#
# This sancp.conf is distributed as part of sguil (http://sguil.sf.net).
# Its purpose is to define a default output that is compatible with the table
# schema defined by sguil. Please read the README.sancp for more information
#
# sancp is copyrighted by John Curry and can be downloaded at:
# www.metre.net/sancp.html
#

# SANCP VERSION 1.5.3

# Currently, sguil only supports the 'stats' output and we want it in
# timestamped fields
default stats tsfilename stats

# Interval in seconds after which a new file is written, if expired cnxs are available
default flush_interval=30
# This tells sancp to open a new file handle, write, and close it in one step
default burst_mode=enable

# Default timeout: number of seconds to wait after the last packet before the cnx is considered closed
default timeout=120
				
# Conforms to our sguil sancp table schema
format stats sancp_id,start_time_gmt,stop_time_gmt,duration,ip_proto,src_ip_decimal,src_port,dst_ip_decimal,dst_port,src_pkts,src_bytes,dst_pkts,dst_bytes,sflags,dflags

# From here on you define which stats/cnxs/sessions/flows (whatever you
# want to call them) get logged. Please read the sancp documentation for
# more information. Most of the entries below are examples of setting
# variables for use in complex rules.

var ip 8                # ether proto 0x0800  # ip traffic

# define some ip protocols

var icmp 1
var tcp 6
var udp 17

# define some tcp protocols

var http 80
var https 443
var smtp 25
var dns 53

var HOME_NET 127.0.0.1
#var WWW_NET 192.168.1.0/24
#var MAIL_SERVER 192.168.1.2
#var MAIL_SERVER2 192.168.1.3


# Default output logging for each connection
# We don't use realtime or pcap logging at this point, so we pass them
default realtime=pass
default pcap=pass

# Here is where our "rules" start. We log all stats by default,
# so the rules below define exceptions (connections that are NOT logged).
#
# first six fields are required before rule options can be used
#
#     eth_proto src_ip dst_ip ip_proto src_port dst_port
#

# Here is an example of ignoring outbound HTTP stats (the rules are commented out;
# enabling them removes those connections from the sguil log).
#ip HOME_NET any tcp any http, stats pass
#ip HOME_NET any tcp any https, stats pass