diff example.conf @ 61:8b33436dd18b

Update example configuration and documentation.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 17 Aug 2009 08:22:38 +0300
parents 19dace24ad46
children d2e2b82dd2f2
--- a/example.conf	Mon Aug 17 08:22:24 2009 +0300
+++ b/example.conf	Mon Aug 17 08:22:38 2009 +0300
@@ -14,11 +14,11 @@
 # NOTICE! IF YOU DON'T CHANGE THIS TO 0, MALTFILTER WILL NOT DAEMONIZE!
 DRY_RUN = 1
 
+# Full path to iptables binary
+IPTABLES = "/sbin/iptables"
+
 # Maltfilter logfile path and name (set empty "" if you don't want logging)
 LOGFILE = "/var/log/maltfilter"
-  
-# Full path to iptables binary
-IPTABLES = "/sbin/iptables"
 
 # System passwd file location (default is /etc/passwd), this file
 # is checked to figure out system account names. See also SYSACCT_
@@ -161,3 +161,16 @@
 ## If disabled (0), instead of full timestamps, first/last hit times
 ## will be printed as "W weeks, D days, H hours ago." etc.
 #FULL_TIME           = 1
+
+
+#############################################################################
+### Evidence gathering
+#############################################################################
+## By enabling EVIDENCE=1 and setting EVIDENCE_DIR to existing directory
+## writable by the effective UID which Maltfilter runs as, it will be
+## populated by *.data and *.hosts files. If succesfully retrieved, .data
+## files will have contents of the attempted XSS URI. *.hosts files
+## list which hosts have attempted to exploit this specific URI.
+
+#EVIDENCE            = 0
+#EVIDENCE_DIR        = "/var/run/malt-evidence"
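Review bot: The new Evidence gathering comment states only that EVIDENCE_DIR must exist and be writable by the effective UID, but the `.data` files it describes hold raw attacker-supplied input, so the comment should also tell the administrator to keep the directory out of any web document root and to create it with restrictive ownership and mode (owned by that UID, not group- or world-writable) so another local account cannot pre-create or swap files the tool later writes. I would append `## Create it owned by that UID with mode 0700 and never expose it under a web root:` / `## .data files contain unfiltered attacker input.` after the `*.hosts` sentence. The example default `/var/run/malt-evidence` sits under a path that many systems clear at boot, so gathered evidence may not survive a reboot; if persistence is intended, a note pointing at a location under `/var/lib` seems worth adding (hedged, since the tool's own runtime layout is not visible here). The word `succesfully` on the `.data` line should read `successfully`.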