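# Configuration file for fwanalog. This is a modified analog.conf for the
# special requirements of firewall logs. You shouldn't modify options here
# (only for bugfixing), please edit fwanalog.analog.conf.local .
#
# Reformatted from a collapsed copy of the original; directives are unchanged
# except where a comment below says otherwise.

# See http://www.statslab.cam.ac.uk/~sret1/analog/ and http://tud.at/programm/fwanalog/

# $Id: fwanalog.analog.conf,v 1.20 2003/07/05 09:34:58 bb Exp $

# fwanalog rewrites firewall log lines into a fake Apache combined log
# (blocked request = /source_ip/protocol/port/, source port in the Referer);
# this must match the format fwanalog emits.
APACHEDEFAULTLOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v)
# Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v"

# Include the port number to name assignments.
# If you prefer "21" instead of "ftp", simply comment it out.
CONFIGFILE ./services.conf

# No logos and images, please.
LOGO none
IMAGEDIR none

GENERAL ON      # General summary
MONTHLY ON      # Monthly summary for the last months
WEEKLY ON       # Weekly summary for the last weeks
HOURLY ON       # Hourly summary
DOMAIN ON       # top-level domains of attackers
ORGANISATION ON # Which organisation do the attackers belong to
HOST ON         # Which hosts tried to attack you
REFERRER ON     # Source port report
DIRECTORY ON    # Blocked request report

USER ON         # iptables log-prefix report - analog ignores it
                # if there are no log prefixes

REFSITE OFF     # doesn't make sense here
FAILREF OFF     # doesn't make sense here
REDIRREF OFF    # doesn't make sense here
FULLBROWSER OFF # doesn't make sense here
REDIR OFF       # doesn't make sense here
FAILURE OFF     # doesn't make sense here
SEARCHQUERY OFF # doesn't make sense here
SEARCHWORD OFF  # doesn't make sense here
OSREP OFF       # doesn't make sense here
STATUS OFF      # HTTP Status report, doesn't make sense here
FILETYPE OFF    # We don't have files
REQUEST OFF     # the directory report is better
PROCTIME OFF    # Processing time, not very interesting

# Get the (slightly modified) language strings from this file
LANGFILE ./fwanalog.lng
DOMAINSFILE ./fwanalog-dom.tab

DNS WRITE
# Resolve IP addresses to names and write them into the domains file.
# NOTE(review): every logged source address gets a reverse lookup, i.e. the
# reporting host sends queries to nameservers that may be run by the very
# hosts being reported on, and the PTR answers are untrusted text that ends up
# in the report (whether analog escapes them in HTML output is not established
# here). If that is not acceptable, use DNS READ (reuse the cached domains
# file only) or DNS NONE.

TIMECOLS RrB    # columns in time reports
WEEKROWS 12     # only the last 12 weeks in the weekly report

ALLGRAPH r      # All graphs are based on blocks

CASE INSENSITIVE
# Accept TCP and tcp as the same protocol

DOMCOLS RrBD
DOMSORTBY REQUESTS
SUBDOMSORTBY REQUESTS

ORGCOLS NRrBD
# USERCOLS was set twice in the original (NRBbD here, NRrBbD further down);
# the later value is the one that took effect, so only that one is kept.
USERCOLS NRrBbD
SIZECOLS RrBbD

HOSTCOLS NRrBD
HOSTSORTBY REQUESTS

DIRCOLS RrBD
DIRSORTBY REQUESTS

SUBDIR */*/*
SUBDIRSORTBY REQUESTS

REQCOLS NRrBD
REQSORTBY REQUESTS

VHOSTSORTBY REQUESTS

BROWREPSORTBY REQUESTS # Sort by requests

REFCOLS NRrBD
REFOUTPUTALIAS REGEXP:http://(.*)/ $1
# Convert the faked source port "URL" into just the port number

# ICMP type number to name mapping (the third path element is the ICMP type,
# see the /ipaddress/icmp/type note below). Names follow RFC 792 / IANA.
# Source: http://www.cotse.com/icmptypes.html
# Fixed against the original: echo reply is ICMP type 0, not 1 (type 1 is
# unassigned), and type 10 is "router solicitation".
# These specific aliases must stay above the generic /ip/protocol/port/
# aliases further down, which would otherwise swallow the ICMP entries.
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/0/$ "$1/$2/echo reply (0)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/3/$ "$1/$2/destination unreachable (3)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/4/$ "$1/$2/source quench (4)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/5/$ "$1/$2/redirect (5)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/6/$ "$1/$2/alternate host address (6)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/8/$ "$1/$2/echo (8)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/9/$ "$1/$2/router advertisement (9)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/10/$ "$1/$2/router solicitation (10)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/11/$ "$1/$2/time exceeded (11)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/12/$ "$1/$2/parameter problem (12)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/13/$ "$1/$2/timestamp (13)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/14/$ "$1/$2/timestamp reply (14)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/15/$ "$1/$2/information request (15)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/16/$ "$1/$2/information reply (16)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/17/$ "$1/$2/address mask request (17)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/18/$ "$1/$2/address mask reply (18)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/30/$ "$1/$2/traceroute (30)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/31/$ "$1/$2/datagram conversion error (31)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/32/$ "$1/$2/mobile host redirect (32)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/33/$ "$1/$2/ipv6 where are you (33)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/34/$ "$1/$2/ipv6 i am here (34)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/35/$ "$1/$2/mobile registration request (35)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/36/$ "$1/$2/mobile registration reply (36)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/37/$ "$1/$2/domain name request (37)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/38/$ "$1/$2/domain name reply (38)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/39/$ "$1/$2/skip (39)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/40/$ "$1/$2/photuris (40)"

# the rest of ICMP - see fwanalog.analog.conf.local
# DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$ "$1/$2, unknown type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type

# Better aliasing of blocked requests.
# Order matters: the most specific pattern comes first, the bare /ipaddress/
# form last.
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/(.+)/$ $1:$3/$2
# /ipaddress/protocol/portnumber/ => ipaddress:portnumber/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/([0-9]+)/$ "$1/unknown protocol $2"
# /ipaddress/numeric_protocol/ => ipaddress/unknown protocol numeric_protocol
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/$ $1/$2
# /ipaddress/protocol/ => ipaddress/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/$ $1
# /ipaddress/ => ipaddress

PAGEEXCLUDE * # Page reports don't make sense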