# Configuration file for fwanalog. This is a modified analog.conf for the
# special requirements of firewall logs. You shouldn't modify options here
# (only for bugfixing); please edit fwanalog.analog.conf.local instead.
#
# How to read this file: fwanalog rewrites firewall log lines into a
# synthetic Apache-style access log and lets analog report on it, so analog's
# web-log vocabulary is reused with firewall meanings (see the per-report
# comments below): a blocked packet is a "request", the attacking host is the
# "host", the fake path /ipaddress/protocol/port/ is the "directory", the
# source port is the "referrer" and the iptables log-prefix is the "user".

# See http://www.statslab.cam.ac.uk/~sret1/analog/ and http://tud.at/programm/fwanalog/

# $Id: fwanalog.analog.conf,v 1.20 2003/07/05 09:34:58 bb Exp $

# Format of the synthetic log that fwanalog hands to analog. It has to stay in
# step with the line layout fwanalog's converter writes; the equivalent Apache
# LogFormat is given below for reference only.
APACHEDEFAULTLOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v)
# Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v"

# Include the port number to name assignments.
# If you prefer "21" instead of "ftp", simply comment it out.
# Note: this path and the LANGFILE/DOMAINSFILE paths below are relative, i.e.
# they only resolve if analog is started from the directory holding these
# files (use absolute paths in fwanalog.analog.conf.local otherwise).
CONFIGFILE ./services.conf

# No logos and images, please.
LOGO none
IMAGEDIR none

# Reports to produce. The analog report names are kept; the comments give
# their firewall meaning.
GENERAL ON	# General summary
MONTHLY ON	# Monthly summary for the last months
WEEKLY ON	# Weekly summary for the last weeks
HOURLY ON	# Hourly summary
DOMAIN ON	# top-level domains of attackers
ORGANISATION ON	# Which organisation do the attackers belong to
HOST ON	# Which hosts tried to attack you
REFERRER ON		# Source port report (the source port arrives as a fake
			# "http://port/" referrer, see REFOUTPUTALIAS below)
DIRECTORY ON	# Blocked request report (the fake /ipaddress/protocol/port/
		# path, see DIROUTPUTALIAS below)

USER ON			# iptables log-prefix report - analog ignores it
				# if there are no log prefixes

# Web-only reports that have no meaning for a firewall log.
REFSITE OFF	# doesn't make sense here
FAILREF OFF	# doesn't make sense here
REDIRREF OFF	# doesn't make sense here
FULLBROWSER OFF	# doesn't make sense here
REDIR OFF	# doesn't make sense here
FAILURE OFF	# doesn't make sense here
SEARCHQUERY OFF	# doesn't make sense here
SEARCHWORD OFF	# doesn't make sense here
OSREP OFF	# doesn't make sense here
STATUS OFF	# HTTP Status report, doesn't make sense here
FILETYPE OFF	# We don't have files
REQUEST OFF		# the directory report is better
PROCTIME OFF	# Processing time, not very interesting

# Get the (slightly modified) language strings from this file
# (presumably this is where analog's "requests" get relabelled as blocks).
LANGFILE ./fwanalog.lng
# Top-level-domain name table used by the DOMAIN report.
DOMAINSFILE ./fwanalog-dom.tab

DNS WRITE
# Resolve attacker IP addresses to names and cache the answers in analog's
# DNS cache file (DNSFILE; DOMAINSFILE above is only the top-level-domain
# table, not the cache). Before relying on this, be aware that:
#  - the name returned for an address is whatever the owner of that address
#    range put into its reverse zone, so the names in the HOST and
#    ORGANISATION reports are labels chosen by the other side, not evidence;
#  - every uncached lookup sends a query towards the nameservers of the
#    network the packets came from, which tells a scanner that its probes
#    are being analysed;
#  - lookups against unreachable resolvers can make a run very slow.
# Set DNS NONE (or DNS READ to use only the existing cache) in
# fwanalog.analog.conf.local if any of this matters in your environment.

TIMECOLS RrB	# columns in time reports
WEEKROWS 12		# only the last 12 weeks in the weekly report

ALLGRAPH r	# All graphs are based on blocks

CASE INSENSITIVE
# Accept TCP and tcp as the same protocol

# Column selection and sort order per report (analog column letters).
DOMCOLS   RrBD
DOMSORTBY REQUESTS
SUBDOMSORTBY REQUESTS

ORGCOLS   	NRrBD
USERCOLS   	NRBbD	# NOTE(review): overridden by the USERCOLS further down
			# (later settings win in analog) - this line is dead;
			# reconcile the two.
SIZECOLS	RrBbD

HOSTCOLS   NRrBD
HOSTSORTBY REQUESTS

DIRCOLS   RrBD
DIRSORTBY REQUESTS

# Report the full /ipaddress/protocol/port/ depth, not just the first level.
SUBDIR */*/*
SUBDIRSORTBY REQUESTS

REQCOLS NRrBD
REQSORTBY REQUESTS

USERCOLS NRrBbD	# effective value; overrides the earlier USERCOLS above

VHOSTSORTBY REQUESTS

BROWREPSORTBY REQUESTS          # Sort by requests

REFCOLS NRrBD
REFOUTPUTALIAS REGEXP:http://(.*)/ $1
# Convert the faked source port "URL" (http://<port>/) into just the port
# number by stripping the scheme and the trailing slash.

# ICMP type-number to name mapping for fake paths of the form
# /ipaddress/ICMP/type/. Source: http://www.cotse.com/icmptypes.html
# Keep these before the generic /ipaddress/protocol/port/ rewrite further
# down, whose pattern would also match these ICMP entries.
# NOTE(review): per RFC 792 echo reply is ICMP type 0, and types 1 and 2 are
# unassigned; this table labels type 1 "echo reply" and has no entry for
# type 0. Check how fwanalog writes the type into the path (it may already
# be offset) before changing the numbers here.
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/1/$	"$1/$2/echo reply (1)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/3/$	"$1/$2/destination unreachable (3)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/4/$	"$1/$2/source quench (4)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/5/$	"$1/$2/redirect (5)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/6/$	"$1/$2/alternate host address (6)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/8/$	"$1/$2/echo (8)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/9/$	"$1/$2/router advertisement (9)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/10/$	"$1/$2/router selection (10)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/11/$	"$1/$2/time exceeded (11)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/12/$	"$1/$2/parameter problem (12)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/13/$	"$1/$2/timestamp (13)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/14/$	"$1/$2/timestamp reply (14)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/15/$	"$1/$2/information request (15)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/16/$	"$1/$2/information reply (16)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/17/$	"$1/$2/address mask request (17)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/18/$	"$1/$2/address mask reply (18)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/30/$	"$1/$2/traceroute (30)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/31/$	"$1/$2/datagram conversion error (31)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/32/$	"$1/$2/mobile host redirect (32)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/33/$	"$1/$2/ipv6 where are you (33)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/34/$	"$1/$2/ipv6 i am here (34)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/35/$	"$1/$2/mobile registration request (35)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/36/$	"$1/$2/mobile registration reply (36)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/37/$	"$1/$2/domain name request (37)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/38/$	"$1/$2/domain name reply (38)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/39/$	"$1/$2/skip (39)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/40/$	"$1/$2/photuris (40)"

# the rest of ICMP - see fwanalog.analog.conf.local
# (catch-all for types not listed above, kept disabled here)
# DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$	"$1/$2, unknown type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type

# Better aliasing of blocked requests: fold the fake path into a readable
# "address:port/protocol" label. The patterns go from most to least specific.
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/(.+)/$	$1:$3/$2
# /ipaddress/protocol/portnumber/ => ipaddress:portnumber/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/([0-9]+)/$		"$1/unknown protocol $2"
# /ipaddress/numeric_protocol/ => ipaddress/unknown protocol numeric_protocol
# (a protocol number that services.conf could not map to a name)
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/$		$1/$2
# /ipaddress/protocol/ => ipaddress/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/$			$1
# /ipaddress/ => ipaddress

PAGEEXCLUDE *	# Page reports don't make sense

