Security Analyst Network Connection Profiler [sancp] - v 1.6.1-stable
A TCP/IP statistics and pcap collection tool

Copyright (C) 2003,2004 John Curry

This program is distributed under the terms of version 1.0 of the Q Public License. See LICENSE.QPL for further details.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

About SANCP:
------------
Without specifying any options, SANCP (pronounced san-cee-pee) collects all network traffic on the default pcap interface 'any'.
SANCP creates three types of output files (pcap, realtime, and stats) in the current directory. Filenames contain the interface (-i) and timestamp; both are optional. All three output types are optional; see the -R, -P and -S cmdline options.

pcap:
-----
We record all pcap data in tcpdump format, as it arrives.
Filename format: pcap..

realtime:
---------
We record a 'realtime' entry upon seeing the first packet of each unique connection. The 'realtime' format is changeable.
Filename format: realtime..

stats:
------
We record a 'stats' entry when a connection terminates or times out. The 'stats' format is changeable.
Filename format: stats..

debug_pcap_raw: (Fourth output for Debug mode)
---------------
When the -A option is given, log all pcap data to a second pcap file -before- any rule or packet manipulation occurs. See: 'default debug_pcap_raw enable'
Filename format: debug_pcap_raw..

*Important Notes about how SANCP handles pcap files*

SANCP may actively log to multiple files -at the same time-. SANCP does this by associating each connection with the 'current' pcap output filehandle. SANCP will log all pcap data (for a given connection) to the same pcap file. Pcap files will remain open until all connections associated with them either terminate or time out.

SANCP will append pcap data to 'pre-existing' pcap files (ref: rule directive 'pcap filename'). However, preexisting files need to have valid pcap headers, since SANCP will only create a pcap header for new/empty files.

When managing SANCP pcap files, always check to see if the file is in use before handling it in a destructive manner, i.e. use a system command such as 'fuser' to check whether a process is using an output file. If you destroy a SANCP output file while it is actively in use, SANCP will not recreate the file on the disk for subsequent logging. SANCP assumes files that it opens are always present. This is done so that SANCP can write pcap data quickly.

HINT: If you write rules to define your normal traffic with 'realtime=pass' set on each, then all abnormal activity will appear in the realtime log. 'Tuning' sancp consists of running it, extracting new activity from realtime files, creating rules to identify the normal activity and having sancp re-read the configuration file (using kill -HUP).

Command Line Options: (cmdline)
---------------------
-? or -h              this help screen
-c                    specify the configuration/rules filename
-d                    specify the directory for output files
-i                    set the network device to listen on (default: 'any')
-g                    set a group identity
-u                    set a user identity
-r                    pcap file to read (overrides -i)
-B ""                 set a bpf expression (alternative to -F)
-D                    (daemon) forks, prints msgs to syslog only and overrides -C option
-K                    (console) enable additional printing of 'realtimes' to stdout (suppressed by option -D)
-F                    file containing a bpf filter expression, overrides (alternative to -B)
-H --human-readable   write IP addresses in dotted notation and TCP flag fields in hex
-R                    set default for realtime to 'pass' (default is 'log'); disables realtime, but rules can override
-S                    set default for stats to 'pass' (default is 'log'); disables stats, but rules can override
-P                    set default for pcap to 'pass' (default is 'log'); disables pcap, but rules can override
-I or --enable_icmp_mixed
                      record 'code' and 'type' fields for ICMP to the fields 's_port' and 'd_port'.
                      Note: affects how related ICMP packets are correlated
-V                    display version
--shift               (debug) force interpretation of packet starting at byte[2]; normally performed when reading from the 'any' interface
--strip-80211         strip 802.1Q headers from 802.1Q packets; used to decode 802.1Q encapsulated packets (affects the -A option)
--log-facility        where facility can be 'LOCAL1' - 'LOCAL7'. The default log facility used by SANCP is LOG_DAEMON

# Debug mode for pcap data logging
-A                    records ALL traffic frames to a pcap file named 'debug_pcap_raw' (despite rules). Packets are logged here prior to decoding or handling. Use the -F or -B option to restrict what is collected. Pcap data logged using this option is affected by the --strip-80211 cmdline option. The configuration file equivalent to this is 'default debug_pcap_raw enable'

Kill Signals:
-------------
-HUP    re-read rules configuration file and open new output files (sets new used for new output files)
-USR1   print running configuration (with counters for rule matches)
-USR2   print -all ongoing- connections to stdout

Run sancp something like this to have access to the kill signal output in daemon mode:

    sancp -D -H >> sancp.output &

This way you can view it with 'cat sancp.output' and then clear it with '> sancp.output', and sancp will continue to output to this file as normal.

Output Fields: for 'realtime' and 'stats' files
--------------
(Some realtime fields are naturally blank, i.e. counters)

 1: 64bit sancp id: based on timeptr.tv_sec and timeptr.tv_usec
 2: 32bit start time: unix timestamp for first packet
 3: 32bit end time: unix timestamp for last packet
 4: 32bit erased time: unix timestamp for when connection was cleared from memory
 5: 16bit hw_proto: layer 2 protocol number
 6: 8bit proto: layer 3 protocol (if IP proto is layer 2)
 7: 32bit source address: dotted notation IP address
 8: 16bit source port: i.e. udp, tcp; also used for icmp 'type' (see: --enable_icmp_mixed)
 9: 32bit destination address: dotted notation IP address
10: 16bit destination port: i.e. udp, tcp; also used for icmp 'code' (see: --enable_icmp_mixed)
11: 32bit duration: seconds the connection remained active (difference between start and end times)
12: 16bit timeout: applicable timeout value for the connection
13: 64bit source packets: packets received from source
14: 64bit destination packets: packets received from destination
15: 64bit source bytes: bytes received from source
16: 64bit destination bytes: bytes received from destination

The next two fields contain 8bit values representing 8 possible TCP flags cumulatively seen from source and destination throughout the connection. 8Bit order is 12UAPRSF, where:
    1: Reserved bit 1 from source
    2: Reserved bit 2 from source
    U: Urgent Pointer bit from source
    A: ACK bit from source
    P: Push bit from source
    R: Reset bit from source
    S: SYN bit from source
    F: FIN bit from source
17: 8bit sflags: cumulative tcp flags from source (bit order: 12UAPRSF)
18: 8bit dflags: cumulative tcp flags from dest (bit order: 12UAPRSF)

The next field contains an 8bit value representing 6 possible TCP close session flags from the source and destination. 8Bit order is 00AARRFF/00DSDSDS (the first 2 significant bits are unused), where:
    DA: Close ACK seen from destination
    SA: Close ACK seen from source
    DR: Close Reset seen from destination
    SR: Close Reset seen from source
    DF: Close FIN seen from destination
    SF: Close FIN seen from source
19: 8bit closed flags (bit order: 00AARRFF/00DSDSDS)

The next 8 fields contain p0f information gathered from the initial TCP packet:
20: 16bit wss: window segment size (initial packet, tcp only)
21: 8bit ttl: time to live (initial packet, tcp only)
22: 16bit mss: maximum segment size (initial packet, tcp only); need to re-compile with EXPERIMENTAL_TCPOPTIONS
23: Y/N df: don't fragment bit was set (initial packet, tcp only)
24: 8bit wscale: window scale (initial packet, tcp only); need to re-compile with EXPERIMENTAL_TCPOPTIONS
25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only); need to re-compile with EXPERIMENTAL_TCPOPTIONS
26: Y/N nop: 'no op' was seen (initial packet, tcp only); need to re-compile with EXPERIMENTAL_TCPOPTIONS
27: 16bit len: ip length (initial packet, tcp only)

The next 8 fields contain p0f information gathered from the second TCP packet:
28: 16bit wss2: window segment size (second packet, tcp only)
29: 8bit ttl2: time to live (second packet, tcp only)
30: 16bit mss2: maximum segment size (second packet, tcp only)
31: Y/N df2: don't fragment bit was set (second packet, tcp only)
32: 8bit wscale2: window scale (second packet, tcp only)
33: Y/N sack_ok2: sack_ok flag was set (second packet, tcp only)
34: Y/N nop2: 'no op' was seen (second packet, tcp only)
35: 16bit len2: ip length (second packet, tcp only)

The last 7 fields contain information about how we handled the connection:
36: 8bit reversed: did we reverse the ip addresses seen in the initial packet? 0=no, 1=yes, 2=no (both ports were known), 3=no (both ports were unknown)
37: 8bit collect: what mode was used for collecting: none, both, from_src, from_dst (0,1,2,3 respectively)
38: 64bit collected: how much data did we collect
39: 64bit limit: how much data were we limited to collecting
40: 16bit tcplag value: seconds to wait for straggler packets after the connection 'ends' (does not apply to data recorded using the -A option)
41: Y/N pcap enabled: did we record data to a pcap file
42: Y/N realtime enabled: did we record the connection to a realtime file
43: Y/N stats enabled: did we record the connection to a stats file
44: 16bit hash value: used for tuning (developer's choice)
45: 64bit total_bytes: useful for overall statistics
46: 32bit rid: rule id assoc. w/ the network profile rule that this connection matched on ('0' is default)
47: 8bit status: status assigned to this connection, i.e. assigned by rule
48: 16bit node: node/network interface/sancp instance associated with this connection, i.e. assigned globally as a 'default' or, specifically, by a rule
49: 17byte src_mac: source ethernet address in ascii format, i.e. xx:xx:xx:xx:xx:xx
50: 17byte dst_mac: destination ethernet address in ascii format, i.e. xx:xx:xx:xx:xx:xx

Check fields 41-43 to see what kind of logging was performed on the connection at a glance, i.e. 'Was a realtime logged' (a.k.a. 'have we seen this traffic before'), i.e. 'Did we collect any data' (a.k.a. '').

Configuration and Rule Syntax: (one rule per line)
-----------------------------
The configuration file designates the characters ',' and '=' as word separators. These four characters may be used liberally as rule-beautifying delimiters; they are treated as spaces.

var syntax:
-----------
Use vars to avoid having to use protocol numbers in rules, i.e. var icmp 1
Vars are used to define 4 kinds of values: ethernet protocols, ip addresses, ip protocols, and ports. These values are present in the connection rules and the known_ports definition. These vars remain present when sancp prints the running configuration.
Var 'names' should be unique and represent only one kind of value, else rule behavior is undefined (generally, you may get parse errors or the running configuration output will appear incorrect).

Vars have valid value ranges depending on the kind of value they are to represent:
    ethernet protocols: 0x0-0xFFFF (0-65535)
    ip addresses:       0.0.0.0/255.255.255.255 (0.0.0.0/32)
    ip protocols:       0x0-0xFF (0-255)
    ports:              0x0-0xFFFF (0-65535)
Values outside these ranges may be truncated or otherwise result in a rule error. You can represent all but 'dotted-ip' values in decimal, hex or octal. One single range should be specified in a var. In the case of an IP address, you will want to use a normal ipaddress/mask to represent a 'network range'.

var |]}>
    Define for use in place of IP addresses in proceeding rules

'default' syntax:
default (defaults specified here override command line options)
keywords:
    pcap {log|pass}
    realtime {log|pass}
    stats {log|pass}
    timeout
    limit
    tcplag
    status
    pcapfilter [ bpf expression ] (read only once at start-up)
    strip-80211 { disable|enable }
    debug_pcap_raw { disable|enable }
    node

known_port syntax:
known_ports [] [{-}{,}{,...}]
Define a list of 'known tcp and/or udp server ports'. SANCP will use these lists to help 'resolve/guess' the direction of ambiguous tcp/udp connections. Lists should only be provided to help reduce the occurrence of logging 'reversed' connections.
And we're going to make this one hurt... you have to specify '6' or '17' for the protocol. Or just create and use vars for them, i.e. 'var tcp 6', 'var udp 17'.

Short example of using vars in conjunction with known_ports:
    var tcp 6
    var udp 17
    var http 80
    var dns 53
    var https 443
    known_ports udp dns
    known_ports tcp dns,http,https

connection rule syntax:
A connection rule consists of two central parts:
1) network connection profile, i.e. ether proto, ip address, ip proto and ports
2) options
   a) collection options, i.e. stats=pass, pcap=pass, realtime=pass, timeout=120 or limit=1500
   b) tagging options, i.e. status=16 rid=1112 node=2

[{-[]}] [{-[]}] [[-] [|}>] [|}>] [{tcp|udp|icmp|[-] }] { ignore | stats [{log|pass}] | realtime [{log|pass}] | pcap [ {log|pass|rule|connection|{filename|tsfilename} []} { logdst|logsrc } { timeout []|limit []|tcplag []|retro|status <0-255>|rid |node }

Description for connection options:
-----------------------------------
timeout    - set delay after last packet before expiring the connection
limit      - set max bytes of pcap data to record per connection
realtime (option):
    pass       - do not log realtime for this traffic
    log        - log realtime for this traffic
stats (option):
    pass       - do not log statistics for this traffic
    log        - log statistics for this traffic
pcap (option):
    pass       - do not record pcap data
    log        - record pcap data to the default 'pcap' output file
    rule       - record pcap data to an output file; filename derived from the rule
    connection - record pcap data to an output file; filename derived from the connection
    filename   - record pcap data to a specific output filename (names starting with '/' are considered absolute)
    logsrc     - only record pcap data from the source (default is both)
    logdst     - only record pcap data from the destination (default is both)
ignore     - set realtime, stats, and pcap to 'pass' (ignores any logdst or logsrc options)
retro      - apply this rule to -all- ongoing connections, not just new ones

Description of 'tagging' options:
status     - status to be assigned to matching connections
rid        - rule id (32bit) for this rule (assigned to matching connections)
node       - node id (8bit) number to assign to matching connections. The node id is formed from the notion that more than one network could be monitored by one or more instances of sancp on the same system, i.e. consider '-i any'. Node id can be handy in rules to help tag traffic as belonging to a certain network interface.

NOTE: Malformed rules are reported to syslog and simply ignored

Basic Examples:
---------------
Below is a matrix outlining how the three different output types are used for four different modes of operation.

Output Type     Mode 1   Mode 2   Mode 3   Mode 4   Mode 5
-----------------------------------------------------------
pcap            log      log      pass     pass     *
realtime        log      pass     pass     pass     *
stats           log      log      log      pass     *
debug_pcap_raw  disable  disable  disable  disable  enable

Notes:
These modes can be obtained by setting their 'defaults' in the sancp.conf or by providing the command line options -P, -S and -R to disable pcap, stats and realtime, respectively.
IMPORTANT NOTE: the configuration file overrides the cmdline options to ensure SANCP can be controlled through configuration file changes (use: kill -HUP to re-read the config).

Mode 1: Default Monitoring Mode: allow full access to 'realtime', 'stats' and 'pcap' data
    Use a set of rules which define your network. Disable realtime for uninteresting traffic.
    Use collection options to reduce collection effort on certain traffic.
    Use realtime entries as 'alerts' to notify you of new and interesting traffic.
    Modify rules real-time so sancp can stay current with your changing collection requirements.
    Use rule identifiers (rid's) to mark connections as matching different kinds (profiles) of traffic.
    Storing rules with rule id's in the same database allows for quick access to connections of certain kinds of traffic.

Mode 2: Batch Analysis Mode: for (re)processing pcap files - realtime disabled
    Use a set of rules to extract interesting traffic from large tcpdump files; create a 'pcap' file containing only traffic of interest. Use the 'stats' file as an index to the data available in the 'pcap' file. Rules may be needed to exclude certain IP traffic you don't care about.

Mode 3: Connection Profiling Mode: (output only a stats log from a pcap file)

Mode 4: Pcap Split Mode: turns off all default output modes, uses rules to control which files matching traffic should be written to.
    Use the 'pcap filename ' rule option to specify an output file. The 'pcap rule' option will create a filename based on/derived from the rule itself, i.e. -:-_-:-_-. The 'pcap uniq' option will write to a pcap file whose filename is based on/derived from the connection itself, i.e. :_:-.

Mode 5: Debug Pcap Raw Mode: additionally, records all traffic to a 'debug_pcap_raw' file
    This is enabled via command line (-A) or via config file (default debug_pcap_raw enable) regardless of any rules. 80211 headers are still stripped, if configured to do so. It can subsequently be disabled via config file (default debug_pcap_raw disable).

**To use the configuration file to dynamically (re)configure sancp while running** see: 'kill signals'

-----------------------------
#
# Example sancp.conf file
#
# ** The sancp configuration file can be re-loaded dynamically while running **
#
# Define known_ports to help sancp determine connection direction
# for pre-existing udp and tcp connections (i.e. at startup)
# We set these only as we need them. They are used for half-open TCP connections
# (ie. if we missed the syn or syn-ack), and for all udp connections
# The 'reversed' field in the connection (profile) output will tell you if
# SANCP recorded the direction opposite that of the initial packet (i.e. '1').
# known_ports tcp 80,443
# known_ports udp 53

# Override default logging for stats, pcap, and realtime

# Configure default mode for 'stats' logging
#default stats log            # sets default mode to 'log stats' (*default mode)
#                             # use 'pass' to set default mode to 'do not log stats'

# Configure default mode for 'pcap' logging
#default pcap log             # sets default mode to 'record pcap data' (*default mode)
#                             # use 'pass' to set default mode to 'do not record pcap data'

# Configure default mode for 'realtime' logging
#default realtime log         # create a realtime when we record pcap data (*default mode)
#                             # use 'pass' to set default to 'not create' realtime
# Note: You can add the 'realtime log' option to a rule to 'force' all matches to log a
# realtime regardless of whether we record pcap data

#default debug_pcap_raw disable   # enable|disable debug pcap logging mode for online debugging
#                                 # if set to 'enable' we will record packets to a 'debug_pcap_raw' file, regardless of rules

#default status 0             # sets default 8bit status (0-255) for all connections which do not match a rule,
                              # or where a status is not specified for a rule (default = 0)

# Define local vars (used for IP/MASK combinations only)
var HOME_NET 192.168.1.0/24
var ip 8

# The following rule syntax is supported:
# Rule format:
# any any any any any pcap none
# sip dip proto sp dp options

# Ignore outbound HTTP (ignore both pcap and stats)
ip HOME_NET any tcp any 80 pcap pass stats pass

# Do not record ssh data
ip HOME_NET any tcp any 22 pcap pass

# we ignore UDP > 1024 with a few exceptions
# Streaming media can kill your logging so
ip any HOME_NET udp any 1025-32769 pcap pass
ip any HOME_NET udp any 32781- pcap pass

# Don't log ICMP at all (no stats, pcap, or realtime)
ip any any icmp any any ignore

# Ignore incoming blaster scans
ip any HOME_NET tcp any 135 ignore
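As an added example (not code from the sancp distribution), the following decodes the packed flag columns described under 'Output Fields' above: sflags/dflags (field 17/18, bit order 12UAPRSF), the closed flags (field 19, bit order 00AARRFF/00DSDSDS), the 'reversed' and 'collect' codes (fields 36/37) and the enabled flags (fields 41-43). The sample records are constructed, not captured, and the hex form produced by -H is assumed to be written without a 0x prefix.

```python
"""Decode sancp 'realtime'/'stats' flag columns (added example, not sancp code)."""

# Field 17/18: cumulative TCP flags, bit order 12UAPRSF, most significant bit first.
TCP_FLAG_BITS = ("1", "2", "U", "A", "P", "R", "S", "F")

# Field 19: close-session flags, bit order 00AARRFF/00DSDSDS, most significant
# bit first. The two most significant bits are unused (None).
CLOSED_FLAG_BITS = (None, None, "DA", "SA", "DR", "SR", "DF", "SF")

# Field 36: did sancp reverse the addresses seen in the initial packet?
REVERSED_CODES = {0: "no", 1: "yes",
                  2: "no (both ports were known)",
                  3: "no (both ports were unknown)"}

# Field 37: pcap collection mode used for the connection.
COLLECT_CODES = {0: "none", 1: "both", 2: "from_src", 3: "from_dst"}


def parse_flag_field(text, human_readable=False):
    """Parse a flag column as printed: hex with -H/--human-readable (assumed
    to have no 0x prefix), plain decimal otherwise."""
    return int(text.strip(), 16 if human_readable else 10)


def decode_bits(value, names):
    """Return the names of the set bits of an 8bit field, MSB first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("flag field must be an 8bit value, got %r" % (value,))
    return [name for pos, name in enumerate(names)
            if name is not None and value & (0x80 >> pos)]


def decode_tcp_flags(value):
    """Fields 17 (sflags) and 18 (dflags), e.g. 0x1b -> ['A', 'P', 'S', 'F']."""
    return decode_bits(value, TCP_FLAG_BITS)


def decode_closed_flags(value):
    """Field 19, e.g. 0x33 -> ['DA', 'SA', 'DF', 'SF'] (clean close both ways)."""
    return decode_bits(value, CLOSED_FLAG_BITS)


def summarize_connection(rec):
    """Summarize what the connection looked like and how sancp handled it.

    `rec` is a dict keyed by the documented field names; on disk the columns
    appear in the numbered order given in the help text."""
    sflags = decode_tcp_flags(rec["sflags"])
    dflags = decode_tcp_flags(rec["dflags"])
    return {
        "sflags": sflags,
        "dflags": dflags,
        "closed": decode_closed_flags(rec["closed"]),
        # SYN seen from both sides: the handshake was observed, so the
        # recorded direction does not rely on known_ports guessing.
        "handshake_seen": "S" in sflags and "S" in dflags,
        # A reset on either side and no FIN anywhere: refused or aborted.
        "reset_only": ("R" in sflags or "R" in dflags)
                      and "F" not in sflags and "F" not in dflags,
        "reversed": REVERSED_CODES.get(rec["reversed"], "unknown"),
        "collect": COLLECT_CODES.get(rec["collect"], "unknown"),
        # Fields 41-43 show at a glance which outputs recorded the connection.
        "logged_to": [name for name in ("pcap", "realtime", "stats")
                      if rec[name + "_enabled"] == "Y"],
    }


# Constructed sample values (not captured output), as the columns would read
# without -H: a completed TCP session and a refused connection attempt.
SAMPLE_COMPLETE = {"sflags": 27, "dflags": 27, "closed": 51, "reversed": 0,
                   "collect": 1, "pcap_enabled": "Y", "realtime_enabled": "Y",
                   "stats_enabled": "Y"}
SAMPLE_REFUSED = {"sflags": 2, "dflags": 20, "closed": 8, "reversed": 0,
                  "collect": 1, "pcap_enabled": "Y", "realtime_enabled": "N",
                  "stats_enabled": "Y"}

if __name__ == "__main__":
    for label, rec in (("complete", SAMPLE_COMPLETE), ("refused", SAMPLE_REFUSED)):
        print(label, summarize_connection(rec))
```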