1# Some examples for possible changes - edit and/or uncomment them to activate
2# See http://www.analog.cx/docs/custom.html for more information
3
4# Credits
5HOSTURL http://tud.at/programm/fwanalog/
6HOSTNAME "fwanalog 0.6.9"
7
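8# If you want to exclude blocked packets from some hosts (e.g. your private network); note that this also hides blocked traffic originating from those hosts, which can be an early sign of a misconfigured or compromised machine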
9# HOSTEXCLUDE 192.168.1.*
10
11# If you want to include your corporate stylesheet
12# STYLESHEET /style/mycorporationsflashydesign.css
13
14# Change the report order if you want. This is a good order for firewall
15# logs, I think.
16#REPORTORDER xiuSZo54HhDdWmzvbfPscJpBKknNIEtr               # Analog 4.x
17REPORTORDER xiurSZo5746HhwDdWmQ1zvbfPscJpBKknNIEtlLRMjYy    # Analog 5.x
18
19VHOST ON		# Interface report, you can turn it off if you have only one interface
20SIZE ON			# Blocked packet size - not very interesting in many cases
21BROWSERREP OFF 	# Set to ON if you want the MAC addresses reported and your firewall logs them
22
23# Switching on reports for all output files.
24
25#DAILYREP ON	# Set to OFF if you don't want the statistics for the last N days
26#DAYROWS 21	# The last 21 days in the daily report
27
28#QUARTERREP ON	# Quarter-hour-report for the last day(s)
29#QUARTERREPROWS 264	# Number of rows (quarter-hour intervals) shown in the quarter-hour report
30
31#FIVEREP ON	# Five-minute-report for the last day(s)
32#FIVEREPROWS 264	# A full day in the five-minute-report
33
34# This is European style, I know. Change if you want to.
35WEEKBEGINSON MONDAY
36
37# I don't want warnings about suppressed reports
38WARNINGS -R
39
40# If you don't want pie charts, uncomment this
41# ALLCHART OFF
42
43# Or deactivate them one by one:
44# HOSTCHART OFF
45# DOMCHART OFF
46# etc.
47
48# Set higher floors so reports don't become too long
49# A FLOOR line consists of the following:
50# {rep}FLOOR {number}{suffix}
51
52# The following variants make sense with fwanalog:
53# Nr	at least N blocks in the report's period
54# N%r	at least N percent of the total blocks in the report's period
55# -Nr	the top N objects (hosts, ports etc.)
56
57# See the examples above and README for analog => fwanalog mappings
58
59DOMFLOOR  -30R			# Max. 30 top level domains
60SUBDOMFLOOR  -30R		# Max. 30 subdomains
61VHOSTFLOOR 5r			# Interfaces with at least 5 blocked packets
62ORGFLOOR  0.5%r			# Organizations with at least 0.5 % of the blocked packets
63HOSTFLOOR  0.5%r		# Hosts with at least 0.5 % of the blocked packets
64DIRFLOOR 1r				# Each targeted host
65SUBDIRFLOOR -40r		# Max. 40 different blocked packets (per host)
66REFFLOOR -20r			# Top 20 source ports
67BROWREPFLOOR 2r         # MAC Address report: addresses with at least 2 tries
68REQFLOOR 2r				# Blocked port report: ports with at least 2 blocked packets
69
70# Expanding large items in the Blocked Packet chart
71# - this has to be customized for your most-blocked IP addresses.
72#DIRCHARTEXPAND  /IPAddress1/,/IPAddress2/
73
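74# If old logs are bzip2ed or gzipped, uncompress them using these programs (given without a path here, so they are presumably found via PATH; consider absolute paths when fwanalog runs from cron or as root)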
75UNCOMPRESS *.gz,*.Z "zcat"
76UNCOMPRESS *.bz2,*.bz "bzcat"
77
78# Include the config file with lots of rare service definitions if you want
79# CONFIGFILE ./support/well_known_ports.conf
80
81# The next line is for firewalls that log numeric ICMP types (it is active by default; comment it out if you enable the alphanumeric variant below)
82DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$	"$1/$2, unknown type $3"
83# /ipaddress/icmp/type => ipaddress/icmp, unknown type <type>
84
85# Uncomment the next line if your firewall logs alphanumeric ICMP types (OpenBSD 3 PF)
86#DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$	"$1/$2, type $3"
87# /ipaddress/icmp/type => ipaddress/icmp, type
88
89