summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-analyzer')
-rw-r--r--net-analyzer/sancp/ChangeLog5
-rw-r--r--net-analyzer/sancp/files/sguil_sancp.conf69
2 files changed, 73 insertions, 1 deletions
diff --git a/net-analyzer/sancp/ChangeLog b/net-analyzer/sancp/ChangeLog
index 74d2feb4378d..abbe81a9dffe 100644
--- a/net-analyzer/sancp/ChangeLog
+++ b/net-analyzer/sancp/ChangeLog
@@ -1,6 +1,9 @@
# ChangeLog for net-analyzer/sancp
# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-analyzer/sancp/ChangeLog,v 1.1 2005/10/08 13:52:29 strerror Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/sancp/ChangeLog,v 1.2 2005/10/10 00:16:45 strerror Exp $
+
+ 10 Oct 2005; Benjamin Smee <strerror@gentoo.org> +files/sguil_sancp.conf:
+ Added sguil_sancp.conf
*sancp-1.6.1 (08 Oct 2005)
diff --git a/net-analyzer/sancp/files/sguil_sancp.conf b/net-analyzer/sancp/files/sguil_sancp.conf
new file mode 100644
index 000000000000..298a7b1a9043
--- /dev/null
+++ b/net-analyzer/sancp/files/sguil_sancp.conf
@@ -0,0 +1,69 @@
+# $Id: sguil_sancp.conf,v 1.1 2005/10/10 00:16:45 strerror Exp $ #
+#
+# This sancp.conf is distributed as part of sguil (http://sguil.sf.net).
+# It's purpose is to define a default output that is compatible with table
+# schema defined by sguil. Please read the README.sancp for more information
+#
+# sancp is copyrighted by John Curry and can be downloaded at:
+# www.metre.net/sancp.html
+#
+
+# SANCP VERSION 1.5.3
+
+# Currently, sguil only supports the 'stats' output and we want it in
+# timestamped fields
+default stats tsfilename stats
+
+# Time in seconds we write a new file if expired cnxs are available
+default flush_interval=30
+# This tells sancp to open new file handle, write, and close in one step
+default burst_mode=enable
+
+# Default timeout: how many secs to wait after the last packet till we consider the cnx closed
+default timeout=120
+
+# Conforms with out sguil sancp table schema
+format stats sancp_id,start_time_gmt,stop_time_gmt,duration,ip_proto,src_ip_decimal,src_port,dst_ip_decimal,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes,sflags,dflags
+
+# From here on you define what stats/cnxs/sessions/flows (whatever you
+# want to call it) get logged. Please read the sancp documention for
+# more information. Most of the below are examples of setting
+# variables for complex rules.
+
+var ip 8 # ether proto 0x0800 # ip traffic
+
+# define some ip protocols
+
+var icmp 1
+var tcp 6
+var udp 17
+
+# define some tcp protocols
+
+var http 80
+var https 443
+var smtp 25
+var dns 53
+
+var HOME_NET 127.0.0.1
+#var WWW_NET 192.168.1.0/24
+#var MAIL_SERVER 192.168.1.2
+#var MAIL_SERVER2 192.168.1.3
+
+
+# Default output logging for each connection
+# We don't use realtime or pcap logging at this point so we pass them
+default realtime=pass
+default pcap=pass
+
+# Here is where our "rules" start. We log all stats by default
+# so this is defining exceptions.
+#
+# first six fields are required before rule options can be used
+#
+# eth_proto src_ip dst_ip ip_proto src_port dst_port
+#
+
+# Here is an example if ignoring outbound HTTP stats.
+#ip HOME_NET any tcp any http, stats pass
+#ip HOME_NET any tcp any https, stats pass