMAIN_INS - Incident #: INCNUM_INS";

# The actual message that will be sent to the administrators
$attack_email = <<EOF;

System Administrators, 

        We noticed what is most likely an attempted attack on our  
computers which has been logged from the address:

FQDN_INS
IP_INS

        We ask that you please look into this matter as soon as
possible.  Attached below is our logs which show evidence of the attack.
The date and times of the requests are listed below.  Please let us know 
how we can be of further assistance tracking this down. We consider this 
a very serious threat to our company systems. Thank you for your 
cooperation in this matter.

Note that all hostnames listed below that are not fully qualified are in
the $MYDOMAIN domain, and all times are TIMEZONE_INS.

Please keep the Subject of this message intact on all correspondence.

SIG_INS
Date of this report: DATE_INS
DESC_INS
EOF

# If an attacker appears to be resolved to one of these domains, we should
# ignore this domain entry. They are registrars, and they will complain
# that they are not authority for security incidents.
# Note: These are ADDED to @stock_bogus_domains
@bogus_domains = ();

# Set this to 1 to ignore IPs that syslog messages have come FROM
$IGNORE_SYSLOG_IPS = 1;

# All IPs within a line are now examined. To revert back to old behavior
# that examined only the leftmost IP, set this to 1.
$OLD_SUSPECT_LOOKUP = 1;

# END CONFIG SECTION
####################

# Do not remove the 1; below
1;