This is the sample reptor.cfg file as included in the distribution.
#
# This file contains site specific settings that will determine what logfile
# entries Reptor selects for reporting, what types of reports are generated,
# and how those reports are formatted. By creating multiple configuration files
# and using the --config command line option to select one at runtime, you may
# create reporting scenarios for different firewalls, or different reporting
# scenarios for the same firewall.
#
# For example, you may want to generate an alert report that is emailed to the
# firewall administrator, and a separate summary report that is posted to an
# intranet web server. Create one configuration file called alerts.cfg that
# generates alerts only and outputs to email, and create one configuration file
# called summary.cfg that generates summaries only and outputs to an ftp
# server. Then, run Reptor once with each configuration file:
#
#   perl reptor.pl --config alerts.cfg
#   perl reptor.pl --config summary.cfg
#
# Options in this file must be listed one per line. A line beginning with a
# pound sign indicates a comment. Keywords are not case sensitive, but just
# about everything else is.
#
# For example, these two lines are identical:
#
#   directory /var/adm/sg/oldlogs
#   DIRECTORY /var/adm/sg/oldlogs
#
# but these two lines are not:
#
#   directory /var/adm/sg/oldlogs
#   directory /VAR/ADM/SG/OLDLOGS
#
# If it's not obvious to you where it makes a difference, stick to lowercase.
#
# Text in <angle brackets> denotes a required field. Text in [square brackets]
# denotes an optional field. The pipe character | is used to denote the concept
# of "OR". For example, <one|two> indicates that either "one" or "two" is
# required.
#
# If you wish to specify a string that contains spaces, you must enclose it in
# double quotes. For example:
#
#   alias http "Web Access"
#
# Unless otherwise stated, each option may only be specified once.
#
# Lines may also contain special substitution parameters. These are indicated
# by surrounding a string with braces. If the delimited string denotes an
# existing environment variable, then the value of that variable will be used
# in place of the string. For example, given an environment variable named
# "PROTOCOL" with a value of "HTTP", the line:
#
#   protocol_user_detail {PROTOCOL} -total 10
#
# will be interpreted as:
#
#   protocol_user_detail HTTP -total 10
#
# In this manner, Reptor's output can be modified by the command line at
# runtime:
#
#   PROTOCOL=HTTP reptor.pl --config /path/to/reptor.cfg
#
# If no environment variable for a delimited string exists, the original
# text will be used as is.
#
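
The line syntax described above (comments, case-insensitive keywords, double-quoted strings, {NAME} substitution), as an added Python example that is not Reptor's own code. The function names are hypothetical, and substituting after the line has been split into fields is an assumption; it also reports which environment variables the file depends on, which matters when the same file is run from a scheduler with a different environment.

```python
import re

# Added illustration; function names are hypothetical, not Reptor's own.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # a double-quoted string or a bare word
BRACE = re.compile(r"\{([^{}]+)\}")      # {NAME} substitution parameter


def tokenize(line):
    """Split a line into fields; quotes group words, backslashes stay literal."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def parse_config(text, env):
    """Return (directives, referenced).

    directives: list of (keyword, [fields]) with the keyword lower-cased.
    referenced: {NAME: bool} for every {NAME} seen; True if env supplied it.
    """
    directives, referenced = [], {}

    def expand(match):
        name = match.group(1)
        referenced[name] = name in env
        # Unset variable: the original text is used as is, braces included.
        return env.get(name, match.group(0))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Assumption: substitute per field after splitting, so a value that
        # contains spaces or quotes cannot turn into extra fields.
        fields = [BRACE.sub(expand, field) for field in tokenize(line)]
        directives.append((fields[0].lower(), fields[1:]))
    return directives, referenced


# Constructed sample configuration, using directives shown on this page.
SAMPLE = r'''
# constructed sample configuration
DIRECTORY c:\raptor\eagle\sg\oldlogs
alias http "Web Access"
protocol_user_detail {PROTOCOL} -total 10
host_summary {IFACE} -total 10
'''

if __name__ == "__main__":
    parsed, used = parse_config(SAMPLE, {"PROTOCOL": "HTTP"})
    for keyword, fields in parsed:
        print(keyword, fields)
    print("unset variables:", [n for n, ok in used.items() if not ok])
```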


#
# include <filename>
#
# Reads additional configuration directives from the specified file. This
# might be useful in the case where you run Reptor on logs for more than
# one firewall and you have many directives that are the same between them.
# By placing all the common directives in a common configuration file, and
# then including that file, you can save the headache of trying to maintain
# multiple instances of the same settings.
#
# Examples:
#
# include common.cfg
# include /usr/local/reptor/standard.cfg
# include c:\reptor\detail.cfg
#


#
# basedir <directory>
#
# Indicates the directory in which Reptor is installed. This is not required,
# but is useful to avoid problems when Reptor is run from a command scheduler.
#
# Examples:
#
# basedir /usr/local/reptor
# basedir c:\raptor\logs\reptor
#


#
# remotelog <host> [path of remotelogfile executable]
#
# If specified, Reptor will use the remotelog utility provided with the
# firewall to obtain the logfile to process. The remotelog utilities are
# initiated from the client side, so no server side scripting is necessary to
# transfer logfiles. The data stream is also encrypted, so possible
# eavesdropping from packet sniffers is deterred. Use of this option requires
# previous setup of the remotelog utilities. Refer to your firewall
# documentation for further details on this process. Before attempting to
# utilize this feature, verify that the remotelogfile command works when
# manually invoked from a command prompt.
#
# Specify the name or IP address of the firewall server for the <host>
# parameter. If you are not going to use this feature, make sure this option is
# deleted or commented out -- it has precedence over the other options.
#
# Depending on how you have installed the remotelog utilities, you may also
# have to specify the path to the remotelogfile executable. Do not include the
# name of the remotelogfile program here, just the path to the directory that
# the program exists in.
#
# Examples:
#
# remotelog firewall.domain.com
# remotelog 10.1.1.7 c:\utilities
#


#
# save_logfile [directory]
#
# If specified, Reptor will save a local copy of the logfile that was retrieved
# with remotelog. This is useful if you want to have a local copy of the
# logfile for further analysis or backup. The logfile will be written to the
# current directory if none is specified. If you haven't specified the
# remotelog option, specifying this option is meaningless.
#
# Example:
#
# save_logfile /usr/local/backup
#


#
# compress <command>
#
# If save_logfile is also specified, Reptor will compress logfiles after
# saving them. The command string is the full path name to the compression
# program, plus any options. If there are any spaces in the command string, it
# must be double quoted. This feature only works with compression programs
# that can work with just the name of the file to compress as an argument. For
# example, "gzip file" or "bzip2 file". It will not work with programs that
# require archive names like "pkzip file.zip file".
#
# Examples:
#
# compress "/bin/gzip -9"
# compress "/bin/bzip2 -9"
#


#
# directory <directory>
#
# If you are not using remotelog, this option specifies the directory where the
# firewall logfiles are located on the local machine. This should be an
# absolute path name, and should include the drive letter for Windows NT
# installations. There should be no trailing (back)slash. If Reptor is being
# run on the firewall server and this option is omitted, Reptor will probably
# be able to guess where the logfiles are located. If the "remotelog" option is
# used to retrieve logfiles, this option should not be specified.
#
# Examples:
#
# directory c:\raptor\eagle\sg\oldlogs
# directory /var/adm/sg/oldlogs
#
directory c:\raptor\eagle\sg\oldlogs


#
# uncompress <command> <extension>
#
# If specified, Reptor will assume the logfile is compressed. The command
# string should contain the command to uncompress to stdout, with the full path
# name and any options. The extension string is the filename extension that the
# compression program uses. Strings with spaces should be double quoted.
#
# Examples:
#
# uncompress /bin/zcat Z
# uncompress "/bin/gunzip -c" gz
# uncompress "/bin/bunzip2 -c" bz2
#


#
# split
#
# If specified, Reptor will automatically attempt to handle log files that have
# been split by the firewall. These logs are named:
#
# logfile.date
# logfile.date-1
# logfile.date-2
# logfile.date-3
# [...]
#
# The split option may be combined with either the remotelog or uncompress
# options.
#
# When combined with remotelog, you may receive an error message from the
# remotelogfile program. Since Reptor has no way of knowing ahead of time
# how many chunks there will be, it just keeps trying to open new chunks
# until a failure occurs. The resulting error message can be safely
# ignored.
#
# If you've specified the save_logfile option, the local copy that will be
# created will consist of the concatenation of all the chunks.
#


#
# interface <interface> <alias>
#
# This option identifies the network interfaces that are installed in the
# firewall server. The firewall uses identifiers such as "73912E41-9F42-1"
# (or "Vpn1" previous to SEF v7) to designate these interfaces. If you
# wish to use a more easily understandable identifier, you may specify an
# alias for the interface. Interface aliases are case sensitive.
#
# You'll probably have to manually browse a logfile to determine which
# identifier refers to which interface. Refer to the FAQ for more details.
#
# One "interface" option may be specified for each interface in your firewall.
#
# Examples:
#
# interface Vpn1 Inside
# interface Vpn2 Outside
# interface Vpn3 DMZ
#


#
# filter <source interface> <destination interface>
#
# Instructs Reptor to process only connections made from the specified source
# interface to the specified destination interface. This option is useful if
# you wish to process traffic in only one direction or if your firewall has
# more than two network interfaces and you want to ignore traffic on one of
# them.
#
# If you specified an alias for an interface, use the alias instead of the
# interface identifier. The special keyword "any" may be used to match any
# interface. More than one "filter" option may be specified.
#
# For example, assuming a network structure where the internal interface is
# called Vpn1, the external interface is called Vpn2, and the DMZ interface
# is called Vpn3:
#
# filter any Vpn2
#   Processes traffic from the inside to the outside.
#
# filter Vpn1 Vpn2
# filter Vpn2 Vpn1
#   Processes traffic from the inside out and from the outside in.
#
# filter Vpn3 Vpn2
#   Processes traffic from the DMZ to the outside.
#
# If you have used the "interface" option to specify interface aliases like
# this:
#
# interface Vpn1 Inside
# interface Vpn2 Outside
# interface Vpn3 DMZ
#
# then you must use those aliases in the filter specification like this:
#
# filter Inside Outside
#
filter any any


#
# netmask <ip/mask>
#
# If specified, Reptor will report only on activity that matches the given
# netmask. If either the source IP address or the destination IP address
# of a connection matches the netmask, the activity will be included in
# the various report sections. If more than one netmask is specified,
# the activity will be included if it matches any one.
#
# Examples:
#
# netmask 10.0.0.0/255.0.0.0
# netmask 172.16.0.0/255.255.0.0
# netmask 192.168.1.0/255.255.255.0
# netmask 192.168.2.0/255.255.255.252
#
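
How the "interface", "filter" and "netmask" options described above select log entries, as an added Python example that is not Reptor's own code. The record layout and function names are hypothetical, and requiring both a filter match and a netmask match when both are configured is an assumption; the last case shows the pitfall the filter section warns about, where a filter written with raw identifiers matches nothing once aliases are defined.

```python
import ipaddress


def build_selector(config_text):
    """Return a function that tells whether a connection record is processed."""
    ifaces, filters, nets = {}, [], []
    for line in config_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        key = f[0].lower()
        if key == "interface":
            ifaces[f[1]] = f[2]                      # identifier -> alias
        elif key == "filter":
            filters.append((f[1], f[2]))             # (source, destination)
        elif key == "netmask":
            # ip_network accepts the dotted "ip/mask" form used on this page.
            nets.append(ipaddress.ip_network(f[1]))

    def selected(conn):
        # Once an alias exists, filters are compared against the alias.
        src_if = ifaces.get(conn["src_if"], conn["src_if"])
        dst_if = ifaces.get(conn["dst_if"], conn["dst_if"])
        # Assumption: with no "filter" lines every direction is processed.
        direction_ok = not filters or any(
            s in ("any", src_if) and d in ("any", dst_if) for s, d in filters)
        # Either address may match, and any one netmask is enough.
        addrs = [ipaddress.ip_address(conn["src"]), ipaddress.ip_address(conn["dst"])]
        address_ok = not nets or any(a in n for n in nets for a in addrs)
        return direction_ok and address_ok

    return selected


# Constructed configuration built from the examples on this page.
CONFIG = """
interface Vpn1 Inside
interface Vpn2 Outside
interface Vpn3 DMZ
filter Inside Outside
filter DMZ Outside
netmask 192.168.1.0/255.255.255.0
netmask 192.168.2.0/255.255.255.252
"""

# Same aliases, but the filter uses the raw identifiers: nothing matches.
CONFIG_RAW_FILTER = CONFIG.replace("filter Inside Outside", "filter Vpn1 Vpn2") \
                          .replace("filter DMZ Outside", "filter Vpn3 Vpn2")

# Constructed connection records (hypothetical field names).
OUTBOUND = {"src_if": "Vpn1", "dst_if": "Vpn2", "src": "192.168.1.20", "dst": "203.0.113.5"}
INBOUND = {"src_if": "Vpn2", "dst_if": "Vpn1", "src": "203.0.113.5", "dst": "192.168.1.20"}
DMZ_IN_MASK = {"src_if": "Vpn3", "dst_if": "Vpn2", "src": "192.168.2.2", "dst": "198.51.100.9"}
DMZ_OUT_OF_MASK = {"src_if": "Vpn3", "dst_if": "Vpn2", "src": "192.168.2.9", "dst": "198.51.100.9"}

if __name__ == "__main__":
    select = build_selector(CONFIG)
    for name, conn in [("outbound", OUTBOUND), ("inbound", INBOUND),
                       ("dmz in /30", DMZ_IN_MASK), ("dmz outside /30", DMZ_OUT_OF_MASK)]:
        print(name, select(conn))
```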


#
# alias <protocol> <alias>
#
# Protocol aliases allow Reptor to use a more easily understandable string to
# represent protocols that may have confusing identifiers. For example, you
# may wish to use the phrase "Web Access" to represent the HTTP protocol.
# Protocol aliases are case sensitive, and may not refer to other aliases.
#
# The protocol string is the value that actually appears in the firewall log
# file following the "proto=" tag. The alias string is the value that Reptor
# will use to refer to this protocol.
#
# Protocol aliases are often dependent on any GSP services that you may have
# created in your firewall configuration. In this case, the protocol string
# is usually constructed of the port number that the protocol utilizes,
# followed by a forward slash, followed by the transport protocol, which
# is usually tcp or udp.
#
# Examples:
#
# alias 110/tcp pop3
# alias 143/tcp imap
# alias http "Web Browsing"
# alias http-https "Secure Web Browsing"
#
# Two or more similar protocols may be combined into a single reporting group
# by giving them the same alias. For example:
#
# alias http "Web Browsing"
# alias http-https "Web Browsing"
# alias ftp "File Transfer"
# alias ftp-data "File Transfer"
# alias 110/tcp "Email"
# alias 143/tcp "Email"
# alias smtp "Email"
#
# This option may be specified more than once.
#
alias http-https http
alias ftp-data ftp
alias 22/tcp ssh
alias 110/tcp pop3
alias 119/tcp nntp
alias 143/tcp imap


#
# totals
#
# If specified, Reptor will generate a table of statistics summarizing the
# total amount of traffic detailed in the logfile.
#
totals


#
# alerts
#
# If specified, Reptor will generate a table of details about individual
# logfile entries that have triggered alert conditions. At least one of
# the "time", "duration", "volume", "bandwidth", "user", "ratings", "mime",
# or "word" options must also be specified in order to define the alert
# conditions.
#
alerts


#
# show_reason
#
# If specified, the reason for the alert will be included in the alert section.
# If this option is specified, the "alerts" option must be also.
#
show_reason


#
# show_bandwidth
#
# If specified, the average bandwidth used by the connection will be included
# in the alert section. The value will be formatted according to the setting
# of the "nice_format" option. If this option is specified, the "alerts" option
# must be also.
#
#show_bandwidth


#
# show_interface
#
# If specified, the source and destination interface will be included in the
# alert section of the report. If this option is specified, the "alerts" option
# must be also.
#
#show_interface


#
# show_user
#
# If specified, the logfile "user" field will be included in the alert section
# of the report. This field contains the user name for authenticated
# connections or the email address of the sender for SMTP connections. If this
# option is specified, the "alerts" option must be also.
#
#show_user


#
# show_auth
#
# If specified, the logfile "auth" field will be included in the alert section
# of the report. This field contains the type of authentication used for
# authenticated connections. If this option is specified, the "alerts" option
# must be also.
#
#show_auth


#
# show_rule
#
# If specified, the rule number that allows a connection to pass through the
# firewall will be included in the alert section of the report. If this option
# is specified, the "alerts" option must be also.
#
#show_rule


#
# show_op
#
# If specified, the logfile "op" field will be included in the alert section of
# the report. If this option is specified, the "alerts" option must be also.
#
#show_op


#
# show_id
#
# If specified, the logfile "id" field will be included in the alert section of
# the report. I have no idea what the id field contains, but if you do, there
# it is. If this option is specified, the "alerts" option must be also.
#
#show_id


#
# show_result
#
# If specified, the logfile "result" field will be included in the alert
# section of the report. If this option is specified, the "alerts" option must
# be also.
#
#show_result


#
# show_arg
#
# If specified, the logfile "arg" field will be included in the alert section
# of the report. This field typically contains the URL for the connection. If
# this option is specified, the "alerts" option must be also.
#
show_arg


#
# all
#
# If specified, all logfile entries will be reported in the alert section,
# regardless of the alert settings. If not specified, only logfile entries that
# trigger alerts will be reported. Use of this option will result in a huge
# amount of output. If this option is specified, the "alerts" option must be
# also.
#
# You really don't want to use this. I don't even know why it's here.
#


#
# time <protocol> <period begin> <period end>
#
# Specifies a condition that will trigger an alert if there is any traffic of
# the specified protocol within the specified time period. If you have
# specified an alias for the protocol, use the alias instead of the protocol
# name. The format of the time period string is HHMM. Use "0000" for midnight
# at the beginning of a period, and "2400" for midnight at the end of a period.
# If this option is specified, the "alerts" option must be also. This option
# may be specified more than once.
#
# Examples:
#
# time telnet 0000 0800
#    Report all telnet activity between midnight and 8am.
#
# time ftp 1830 2400
#    Report all ftp activity between 6:30pm and midnight.
#
time telnet 0000 0800
time telnet 2000 2400
time ftp 0000 0800
time ftp 2000 2400


#
# duration <protocol> <duration> [modifier]
#
# Specifies a condition that will trigger an alert if the duration of the
# connection is greater than or equal to the specified duration. The duration
# is understood as number of seconds unless followed by a modifier of "M" for
# minutes or "H" for hours. If you have specified an alias for the protocol,
# use the alias instead of the protocol name. If this option is specified, the
# "alerts" option must be also. This option may be specified more than once.
#
# Examples:
# 
# duration telnet 1 H
#   Report all telnet activity that lasts longer than 1 hour.
#
# duration ftp 15 M
#   Report all ftp activity that lasts longer than 15 minutes.
#
# duration smtp 30
#   Report all smtp activity that lasts longer than 30 seconds.
#
duration ftp 5 M
duration http 2 M
duration pop3 5 M
duration smtp 5 M
duration telnet 30 M


#
# volume <protocol> <volume> [modifier]
#
# Specifies a condition that will trigger an alert if the amount of traffic
# transferred (sent + received) during a connection is greater than or equal to
# the specified number of bytes. The volume is understood as number of bytes
# unless followed by a modifier of "K" for kilobytes or "M" for megabytes. You
# may also use "b" for bits, "k" for kilobits, or "m" for megabits. If you
# have specified an alias for the protocol, use the alias instead of the
# protocol name. If this option is specified, the "alerts" option must be also.
# This option may be specified more than once.
#
# Examples:
#
# volume ftp 2 M
#   Report all ftp transfers that are greater than 2 megabytes.
#
# volume smtp 200 K
#   Report all smtp transfers that are greater than 200 kilobytes.
#
# volume telnet 500
#   Report all telnet transfers that are greater than 500 bytes.
#
volume ftp 5 M
volume http 1 M
volume pop3 1 M
volume smtp 1 M
volume telnet 1 M

#
# bandwidth <protocol> <bandwidth> [modifier]
#
# Specifies a condition that will trigger an alert if the amount of traffic
# transferred (sent + received) during a connection is greater than or equal to
# the specified bandwidth. The bandwidth is understood as number of bits per
# second unless followed by a modifier of "k" for kilobits or "m" for megabits.
# You may also use "B" for bytes, "K" for kilobytes, or "M" for megabytes. If
# you have specified an alias for the protocol, use the alias instead of the
# protocol name. If this option is specified, the "alerts" option must be also.
# This option may be specified more than once.
#
# Examples:
#
# bandwidth ftp 1 m
#   Report all ftp transfers that averaged more than 1 megabit per second.
#
# bandwidth http 256 k
#   Report all http transfers that averaged more than 16 kilobits per second.
#
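
The "time", "duration", "volume" and "bandwidth" conditions described above, evaluated over connection records in an added Python example that is not Reptor's own code. The record fields and function names are hypothetical; treating a kilo as 1024, testing only the connection start time against the window, and skipping the bandwidth test for zero-length connections are assumptions. Note that the modifier letters are case sensitive and mean different things per option: "M" is minutes for duration and megabytes for volume, while "m" is megabits.

```python
KILO = 1024  # assumption: the page does not say whether "kilo" is 1000 or 1024

# Modifier tables taken from the option descriptions (case sensitive).
UNITS = {
    "duration": {"": 1, "M": 60, "H": 3600},                      # -> seconds
    "volume": {"": 1, "K": KILO, "M": KILO ** 2,
               "b": 1 / 8, "k": KILO / 8, "m": KILO ** 2 / 8},    # -> bytes
    "bandwidth": {"": 1, "k": KILO, "m": KILO ** 2,
                  "B": 8, "K": 8 * KILO, "M": 8 * KILO ** 2},     # -> bits/second
}


def hhmm(text):
    """Convert HHMM to minutes since midnight ("2400" is end-of-day midnight)."""
    return int(text[:2]) * 60 + int(text[2:])


def to_limit(kind, value, modifier=""):
    """Normalise a threshold; reject modifiers the option does not define."""
    if modifier not in UNITS[kind]:
        raise ValueError(f"{kind}: unknown modifier {modifier!r}")
    return float(value) * UNITS[kind][modifier]


def load_rules(config_text):
    """Collect protocol aliases and alert rules (fields here contain no spaces)."""
    aliases, rules = {}, []
    for line in config_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        key = f[0].lower()
        if key == "alias":
            aliases[f[1]] = f[2]
        elif key == "time":
            rules.append(("time", f[1], (hhmm(f[2]), hhmm(f[3]))))
        elif key in UNITS:
            rules.append((key, f[1], to_limit(key, f[2], *f[3:4])))
    return aliases, rules


def alert_reasons(conn, aliases, rules):
    """Return the kinds of rule a connection record trips, in config order."""
    proto = aliases.get(conn["proto"], conn["proto"])   # rules name the alias
    total = conn["sent"] + conn["received"]             # bytes, sent + received
    reasons = []
    for kind, rule_proto, limit in rules:
        if rule_proto != proto:
            continue
        if kind == "time":
            # Assumption: start time is tested, begin inclusive, end exclusive.
            hit = limit[0] <= hhmm(conn["start"]) < limit[1]
        elif kind == "duration":
            hit = conn["duration"] >= limit
        elif kind == "volume":
            hit = total >= limit
        else:  # bandwidth; assumption: zero-length connections have no average
            hit = conn["duration"] > 0 and total * 8 / conn["duration"] >= limit
        if hit:
            reasons.append(kind)
    return reasons


# Constructed configuration using directives from this file.
CONFIG = """
alias http-https http
alias ftp-data ftp
time ftp 2000 2400
duration ftp 5 M
volume ftp 5 M
volume http 1 M
bandwidth http 256 k
"""

# Constructed connection records (hypothetical field names; duration in seconds).
NIGHT_FTP = {"proto": "ftp-data", "start": "2130", "duration": 120,
             "sent": 0, "received": 6 * 1024 * 1024}
FAST_HTTPS = {"proto": "http-https", "start": "1000", "duration": 10,
              "sent": 2000, "received": 400000}
LONG_FTP = {"proto": "ftp", "start": "0900", "duration": 300, "sent": 100, "received": 100}
TELNET = {"proto": "telnet", "start": "0300", "duration": 9000, "sent": 1, "received": 1}

if __name__ == "__main__":
    aliases, rules = load_rules(CONFIG)
    for conn in (NIGHT_FTP, FAST_HTTPS, LONG_FTP, TELNET):
        print(conn["proto"], alert_reasons(conn, aliases, rules))
```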


#
# user <protocol> <user>
#
# Specifies a condition that will trigger an alert if the connection is
# authenticated to the specified user. If you have specified an alias for the
# protocol, use the alias instead of the protocol name. If this option is
# specified, the "alerts" option must be also. This option may be specified
# more than once.
#
# Examples:
#
# user telnet joe
#   Report all telnet activity attributed to authenticated user joe.
#
# user smtp fred@domain.com
#   Report all emails sent from fred@domain.com.
#


#
# ratings
#
# If specified, connections that trigger WebNOT ratings settings will be
# reported in the alert section.
#
ratings


#
# mime
#
# If specified, connections that attempt a blocked MIME type will be
# reported in the alert section.
#
mime


#
# word <word>
#
# Specifies a condition that will trigger an alert if the specified regular
# expression is matched to the search string. The content of the search string
# is determined by the setting of the "search_source", "search_destination",
# and "search_arg" options. If this option is specified, the "alerts" option
# must be also. This option may be specified more than once.
#
# Note: A large number of word alerts will significantly slow the reporting
# process.
#
word casino
word gamble
word playboy
word nude
word naked
word sex
word [^x]xxx[^x]


#
# search_source
#
# If specified, Reptor will include the name of the source host in the search
# for the indicated alert words.
#
#search_source


#
# search_destination
#
# If specified, Reptor will include the name of the destination host in the
# search for the indicated alert words.
#
search_destination


#
# search_arg
#
# If specified, Reptor will include the "arg" field in the search for the
# indicated alert words. This typically contains the full URL for the
# connection, and is usually where the search words will be found.
#
search_arg


#
# pattern <pattern> [limit]
#
# This option allows you to specify text patterns that you'd like to search
# for in the log file. It can be used to generate a simple report section
# for events that Reptor doesn't otherwise report on. In its simplest form,
# the pattern is specified as a static, case-sensitive string. If you'd
# like to use a pattern that contains spaces, it must be placed within
# double quotes. For example:
#
# pattern QueSO
# pattern "Realtime Blackhole List"
# pattern "Possible Port Scan"
#
# This will cause Reptor to scan every line in the logfile for the specified
# text. Whenever a matching line is found, a counter for that pattern will
# be incremented. The resulting report section will list each pattern and
# how many times it was matched. It will look something like this:
#
# Pattern                  Count
# ----------------------- ------
# Possible Port Scan          19
# QueSO                        7
# Realtime Blackhole List    115
#
# Patterns are not limited to static strings -- they can be full Perl regular
# expressions. As such, any special characters in the pattern must be slash
# escaped. In addition to allowing very complicated patterns, the primary
# benefit of this feature is that Reptor will count each unique matching
# string separately. For example, consider the following partial logfile
# lines:
#
# ... Possible Port Scan detected on Interface 192.168.1.1 ...
# ... Possible Port Scan detected on Interface 192.168.2.1 ...
# ... Possible Port Scan detected on Interface 192.168.1.1 ...
# ... Possible Port Scan detected on Interface 192.168.1.1 ...
#
# There have been four scans -- three to one interface and one to another. If
# the pattern is specified simply as:
#
# pattern "Possible Port Scan"
#
# ... then the resulting report would look like:
#
# Pattern             Count
# ------------------ ------
# Possible Port Scan      4
#
# This may not be desirable, since it doesn't indicate how many scans were
# directed at each interface. By utilizing regular expressions, the pattern
# can be specified as:
#
# pattern "Possible Port Scan detected on Interface \S+"
#
# This causes Reptor to use the text that actually matches the pattern as
# the index for the counter. The resulting report would look like:
#
# Pattern                                               Count
# ---------------------------------------------------- ------
# Possible Port Scan detected on Interface 192.168.1.1      3
# Possible Port Scan detected on Interface 192.168.2.1      1
#
# In addition, you can use parenthesized subexpressions to trim the index
# as it displays in the report. For example, specifying the pattern as:
#
# pattern "Possible (Port Scan) detected( on) Interface( \S+)"
#
# ... would still match all the same lines as the previous example, but
# would result in a report like:
#
# Pattern                   Count
# ------------------------ ------
# Port Scan on 192.168.1.1      3
# Port Scan on 192.168.2.1      1
#
# A limit may be also specified after the pattern:
#
# pattern "Overly long line received from \S+" 10
#
# Patterns must match at least the specified number of lines in order to
# be included in the report.
#
# This option may be specified more than once.
#
# Note: Scanning every single logfile line for multiple complex patterns
# is a very CPU intensive process. Excessive use of this option can
# significantly slow down the reporting process.
#
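
The counting rules of the "pattern" option described above, reproduced on the page's own port scan lines in an added Python example that is not Reptor's own code. Python's re module stands in for Perl regular expressions (the patterns shown behave the same in both), the text around each log message is constructed, and applying the limit to each counted string rather than to the pattern as a whole is an assumption.

```python
import re
from collections import Counter


def pattern_report(patterns, log_lines):
    """patterns: list of (regex_text, limit or None).

    Returns the report rows as a sorted list of (label, count).
    """
    rows = []
    for regex_text, limit in patterns:
        regex = re.compile(regex_text)      # case sensitive, as the page states
        counts = Counter()
        for line in log_lines:
            m = regex.search(line)          # one count per matching line
            if not m:
                continue
            if regex.groups:
                # Parenthesised subexpressions: the label is the captured
                # text only, joined in order.
                label = "".join(g or "" for g in m.groups())
            else:
                label = m.group(0)          # otherwise the text that matched
            counts[label] += 1
        # Assumption: the limit is applied to each counted string.
        rows += [(label, n) for label, n in counts.items()
                 if limit is None or n >= limit]
    return sorted(rows)


# Constructed log lines; only the "Possible Port Scan ..." text is from the page.
LOG = [
    "Jan 10 02:11:09 fw kernel: Possible Port Scan detected on Interface 192.168.1.1 (constructed)",
    "Jan 10 02:11:41 fw kernel: Possible Port Scan detected on Interface 192.168.2.1 (constructed)",
    "Jan 10 02:12:03 fw kernel: Possible Port Scan detected on Interface 192.168.1.1 (constructed)",
    "Jan 10 02:14:57 fw kernel: Possible Port Scan detected on Interface 192.168.1.1 (constructed)",
    "Jan 10 02:15:00 fw httpd: connection closed (constructed)",
]

STATIC = "Possible Port Scan"
PER_INTERFACE = r"Possible Port Scan detected on Interface \S+"
TRIMMED = r"Possible (Port Scan) detected( on) Interface( \S+)"

if __name__ == "__main__":
    for pattern in (STATIC, PER_INTERFACE, TRIMMED):
        print(pattern)
        for label, count in pattern_report([(pattern, None)], LOG):
            print(f"  {label:<55}{count:>6}")
```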


#
# alert_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of the hosts that have triggered
# alerts. The summary will be grouped by source host and sorted by the field
# indicated in <sort>. Valid values for <sort> are:
#
#   "host" to sort by the name or address of the source host
#   "alerts" to sort by the number of alerts generated
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify
# a value for [limit].
#
# If this option is specified, the "alerts" option must be also.
#
# Example:
#
# alert_summary -alerts 10
#   Generate a summary of the top ten hosts that generated alerts, sorted by
#   number of alerts descending.
#
alert_summary -alerts 5


#
# protocol_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by protocol
# and sorted by the field indicated in <sort>. Valid values for <sort> are:
# 
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify
# a value for [limit].
#
# Example:
#
# protocol_summary -total
#   Generate a summary of all protocols, sorted by total traffic volume
#   descending.
#
protocol_summary -total


#
# protocol_user_detail <protocol> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified protocol, grouped by user and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# If you have specified an alias for the protocol desired, use the alias name.
# For example, if you have specified:
#
# alias 143/tcp imap
#
# then use imap here, and not 143/tcp.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# protocol_user_detail ftp -total 10
# protocol_user_detail http -total 10
# protocol_user_detail imap -total 10
#   Generate a report of the top ten users using ftp, http, and imap.
#


#
# protocol_host_detail <protocol> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified protocol, grouped by host and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "host" to sort by the host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# If you have specified an alias for the protocol desired, use the alias name.
# For example, if you have specified:
#
# alias 143/tcp imap
#
# then use imap here, and not 143/tcp.
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# protocol_host_detail ftp -total 10
# protocol_host_detail http -total 10
# protocol_host_detail imap -total 10
#   Generate a report of the top ten hosts using ftp, http, and imap.
#
protocol_host_detail http -total 10
protocol_host_detail ftp -total 10


#
# interface_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic for each interface
# specified with the "interface" option, grouped by interface and sorted by the
# field indicated in <sort>. Valid values for <sort> are:
# 
#   "interface" to sort by the interface
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# interface_summary -total
#   Generate a summary of all interfaces, sorted by total traffic volume
#   descending.
#
interface_summary -total


#
# host_summary <interface> <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic for hosts on the
# specified interface, grouped by host and sorted by the field indicated in
# <sort>. If you have specified an alias for the interface, use the alias
# instead of the interface identifier. Valid values for <sort> are:
# 
#   "host" to sort by the name or address of the source host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# One "host_summary" option may be specified for each interface.
#
# Example:
#
# host_summary Vpn1 -total 10
#   Generate a summary of the top ten hosts on interface Vpn1, sorted by total
#   traffic volume descending.
#
host_summary Inside -total 10
host_summary Outside -total 10


#
# host_user_detail <host> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified host machine, grouped by user and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify
# a value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# host_user_detail 192.168.1.7 -total 10
#   Generate a report of the top ten users for 192.168.1.7.
#


#
# host_protocol_detail <host> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified host machine, grouped by protocol and sorted by the field indicated
# in <sort>. Valid values for <sort> are:
#
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Example:
#
# host_protocol_detail 192.168.1.7 -total 10
#   Generate a report of the top ten protocols for 192.168.1.7.
#


#
# user_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by user and
# sorted by the field indicated in <sort>. This option is only useful if users
# authenticate with the firewall. Valid values for <sort> are:
#
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# user_summary -total 10
#   Generate a summary of the top ten users sorted by total volume descending.
#
user_summary -total 10


#
# user_www_summary <sort> [limit]
#
# If specified, Reptor will generate a report of per-user WWW traffic grouped
# by user and sorted by the field indicated in <sort>. For each user, the most
# popular web sites they have visited will be displayed. The site name will be
# displayed as the top-level domain only, not the entire URL. So, hits to
# different pages within the www.wankwood.com site will be summarized on one
# report line as "www.wankwood.com". Both the user list and the sites visited
# by that user will be sorted by the field indicated in <sort>. If "user" is
# specified for the sort value, the user list will be sorted by user and the
# per-user site lists will be sorted by domain name. Valid values for <sort>
# are:
# 
#   "user" to sort by the user
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit]. If a limit is specified, it will limit both the number of
# users reported, and the number of sites reported for each user.
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# user_www_summary -hits 10
#   Generate a report listing the top ten users, and the top ten sites that
#   each of those users visited.
#
user_www_summary -hits 10


#
# host_www_summary <sort> [limit]
#
# If specified, Reptor will generate a report of per-host WWW traffic grouped
# by host and sorted by the field indicated in <sort>. For each host, the most
# popular web sites visited from that host will be displayed. The site name
# will be displayed as the top-level domain only, not the entire URL. So, hits
# to different pages within the www.wankwood.com site will be summarized on
# one report line as "www.wankwood.com". Both the host list and the sites
# visited from that host will be sorted by the field indicated in <sort>. If
# "host" is specified for the sort value, the host list will be sorted by host
# and the per-host site lists will be sorted by domain name. Valid values for
# <sort> are:
#
#   "host" to sort by the host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit]. If a limit is specified, it will limit both the number of
# hosts reported, and the number of sites reported for each host.
#
# Example:
#
# host_www_summary -hits 10
#   Generate a report listing the top ten hosts, and the top ten sites that
#   were visited from those hosts.
#
host_www_summary -hits 10


#
# user_protocol_detail <user> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified user, grouped by protocol and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "protocol" to sort by the protocol
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# user_protocol_detail fred -total 10
# user_protocol_detail stan -total 10
#   Generate a report of the top ten protocols for users fred and stan.
#


#
# user_host_detail <user> <sort> [limit]
#
# If specified, Reptor will generate a detailed report of traffic for the
# specified user, grouped by host and sorted by the field indicated in <sort>.
# Valid values for <sort> are:
#
#   "host" to sort by the host
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the report, specify a
# value for [limit].
#
# This option may be specified more than once. Specify one entry for each
# detail section desired.
#
# Note: In order for this report to work correctly, your configuration must
# require users to authenticate with the firewall.
#
# Example:
#
# user_host_detail fred -total 10
# user_host_detail stan -total 10
#   Generate a report of the top ten hosts for users fred and stan.
#


#
# hour_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic grouped by time of
# day (in one hour periods) and sorted by the field indicated in <sort>. Valid
# values for <sort> are:
# 
#   "hour" to sort by time of day
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# hour_summary hour 12
#   Generate a summary of the first twelve hours of the day.
#
hour_summary hour


#
# domain_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of top-level domains. The
# summary will be grouped by domain and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "domain" to sort by the name of the top-level domain
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Note: In order for this summary to be useful, the logfile must be DNS
# resolved. Also, the sum of all traffic reported by this summary will
# probably not reach 100% because not all logfile entries can be resolved.
#
# Example:
#
# domain_summary -total 10
#   Generate a summary of the top ten domains, sorted by number of bytes
#   descending.
#
domain_summary -total 5


#
# rbl_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of traffic that was rejected
# as a result of an RBL check by the SMTP proxy. The summary will be grouped
# by source host and sorted by the field indicated in <sort>. Valid values for
# <sort> are:
#
#   "rbl" to sort by the name or address of the source host
#   "hits" to sort by the number of connections rejected
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# rbl_summary -hits 10
#   Generate a summary of the traffic generated by the top ten RBL-listed
#   hosts, sorted by number of connections descending.
#
rbl_summary -hits 10



#
# mobile_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of Raptor Mobile connections.
# If you're using Raptor Mobile version 7.0 or later, use vpn_summary instead.
# The summary will be grouped by source host and sorted by the field indicated
# in <sort>. Valid values for <sort> are:
#
#   "host" to sort by the name or address of the source host
#   "hits" to sort by the number of connections made
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# mobile_summary -hits 10
#   Generate a summary of the top ten hosts that connected via Raptor Mobile,
#   sorted by number of connections descending.
#
mobile_summary -hits


#
# vpn_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of VPN activity. The summary
# will be sorted by the field indicated in <sort>. Valid values for <sort>
# are:
#
#   "vpn" to sort by the VPN identifier
#   "hits" to sort by the number of logfile entries
#   "sent" to sort by the number of bytes sent
#   "received" to sort by the number of bytes received
#   "total" to sort by the total number of bytes transferred
#   "duration" to sort by the amount of time elapsed
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Note: This option requires SEF version 7 or later. In addition, if you want
# to use this report, do not supply aliases for the vpn protocols. I.e., do
# _not_ do this:
#
# alias vpn/esp/sha1+des "My VPN"
#
# Example:
#
# vpn_summary -total
#   Generate a summary of all VPN activity, sorted by the total number of
#   bytes transferred descending.
#
vpn_summary -total


#
# vpn <identifier> <alias>
#
# Raptor assigns a unique numeric identifier to each VPN. The vpn_summary
# will use these identifiers in the report it generates. Since they are
# not terribly meaningful, you can use this option to assign aliases to
# them.
#
# To find out what your identifiers are, examine your logfile for lines
# that contain the string "isakmpd Info: Responder, Established". The
# line will also contain the source and destination IP addresses for the
# tunnel, so you'll be able to differentiate between them if you have
# more than one. The identifier is located immediately after the word
# "TUNNEL":
#
# isakmpd Info: Responder, Established IPSEC  SA TUNNEL 12.isakmp.1194
#
# In this case, the identifier is 12, so the option would be specified
# like this:
#
#   vpn 12 "I am Jack's VPN alias"
#
# This option may be specified more than once.
#
# Examples:
#
#   vpn 1 Corporate
#   vpn 2 "Supplier Intranet"
#
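# The identifier lookup described above, as an added example (not part of
# Reptor or of the original file): it pulls the number after "TUNNEL" from
# matching log lines and proposes vpn options for identifiers with no alias yet.
# The sample lines, their layout around the quoted marker, and all function
# names are constructed for illustration.

```python
import re

# Marker string quoted in the comments above; the identifier is the number
# that immediately follows the word "TUNNEL".
TUNNEL_RE = re.compile(
    r"isakmpd Info: Responder, Established\b.*?\bTUNNEL\s+(\d+)\.")
# Dotted-quad addresses anywhere on the line (used only as a hint for the alias).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# An active (uncommented) "vpn <identifier> <alias>" option; keyword is
# case-insensitive, as the file header states for all keywords.
VPN_OPT_RE = re.compile(r"^\s*vpn\s+(\d+)\s+\S", re.IGNORECASE)

# Constructed sample data: only the "isakmpd ... TUNNEL 12.isakmp.1194" part
# comes from the documentation; timestamps, host name and addresses are made up.
SAMPLE_LOG = [
    "Mar 03 02:14:07 fw1 isakmpd Info: Responder, Established IPSEC  SA "
    "TUNNEL 12.isakmp.1194 192.0.2.10 198.51.100.7",
    "Mar 03 02:14:09 fw1 httpd Info: request from 192.0.2.55",
    "Mar 03 04:40:31 fw1 isakmpd Info: Responder, Established IPSEC  SA "
    "TUNNEL 3.isakmp.1201 192.0.2.10 203.0.113.20",
]
SAMPLE_CFG = ["#   vpn 1 Corporate", 'VPN 3 "Supplier Intranet"']


def tunnel_endpoints(log_lines):
    """Map each VPN identifier to the sorted IPv4 addresses seen on its lines."""
    seen = {}
    for line in log_lines:
        match = TUNNEL_RE.search(line)
        if match:
            ident = int(match.group(1))
            seen.setdefault(ident, set()).update(IPV4_RE.findall(line))
    return {ident: sorted(ips) for ident, ips in sorted(seen.items())}


def aliased_identifiers(cfg_lines):
    """Identifiers that already have an active vpn option in the config."""
    found = set()
    for line in cfg_lines:
        match = VPN_OPT_RE.match(line)
        if match:
            found.add(int(match.group(1)))
    return found


def missing_vpn_options(log_lines, cfg_lines):
    """Suggest vpn option lines for tunnels that have no alias yet."""
    have = aliased_identifiers(cfg_lines)
    suggestions = []
    for ident, ips in tunnel_endpoints(log_lines).items():
        if ident not in have:
            hint = " <-> ".join(ips) or "unknown endpoints"
            suggestions.append('vpn %d "TODO %s"' % (ident, hint))
    return suggestions


if __name__ == "__main__":
    for option in missing_vpn_options(SAMPLE_LOG, SAMPLE_CFG):
        print(option)
```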


#
# ooba_summary <sort> [limit]
#
# If specified, Reptor will generate a summary of OOBA activity. The summary
# will be sorted by the field indicated in <sort>. Valid values for <sort>
# are:
#
#   "time" to sort by the time of day
#   "user" to sort by the user
#   "host" to sort by the name or address of the source host
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To indicate the maximum number of entries allowed in the summary, specify a
# value for [limit].
#
# Example:
#
# ooba_summary time
#   Generate a summary of OOBA activity, sorted by time ascending.
#


#
# message_summary <sort> [severity]
#
# If specified, Reptor will generate a summary of all logfile messages. The
# summary will be grouped by message type and sorted by the field indicated in
# <sort>. Valid values for <sort> are:
#
#   "hits" to sort by the number of messages
#   "message" to sort by the message number
#
# The <sort> string may be preceded with "-" to indicate descending order.
#
# To only show messages "more severe" than a certain value, specify a value for
# [severity]. The message severity values are as follows:
#
#   100-199 Information
#   200-299 Notice
#   300-399 Warning
#   400-499 Error
#   500-599 Alert
#   600-699 Critical
#   700-799 Emergency
#
# Example:
#
# message_summary message
#   Generate a summary of all messages, sorted by message.
#
# message_summary -hits 400
#   Generate a summary of messages that are severity "Error" and above, sorted
#   by the number of messages descending.
#
message_summary message


#
# history_summary <value> <limit>
#
# Reptor can accumulate a file that contains historical traffic summary
# statistics for each day that is processed. If this option is specified, this
# file will be used to generate a simple historical summary graph of recent
# traffic. In order to generate the history file, you must specify the
# history_file option. In order for the summary to show anything, you must also
# specify the graphs option. The value of <value> determines what the graph
# graphs. Valid values are:
#
#   "hits" to graph the total number of hits for each day
#   "total" to graph the total number of bytes for each day
#   "duration" to graph the total connection duration for each day
#
# The history summary (but not the history file) will be limited to <limit>
# days. This option may be specified more than once if you want to graph
# multiple values.
#
# Example:
#
# history_summary total 30
#   Graph the total number of bytes for each day over the past 30 days.
#
history_summary total 30
history_summary hits 30


#
# history_file <file>
#
# If specified, Reptor will accumulate a file that contains historical traffic
# summary statistics. The file will only be updated if the logfile being
# processed is yesterday's log. This is to prevent duplicate entries in the
# case of using the --date or --log command line options.
#
# Note: If you are running Reptor from within a shell script or batch file, you
# may not be changing to the Reptor directory before running it. If this is the
# case, you will have to specify a full path name here, so that Reptor can
# properly find the file.
#
# The history file contains four comma separated fields per line. The fields
# (from left to right) are:
#
#   date (in YYYYMMDD format)
#   total number of hits for that day
#   total number of bytes transferred for that day
#   total duration of connections for that day
#
# Examples:
#   history_file /usr/local/reptor/history
#   history_file c:\reptor\history
#
history_file history
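#
# A consistency check for the four-field history file described above, as an
# added example (not part of Reptor): it reports malformed lines, duplicate
# dates and missing days. It assumes the three counters are written as plain
# non-negative integers; the sample lines and function name are constructed.

```python
from datetime import datetime

# Constructed sample history file contents (not real traffic data).
SAMPLE_HISTORY = [
    "20240301,18234,734003200,91277",
    "20240302,17650,698351616,88410",
    "20240302,17650,698351616,88410",   # same day recorded twice
    "20240305,20111,801112064,97003",   # 03 and 04 March are missing
    "2024-03-06,1,2,3",                 # date not in YYYYMMDD format
    "20240307,19000,700000000",         # only three fields
]


def check_history(lines):
    """Return (records, problems).

    records  -- list of (date, hits, bytes, duration) for valid, unique days
    problems -- list of (line_number or None, message); None marks a finding
                about the file as a whole rather than a single line
    """
    records, problems, first_seen = [], [], {}
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            problems.append((lineno, "expected 4 fields, got %d" % len(fields)))
            continue
        try:
            # strptime alone would accept short forms such as "2024031".
            if len(fields[0]) != 8 or not fields[0].isdigit():
                raise ValueError(fields[0])
            day = datetime.strptime(fields[0], "%Y%m%d").date()
            hits, nbytes, duration = (int(f) for f in fields[1:])
        except ValueError:
            problems.append((lineno, "bad date or non-numeric counter"))
            continue
        if min(hits, nbytes, duration) < 0:
            problems.append((lineno, "negative counter"))
            continue
        if day in first_seen:
            problems.append((lineno, "duplicate entry for %s (first on line %d)"
                             % (fields[0], first_seen[day])))
            continue
        first_seen[day] = lineno
        records.append((day, hits, nbytes, duration))

    # Days with no entry at all show up as jumps between consecutive dates.
    ordered = sorted(r[0] for r in records)
    for prev, cur in zip(ordered, ordered[1:]):
        if (cur - prev).days > 1:
            problems.append((None, "no entries between %s and %s" % (prev, cur)))
    return records, problems


if __name__ == "__main__":
    for where, message in check_history(SAMPLE_HISTORY)[1]:
        print("line %s: %s" % (where, message))
```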


#
# fetcher_message
#
# If specified, Reptor will generate a small table reporting the status of the
# WebNOT fetcher process.
#
#fetcher_message


#
# links
#
# If specified, Reptor will make hyperlinks in the output where appropriate. If
# the "alerts" and "show_arg" options are also specified, the report will
# include links that will allow you to click on and visit the exact offending
# URL. Of course, doing so will cause an alert in tomorrow's report...
#
links


#
# output <
#   stdout |
#   file [>]directory/[filename] |
#   ftp username,password,address,directory/[filename] |
#   mail user@domain[,user@domain[...]]
# >
#
# Specifies the desired destination for the output. If "stdout" is specified,
# the output will be sent to the screen if not otherwise piped or redirected.
# If "file" is specified, you must also specify the desired target directory,
# and optionally, the desired file name. If specified without a filename, the
# directory should include a trailing (back)slash. If the filename is omitted,
# Reptor will automatically generate it based on the date of the logfile
# processed. If the string begins with ">", the output will be appended to the
# file if it already exists. Otherwise, it will overwrite an existing file of
# the same name. If "ftp" is specified, Reptor will upload the output to an ftp
# server using the specified settings. If "mail" is specified, Reptor will
# email the output to the list of addresses specified.
#
# Examples:
#
# output file /reports/
#   Save the output to the file /reports/<date>.html.
#
# output file /reports/output.html
#   Save the output to the file /reports/output.html, overwriting it if it
#   already exists.
#
# output file >/reports/output.html
#   Save the output to the file /reports/output.html, appending to it if it
#   already exists.
#
# output ftp anonymous,reptor,ftpsrv,/pub/incoming/reptor.html
#   Upload the output to the ftp server named ftpsrv. Log in with the userid
#   anonymous and the password reptor. Upload the file to the directory
#   /pub/incoming and name it reptor.html.
#
# output ftp apache,george,websrv,/apache/htdocs/reptor/
#   Upload the output to the ftp server named websrv. Log in with the userid
#   apache and the password george. Upload the file to the directory
#   /apache/htdocs/reptor and name it <date>.html.
#
# output mail joe@domain1.com,fred@domain2.com
#   Email the output to joe@domain1.com and fred@domain2.com.
#
output file ./
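#
# A parser for the output option grammar above, as an added example (not part
# of Reptor): it also flags a config file that stores a non-anonymous ftp
# password while being readable by group or others. Function names are
# hypothetical, and matching the destination type in lowercase is an assumption.

```python
import os
import re
import stat

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # double-quoted string or bare word


def parse_output(line):
    """Parse one `output` option line; None for comments and other options."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [quoted or bare for quoted, bare in TOKEN_RE.findall(line)]
    if fields[0].lower() != "output":          # keywords are not case sensitive
        return None
    kind = fields[1] if len(fields) > 1 else ""
    arg = fields[2] if len(fields) > 2 else ""
    if kind == "stdout" and len(fields) == 2:
        return {"kind": "stdout"}
    if kind == "file" and arg:
        append = arg.startswith(">")           # leading ">" means append
        path = arg[1:] if append else arg
        # A trailing (back)slash means Reptor names the file after the log date.
        return {"kind": "file", "append": append, "path": path,
                "auto_name": path.endswith(("/", "\\"))}
    if kind == "ftp" and arg.count(",") >= 3:
        user, password, host, path = arg.split(",", 3)
        return {"kind": "ftp", "user": user, "password": password,
                "host": host, "path": path, "auto_name": path.endswith("/")}
    if kind == "mail" and arg and all("@" in r for r in arg.split(",")):
        return {"kind": "mail", "recipients": arg.split(",")}
    raise ValueError("malformed output option: %r" % line)


def audit_config(path):
    """List findings for the output destination configured in the file `path`."""
    with open(path) as fh:
        outputs = [o for o in (parse_output(l) for l in fh) if o]
    findings = []
    if len(outputs) > 1:
        findings.append("output given %d times; it may only be specified once"
                        % len(outputs))
    for out in outputs:
        if out["kind"] == "ftp" and out["user"] != "anonymous":
            findings.append("password for %s@%s is stored in clear text"
                            % (out["user"], out["host"]))
            if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append("%s is readable by group or others" % path)
    return findings
```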


#
# mail_server <address>
#
# If you have indicated email output, this option specifies an SMTP server to
# relay mail through. If not specified, it will default to the local host.
#
# Example:
#
# mail_server 1.2.3.4
#


#
# mail_from <address>
#
# Indicates what to use for a From address when sending email output. This is
# not always required, but you may discover that your mail server has an
# anti-spam feature that rejects Reptor's output because the message does not
# have a valid From address.
#
# Example:
#
# mail_from root@domain.com
#


#
# dns
#
# If specified, Reptor will perform reverse DNS lookups on unresolved IP
# addresses that are selected to be printed. 
#
# In order to utilize the word search feature on a hostname, sort a summary by
# hostname, or specify the domain_summary option, the logfile must be fully
# DNS resolved before Reptor processes it. If real-time DNS resolution at the
# firewall is not desirable but these features are important, consider instead
# using a specially modified version of jdresolve, a high speed asynchronous
# resolver, specifically tweaked to handle Raptor logfiles. It can be
# downloaded from http://www.wankwood.com/reptor/jdresolve.html.
#
dns


#
# nice_format
#
# If specified, large byte values will be represented in Kb or Mb, as
# appropriate. In addition, other large values will be printed with commas.
#
nice_format


#
# title
#
# If specified, will be used as a report title. It may include simple HTML
# tags, but don't get silly with it.
#
title "Company<br>Firewall Activity"


#
# theme <theme>
#
# If specified, Reptor will utilize the named theme to generate the HTML
# output. The theme determines the fonts, colors, and formatting used. This
# allows for easy customization of the output. Theme names are case sensitive.
# Browse the themes directory for the names of the available themes.
#
# Example:
#
# theme Classic
#
theme Kuro5hin


#
# graphs <scale>
#
# If specified, Reptor will include graphs in summary tables. Reduce the scale
# to make the graphs narrower, increase the scale to make the graphs wider.
#
graphs 0.75


#
# smtp_bugfix
#
# If specified, Reptor will work around a Raptor bug that occasionally produces
# impossibly huge values for the number of bytes received in some logfile
# entries for the SMTP protocol.
#