File: fwanalog.analog.conf

package info (click to toggle)
fwanalog 0.6.9-8
  • links: PTS
  • area: main
  • in suites: bookworm, bullseye, buster, sid
  • size: 1,004 kB
  • ctags: 25
  • sloc: sh: 1,541; makefile: 48
file content (136 lines) | stat: -rw-r--r-- 5,335 bytes parent folder | download | duplicates (7)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# Configuration file for fwanalog. This is a modified analog.conf for the
# special requirements of firewall logs. You shouldn't modify options here
# (only for bugfixing), please edit fwanalog.analog.conf.local .

# See http://www.statslab.cam.ac.uk/~sret1/analog/ and http://tud.at/programm/fwanalog/

# $Id: fwanalog.analog.conf,v 1.20 2003/07/05 09:34:58 bb Exp $

APACHEDEFAULTLOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v)
# Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v"

# Include the port number to name assignments.
# If you prefer "21" instead of "ftp", simply comment it out. 
CONFIGFILE /usr/share/fwanalog/services.conf

# No logos and images, please.
LOGO none
IMAGEDIR none

GENERAL ON	# General summary
MONTHLY ON	# Monthly summary for the last monts
WEEKLY ON	# Weekly summary for the last weeks
HOURLY ON	# Hourly summary
DOMAIN ON	# top-level domains of attackers
ORGANISATION ON	# Which organisation do the attackers belong to
HOST ON	# Which hosts tried to attack you
REFERRER ON		# Source port report
DIRECTORY ON	# Blocked request report

USER ON			# iptables log-prefix report - analog ignores it
				# if there are no log prefixes

REFSITE OFF	# doesn't make sense here
FAILREF OFF	# doesn't make sense here
REDIRREF OFF	# doesn't make sense here
FULLBROWSER OFF	# doesn't make sense here
REDIR OFF	# doesn't make sense here
FAILURE OFF	# doesn't make sense here
SEARCHQUERY OFF	# doesn't make sense here
SEARCHWORD OFF	# doesn't make sense here
OSREP OFF	# doesn't make sense here
STATUS OFF	# HTTP Status report, doesn't make sense here
FILETYPE OFF	# We don't have files
REQUEST OFF		# the directory report is better
PROCTIME OFF	# Processing time, not very interesting

# Get the (slightly modified) language strings from this file
LANGFILE /usr/share/fwanalog/fwanalog.lng
DOMAINSFILE /usr/share/fwanalog/fwanalog-dom.tab

DNS WRITE
# Resolve IP addresses to names and write them into the domains file

TIMECOLS RrB	# columns in time reports
WEEKROWS 12		# only the last 12 weeks in the weekly report

ALLGRAPH r	# All graphs are based on blocks

CASE INSENSITIVE
# Accept TCP and tcp as the same protocol

DOMCOLS   RrBD
DOMSORTBY REQUESTS
SUBDOMSORTBY REQUESTS

ORGCOLS   	NRrBD
USERCOLS   	NRBbD
SIZECOLS	RrBbD

HOSTCOLS   NRrBD
HOSTSORTBY REQUESTS

DIRCOLS   RrBD
DIRSORTBY REQUESTS

SUBDIR */*/*
SUBDIRSORTBY REQUESTS

REQCOLS NRrBD
REQSORTBY REQUESTS

USERCOLS NRrBbD

VHOSTSORTBY REQUESTS

BROWREPSORTBY REQUESTS          # Sort by requests

REFCOLS NRrBD
REFOUTPUTALIAS REGEXP:http://(.*)/ $1
# Convert the faked source port "URL" into just the port number

#ICMP code to type mapping. Source: http://www.cotse.com/icmptypes.html
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/1/$	"$1/$2/echo reply (1)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/3/$	"$1/$2/destination unreachable (3)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/4/$	"$1/$2/source quench (4)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/5/$	"$1/$2/redirect (5)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/6/$	"$1/$2/alternate host address (6)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/8/$	"$1/$2/echo (8)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/9/$	"$1/$2/router advertisement (9)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/10/$	"$1/$2/router selection (10)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/11/$	"$1/$2/time exceeded (11)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/12/$	"$1/$2/parameter problem (12)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/13/$	"$1/$2/timestamp (13)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/14/$	"$1/$2/timestamp reply (14)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/15/$	"$1/$2/information request (15)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/16/$	"$1/$2/information reply (16)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/17/$	"$1/$2/address mask request (17)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/18/$	"$1/$2/address mask reply (18)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/30/$	"$1/$2/traceroute (30)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/31/$	"$1/$2/datagram conversion error (31)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/32/$	"$1/$2/mobile host redirect (32)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/33/$	"$1/$2/ipv6 where are you (33)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/34/$	"$1/$2/ipv6 i am here (34)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/35/$	"$1/$2/mobile registration request (35)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/36/$	"$1/$2/mobile registration reply (36)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/37/$	"$1/$2/domain name request (37)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/38/$	"$1/$2/domain name reply (38)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/39/$	"$1/$2/skip (39)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/40/$	"$1/$2/photuris (40)"

# the rest of ICMP - see fwanalog.analog.conf.local
# DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$	"$1/$2, unknown type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type

# Better aliasing of blocked requests
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/(.+)/$	$1:$3/$2
# /ipaddress/protocol/portnumber/ => ipadress:portnumber/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/([0-9]+)/$		"$1/unknown protocol $2"
# /ipaddress/numeric_protocol/=> ipadress/unknown protocol numeric_protocol
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/$		$1/$2
# /ipaddress/protocol/ => ipadress/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/$			$1
# /ipaddress/ => ipadress

PAGEEXCLUDE *	# Page reports don't make sense