SA Network Connection Profiler v 1.6.2 candidate C.2 (beta)

**************************************************************************
**Security Analyst Network Connection Profiler [sancp] - v 1.6.2 C.2 (beta)
**    A TCP/IP statistics and pcap collection tool
 * ************************************************************************
 * * Copyright (C) 2003,2004 John Curry <john.curry@metre.net>
 * *
 * * This program is distributed under the terms of version 1.0 of the
 * * Q Public License.  See LICENSE.QPL for further details.
 * *
 * * This program is distributed in the hope that it will be useful,
 * * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * *
 * ***********************************************************************


 About SANCP:
 ------------

SANCP collects network traffic on a specified ethernet interface (option: -i) or from a file (option: -r) and records packets and connection statistics to output files. SANCP creates three main types of output files (pcap, realtime, and stats) in the current (or specified) directory (option: -d).  Output filenames are composed of the output name, interface name and start time in seconds (epoch).  All three output types can be independently disabled from the command line (options: -P -R -S).

A fourth output type (debug_pcap_raw) can alternately be enabled (option: -A) which records raw traffic, before processing.

Two more output types were added in version 1.6.2:

		(console) can be used to inspect ongoing activity (used by: kill signal SIGHUP to print ongoing traffic,
		  	by command-line option --config to dump the configuration)

		(index) creates a connection-to-packet index that can be used to perform fast packet retrieval from large pcap files


Here is another look at the four output file types and the information each provides: 


	pcap: (file format: pcap)
	-----
	Recorded network packets in tcpdump readable format after decoding and processing. 
	By default, a new file is created every 30 minutes to record new 'connection' traffic. (see 'flush_interval').


	index: (file format: '|' delimited text)
	------
	Log an 'index' entry for each packet written to pcap output.
	Records output fields sancp_id, output_filename, start_pos, and stop_pos.
	This is disabled by default.  (see: --index or 'default index log' to enable)


	realtime: (file format: '|' delimited text)
	---------
	Log entries are recorded here each time a network packet representing a new 'connection' is identified.


	stats: (file format: '|' delimited text)
	-----
	Log entries are recorded here each time a connection terminates or times out (see: default timeout).


	console: (file format: ' ' delimited text)
	--------
	Running configuration is recorded here each time the program receives the kill signal -USR1
	Log entries are recorded here each time the program receives the kill signal -USR2 
	(Recommend clear contents from file prior to calling kill signal)


	debug_pcap_raw: (file format: pcap)
	---------------
	Recorded raw network packets prior to decoding and processing. 
	This output is used for diagnostics and is disabled by default. 


     *Important note about how SANCP writes to pcap format files*

	SANCP may actively log to multiple files - at the same time.
	It will log all pcap data (for a given connection) to the same pcap file. 
	This is done by associating each connection with the 'current' pcap output file. 
	For this reason pcap files will remain open until all associated connections either terminate or timeout.

	SANCP will append pcap data to 'pre-existing' pcap files (ref: rule directive 'pcap filename')

	When managing SANCP pcap files, always check to see if the file is in use
	(e.g. use a program such as 'fuser' to check whether a process has an output file open).
	SANCP assumes files that it opens are always present so that it can write pcap data quickly.
	If you destroy a SANCP output file while actively in use, the file will not be recreated, resulting in data loss.

	CAUTION: No file size limits are enforced, so output files can grow without bound.

	
  Custom output types:

	SANCP also supports custom output types.
	The first custom output type is 'prelude' which requires prelude support to be compiled with SANCP (check the Makefile).
	Only the options 'pass' and 'log' are supported for this custom output type.  

	
	Example configuration:

	var trusty 10.0.0.1	

	default prelude pass  # disables prelude output (the default is to 'log' when compiled with prelude support)

	8 any any 6 any 22 prelude log  # enable prelude output for matching	
	8 any any 6 22 any prelude log  # catches 'reversed' connections 

	8 trusty any 6 any 22 prelude pass  # disable prelude output for matching	
	8 any trusty 6 22 any prelude pass  # catches 'reversed' connections  

	

	Additional Prelude configuration support in rule options (when compiled with prelude support)


	The following rule options are available which override the defaults which are indicated below:

	prelude_profile=sancp prelude_impact_severity=medium prelude_impact_completion=succeeded prelude_impact_type=other prelude_confidence_rating=high




  Command Line Options:
  ---------------------

	-? -h  
		print help 

	-c <filename>  

		specify the configuration/rules filename

	-d <directory>  

		specify the directory for output files

	-i <device>  

		set the network device to listen on (default: 'any')

	-g <gid>   

		set a group identity

	-u <uid>   

		set a user identity

	-p <pidfile>   

		set a pidfile to write to (default is: sancp.pid)

	-r <pcapfile>  

		pcap file to read, overrides (option -i)

	-B "<bpf expression>"  

		set a bpf expression (alternative to -F <filename>)

	-D 
		(daemon) forks, prints msgs to syslog only, overrides (option -C)

	-K 
		(console) enable additional printing of 'realtimes' to stdout, suppressed by (option -D)

	-F <bpf filename>  

		file containing a bpf filter expression, overrides (option -B)

	-H --human-readable  

		write IP addresses in dotted notation and TCP flag fields in hex

	-HH --human-readable-header (TODO: FAULTY) 

		record header field names to initial row of stat and realtime output files

	-a --enable-arprarp-decode  (see config: arprarp_decode)

		record the sender and target ARP/RARP IP address fields to 's_ip' and 'd_ip'
		record hardware and protocol type to 's_port' and 'd_port'
		record hardware and protocol length to 'src_bytes' 'dst_bytes',
		record operation type to 'ip_proto' from ARP/RARP packets

	-R  
		disables realtime, but rules can override

	-S  
		disables stats, but rules can override

	-P  
		disables pcap, but rules can override

	--index  
		enables index, but rules can override

	-I --enable_icmp_mixed  

		record 'code' and 'type' fields for ICMP
		to the fields 's_port' and 'd_port'.
		note: affects how related icmp packets are correlated 

	-V  
		display version

	--shift  

		(debug) force interpretation of packet starting at byte[2]
		normally performed when reading from the 'any' interface, on some systems

	--strip_8021Q  

		strip 802.1Q headers from 802.1Q packets; used to
		decode 802.1Q encapsulated packets (also affects the -A option)

	--log-facility <facility>  

		where facility can be 'LOCAL1' - 'LOCAL7'
		The default log facility used by SANCP is LOG_DAEMON 

	-A  
		(debug) records ALL traffic frames to the pcap output file 'debug_pcap_raw'
	  	before decoding and rule processing. Use packet filters (options: -F or -B) 
		to restrict what is collected. (see: default debug_pcap_raw enable)


   Kill Signals:
   -------------
	
   	-HUP   re-read rules from configuration file and open new output files
		(sets next <unixtimestamp> used for new output files)

	-USR1  print running configuration (with commented counters for rule matches) to 'console' output

	-USR2  append all 'ongoing' and 'expired' (pending erasure) connections to 'console' output


   HINT A:
      You can access the kill signal output in daemon mode using the console output file

	sancp -i $INTERFACE -D -c sancp.conf
	NOW=`date +%s`    # epoch seconds, the same timestamp style sancp uses in output filenames
	echo $NOW > console 
	kill -USR1 `cat sancp.pid`
	mv console console.$NOW
	# map, filter, translate and encrypt stand for whatever post-processing tools you use
	cat console.$NOW | map | filter | translate | encrypt | mail -s "Current network state $NOW" analyst
	

       You can view the console with 'cat console' and clear it with 'echo > console'.


   HINT B:
      If you set 'realtime=pass' for all rules which define normal traffic, then
      only abnormal activity will appear in the realtime log.


   HINT C:
      'Tuning' sancp consists of running it, extracting new activity from realtime files,
       creating rules to identify the normal activity and having sancp re-read the modified configuration file
       (using: kill -HUP <sancp pid>).

   HINT D:
   Check fields 41-43 to see what kind of logging was performed on the connection at a glance
   i.e. 'Was a realtime logged' (a.k.a 'have we seen this traffic before')


  Output Fields: for 'realtime' and 'stats' files
  For the realtime format, some fields will naturally be blank (i.e. the destination packet counter 'dst_pkts')
  -----------------------------------------------

   1:   64bit sancp id: based on timeptr.tv_sec and timeptr.tv_usec
   2:   32bit start time: unix timestamp for first packet
   3:   32bit end time: unix timestamp for last packet
   4:   32bit erased time: unix timestamp for when connection was cleared from memory
   5:   16bit hw_proto: layer 2 protocol number
   6:   8bit proto: layer 3 protocol (if IP proto is layer 2)
   7:   32bit source address: dotted notation IP address
   8:   16bit source port: i.e. udp, tcp 
          also used for icmp 'type' (see: --enable_icmp_mixed)
   9:   32bit destination address: dotted notation IP address
   10:  16bit destination port: i.e. udp, tcp 
   	      also used for icmp 'code' (see: --enable_icmp_mixed)
   11:  32bit duration: seconds the connection remained active 
   	      (difference between start and end times)
   12:  16bit timeout: applicable timeout value for the connection
   13:  64bit source packets: packets received from source
   14:  64bit destination packets: packets received from destination
   15:  64bit source bytes: bytes received from source
   16:  64bit destination bytes: bytes received from destination
     The next two fields contain 8bit values representing 8 possible TCP flags
     cumulatively seen from source and destination throughout the connection
              8Bit order is 12UAPRSF, where:
                 1: Reserved bit 1 from source
                 2: Reserved bit 2 from source
                 U: Urgent Pointer bit from source
                 A: ACK bit from source
                 P: Push bit from source
                 R: Reset bit from source
                 S: SYN bit from source
                 F: FIN bit from source

   17:  8bit sflags: cumulative tcp flags from source (bit order: 12UAPRSF)
   18:  8bit dflags: cumulative tcp flags from dest (bit order: 12UAPRSF)

     The next field contains an 8bit value representing 6 possible TCP close session flags
     from the source and destination.  The first 2 significant bits are unused.
              8Bit order is 00AARRFF/00DSDSDS, where:
                  DA: Close ACK seen from destination
                  SA: Close ACK seen from source
                  DR: Close Reset seen from destination
                  SR: Close Reset seen from source
                  DF: Close FIN seen from destination
                  SF: Close FIN seen from source
   19:  8bit closed flags (bit order: 00AARRFF/00DSDSDS)

    The next 8 fields contain p0F information gathered from initial TCP packet
   20:  16bit wss: window segment size (initial packet, tcp only)
   21:  8bit ttl: time to live (initial packet, tcp only)
   22:  16bit mss: maximum segment size (initial packet, tcp only)
   23:  Y/N df: don't fragment bit was set (initial packet, tcp only)
   24:  8bit wscale: window scale (initial packet, tcp only)
   25:  Y/N sack_ok: sack_ok flag was set (initial packet, tcp only)
   26:  Y/N nop: 'no op' was seen (initial packet, tcp only)
   27:  16bit len: ip length (initial packet, tcp only)

    The next 8 fields contain p0F information gathered from second TCP packet
   28:  16bit wss2: window segment size (second packet, tcp only)
   29:  8bit ttl2: time to live (second packet, tcp only)
   30:  16bit mss2: maximum segment size (second packet, tcp only)
   31:  Y/N df2: don't fragment bit was set (second packet, tcp only)
   32:  8bit wscale2: window scale (second packet, tcp only)
   33:  Y/N sack_ok2: sack_ok flag was set (second packet, tcp only)
   34:  Y/N nop2: 'no op' was seen (second packet, tcp only)
   35:  16bit len2: ip length (second packet, tcp only)

    The last 7 fields contain information about how we handled the connection
   36:  8bit reversed: did we reverse the ip addresses seen in the 
         initial packet?  0=no, 1=yes, 2=no(both ports were known),
         3=no(both ports were unknown)
   37:  8bit collect: what mode was used for collecting: 
         none, both, from_src, from_dst (0,1,2,3 respectively)
   38:  64bit collected: how much data did we collect 
   39:  64bit limit: how much data were we limited to collecting
   40:  16bit tcplag value: seconds to wait for straggler packets, after the connection 'ends'
   41:  Y/N pcap enabled: did we record data to a pcap file 
         (does not apply to data recorded using the -A option)
   42:  Y/N realtime enabled: did we record the connection to a realtime file
   43:  Y/N stats enabled: did we record the connection to a stats file 
   44:  16bit hash value: used for tuning (developer's choice)
   45:  64bit total_bytes: useful for overall statistics
   46:  32bit rid: rule id  assoc. w/ the network profile rule that this connection matched on ('0' is default)
   47:  8bit status: status assigned to this connection i.e. assigned by rule
   48:  16bit node: node/network interface/sancp instance associated this connection
        i.e. assigned globally as a 'default' or, specifically, by a rule
   49:  17byte src_mac: source ethernet address in ascii format i.e. xx:xx:xx:xx:xx:xx 
   50:  17byte dst_mac: destination ethernet address in ascii format i.e. xx:xx:xx:xx:xx:xx 
   51:  16bit sample_src_len: number of bytes in payload to be sampled from the source (initiator) for this connection
   52:  [variable size] sample_src_asc: enables logging sampled data from source (initiator) [ascii characters only]
   53:  [variable size] sample_src_hex: enables logging sampled data from dest (target) in hex values
   54:  16bit sample_dst_len: number of bytes in payload to be sampled from the destination (target) for this connection
   55:  [variable size] sample_dst_asc: enables logging sampled data from source (initiator) [ascii characters only]
   56:  [variable size] sample_dst_hex: enables logging sampled data from dest (target) in hex values
   57:  [variable size] output_filename: print name of pcap output filename data is written to
   58:  [32bit] output_session_id: prints the timestamp present in associated pcap output filename
   59:  [64bit] start_pos: print start byte position of the last packet written to the pcap output file (i.e. [struct pcap_pkthdr] + [pkt] )
   60:  [64bit] stop_pos: print end byte position of the last packet written to the pcap output file
   61:  [64bit] first_start_pos: print start byte position of the first packet written to the pcap output file
   62:  [64bit] last_stop_pos: print end byte position of the last packet written to the pcap output file
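As an added example (not part of the SANCP distribution), the Python reader below turns the 'format stats=' and 'format console=' directives from the sample configuration at the end of this file into record parsers and decodes fields 17-19, 36 and 37 using the bit orders and codes listed above; the stats record it parses is constructed for the example, not captured sancp output.

```python
import ipaddress
import re

# Format directives copied from this README's sample configuration file.
STATS_FORMAT = (
    "format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, "
    "eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, "
    "timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, "
    "collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, "
    "node, zone, status, retro, src_mac, dst_mac, sample_src_len, sample_dst_len, "
    "sample_src_hex, sample_dst_hex")
CONSOLE_FORMAT = (
    "format console=delimiter=\\s, sancp_id, start_time_local, src_mac, dst_mac, "
    "src_ip_dotted, dst_ip_dotted, eth_proto, ip_proto, src_port, dst_port, src_pkts, "
    "dst_pkts, src_bytes, dst_bytes, timeout, total_bytes, output_session_id, sflags_hex, "
    "dflags_hex, cflags_hex, duration, sample_src_asc")

# A constructed stats record (not real sancp output) laid out per STATS_FORMAT:
# 10.0.0.1:33412 -> 10.0.0.10:22 over TCP, 12/10 packets, flags APSF both ways, FIN close.
SAMPLE_STATS = (
    "5310131680541540352|2004-06-01 12:00:00|2004-06-01 12:00:03|2004-06-01 12:05:03|"
    "8|6|167772161|33412|167772170|22|3|300|12|10|1480|2210|"
    "27|27|3|3690|1|1500|1500|0|Y|Y|Y|0|4711|8|0|0|0|0|0|"
    "00:11:22:33:44:55|66:77:88:99:aa:bb|0|0||")

# Bit orders documented for output fields 17-19 (most significant bit first).
TCP_FLAG_BITS = "12UAPRSF"                                          # sflags / dflags
CLOSE_FLAG_BITS = (None, None, "DA", "SA", "DR", "SR", "DF", "SF")  # cflags: 00AARRFF/00DSDSDS
REVERSED_CODES = {0: "no", 1: "yes", 2: "no (both ports known)", 3: "no (both ports unknown)"}
COLLECT_MODES = {0: "none", 1: "both", 2: "from_src", 3: "from_dst"}


def parse_format(line):
    """Parse 'format <output>=[delimiter=<d>,] <field>, ...' into (output, delimiter, fields).
    Separators are the README's word separators: tab, space, ',' and '='."""
    m = re.match(r"\s*format\s+(\w+)\s*=\s*(.*)$", line)
    if not m:
        raise ValueError("not a format directive: %r" % line)
    tokens = [t for t in re.split(r"[ \t,=]+", m.group(2)) if t]
    delimiter = "|"
    if tokens[:1] == ["delimiter"]:
        delimiter = " " if tokens[1] == "\\s" else tokens[1]
        tokens = tokens[2:]
    return m.group(1), delimiter, tokens


def decode_tcp_flags(value):
    """8-bit cumulative flag value -> set of letters from 12UAPRSF (e.g. 0x12 -> {'A', 'S'})."""
    return {ch for i, ch in enumerate(TCP_FLAG_BITS) if value & (1 << (7 - i))}


def decode_close_flags(value):
    """8-bit closed-flags value -> set of DA/SA/DR/SR/DF/SF names; the top two bits are unused."""
    return {n for i, n in enumerate(CLOSE_FLAG_BITS) if n and value & (1 << (7 - i))}


def parse_record(fmt, line):
    """Split one record using the delimiter from its format directive and type its values."""
    _, delimiter, names = fmt
    values = line.rstrip("\r\n").split(delimiter)
    if len(values) != len(names):
        raise ValueError("expected %d fields, got %d" % (len(names), len(values)))
    record = {}
    for name, value in zip(names, values):
        if name.endswith("flags_hex"):                  # -H writes TCP flag fields in hex
            record[name] = int(value, 16)
        elif value in ("Y", "N"):                       # pcap/realtime/stats enabled fields
            record[name] = value == "Y"
        elif name.endswith(("_hex", "_asc", "_mac")) or "time_" in name:
            record[name] = value                        # keep text, MACs and samples verbatim
        else:
            record[name] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return record


def summarize(record):
    """The 'at a glance' view Hint D describes: endpoints, flags and which logs got the connection."""
    def flags_of(name):
        return "".join(c for c in TCP_FLAG_BITS if c in decode_tcp_flags(record[name]))
    return {
        "src": "%s:%d" % (ipaddress.ip_address(record["src_ip_decimal"]), record["src_port"]),
        "dst": "%s:%d" % (ipaddress.ip_address(record["dst_ip_decimal"]), record["dst_port"]),
        "ip_proto": record["ip_proto"],
        "sflags": flags_of("sflags"),
        "dflags": flags_of("dflags"),
        "close": sorted(decode_close_flags(record["cflags"])),
        "reversed": REVERSED_CODES[record["reversed"]],
        "collect": COLLECT_MODES[record["collect"]],
        "logged": {k: record[k] for k in ("pcap", "realtime", "stats")},
        "seen_before": not record["realtime"],  # Hint D: a realtime entry means new traffic
    }


if __name__ == "__main__":
    rec = parse_record(parse_format(STATS_FORMAT), SAMPLE_STATS)
    for key, val in summarize(rec).items():
        print("%-12s %s" % (key, val))
```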




Basic Theory:

A 'connection' represents a relationship between a sender and recipient.

A 'connection' represents one or more packets, or sets of packets, which contain common characteristics that identify a sender and an intended recipient.  Connections for common network traffic are distinguishable by (six) characteristics, which may not be present in all traffic.  These are:

	eth_proto  = ethernet protocol number
	s_ip 	   = source internet protocol (IP) address
	d_ip 	   = destination IP address
	ip_proto   = IP transport protocol number
	s_port 	   = source port number
	d_port 	   = destination port number



  Configuration and Rule Syntax:  (one rule per line)
  -----------------------------


  The configuration file designates the characters: <tab> <space> ',' and '=' as word separators
  These four characters may be used liberally as rule-beautifying delimiters; they are treated as spaces.


  var syntax:
  -----------------------:
  Use vars to avoid having to use protocol numbers in rules i.e.   var icmp 1
  Vars are used to define 4 kinds of values: ethernet protocols, ip addresses, ip protocols, and ports
  These values are present in the connection rules and the known_ports definition
  These vars remain present when sancp prints the running configuration
  Var 'names' should be unique and represent only one kind of value, else rule behavior is undefined
  (generally, you may get parse errors or the running configuration output will appear incorrect.)
  			
  Vars have valid value ranges depending on the kind of value they are to represent;
      ethernet protocols:  0x0-0xFFFF  (0-65535)
      ip addresses:        0.0.0.0/255.255.255.255 (0.0.0.0/32)
      ip protocols:        0x0-0xFF (0-255)
      ports:               0x0-0xFFFF (0-65535)
  	Values outside these ranges may be truncated or otherwise result in a rule error.
  	You can represent all but 'dotted-ip' values in decimal, hex or octal.
  	One single range should be specified in a var. In the case of an IP address, you
  	will want to use a normal ipaddress/mask to represent a 'network range'.
  			
  var <varname> <ip address{/[<CIDR>|<dotted>]}>
  	Define <varname> for use in place of IP addresses in subsequent rules

  'default' syntax:
  -----------------------:
  default <keyword> <option/value> ('defaults' specified here override command line options)
  		keywords:
                 pcap     {log|pass|filename|tsfilename}
                 index    {log|pass|filename|tsfilename}
                 realtime {log|pass|filename|tsfilename}
                 stats    {log|pass|filename|tsfilename}
                 console  (unknown)
                 limit   <bytes>
                 timeout <seconds>
  		 tcplag  <seconds> 	number of seconds to wait (i.e. for lagging TCP RST packets) after a TCP connection is 'closed' 
                 status  <value 0-255>            user-defined value
  		 use_pcap_time (enable|disable)   disable = use system clock (see: alarm(1)), enable = use timestamps from packets  
  		 arprarp_decode (enable|disable)  disable = decode arp and rarp packets (see: --enable-arprarp-decode)
  		 flush_interval <value 0-65535>   interval in seconds to write stats for closed connections to disk
                 pcapfilter [ bpf expression ]    (read only once - at start-up, requires restart to change)
                 strip_8021Q  { disable|enable }  remove 8021Q headers before processing
                 node <number>  	          user-defined value
                 debug_pcap_raw  { disable|enable } record packets to output file debug_pcap_raw prior to decoding and processing
                 sample_src_length <bytes>  (default is 64) number of bytes to sample from source (initiator) per connection
                 sample_dst_length <bytes>  (default is 64) number of payload bytes to sample from destination (target) per connection
		 nosrc_pktsok 0|1 (default is 0 - disabled) do not re-reverse connections which counted no packets from the assumed source*

		*does not apply to TCP connections whose first packet contained a SYN or SYN-ACK flag combination, for these the inferred TCP direction is preferred
							

  known_port syntax:
  -----------------------:
  known_ports [<protocol>] [<port>{-<end_port_range>}{,<another range>}{,...}] 
     Define a list of 'known tcp and/or udp server ports'
     SANCP will use these lists to help 'resolve/guess' the direction of ambiguous tcp/udp connections
     Lists should only be provided to help reduce the occurrence of logging 'reversed' connections.
     And we're going to make this one hurt... you have to specify '6' or '17' for the <protocol>.
     Or just create and use vars for them, i.e. 'var tcp 6', 'var udp 17'

	Short example of using vars in conjunction with known_ports:

		var tcp 6
		var udp 17
		var http 80
		var https 443
		var dns 53
		known_ports udp dns
		known_ports tcp dns,http,https


  connection rule syntax:
  -----------------------:

	A connection rule consists of two central parts:
 		1) network connection profile 
			i.e. ether proto, ip address, ip proto and ports
		2) options
			a) collection options
				i.e. stats=pass, pcap=pass, realtime=pass, timeout=120 or limit=1500 
			b) tagging options 
				i.e. status=16 rid=1112 node=2 

  [<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]
  [<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}] 
  { ignore | stats [{log|pass}] | realtime [{log|pass}] | pcap [ {log|pass|rule|connection|{filename|tsfilename} [<outputfilename>]}
  { logdst|logsrc } { timeout [<seconds>]|limit [<bytes>]|tcplag [<secs>]|retro|status <0-255>|rid <number>|node <number> }


  Description for connection (rule) options:
  ------------------------------------------

    timeout <secs> - set delay after last packet before expiring the connection 
    limit <bytes> - set max bytes of pcap data to record per connection 
    realtime (option):
            pass - do not log realtime for this traffic
            log - log realtime for this traffic
	    filename <outputfilename> - record realtime to a specific file
		 filename (names starting with '/' are considered absolute).
	    tsfilename <outputfilename> - record statistics realtime to a specific file
		 include specified '-i' interface or 'any' and timestamp (seconds from epoch)
    index (option): 
            pass - do not log index for this traffic
            log - log index for this traffic
	    filename <outputfilename> - record index to a specific file
		 filename (names starting with '/' are considered absolute).
	    tsfilename <outputfilename> - record index to a specific file
		 include specified '-i' interface or 'any' and timestamp (seconds from epoch)
    stats (option): 
            pass - do not log statistics for this traffic
            log - log statistics for this traffic
	    filename <outputfilename> - record stats to a specific file
		 filename (names starting with '/' are considered absolute).
	    tsfilename <outputfilename> - record stats to a specific file
		 include specified '-i' interface or 'any' and timestamp (seconds from epoch)
    pcap (option): 
	    pass - do not record pcap data
	    log - record pcap data to the default 'pcap' output file
	    rule - record pcap data to output file; filename derived from rule
	    connection - record pcap data to a output file; filename derived 
		 from the connection
	    filename <outputfilename> - record pcap data to a specific file
		 filename (names starting with '/' are considered absolute).
	    tsfilename <outputfilename> - record pcap data to a specific file
		 include specified '-i' interface or 'any' and timestamp (seconds from epoch)
   logsrc - only record pcap data from the source (default is both)
   logdst - only record pcap data from the destination (default is both)
   ignore - set realtime, stats, and pcap to 'pass' (ignores any logdst or logsrc options)
   retro - apply this rule to -all- ongoing connections, not just new ones
   nosrc_pktsok - set to 1 to allow known_ports to decide the final direction of connections which
		count no packets from the perceived source

  Description of 'tagging' options:
  --------------------------------------

   status <number> - status to be assigned to matching connections 
   rid <number> - rule id (32bit) for this rule (assign to matching connections)
   node <number> - node id (8bit) number to assign to matching connections
   	    the node id is formed from the notion that more than one network could be monitored
   	    by one or more instances of sancp on the same system.  Node id can be handy in rules
        to help tag traffic as belonging to a certain network interface; i.e. consider '-i any'


   	NOTE: Malformed rules are reported to syslog and simply ignored



  Basic Examples:
  ---------------


    Notes:

	Below is a matrix outlining how the three different output types are used for four different modes of operation.

	Output Type     Mode 1   Mode 2   Mode 3   Mode 4   Mode 5
	-----------------------------------------------------------
	pcap            log      log      pass     pass     *
	realtime        log      pass     pass     pass     *
	stats           log      log      log      pass     *
	debug_pcap_raw  disable  disable  disable  disable  enable

     These modes can be obtained by setting their 'defaults' in the sancp.conf
     or by providing the command line option: -P -S and -R to disable pcap, stats
	      and realtime, respectively 

	IMPORTANT NOTE: the configuration file overrides the cmdline options to ensure SANCP
	can be controlled through configuration file changes (use: kill -HUP <pid>  to re-read the config)

	Mode 1: Default Monitoring Mode: allow full access to 'realtime', 'stats' and 'pcap' data
		Use a set of rules which define your network. Disable realtime for uninteresting traffic.
		Use collection options to reduce collection effort on certain traffic
		Use realtime entries as 'alerts' to notify you of new and interesting traffic
		Modify rules real-time so sancp can stay current with your changing collection requirements
		Use rule identifiers (rid's) to mark connections as matching different kinds (profiles) of traffic
		Storing rules with rule id's in the same database allows for quick access to connections
		of certain kinds of traffic

	Mode 2: Batch Analysis Mode: for (re)processing pcap files - realtime disabled
		Use a set of rules to extract interesting traffic from large tcpdump files;
		Create a 'pcap' file containing only traffic of interest.
		Use the 'stats' file as an index to the data available in 'pcap' file.

	Mode 3: Connection Profiling Mode: (output only a stats log from a pcap file)
		Rules may be needed to exclude certain IP traffic you don't care about.

	Mode 4: Pcap Split Mode: turns off all default output modes, uses rules to
		control which files matching traffic should be written to.
		  Use the 'pcap filename <filename>' rule option to specify an output file.
		  The 'pcap rule' option will create a filename based on/derived from the rule itself
	i.e. <sip>-<smask>:<dip>-<dmask>_<sportl>-<sporth>:<dportl>-<dporth>_<protoh>-<protol>.<sancprestarttime>
		  The 'pcap uniq' option will write to a pcap file whose filename is
		based on/derived from the connection itself:
		i.e. <sip>:<sport>_<dip>:<dport>-<proto>.<sancpstarttime>

	Mode 5: Debug Pcap Raw Mode: additionally, records all traffic to a 'debug_pcap_raw' file
	        regardless of any rules.  8021Q headers are still stripped, if configured to do so
	        This is enabled via command line (-A) or via config file (default debug_pcap_raw enable)
	        It can subsequently be disabled via config file (default debug_pcap_raw disable)

	 **To use the configuration file to dynamically (re)configure sancp while running**
		see: 'kill signals'


SAMPLE CONFIGURATION FILE:
==========================


##################
## Option defaults
##################


default use_icmp_mixed=disable  # enable to log icmp values of 'type' and 'code' to fields 'src_port' and 'dst_port', respectively, from icmp packets

default use_pcap_time=disable  # enable to set clock to timestamps contained in packet headers rather than the system clock

default debug_pcap_raw=disable  # enable to record packets to output file name pcap_raw prior to packet decoding (use for debugging)

default realtime=tsfilename realtime # sets realtime output filename format to 'realtime.<interface>.<unixtimestamp>'; set to pass to disable

default stats=tsfilename stats # sets stats output filename format to 'stats.<interface>.<unixtimestamp>'; set to pass to disable

default pcap=tsfilename pcap  # sets pcap output filename format to 'pcap.<interface>.<unixtimestamp>'; set to pass to disable

default flush_interval=1800  # flush to disk every N seconds

default expire_interval=10  # check for expired connections every N seconds

default burst_mode=enable  # force close of stats output file after every flush_interval to create new output file, set to disable to continue logging to same file until program ends

default status=0  # set default status id to N

default node=0  # set default node id to N

default zone=0  # assign default zone id to N

default rid=0  # assign default rule id to N

default rgid=0 # assign default rule group id to N

default limit=0  # limit pcap data collected per connection to N bytes

default timeout=300  # expire connections after N seconds of inactivity

default tcplag=0  # extend timeout N seconds before expiring tcp connections

default sample_src_length=0 # set to number of initial bytes of data to sample from source payload to N

default sample_dst_length=0 # set to number of initial bytes of data to sample from destination payload to N

default strip_8021Q=disable # enable to remove 8021Q (VLAN) headers from packets (obsoletes strip-80211 option)

default arprarp_decode=disable # enable to log values to certain ip fields from arp and rarp packets, records arp/rarp ip addresses to src_ip and dest_ip, operation to ip_proto, and then hardware and protocol types and lengths to source and dest port and byte fields, respectively.

default index=pass # set to log to enable logging of start and stop positions of packets written to pcap files


#################
## output formats (must be specified on one line)
#################

format index=sancp_id, output_filename, start_pos, stop_pos

format console=delimiter=\s, sancp_id, start_time_local, src_mac, dst_mac, src_ip_dotted, dst_ip_dotted, eth_proto, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, timeout, total_bytes, output_session_id, sflags_hex, dflags_hex, cflags_hex, duration, sample_src_asc

format realtime=delimiter=|, start_time_gmt, duration, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, sample_src_len, sample_src_hex, sample_src_asc

format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac, sample_src_len, sample_dst_len, sample_src_hex, sample_dst_hex


##############
## RULE SYNTAX
##############

#
# 1 - Define variables to use in subsequent rules
#

var ip 8
var icmp 1
var tcp 6
var udp 17
var dns 53

#
# 2 - Define known ports for udp and tcp/ip traffic
#
# These values will be used to reverse the (source and destination-related values) to change the apparent
#  direction of connections which commonly appear 'reverse' that of their commonly presumed direction.
#

known_ports udp dns
known_ports tcp 25, dns, 80, 443

#
# 3 - Define rules
#
#  Rule Format: {PROFILE} {OPTIONS}
#
#  Where
#  PROFILE contains six fields:   (Use the field-keyword 'any' to indicate all possible field values)
#
#   <eth_proto.num> <src_ip.dotted[/mask]> <dst_ip.dotted[/mask]> <ip_proto.num> <src_port.num> <dst_port.num>
#
#  OPTIONS may include any of the following:
#
#  realtime <log|pass>, stats <log|pass>, pcap <log|pass|filename|tsfilename|connection>,
#  rid <N>, rgid <N>, limit <N>, tcplag <N>, timeout <N>, retro
#
#

ip any any tcp any 443; limit 1500
ip any any udp any any; realtime pass
ip any any icmp any any; realtime pass

#
# Note: comments (/#.*$/), commas, semi-colons, equal-signs and extra spaces are ignored in configuration files
#

