1#!/bin/sh
2
3###########################################################################
4#
5#	User-changeable options for fwanalog.sh
6#
7#	$Id: fwanalog.opts.fw1,v 1.3 2005/02/24 15:59:34 bb Exp $
8#
9###########################################################################
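outdir="/root/fwanalog.out"
# Directory the reports are written to, without a trailing "/". The user that
# runs fwanalog needs write access; the directory is created on first run if
# it does not exist yet.
# The reports list your protected hosts and the addresses that were blocked,
# so restrict the directory with permissions (guard dogs and minefields are
# optional) and do not place it under a web server's document root unless you
# really want those reports published.

logformat="fw1"
# Log format your firewall writes.
# Currently available options:
#	iptables	Linux 2.4 iptables		(probably in /var/log/messages)
#	ipchains	Linux 2.2 ipchains		(probably in /var/log/messages)
#	ipf			BSD/Solaris ipfilter	(probably in /var/log/ipflog)
#	openbsd		this was the same as ipf until OpenBSD 2.9; this also
#					seems to work on NetBSD
#	freebsd		FreeBSD's output format	(probably in /var/log/ipflog)
#	ipfw		FreeBSD's ipfw output format
#	solarisipf	Solaris 8.0 Intel ipf 3.4.20 (using ipmon -sn &)
#	pf_30		OpenBSD 3.0 pf binary log format
#					fwanalog *must* run on OpenBSD 3.0 for this to work
#					(because of the special tcpdump of OpenBSD)
#	zynos		ZyNOS (ZyXEL, Netgear) logfile
#	pix			Cisco Pix (tested with version 6.22/IOS)
#	watchguard	Watchguard Firebox
#	fw1			Checkpoint Firewall-One (not fw-1 NG!)
#	sonicwall	SonicWall TZ-170 syslog logfile

# Feel free to write a parser for your firewall if it is not supported.
# See the comments in iptables() and ipf().
#
# The officially maintained formats are pf_30 and iptables.

inputfiles_mask="firewall*"	# Name of your logfiles; a wildcard is fine
inputfiles_dir="/var/log"	# Directory that holds the logfiles, e.g. /var/log
inputfiles_mtime="31"		# Maximum age of a logfile, in days (find -mtime)
# Set this to your log rotation interval + 1 day so no logfile entry is ever missed.
inputfiles=$(find "$inputfiles_dir" -maxdepth 1 -name "$inputfiles_mask" -mtime "-$inputfiles_mtime" | sort -r)
# This must yield the names of the logfiles to parse, in reverse
# (chronological) order, or you will get LOTS of duplicate lines in the report.
# $inputfiles_dir and $inputfiles_mtime are quoted so a directory name with
# whitespace (or an empty value) cannot be split into extra find arguments.
# The resulting list is still newline separated, so the logfile NAMES
# themselves must not contain whitespace.

onehost=false
# Available options: false true dynip

# Default: false

# Set to true if this firewall runs on one machine only and you want to see
# the source hosts (not the protected target hosts) in the Blocked Packet
# Report. This is suggested if you protect one server, but loses information
# if you protect a network.

# Set to "dynip" if your firewall has a dynamic IP address.

# After changing onehost, you must delete everything in $outdir!

sep_hosts=false
# Set to true if you want fwanalog to create a separate, additional report for
# each attacking host IP.
# WARNING: this can run for hours using 100 % CPU and consume lots of hard
# disk space (up to 25 kB per host), so you can easily fill up your server if
# too many packets from different hosts were blocked.
# Also, this makes only limited sense with onehost mode set to true.
# If you set this option after having used fwanalog, some hosts won't be
# linked in the report. You can create a report for a host with the
# "-a <IP-address>" command line option.

sep_packets=false
# Like sep_hosts, but for blocked packets.
# The corresponding command line option is "-p <packet>".

# Program invocations - add the path if needed.
#
# These names are resolved through the PATH of whoever runs fwanalog, so when
# it runs from cron or as root, give absolute paths here; then a changed or
# writable PATH directory cannot substitute a different binary.
# This file is shell syntax (presumably sourced by fwanalog.sh), so anyone who
# can edit it can run commands as the invoking user: keep it owned by that
# user and neither group- nor world-writable.

analog="analog"
# Full pathname if you need it, or "nice analog" if you want to de-prioritize it.

date="date"		# should be GNU date or one which can print the timezone.
				# see "timezone" below
grep="grep" 	# should be GNU grep
egrep="egrep"	# should be GNU egrep
zegrep="zegrep" # this is just a shell script on most systems. If you don't
				# have it, copy it from another Unix-lookalike.
gzcat="gzcat"	# needed only on OpenBSD 3.x
sed="sed"
perl="perl"
tcpdump="tcpdump"	# needed only on OpenBSD 3.x

timezone=$($date +%z)
# Which timezone the server is in. Correct this if the server fwanalog runs on
# is not in the timezone the firewall is in.
# $date is left unquoted on purpose so a value with options or a wrapper
# (like the "nice analog" example above) still works.
# The %z option of date is supported on GNU/Linux and OpenBSD,
# but apparently NOT on FreeBSD, so you will have to insert your
# timezone difference (e.g. -0500) yourself or use GNU date.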
101