# Some examples for possible changes - edit and/or uncomment them to activate
# See http://www.analog.cx/docs/custom.html for more information

# Credits
HOSTURL http://tud.at/programm/fwanalog/
HOSTNAME "fwanalog 0.6.9"

# If you want to exclude blocked packets from some hosts (e.g. your private network)
# HOSTEXCLUDE 192.168.1.*

# If you want to include your corporate stylesheet
# STYLESHEET /style/mycorporationsflashydesign.css

# Change the report order if you want. This is a good order for firewall
# logs, I think.
#REPORTORDER xiuSZo54HhDdWmzvbfPscJpBKknNIEtr # Analog 4.x
REPORTORDER xiurSZo5746HhwDdWmQ1zvbfPscJpBKknNIEtlLRMjYy # Analog 5.x

VHOST ON # Interface report, you can turn it off if you have only one interface
SIZE ON # Blocked packet size - not very interesting in many cases
BROWSERREP OFF # Set to ON if you want the MAC addresses reported and your firewall logs them

# Switching on reports for all output files.

#DAILYREP ON # Set to OFF if you don't want the statistics for the last N days
#DAYROWS 21 # The last 21 days in the daily report

#QUARTERREP ON # Quarter-hour-report for the last day(s)
#QUARTERREPROWS 264 # Rows in the quarter-hour-report

#FIVEREP ON # Five-minute-report for the last day(s)
#FIVEREPROWS 264 # A full day in the five-minute-report

# This is European style, I know. Change if you want to.
WEEKBEGINSON MONDAY

# I don't want warnings about suppressed reports
WARNINGS -R

# If you don't want pie charts, uncomment this
# ALLCHART OFF

# Or deactivate them one by one:
# HOSTCHART OFF
# DOMCHART OFF
# etc.

# Set higher floors so reports don't become too long
# A FLOOR line consists of the following:
# {rep}FLOOR {number}{suffix}

# The following variants make sense with fwanalog:
# Nr    at least N blocks in the report's period
# N%r   at least N percent of the total blocks in the report's period
# -Nr   the top N objects (hosts, ports etc.)

# See the examples above and README for analog => fwanalog mappings

DOMFLOOR -30R # Max. 30 top level domains
SUBDOMFLOOR -30R # Max. 30 subdomains (in the domain report)
VHOSTFLOOR 5r # Interfaces with at least 5 blocked packets
ORGFLOOR 0.5%r # Organizations with at least 0.5 % of the blocked packets
HOSTFLOOR 0.5%r # Hosts with at least 0.5 % of the blocked packets
DIRFLOOR 1r # Each targeted host
SUBDIRFLOOR -40r # Max. 40 different blocked packets (per host)
REFFLOOR -20r # Top 20 source ports
BROWREPFLOOR 2r # MAC address report: addresses with at least 2 tries
REQFLOOR 2r # Blocked port report: ports with at least 2 blocked packets

# Expanding large items in the Blocked Packet chart
# - this has to be customized for your most-blocked IP addresses.
#DIRCHARTEXPAND /IPAddress1/,/IPAddress2/

# If old logs are bzip2ed or gzipped, uncompress them using this program
UNCOMPRESS *.gz,*.Z "zcat"
UNCOMPRESS *.bz2,*.bz "bzcat"

# Include the config file with lots of rare service definitions if you want
# CONFIGFILE ./support/well_known_ports.conf

# Uncomment the next line if your firewall logs numeric ICMP types
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$ "$1/$2, unknown type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type

# Uncomment the next line if your firewall logs alphanumeric ICMP types (OpenBSD 3 PF)
#DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$ "$1/$2, type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type
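To make the floor variants (`Nr`, `N%r`, `-Nr`) and the ICMP `DIROUTPUTALIAS` rewrite concrete, here is a small Python model of both, added as an illustration and not part of fwanalog or analog. It assumes only the semantics stated in the comments above; the per-host block counts are constructed sample data, and `parse_floor`, `apply_floor` and `alias_icmp_dir` are names chosen for this example.

```python
import re

# Constructed sample: blocked packets per source host, the kind of table
# fwanalog builds from a firewall log. Hosts and counts are made up.
SAMPLE_COUNTS = {
    "203.0.113.7": 120,
    "198.51.100.4": 45,
    "192.0.2.9": 30,
    "203.0.113.88": 4,
    "198.51.100.200": 1,
}

# {number}{suffix}: optional leading '-', a number, optional '%', then r or R
_FLOOR_RE = re.compile(r"^(-?)(\d+(?:\.\d+)?)(%?)[rR]$")


def parse_floor(spec):
    """Parse a floor such as '5r', '0.5%r' or '-30r'.

    Returns (kind, value) with kind in {'min', 'percent', 'top'}:
      min     -> at least `value` blocks
      percent -> at least `value` percent of all blocks
      top     -> only the `value` largest entries
    """
    m = _FLOOR_RE.match(spec)
    if not m:
        raise ValueError("unsupported floor: %r" % spec)
    neg, num, pct = m.groups()
    if neg and pct:
        raise ValueError("top-N floors cannot be percentages: %r" % spec)
    if neg:
        return "top", int(float(num))
    if pct:
        return "percent", float(num)
    return "min", int(float(num))


def apply_floor(counts, spec):
    """Return the (name, count) rows that survive the floor, largest first."""
    kind, value = parse_floor(spec)
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if kind == "top":
        return rows[:value]
    if kind == "percent":
        threshold = sum(counts.values()) * value / 100.0
        return [r for r in rows if r[1] >= threshold]
    return [r for r in rows if r[1] >= value]


# Equivalent of: DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$ "$1/$2, unknown type $3"
# REGEXPI means case-insensitive, so "icmp" in a logged path matches too.
_ICMP_DIR_RE = re.compile(r"^/(.+)/(ICMP)/(.+)/$", re.IGNORECASE)


def alias_icmp_dir(path, label="unknown type"):
    """Rewrite /ipaddress/icmp/type/ as 'ipaddress/icmp, unknown type type'.

    Paths that are not ICMP entries (or lack the trailing slash the pattern
    requires) are returned unchanged, as analog would leave them.
    """
    m = _ICMP_DIR_RE.match(path)
    if not m:
        return path
    return "%s/%s, %s %s" % (m.group(1), m.group(2), label, m.group(3))


if __name__ == "__main__":
    for spec in ("5r", "2%r", "-2r"):
        print(spec, "->", apply_floor(SAMPLE_COUNTS, spec))
    print(alias_icmp_dir("/203.0.113.7/icmp/8/"))
```

Running the script shows why the floors in this file are useful for firewall logs: `5r` drops the two noisy single-source hosts, `2%r` scales the cut-off with the total traffic so a busy week does not produce a huge host report, and `-2r` caps the report at a fixed length regardless of volume.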