1 #ifndef SANCP_H
2 #include "sancp.h"
3 #endif
4 #include <iostream>
5 using namespace std;
/**************************************************************************
**SA Network Connection Profiler [sancp] - A TCP/IP statistical/collection tool
* ************************************************************************
* * Copyright (C) 2003 John Curry <john.curry@metre.net>
* *
* * This program is distributed under the terms of version 1.0 of the
* * Q Public License. See LICENSE.QPL for further details.
* *
* * This program is distributed in the hope that it will be useful,
* * but WITHOUT ANY WARRANTY; without even the implied warranty of
* * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* *
* ***********************************************************************/
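/*
 * usage() - print the command-line help screen to stdout.
 *
 * The whole help text is a single chained insertion on cout. Every literal
 * must end in "\n"; a literal without one is silently glued to the following
 * line (the 'stats' section previously lost its newline this way, and one
 * literal carried a stray space after its "\n"). VERSION is a macro supplied
 * outside this file (presumably sancp.h or the build flags).
 *
 * The function takes no input and touches no files; the text only describes
 * behaviour implemented elsewhere (output file handling, -u/-g identity
 * switching, signal handling). The EXPERIMENTAL_TCPOPTIONS blocks keep the
 * field numbering stable whether or not the feature is compiled in.
 */
void usage()
{
    std::cout << "\n"
        << "**************************************************************************\n"
        << "**Security Analyst Network Connection Profiler [sancp] - v " << VERSION << "\n"
        << "** A TCP/IP statistics and pcap collection tool\n"
        << " * ************************************************************************\n"
        << " * * Copyright (C) 2003,2004 John Curry <john.curry@metre.net>\n"
        << " * *\n"
        << " * * This program is distributed under the terms of version 1.0 of the\n"
        << " * * Q Public License. See LICENSE.QPL for further details.\n"
        << " * *\n"
        << " * * This program is distributed in the hope that it will be useful,\n"
        << " * * but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
        << " * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n"
        << " * *\n"
        << " * ***********************************************************************\n"
        << "\n"
        << "\n"
        << " About SANCP:\n"
        << " ------------\n"
        << "\n"
        << " Without specifying any options, SANCP (pronounced san-cee-pee) collects\n"
        << " all network traffic on the default pcap interface 'any' \n"
        << " SANCP creates three types of output files (pcap, realtime, and stats)\n"
        << " in the current directory. Filenames contain the interface (-i) and\n"
        << " timestamp, both are optional.\n"
        << " All three output types are optional see: -R -P -S cmdline options\n"
        << "\n"
        << "\n"
        << " pcap:\n"
        << " -----\n"
        << " We record all pcap data in tcpdump format, as it arrives.\n"
        << " Filename format: pcap.<interface>.<unixtimestamp>\n"
        << "\n"
        << " realtime:\n"
        << " ---------\n"
        << " We record a 'realtime' entry upon seeing the first \n"
        << " packet of each unique connection. The 'realtime' format is changeable.\n"
        << " Filename format: realtime.<interface>.<unixtimestamp>\n"
        << "\n"
        << " stats:\n"
        << " -----\n"
        << " We record a 'stats' entry when a connection terminates or times out.\n"
        // This literal used to lack its "\n", which joined it to the next line.
        << " The 'stats' format is changeable\n"
        << " Filename format: stats.<interface>.<unixtimestamp>\n"
        << "\n"
        << " debug_pcap_raw: (Fourth output for Debug mode)\n"
        << " ---------------\n"
        << " When the -A option is given, log all pcap data to a second pcap file\n"
        << " -before- any rule or packet manipulation occurs.\n"
        << " See: 'default debug_pcap_raw enable'\n"
        << " Filename format: debug_pcap_raw.<interface>.<unixtimestamp>\n"
        << "\n"
        << "\n"
        << " *Important Notes about how SANCP handles pcap files*\n"
        << "\n"
        << " SANCP may actively log to multiple files -at the same time-.\n"
        << " SANCP will log all pcap data (for a given connection)\n"
        << " is written to the same pcap file. SANCP does this by associating\n"
        << " each connection with the 'current' pcap output filehandle. \n"
        << " Pcap files will remain open until all connections associated with it\n"
        << " either terminate or timeout\n"
        << " SANCP will append pcap data to 'pre-existing' pcap files (ref: rule directive 'pcap filename')\n"
        << " However, preexisting files need to have valid pcap headers since SANCP will only create \n"
        << " a pcap header for new/empty files.\n"
        << " When managing SANCP pcap files, always check to see if the file \n"
        << " is in use before handling it in a destructive manner. If you destroy a SANCP output\n"
        << " file, while actively in use, SANCP will not recreate the file on the disk for subsequent logging.\n"
        << " SANCP assumes files that it opens are always present.\n"
        << " This is done so that SANCP can write pcap data quickly.\n"
        << "\n"
        << " i.e. use a system command such as 'fuser' to check whether a process is using an output file.\n"
        << "\n"
        << "\n"
        << " HINT:\n"
        << " If you write rules to define your normal traffic with 'realtimes=pass' set on each,\n"
        << " then all abnormal activity will appear in the realtime log.\n"
        << "\n"
        << " HINT:\n"
        << " 'Tuning' sancp consists of running it, extracting new activity from realtime files,\n"
        << " creating rules to identify the normal activity and having sancp re-read the configuration file\n"
        << " (Using kill -HUP <sancp pid>).\n"
        << "\n"
        << " Command Line Options: (cmdline)\n"
        << " ---------------------\n"
        << "\n"
        << " -? or -h this help screen\n"
        << " -c <filename> specify the configuration/rules filename\n"
        << " -d <directory> specify the directory for output files\n"
        << " -i <device> set the network device to listen on (default: 'any')\n"
        << " -g <gid> set a group identity\n"
        << " -u <uid> set a user identity\n"
        << " -r <pcapfile> pcap file to read (overrides -i)\n"
        << " -B \"<bpf expression>\" set a bpf expression (alternative to -F <filename>)\n"
        << " -D (daemon) forks, prints msgs to syslog only and overrides -C option\n"
        << " -K (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D)\n"
        << " -F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B)\n"
        << " -H --human-readable write IP addresses in dotted notation and TCPflag fields in hex \n"
        << " -R Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override\n"
        << " -S Set default for stats to 'pass' (default is 'log') disables stats, but rules can override\n"
        << " -P Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override\n"
        << " -I or --enable_icmp_mixed record 'code' and 'type' fields for ICMP\n"
        << " to the fields 's_port' and 'd_port'.\n"
        << " note: affects how related icmp packets are correlated \n"
        << " -V display version\n"
        << " --shift (debug) force interpretation of packet starting at byte[2] \n"
        << " normally performed when reading from the 'any' interface\n"
        << " --strip-80211 strip 802.1Q headers from 802.1Q packets; used to \n"
        << " decode 802.1Q encapsulated packets - affects -A option, \n"
        << " --log-facility <facility> where facility can be 'LOCAL1' - 'LOCAL7'\n"
        << " The default log facility used by SANCP is LOG_DAEMON \n"
        << "\n"
        << " # Debug mode for pcap data logging\n"
        << " -A records ALL traffic frames to a pcap file named 'debug_pcap_raw'\n"
        << " (despite rules). Packets are logged here prior to decoding or handling. \n"
        << " Use -F or -B option to restrict what is collected.\n"
        << " Pcap data logged using this option is affected by the --strip-80211 cmdline option\n"
        << " The configuration file equivalent to this is 'default debug_pcap_raw enable'\n"
        << "\n"
        << "\n"
        << " Kill Signals:\n"
        << " -------------\n"
        << " \n"
        << " -HUP re-read rules configuration file and open new output files\n"
        << " (sets new <unixtimestamp> used for new output files)\n"
        << " -USR1 print running configuration (with counters for rule matches)\n"
        << " -USR2 print -all ongoing- connections to stdout\n"
        << "\n"
        << " HINT:\n"
        << " Run sancp something like this to have access to the kill signal output in daemon mode\n"
        << " sancp -D -H >> sancp.output & \n"
        << " This way you can view it 'cat sancp.output' and then clear it '> sancp.output'\n"
        << " and sancp will continue to output to this file as normal.\n"
        << "\n"
        << " Output Fields: for 'realtime' and 'stats' files\n"
        << " (Some realtime fields are naturally blank, i.e. counters)\n"
        << " --------------\n"
        << "\n"
        << " 1: 64bit sancp id: based on timeptr.tv_sec and timeptr.tv_usec\n"
        << " 2: 32bit start time: unix timestamp for first packet\n"
        << " 3: 32bit end time: unix timestamp for last packet\n"
        << " 4: 32bit erased time: unix timestamp for when connection was cleared from memory\n"
        << " 5: 16bit hw_proto: layer 2 protocol number\n"
        << " 6: 8bit proto: layer 3 protocol (if IP proto is layer 2)\n"
        << " 7: 32bit source address: dotted notation IP address\n"
        << " 8: 16bit source port: i.e. udp, tcp \n"
        << " also used for icmp 'type' (see: --enable_icmp_mixed)\n"
        << " 9: 32bit destination address: dotted notation IP address\n"
        << " 10: 16bit destination port: i.e. udp, tcp \n"
        << " also used for icmp 'code' (see: --enable_icmp_mixed)\n"
        << " 11: 32bit duration: seconds the connection remained active \n"
        << " (difference between start and end times)\n"
        << " 12: 16bit timeout: applicable timeout value for the connection\n"
        << " 13: 64bit source packets: packets received from source\n"
        << " 14: 64bit destination packets: packets received from destination\n"
        << " 15: 64bit source bytes: bytes received from source\n"
        << " 16: 64bit destination bytes: bytes received from destination\n"
        << " The next two fields contain 8bit values representing 8 possible TCP flags\n"
        << " cumulatively seen from source and destination throughout the connection\n"
        << " 8Bit order is 12UAPRSF, where:\n"
        << " 1: Reserved bit 1 from source\n"
        << " 2: Reserved bit 2 from source\n"
        << " U: Urgent Pointer bit from source\n"
        << " A: ACK bit from source\n"
        << " P: Push bit from source\n"
        << " R: Reset bit from source\n"
        << " S: SYN bit from source\n"
        << " F: FIN bit from source\n"
        << "\n"
        << " 17: 8bit sflags: cumulative tcp flags from source (bit order: 12UAPRSF)\n"
        << " 18: 8bit dflags: cumulative tcp flags from dest (bit order: 12UAPRSF)\n"
        << "\n"
        << " The next field contains an 8bit value representing 6 possible TCP close session flags\n"
        << " from the source and destination. The first 2 significant bits are unused.\n"
        << " 8Bit order is 00AARRFF/00DSDSDS, where:\n"
        << " DA: Close ACK seen from destination\n"
        << " SA: Close ACK seen from source\n"
        << " DR: Close Reset seen from destination\n"
        << " SR: Close Reset seen from source\n"
        << " DF: Close FIN seen from destination\n"
        << " SF: Close FIN seen from source\n"
        << " 19: 8bit closed flags (bit order: 00AARRFF/00DSDSDS)\n"
        << "\n"
        << " The next 8 fields contain p0F information gathered from initial TCP packet\n"
        << " 20: 16bit wss: window segment size (initial packet, tcp only)\n"
        << " 21: 8bit ttl: time to live (initial packet, tcp only)\n"
#ifdef EXPERIMENTAL_TCPOPTIONS
        << " 22: 16bit mss: maximum segment size (initial packet, tcp only)\n"
#else
        << " 22: 16bit mss: maximum segment size (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
#endif
        << " 23: Y/N df: don't fragment bit was set (initial packet, tcp only)\n"
#ifdef EXPERIMENTAL_TCPOPTIONS
        << " 24: 8bit wscale: window scale (initial packet, tcp only)\n"
        << " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only)\n"
        << " 26: Y/N nop: 'no op' was seen (initial packet, tcp only)\n"
#else
        << " 24: 8bit wscale: window scale (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
        << " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
        << " 26: Y/N nop: 'no op' was seen (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
#endif
        << " 27: 16bit len: ip length (initial packet, tcp only)\n"
        << "\n"
        << " The next 8 fields contain p0F information gathered from second TCP packet\n"
        << " 28: 16bit wss2: window segment size (second packet, tcp only)\n"
        << " 29: 8bit ttl2: time to live (second packet, tcp only)\n"
        << " 30: 16bit mss2: maximum segment size (second packet, tcp only)\n"
        << " 31: Y/N df2: don't fragment bit was set (second packet, tcp only)\n"
        << " 32: 8bit wscale2: window scale (second packet, tcp only)\n"
        << " 33: Y/N sack_ok2: sack_ok flag was set (second packet, tcp only)\n"
        << " 34: Y/N nop2: 'no op' was seen (second packet, tcp only)\n"
        << " 35: 16bit len2: ip length (second packet, tcp only)\n"
        << "\n"
        << " The last 7 fields contain information about how we handled the connection\n"
        << " 36: 8bit reversed: did we reverse the ip addresses seen in the \n"
        << " initial packet? 0=no, 1=yes, 2=no(both ports were known),\n"
        << " 3=no(both ports were unknown)\n"
        << " 37: 8bit collect: what mode was used for collecting: \n"
        << " none, both, from_src, from_dst (0,1,2,3 respectively)\n"
        << " 38: 64bit collected: how much data did we collect \n"
        << " 39: 64bit limit: how much data were we limited to collecting\n"
        << " 40: 16bit tcplag value: seconds to wait for straggler packets, after the connection 'ends'\n"
        << " 41: Y/N pcap enabled: did we record data to a pcap file \n"
        << " (does not apply to data recorded using the -A option)\n"
        << " 42: Y/N realtime enabled: did we record the connection to a realtime file\n"
        << " 43: Y/N stats enabled: did we record the connection to a stats file \n"
        << " 44: 16bit hash value: used for tuning (developer's choice)\n"
        << " 45: 64bit total_bytes: useful for overall statistics\n"
        << " 46: 32bit rid: rule id assoc. w/ the network profile rule that this connection matched on ('0' is default)\n"
        << " 47: 8bit status: status assigned to this connection i.e. assigned by rule\n"
        << " 48: 16bit node: node/network interface/sancp instance associated this connection\n"
        << " i.e. assigned globally as a 'default' or, specifically, by a rule\n"
        << " 49: 17byte src-mac: source ethernet address in ascii format i.e. xx:xx:xx:xx:xx:xx \n"
        << " 50: 17byte dst_mac: destination ethernet address in ascii format i.e. xx:xx:xx:xx:xx:xx \n"
        << "\n"
        << "\n"
        << "\n"
        << " HINT:\n"
        << " Check fields 41-43 to see what kind of logging was performed on the connection at a glance\n"
        << " i.e. 'Was a realtime logged' (a.k.a 'have we seen this traffic before')\n"
        << " i.e. 'Did we collect any data' (a.k.a '')\n"
        << "\n"
        << "\n"
        << "\n"
        << "\n"
        << " Configuration and Rule Syntax: (one rule per line)\n"
        << " -----------------------------\n"
        << "\n"
        << "\n"
        << " The configuration file designates the characters: <tab> <space> ',' and '=' as word separators\n"
        << " These four characters may be used liberally as rule-beautifying delimiters; they are treated as spaces.\n"
        << "\n"
        << "\n"
        << " var syntax:\n"
        << " -----------------------:\n"
        << " Use vars to avoid having to use protocol numbers in rules i.e. var icmp 1\n"
        << " Vars are used to define 4 kinds of values: ethernet protocols, ip addresses, ip protocols, and ports\n"
        << " These values are present in the connection rules and the known_ports definition\n"
        << " These vars remain present when sancp prints the running configuration\n"
        << " Var 'names' should be unique and represent only one kind of value, else rule behavior is undefined \n"
        << " (generally, you may get parse errors or the running configuration output will appear incorrect.)\n"
        << " \n"
        << " Vars have valid value ranges depending on the kind of value they are to represent;\n"
        << " ethernet protocols: 0x0-0xFFFF (0-65535)\n"
        << " ip addresses: 0.0.0.0/255.255.255.255 (0.0.0.0/32)\n"
        << " ip protocols: 0x0-0xFF (0-255)\n"
        << " ports: 0x0-0xFFFF (0-65535)\n"
        << " Values outside these ranges may be truncated or otherwise result in a rule error\n"
        << " You can represent all but 'dotted-ip' values in decimal, hex or octal.\n"
        << " One single range should be specified in a var. In the case of an IP address, you \n"
        << " will want to use a normal ipaddress/mask to represent a 'network range'\n"
        << " \n"
        << " var <varname> <ip address{/[<CIDR>|<dotted>]}>\n"
        << " Define <varname> for use in place of IP addresses in subsequent rules\n"
        << "\n"
        << " 'default' syntax:\n"
        << " -----------------------:\n"
        << " default <keyword> <option(s)> (defaults specified here override command line options)\n"
        << " keywords:\n"
        << " pcap {log|pass}\n"
        << " realtime {log|pass}\n"
        << " stats {log|pass}\n"
        << " limit <bytes>\n"
        << " timeout <seconds>\n"
        << " tcplag <seconds>\n"
        << " status <value 0-255>\n"
        << " pcapfilter [ bpf expression ] (read only once at start-up)\n"
        << " strip-80211 { disable|enable }\n"
        << " node <number>\n"
        << " debug_pcap_raw { disable|enable }\n"
        << "\n"
        << " known_port syntax:\n"
        << " -----------------------:\n"
        << " known_ports [<protocol>] [<port>{-<end_port_range>}{,<another range>}{,...}] \n"
        << " Define a list of 'known tcp and/or udp server ports'\n"
        << " SANCP will use these lists to help 'resolve/guess' the direction of ambiguous tcp/udp connections\n"
        << " Lists should only be provided to help reduce the occurrence of logging 'reversed' connections.\n"
        << " And we're going to make this one hurt... you have to specify '6' or '17' for the <protocol> \n"
        << " Or just create and use vars for them i.e. 'var tcp 6','var udp 17'\n"
        << "\n"
        << " Short Example of using vars in conjunction with known_ports:\n"
        << "\n"
        << " var tcp 6\n"
        << " var udp 17\n"
        << " var http 80\n"
        << " var https 443\n"
        << " var dns 53\n"
        << " known_ports udp dns\n"
        << " known_ports tcp dns,http,https\n"
        << "\n"
        << "\n"
        << " connection rule syntax:\n"
        << " -----------------------:\n"
        << "\n"
        << " A connection rule consists of two central parts:\n"
        << " 1) network connection profile \n"
        << " i.e. ether proto, ip address, ip proto and ports\n"
        << " 2) options\n"
        << " a) collection options\n"
        << " i.e. stats=pass, pcap=pass, realtime=pass, timeout=120 or limit=1500 \n"
        << " b) tagging options \n"
        << " i.e. status=16 rid=1112 node=2 \n"
        << "\n"
        << " [<ether protocol>[-<end_range>] [<src_ip{/<CIDR>|<dotted>}>] [<dst_ip{/<CIDR>|<dotted>}>] [{tcp|udp|icmp|<proto number>[-<end_range>] }]\n"
        << " [<src_port>{-[<end_port_range>]}] [<dst_port>{-[<end_port_range>]}] \n"
        << " { ignore | stats [{log|pass}] | realtime [{log|pass}] |\n"
        << " pcap [ {log|pass|rule|connection|{filename|tsfilename} [<outputfilename>]}\n"
        << " { logdst|logsrc } { timeout [<seconds>]|limit [<bytes>]|tcplag [<secs>]|retro|status <0-255>|rid <number>|node <number> }\n"
        << "\n"
        << "\n"
        << " Description for connection options:\n"
        << " --------------------------------------\n"
        << "\n"
        << " timeout <secs> - set delay after last packet before expiring the connection \n"
        << " limit <bytes> - set max bytes of pcap data to record per connection \n"
        << " realtime (option):\n"
        << " pass - do not log realtime for this traffic\n"
        << " log - log realtime for this traffic\n"
        << " stats (option): \n"
        << " pass - do not log statistics for this traffic\n"
        << " log - log statistics for this traffic\n"
        << " pcap (option): \n"
        << " pass - do not record pcap data\n"
        << " log - record pcap data to the default 'pcap' output file\n"
        << " rule - record pcap data to output file; filename derived from rule\n"
        << " connection - record pcap data to a output file; filename derived \n"
        << " from the connection\n"
        << " filename <outputfilename> - record pcap data to a specific output \n"
        << " filename (names starting with '/' are considered absolute).\n"
        << " logsrc - only record pcap data from the source (default is both)\n"
        << " logdst - only record pcap data from the destination (default is both)\n"
        << " ignore - set realtime, stats, and pcap to 'pass' (ignores any logdst or logsrc options)\n"
        << " retro - apply this rule to -all- ongoing connections, not just new ones\n"
        << "\n"
        << " Description of 'tagging' options:\n"
        << " --------------------------------------\n"
        << "\n"
        << " status <number> - status to be assigned to matching connections \n"
        << " rid <number> - rule id (32bit) for this rule (assign to matching connections)\n"
        << " node <number> - node id (8bit) number to assign to matching connections\n"
        << " the node id is formed from the notion that more than one network could be monitored\n"
        << " by one or more instances of sancp on the same system. Node id can be handy in rules\n"
        << " to help tag traffic as belonging to a certain network interface; i.e. consider '-i any'\n"
        << "\n"
        << "\n"
        << " NOTE: Malformed rules are reported to syslog and simply ignored\n"
        << "\n"
        << "\n"
        << "\n"
        << " Basic Examples:\n"
        << " ---------------\n"
        << "\n"
        << "\n"
        << " Notes:\n"
        << "\n"
        << " Below is a matrix outlining how the three different output types are used for four different modes of operation.\n"
        << "\n"
        << " Output Type Mode 1 Mode 2 Mode 3 Mode 4 Mode 5\n"
        << " ----------------------------------------------------- \n"
        << " pcap log log pass pass * \n"
        << " realtime log pass pass pass * \n"
        << " stats log log log pass * \n"
        << " debug_pcap_raw disable disable disable disable enable\n"
        << "\n"
        << " These modes can be obtained by setting their 'defaults' in the sancp.conf\n"
        << " or by providing the command line option: -P -S and -R to disable pcap, stats\n"
        << " and realtime, respectively \n"
        << "\n"
        << " IMPORTANT NOTE: the configuration file overrides the cmdline options to ensure SANCP\n"
        << " can be controlled through configuration file changes (use: kill -HUP <pid> to re-read the config)\n"
        << "\n"
        << " Mode 1: Default Monitoring Mode: allow full access to 'realtime', 'stats' and 'pcap' data\n"
        << " Use a set of rules which define your network. Disable realtime for uninteresting traffic.\n"
        << " Use collection options to reduce collection effort on certain traffic\n"
        << " Use realtime entries as 'alerts' to notify you of new and interesting traffic\n"
        << " Modify rules real-time so sancp can stay current with your changing collection requirements\n"
        << " Use rule identifiers (rid)'s to mark connections as matching different kinds (profiles) of traffic\n"
        << " Storing rules with rule id's in the same database allows for quick access to connections\n"
        << " of certain kinds of traffic\n"
        << "\n"
        << " Mode 2: Batch Analysis Mode: for (re)processing pcap files - realtime disabled\n"
        << " Use a set of rules to extract interesting traffic from large tcpdump files;\n"
        << " Create a 'pcap' file containing only traffic of interest.\n"
        << " Use the 'stats' file as an index to the data available in 'pcap' file.\n"
        << "\n"
        << " Mode 3: Connection Profiling Mode: (output only a stats log from a pcap file)\n"
        << " Rules may be needed to exclude certain IP traffic you don't care about.\n"
        << "\n"
        << " Mode 4: Pcap Split Mode: turns off all default output modes, uses rules to\n"
        << " control which files matching traffic should be written to.\n"
        << " Use the 'pcap filename <filename>' rule option to specify an output file.\n"
        << " The 'pcap rule' option will create a filename based on/derived from the rule itself\n"
        << " i.e. <sip>-<smask>:<dip>-<dmask>_<sportl>-<sporth>:<dportl>-<dporth>_<protoh>-<protol>.<sancprestarttime>\n"
        << " The 'pcap uniq' option will write to a pcap file whose filename is\n"
        << " based on/derived from the connection itself:\n"
        << " i.e. <sip>:<sport>_<dip>:<dport>-<proto>.<sancpstarttime>\n"
        << "\n"
        << " Mode 5: Debug Pcap Raw Mode: additionally, records all traffic to a 'debug_pcap_raw' file\n"
        << " regardless of any rules. 80211 headers are still stripped, if configured to do so\n"
        << " This is enabled via command line (-A) or via config file (default debug_pcap_raw enable)\n"
        << " It can subsequently be disabled via config file (default debug_pcap_raw disable)\n"
        << "\n"
        << " **To use the configuration file to dynamically (re)configure sancp while running**\n"
        << " see: 'kill signals'\n"
        << "\n"
        << " -----------------------------\n"
        << " #\n"
        << " # Example sancp.conf file\n"
        << " #\n"
        << " # Define known_ports to help sancp determine connection direction\n"
        << " # for pre-existing udp and tcp connections (i.e. at startup)\n"
        << " # We set these only as we need them. They are used for half-open TCP connections\n"
        << " # (ie. if we missed the syn or syn-ack), and for all udp connections \n"
        << " # The 'reversed' field in the connection (profile) output will tell you if \n"
        << " # SANCP recorded the direction opposite that of the initial packet (i.e. '1').\n"
        << " #\n"
        << " # known_ports tcp 80,443\n"
        << " # known_ports udp 53\n"
        << "\n"
        << " # Override default logging for stats, pcap, and realtime \n"
        << " #\n"
        << " # ** The sancp configuration file can be re-loaded dynamically while running **\n"
        << " #\n"
        << " # Configure default mode for 'stats' logging\n"
        << " #\n"
        << " #default stats log # sets default mode to 'log stats' (*default mode)\n"
        << " # # use 'pass' to set default mode to 'do not log stats'\n"
        << " #\n"
        << " # Configure default mode for 'pcap' logging \n"
        << " #\n"
        << " #default pcap log # sets default mode to 'record pcap data' (*default mode)\n"
        << " # # use 'pass' to set default mode to 'do not record pcap data' \n"
        << " #\n"
        << " # Configure default mode for 'realtime' logging \n"
        << " #\n"
        << " #default realtime log # create a realtime when we record pcap data (*default mode)\n"
        << " # # use 'pass' set default to 'not create' realtime \n"
        << " # Note: You can add the 'realtime log' option to a rule to 'force' all matches to log a \n"
        << " # realtime regardless of whether we record pcap data\n"
        << " #\n"
        << " #default debug_pcap_raw disable # enable|disable debug pcap logging mode for online debugging\n"
        << " # # if set to 'enable' we will record packets to a 'debug_pcap_raw' file, regardless of rules \n"
        << " #\n"
        << " #default status 0 # sets default 8bit status (0-255) for all connections which do not match a rule, or where a status is not specified for a rule(default = 0)\n"
        << " #\n"
        << " # Define local vars (used for IP/MASK combinations only)\n"
        << " var HOME_NET 192.168.1.0/24\n"
        << " var ip 8\n"
        << "\n"
        << " #\n"
        << " # The following rule syntax is supported:\n"
        << " # Rule format:\n"
        << " # sip dip proto sp dp options\n"
        << " # any any any any any pcap none\n"
        << "\n"
        << " # Ignore outbound HTTP (ignore both pcap and stats)\n"
        << " ip HOME_NET any tcp any 80 pcap pass stats pass\n"
        << "\n"
        << " # Do not record ssh data\n"
        << " ip HOME_NET any tcp any 22 pcap pass\n"
        << "\n"
        << " # Streaming media can kill your logging so\n"
        << " # we ignore UDP > 1024 with few a exceptions\n"
        << " ip any HOME_NET udp any 1025-32769 pcap pass\n"
        << " ip any HOME_NET udp any 32781- pcap pass\n"
        << "\n"
        << " # Don't log ICMP at all (no stats, pcap, or realtime) \n"
        << " ip any any icmp any any ignore\n"
        << "\n"
        << " # Ignore incoming blaster scans\n"
        << " ip any HOME_NET tcp any 135 ignore\n"
        << "\n"
        << "\n";
}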
515