# Configuration file for fwanalog. This is a modified analog.conf for the # special requirements of firewall logs. You shouldn't modify options here # (only for bugfixing), please edit fwanalog.analog.conf.local . # See http://www.statslab.cam.ac.uk/~sret1/analog/ and http://tud.at/programm/fwanalog/ # $Id: fwanalog.analog.conf,v 1.20 2003/07/05 09:34:58 bb Exp $ APACHEDEFAULTLOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v) # Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v" # Include the port number to name assignments. # If you prefer "21" instead of "ftp", simply comment it out. CONFIGFILE ./services.conf # No logos and images, please. LOGO none IMAGEDIR none GENERAL ON # General summary MONTHLY ON # Monthly summary for the last monts WEEKLY ON # Weekly summary for the last weeks HOURLY ON # Hourly summary DOMAIN ON # top-level domains of attackers ORGANISATION ON # Which organisation do the attackers belong to HOST ON # Which hosts tried to attack you REFERRER ON # Source port report DIRECTORY ON # Blocked request report USER ON # iptables log-prefix report - analog ignores it # if there are no log prefixes REFSITE OFF # doesn't make sense here FAILREF OFF # doesn't make sense here REDIRREF OFF # doesn't make sense here FULLBROWSER OFF # doesn't make sense here REDIR OFF # doesn't make sense here FAILURE OFF # doesn't make sense here SEARCHQUERY OFF # doesn't make sense here SEARCHWORD OFF # doesn't make sense here OSREP OFF # doesn't make sense here STATUS OFF # HTTP Status report, doesn't make sense here FILETYPE OFF # We don't have files REQUEST OFF # the directory report is better PROCTIME OFF # Processing time, not very interesting # Get the (slightly modified) language strings from this file LANGFILE ./fwanalog.lng DOMAINSFILE ./fwanalog-dom.tab DNS WRITE # Resolve IP addresses to names and write them into the domains file TIMECOLS RrB # columns in time reports WEEKROWS 12 # only the last 12 weeks in the weekly report ALLGRAPH r # All graphs are based on blocks CASE INSENSITIVE # Accept TCP and tcp as the same protocol DOMCOLS RrBD DOMSORTBY REQUESTS SUBDOMSORTBY REQUESTS ORGCOLS NRrBD USERCOLS NRBbD SIZECOLS RrBbD HOSTCOLS NRrBD HOSTSORTBY REQUESTS DIRCOLS RrBD DIRSORTBY REQUESTS SUBDIR */*/* SUBDIRSORTBY REQUESTS REQCOLS NRrBD REQSORTBY REQUESTS USERCOLS NRrBbD VHOSTSORTBY REQUESTS BROWREPSORTBY REQUESTS # Sort by requests REFCOLS NRrBD REFOUTPUTALIAS REGEXP:http://(.*)/ $1 # Convert the faked source port "URL" into just the port number #ICMP code to type mapping. Source: http://www.cotse.com/icmptypes.html DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/1/$ "$1/$2/echo reply (1)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/3/$ "$1/$2/destination unreachable (3)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/4/$ "$1/$2/source quench (4)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/5/$ "$1/$2/redirect (5)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/6/$ "$1/$2/alternate host address (6)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/8/$ "$1/$2/echo (8)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/9/$ "$1/$2/router advertisement (9)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/10/$ "$1/$2/router selection (10)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/11/$ "$1/$2/time exceeded (11)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/12/$ "$1/$2/parameter problem (12)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/13/$ "$1/$2/timestamp (13)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/14/$ "$1/$2/timestamp reply (14)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/15/$ "$1/$2/information request (15)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/16/$ "$1/$2/information reply (16)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/17/$ "$1/$2/address mask request (17)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/18/$ "$1/$2/address mask reply (18)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/30/$ "$1/$2/traceroute (30)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/31/$ "$1/$2/datagram conversion error (31)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/32/$ "$1/$2/mobile host redirect (32)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/33/$ "$1/$2/ipv6 where are you (33)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/34/$ "$1/$2/ipv6 i am here (34)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/35/$ "$1/$2/mobile registration request (35)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/36/$ "$1/$2/mobile registration reply (36)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/37/$ "$1/$2/domain name request (37)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/38/$ "$1/$2/domain name reply (38)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/39/$ "$1/$2/skip (39)" DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/40/$ "$1/$2/photuris (40)" # the rest of ICMP - see fwanalog.analog.conf.local # DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$ "$1/$2, unknown type $3" # /ipaddress/icmp/type => ipaddress/icmp, type # Better aliasing of blocked requests DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/(.+)/$ $1:$3/$2 # /ipaddress/protocol/portnumber/ => ipadress:portnumber/protocol DIROUTPUTALIAS REGEXP:^/(.+)/([0-9]+)/$ "$1/unknown protocol $2" # /ipaddress/numeric_protocol/=> ipadress/unknown protocol numeric_protocol DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/$ $1/$2 # /ipaddress/protocol/ => ipadress/protocol DIROUTPUTALIAS REGEXP:^/(.+)/$ $1 # /ipaddress/ => ipadress PAGEEXCLUDE * # Page reports don't make sense