File: fwanalog.analog.conf

# Configuration file for fwanalog. This is a modified analog.conf for the
# special requirements of firewall logs. Do not change options here (except to
# fix a bug); put local overrides into fwanalog.analog.conf.local instead.

# See http://www.statslab.cam.ac.uk/~sret1/analog/ and http://tud.at/programm/fwanalog/

# $Id: fwanalog.analog.conf,v 1.20 2003/07/05 09:34:58 bb Exp $

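APACHEDEFAULTLOGFORMAT (%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v)
# Apache: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %T %v"
# fwanalog rewrites firewall log lines into this Apache "combined"-style layout
# so that analog can read them. As the report comments below show, the fields
# are reused: %r carries "/source-ip/protocol/port/" (directory report),
# %{Referer}i carries a fake "http://<source-port>/" URL (referrer report) and
# %u carries the iptables --log-prefix (user report).

# Include the port number to name assignments (e.g. 21 -> ftp).
# If you prefer "21" instead of "ftp", simply comment the next line out.
CONFIGFILE /usr/share/fwanalog/services.conf

# No logos and images, please.
LOGO none
IMAGEDIR none

# Reports that are meaningful for firewall logs.
GENERAL ON	# General summary
MONTHLY ON	# Monthly summary for the last months
WEEKLY ON	# Weekly summary for the last weeks
HOURLY ON	# Hourly summary
DOMAIN ON	# top-level domains of attackers
ORGANISATION ON	# Which organisation do the attackers belong to
HOST ON	# Which hosts tried to attack you
REFERRER ON		# Source port report (the referrer field holds the source port)
DIRECTORY ON	# Blocked request report (the request path holds ip/protocol/port)

USER ON			# iptables log-prefix report - analog ignores it
				# if there are no log prefixes

# Reports that only make sense for real web server logs.
REFSITE OFF	# doesn't make sense here
FAILREF OFF	# doesn't make sense here
REDIRREF OFF	# doesn't make sense here
FULLBROWSER OFF	# doesn't make sense here
REDIR OFF	# doesn't make sense here
FAILURE OFF	# doesn't make sense here
SEARCHQUERY OFF	# doesn't make sense here
SEARCHWORD OFF	# doesn't make sense here
OSREP OFF	# doesn't make sense here
STATUS OFF	# HTTP Status report, doesn't make sense here
FILETYPE OFF	# We don't have files
REQUEST OFF		# the directory report is better
PROCTIME OFF	# Processing time, not very interesting

# Get the (slightly modified) language strings from this file
LANGFILE /usr/share/fwanalog/fwanalog.lng
DOMAINSFILE /usr/share/fwanalog/fwanalog-dom.tab

DNS WRITE
# Resolve IP addresses to names and write them into the domains file.
# Caveat: this issues a reverse (PTR) lookup for every logged source address.
# Those queries reach name servers chosen by the owner of the scanning host
# (or its ISP), so they disclose that the blocked traffic is being analysed,
# and they slow down a run considerably on large logs. Set "DNS NONE" (or
# "DNS READ" to use only already cached answers) in fwanalog.analog.conf.local
# on hosts where either matters.
# NOTE(review): the resolved names are text chosen by the remote side and end
# up in the HTML report; confirm that analog escapes them before viewing
# reports in a browser.

# Column letters per analog's documentation: N = rank number, R = requests
# (here: blocked packets), r = % of requests, B = bytes, b = % of bytes,
# D = date of the last request.
TIMECOLS RrB	# columns in time reports
WEEKROWS 12		# only the last 12 weeks in the weekly report

ALLGRAPH r	# All graphs are based on blocks (i.e. % of blocked packets)

CASE INSENSITIVE
# Accept TCP and tcp as the same protocol

DOMCOLS   RrBD
DOMSORTBY REQUESTS
SUBDOMSORTBY REQUESTS

ORGCOLS   	NRrBD
SIZECOLS	RrBbD

HOSTCOLS   NRrBD
HOSTSORTBY REQUESTS

DIRCOLS   RrBD
DIRSORTBY REQUESTS

# Descend three levels so that /ipaddress/protocol/port/ is reported in full.
SUBDIR */*/*
SUBDIRSORTBY REQUESTS

REQCOLS NRrBD	# kept for completeness; unused while REQUEST is OFF above
REQSORTBY REQUESTS

USERCOLS NRrBbD	# columns in the log-prefix (USER) report

VHOSTSORTBY REQUESTS

BROWREPSORTBY REQUESTS          # Sort by requests

REFCOLS NRrBD
REFOUTPUTALIAS REGEXP:http://(.*)/ $1
# Convert the faked source port "URL" into just the port number

# ICMP type number to name mapping. Source: http://www.cotse.com/icmptypes.html
# fwanalog reports an ICMP packet as /ipaddress/ICMP/type/ ; the entries below
# replace the bare type number with its name. The number logged is the ICMP
# *type* (the ICMP code is a separate field). Numbers follow RFC 792 / IANA:
# echo reply is type 0, echo request is type 8; types 1 and 2 are unassigned.
# These specific rules must stay in front of the generic "Better aliasing"
# rules further down, which would otherwise rewrite the path first.
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/0/$	"$1/$2/echo reply (0)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/3/$	"$1/$2/destination unreachable (3)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/4/$	"$1/$2/source quench (4)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/5/$	"$1/$2/redirect (5)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/6/$	"$1/$2/alternate host address (6)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/8/$	"$1/$2/echo (8)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/9/$	"$1/$2/router advertisement (9)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/10/$	"$1/$2/router selection (10)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/11/$	"$1/$2/time exceeded (11)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/12/$	"$1/$2/parameter problem (12)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/13/$	"$1/$2/timestamp (13)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/14/$	"$1/$2/timestamp reply (14)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/15/$	"$1/$2/information request (15)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/16/$	"$1/$2/information reply (16)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/17/$	"$1/$2/address mask request (17)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/18/$	"$1/$2/address mask reply (18)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/30/$	"$1/$2/traceroute (30)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/31/$	"$1/$2/datagram conversion error (31)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/32/$	"$1/$2/mobile host redirect (32)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/33/$	"$1/$2/ipv6 where are you (33)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/34/$	"$1/$2/ipv6 i am here (34)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/35/$	"$1/$2/mobile registration request (35)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/36/$	"$1/$2/mobile registration reply (36)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/37/$	"$1/$2/domain name request (37)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/38/$	"$1/$2/domain name reply (38)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/39/$	"$1/$2/skip (39)"
DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/40/$	"$1/$2/photuris (40)"

# the rest of ICMP - see fwanalog.analog.conf.local
# DIROUTPUTALIAS REGEXPI:^/(.+)/(ICMP)/(.+)/$	"$1/$2, unknown type $3"
# /ipaddress/icmp/type => ipaddress/icmp, type
# NOTE(review): if fwanalog.analog.conf.local is read after this file, a
# catch-all placed there is only reached after the generic rules below have
# already rewritten /ipaddress/ICMP/type/ into ipaddress:type/ICMP, so it
# would never match. Confirm where the .local file is included before
# relying on it for this.

# Better aliasing of blocked requests
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/(.+)/$	$1:$3/$2
# /ipaddress/protocol/portnumber/ => ipaddress:portnumber/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/([0-9]+)/$		"$1/unknown protocol $2"
# /ipaddress/numeric_protocol/ => ipaddress/unknown protocol numeric_protocol
DIROUTPUTALIAS REGEXP:^/(.+)/(.*)/$		$1/$2
# /ipaddress/protocol/ => ipaddress/protocol
DIROUTPUTALIAS REGEXP:^/(.+)/$			$1
# /ipaddress/ => ipaddress

PAGEEXCLUDE *	# Page reports don't make sense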