# $Id: sancp.conf,v 1.1 2004/03/19 20:33:59 bamm Exp $ # # # This sancp.conf is distributed as part of sguil (http://sguil.sf.net). # It's purpose is to define a default output that is compatible with table # schema defined by sguil. Please read the README.sancp for more information # # sancp is copyrighted by John Curry and can be downloaded at: # www.metre.net/sancp.html # # SANCP VERSION 1.5.3 # Currently, sguil only supports the 'stats' output and we want it in # timestamped fields default stats tsfilename stats # Time in seconds we write a new file if expired cnxs are available default flush_interval=30 # This tells sancp to open new file handle, write, and close in one step default burst_mode=enable # Default timeout: how many secs to wait after the last packet till we consider the cnx closed default timeout=120 # Conforms with out sguil sancp table schema format stats sancp_id,start_time_gmt,stop_time_gmt,duration,ip_proto,src_ip_decimal,src_port,dst_ip_decimal,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes,sflags,dflags # From here on you define what stats/cnxs/sessions/flows (whatever you # want to call it) get logged. Please read the sancp documention for # more information. Most of the below are examples of setting # variables for complex rules. var ip 8 # ether proto 0x0800 # ip traffic # define some ip protocols var icmp 1 var tcp 6 var udp 17 # define some tcp protocols var http 80 var https 443 var smtp 25 var dns 53 var HOME_NET 127.0.0.1 #var WWW_NET 192.168.1.0/24 #var MAIL_SERVER 192.168.1.2 #var MAIL_SERVER2 192.168.1.3 # Default output logging for each connection # We don't use realtime or pcap logging at this point so we pass them default realtime=pass default pcap=pass # Here is where our "rules" start. We log all stats by default # so this is defining exceptions. # # first six fields are required before rule options can be used # # eth_proto src_ip dst_ip ip_proto src_port dst_port # # Here is an example if ignoring outbound HTTP stats. #ip HOME_NET any tcp any http, stats pass #ip HOME_NET any tcp any https, stats pass