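# Rulesetfile for the "fluid" applet and the "nifty" flow analyzer.
# Derived from Nevil Brownlee's "nifty" ruleset file.
#
# If your meter hostname was "ksoc3mon" and your SNMP community name
# was ``frieder'', you would upload this file using either
# "nifty" or "NeMaC" to a NeTraMet meter with one of the following commands:
#
# nifty -c 120 -r myxrules ksoc3mon frieder
# NeMaC -c 120 -r myxrules ksoc3mon frieder
#
# SECURITY NOTE: the community string is the only credential the meter
# checks before accepting a ruleset upload, so anyone who learns it can
# replace these rules (or read the flow data).  Passed as a command-line
# argument it is visible to every local user via the process list and
# ends up in shell history; community-based SNMP (v1/v2c) also sends it
# in cleartext on the wire.  Run nifty/NeMaC from a host that is itself
# restricted, do not reuse the community for anything else, and prefer
# a mechanism that reads the community from a protected file if your
# version supports one.
#
# (c) Siegfried Loeffler 07/97
#
# Ruleset number under which the meter stores these rules.
SET 2
#
RULES
#
# Top-level dispatch on the network-layer protocol type.
SourcePeerType & 255 = dummy: Ignore, 0;
SourcePeerType & 255 = IP: Pushto, IP_pkt;
SourcePeerType & 255 = 4: Pushto, IP_pkt;      # same target as the IP line; redundant if IP resolves to 4 - kept as is
SourcePeerType & 255 = Other: PushToAct, other_pkt;
#
# Anything that is neither IP nor Other: count it by interface and peer type only.
Null & 0 = 0: GotoAct, Next; # Not IP or Other
FlowKind & 255 = 3: PushtoAct, Next; # Plot as SQUARE
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerType & 255 = 0: CountPkt, 0;
#
other_pkt: # We want to know ethertype/LSAP (in source/dest Peer)
FlowKind & 255 = 3: PushtoAct, Next; # Plot as SQUARE
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerAddress & 255.255 = 0: PushPktToAct, Next;
DestPeerAddress & 255.255 = 0: CountPkt, 0;
#
# IP: split on the transport protocol.  TCP and UDP go on to port-based
# classification; ICMP gets its own kind; everything else is counted by
# transport type only.
IP_pkt:
SourceTransType & 255 = tcp: Pushto, tcp_udp;
SourceTransType & 255 = udp: Pushto, tcp_udp;
SourceTransType & 255 = icmp: GotoAct, c_icmp;
Null & 0 = 0: GotoAct, Next; # Not TCP or UDP
SourceTransType & 255 = 0: PushPkttoAct, Next;
FlowKind & 255 = 3: PushtoAct, count_IP; # Plot as SQUARE
#
# TCP/UDP: if the *source* port is one of the well-known ports below, Retry
# (re-run the rules with source and destination swapped) so that the
# well-known port always ends up on the Dest side.  Note this is a port
# heuristic only: a service on a non-standard port is counted as plain
# tcp/udp, and a flow between two well-known ports is attributed to
# whichever side the meter tests as Dest after the retry - confirm the
# meter's retry semantics against the NeTraMet manual if that matters.
tcp_udp:
SourceTransAddress & 255.255 = domain: Retry, 0; # Want WKP as dest
SourceTransAddress & 255.255 = 22: Retry, 0;
SourceTransAddress & 255.255 = 79: Retry, 0;
SourceTransAddress & 255.255 = ftp: Retry, 0;
SourceTransAddress & 255.255 = ftpdata: Retry, 0;
SourceTransAddress & 255.255 = gopher: Retry, 0;
SourceTransAddress & 255.255 = 143: Retry, 0;
SourceTransAddress & 255.255 = 513: Retry, 0;
SourceTransAddress & 255.255 = 137: Retry, 0; # NETBIOS Name Service
SourceTransAddress & 255.255 = 138: Retry, 0; # NETBIOS Datagram
SourceTransAddress & 255.255 = 139: Retry, 0; # NETBIOS Session
SourceTransAddress & 255.255 = nntp: Retry, 0;
SourceTransAddress & 255.255 = 2049: Retry, 0;
SourceTransAddress & 255.255 = ntp: Retry, 0;
SourceTransAddress & 255.255 = 110: Retry, 0;
SourceTransAddress & 255.255 = 515: Retry, 0;
SourceTransAddress & 255.255 = smtp: Retry, 0;
SourceTransAddress & 255.255 = snmp: Retry, 0;
SourceTransAddress & 255.255 = 1080: Retry, 0; # UA socks gateway
SourceTransAddress & 255.255 = telnet: Retry, 0;
SourceTransAddress & 255.255 = www: Retry, 0;
SourceTransAddress & 255.255 = 3128: Retry, 0; # Squid cache
SourceTransAddress & 255.255 = 3130: Retry, 0; # Squid cache control
SourceTransAddress & 255.255 = 8080: Retry, 0; # UA WWW proxy
SourceTransAddress & 255.255 = 6000: Retry, 0;
#
# Destination-port dispatch.  This list must stay in step with the Retry
# list above: a port present here but not above is only recognised when it
# already is the destination.
DestTransAddress & 255.255 = domain: GotoAct, c_domain;
DestTransAddress & 255.255 = 22: GotoAct, c_ssh;
DestTransAddress & 255.255 = 79: GotoAct, c_finger;
DestTransAddress & 255.255 = ftp: GotoAct, c_ftp;
DestTransAddress & 255.255 = ftpdata: GotoAct, c_ftpdata;
DestTransAddress & 255.255 = gopher: GotoAct, c_gopher;
DestTransAddress & 255.255 = 143: GotoAct, c_imap;
DestTransAddress & 255.255 = 513: GotoAct, c_login;
DestTransAddress & 255.255 = 137: GotoAct, c_netbios; # Name
DestTransAddress & 255.255 = 138: GotoAct, c_netbios; # Datagram
DestTransAddress & 255.255 = 139: GotoAct, c_netbios; # Session
DestTransAddress & 255.255 = nntp: GotoAct, c_news;
DestTransAddress & 255.255 = 2049: GotoAct, c_nfs;
DestTransAddress & 255.255 = ntp: GotoAct, c_ntp;
DestTransAddress & 255.255 = 110: GotoAct, c_pop;
DestTransAddress & 255.255 = 515: GotoAct, c_printer;
DestTransAddress & 255.255 = smtp: GotoAct, c_smtp;
DestTransAddress & 255.255 = snmp: GotoAct, c_snmp;
DestTransAddress & 255.255 = 1080: GotoAct, c_socks; # UA socks
DestTransAddress & 255.255 = 3130: GotoAct, c_squid_control;
DestTransAddress & 255.255 = 3128: GotoAct, c_squid_data;
DestTransAddress & 255.255 = telnet: GotoAct, c_telnet;
DestTransAddress & 255.255 = www: GotoAct, c_www;
DestTransAddress & 255.255 = 8080: GotoAct, c_www; # UA WWW proxy
DestTransAddress & 255.255 = 6000: GotoAct, c_xwin;
#
Null & 0 = 0: GotoAct, c_tcp_udp; # 'Unusual' port
#
# Per-service kinds.  Each sets FlowKind to a plot character and counts.
c_domain: FlowKind & 255 = 'D': PushtoAct, count_IP;
c_ftp:
c_ftpdata: FlowKind & 255 = 'F': PushtoAct, count_IP;
c_imap: FlowKind & 255 = 'I': PushtoAct, count_IP;
c_netbios: FlowKind & 255 = 'B': PushtoAct, count_IP;
c_news: FlowKind & 255 = 'N': PushtoAct, count_IP;
c_pop: FlowKind & 255 = 'P': PushtoAct, count_IP;
c_smtp: FlowKind & 255 = 'M': PushtoAct, count_IP;
# 'S' is taken by ssh below, so socks is not given its own kind; it falls
# through to the generic tcp/udp kinds (see the label list after c_finger).
#c_socks:
# FlowKind & 255 = 'S': PushtoAct, count_IP;
c_ssh: FlowKind & 255 = 'S': PushtoAct, count_IP;
c_squid_data: FlowKind & 255 = 'C': PushtoAct, count_IP;
c_squid_control: FlowKind & 255 = 'c': PushtoAct, count_IP;
c_telnet: FlowKind & 255 = 'T': PushtoAct, count_IP;
c_www: FlowKind & 255 = 'W': PushtoAct, count_IP;
c_xwin: FlowKind & 255 = 'X': PushtoAct, count_IP;   # label was missing its ':' (every other label has one)
#
c_finger: FlowKind & 255 = 'f': PushtoAct, count_IP;
# The following labels carry no rule of their own: they all fall through
# to c_tcp_udp and are plotted as generic TCP (DIAMOND) or UDP (PLUS).
# They are still dispatched by port above so they can be given their own
# kind later without touching the dispatch table.
c_gopher:
c_login:
c_nfs:                                               # label was missing its ':' (every other label has one)
c_ntp:
c_printer:
c_snmp:
c_socks:
#
# Generic fallback: Goto (not GotoAct) so the tcp test on the next rule is
# actually evaluated.
c_tcp_udp:
Null & 0 = 0: Goto, Next; # Not a well-known TCP or UDP port
SourceTransType & 255 = tcp: GotoAct, c_tcp;
Null & 0 = 0: GotoAct, c_udp;
c_udp: FlowKind & 255 = 2: PushtoAct, count_IP; # Plot as PLUS
c_tcp: FlowKind & 255 = 1: PushtoAct, count_IP; # Plot as DIAMOND
c_icmp: FlowKind & 255 = '*': PushtoAct, count_IP;
#
# Common tail for every IP flow: push the full 4-byte peer addresses and the
# 2-byte transport ports from the packet, then count.  Full addresses mean
# one flow record per host pair - size the meter's flow table accordingly.
count_IP:
SourceInterface & 255 = 0: PushPkttoAct, Next;
SourcePeerAddress & 255.255.255.255 = 0: PushPkttoAct, Next;
DestPeerAddress & 255.255.255.255 = 0: PushPkttoAct, Next;
SourceTransAddress & 255.255 = 0: PushPkttoAct, Next;
DestTransAddress & 255.255 = 0: CountPkt, 0;
#
#
# Output format for the collector (left commented out here; the analyzer
# supplies its own).
#FORMAT
# FlowRuleSet FlowIndex FirstTime " "
# SourcePeerType " "
# SourcePeerAddress DestPeerAddress " "
# SourceTransAddress DestTransAddress " "
# ToPDUs ToOctets " " FromPDUs FromOctets " "
# FirstTime LastTime
#
# end of file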