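# Alert-correlation engine configuration.
# Format: Java .properties / flat INI style — one `key = value` per line,
# `#` full-line comments only, no [section] headers (the "section N" lines
# below are comments, not real sections). The first `=` on a line is the
# delimiter; later `=` or `;` characters belong to the value.
# NOTE(review): the program that loads this file is not named here, so its
# quoting/escape handling could not be confirmed — values are kept verbatim.
#
# As shown upstream the whole file had been collapsed onto a single line
# starting with `#`, which a properties/INI reader would treat as one
# comment and yield no keys at all; the content is restored one key per line.

# section 1: database connection
# JDBC driver class and connection URL for the alert store.
# The URL names a host, port and database but carries no credentials;
# presumably the user/password are supplied elsewhere — TODO confirm, and keep
# it that way rather than adding secrets to this file.
dbDriver = com.microsoft.jdbc.sqlserver.SQLServerDriver
dbURL = jdbc:microsoft:sqlserver://balisong:1433;DatabaseName=dmz_whole_d1;SelectMethod=cursor
# Alternative MySQL driver/URL pair (disabled; enable both together).
#dbDriver = org.gjt.mm.mysql.Driver
#dbURL = jdbc:mysql://balisong/inside
# Disabled helper statement that populates a `myevent` table from the snort
# schema (event/signature/iphdr/tcphdr); kept verbatim for reference.
#newTable = insert into myevent select distinct e.sid, e.cid, e.signature, s.sig_name, e.timestamp, i.ip_src, i.ip_dst, t.tcp_sport, t.tcp_dport from event e, signature s, iphdr i, tcphdr t where e.signature=s.sig_id and e.sid=i.sid and e.cid=i.cid and e.sid=t.sid and e.cid = t.cid;

# section 2: knowledge base
# Booleans in this file use lowercase true/false.
Generate_Knowledge_Base = true
Knowledge_Base_XML_File = DARPA_2K_final.xml

# section 3: correlation engine
# Name of the alert table and the mapping from the engine's logical column
# names (left) to the physical column names in that table (right).
AlertTable = events
# Column names of RealSecure on MSSQL (active mapping).
AlertID = EventID
AlertName = OrigEventName
BeginTime = EventDate
EndTime = EventDate
SrcIPAddress = SrcIPAddress
SrcPort = SrcPort
DestIPAddress = DestIPAddress
DestPort = DestPort
# Column names of snort on MySQL (disabled mapping; swap the whole group,
# not individual keys, so Begin/End and Src/Dest stay consistent).
#AlertID = cid
#AlertName = sig_name
#BeginTime = timestamp
#EndTime = timestamp
#SrcIPAddress = ip_src
#SrcPort = layer4_sport
#DestIPAddress = ip_dst
#DestPort = layer4_dport
Original_Graph_Output = darpa_dmz1.txt

# Below are the three utilities (sections 4-6); each writes its own output file.

# section 4: graph reduction
# -1 is used as a sentinel for the aggregation interval here and in sections
# 5 and 6; its exact meaning (presumably "no time window") is not stated in
# this file — TODO confirm against the engine before changing it.
Aggregation_Time_Interval = -1
Graph_Reduction_Output = sample_reduction.txt

# section 5: focus analysis
Focused_Analysis_GraphID = 9
# Raw predicate text. The value reads like a SQL WHERE fragment that the engine
# splices into its query as-is (cannot be confirmed from this file). Treat this
# file as trusted operator configuration only; never fill this key from
# user-supplied or network-sourced input. The quotes are part of the value.
Focusing_Constraint = DestIPAddress='152.1.19.5'
Focused_Aggregation = true
Focused_Aggregation_Time_Interval = -1
Focused_Output = sample_focused.txt

# section 6: graph decomposition
# the value is the column name in the original alert table
# NOTE(review): the comment above predates this edit and sits over a numeric
# key; it most likely describes Clustering_Constraint below — confirm.
Decomposition_ID = 9
# Same caveat as Focusing_Constraint: h1/h2 look like SQL table aliases and the
# text is presumably spliced verbatim into a query. The second `=` is part of
# the value, since only the first `=` on the line is the delimiter.
Clustering_Constraint = h1.DestIPAddress=h2.DestIPAddress
Decomposition_Aggregation = true
Decomposition_Aggregation_Time_Interval = -1
Decomposition_Output = sample_decomp_a.txt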