#  1240, Thu 9 Feb 95
#
#  Rule specification file to tally IP packets by port nbr
#
#  Nevil Brownlee,  Computer Centre,  University of Auckland
#
#  Overview: IP packets are split by transport type.  TCP and UDP packets
#  are then matched against a short list of well-known service ports
#  (nntp, smtp, domain, telnet, ftp, ftpdata), testing the source port
#  first and then the destination port, so both directions of a
#  conversation are tallied under the service's port number.
#
#  Rules are tried in file order, so the order of the rules is part of
#  the logic.  Classification is by port number alone: a service running
#  on any other port is not recognised here and falls through to the
#  t_bad tally.
#
#  NOTE(review): the reviewed copy had lost its line breaks; a lone '#'
#  is read here as a separator line and the keywords and rules after it
#  as active.  Confirm against the distributed file.
#
SET 4
#
RULES
  # '& 255' masks the whole one-byte type field.
  SourcePeerType & 255 = IP:     Pushto, ip_pkt;
  SourcePeerType & 255 = dummy:  Ignore, 0;   # Ignore meter's dummy pkts
  # Anything else: an always-true test hands over to the next rule's
  # action, so non-IP packets are counted by peer type only.
  Null & 0 = 0:  GotoAct, Next;
  SourcePeerType & 255 = 0:  CountPkt, 0;     # Count packet types
#
ip_pkt:
  # TCP and UDP go on to the port tests; ICMP and OSPF have no ports
  # and are counted by transport type alone.
  SourceTransType & 255 = tcp:   Pushto, tcp_udp;
  SourceTransType & 255 = udp:   Pushto, tcp_udp;
  SourceTransType & 255 = icmp:  PushtoAct, c_trans_only;
  SourceTransType & 255 = ospf:  PushtoAct, c_trans_only;
  Null & 0 = 0:  GotoAct, t_bad;              # Unknown transport type
#
tcp_udp:
  # Each service is a pair of rules.  The first matches the source port
  # and pushes the service port as SourceTransAddress.  The second
  # matches the destination port and jumps back to the first rule's
  # action, so the same value is pushed for either direction.
  # '& 255.255' masks both bytes of the port number.
s_news:
  SourceTransAddress & 255.255 = nntp:     PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = nntp:     GotoAct, s_news;
s_smtp:
  SourceTransAddress & 255.255 = smtp:     PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = smtp:     GotoAct, s_smtp;
s_domain:
  SourceTransAddress & 255.255 = domain:   PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = domain:   GotoAct, s_domain;
s_telnet:
  SourceTransAddress & 255.255 = telnet:   PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = telnet:   GotoAct, s_telnet;
s_ftp_ctrl:
  SourceTransAddress & 255.255 = ftp:      PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = ftp:      GotoAct, s_ftp_ctrl;
s_ftp_data:
  SourceTransAddress & 255.255 = ftpdata:  PushtoAct, c_trans_source;
  DestTransAddress   & 255.255 = ftpdata:  GotoAct, s_ftp_data;
#
  # NOTE(review): this catch-all is read as an active rule.  If it were
  # commented out, unlisted ports would fall into t_bad with its tests
  # evaluated rather than skipped - confirm against the original.
  Null & 0 = 0:  GotoAct, t_bad;              # 'Unusual' port
#
t_bad:  # End of packet testing
  # Entered with GotoAct, so the '= 0' tests below are placeholders.
  # The packet's own source and destination ports are pushed, then the
  # packet is counted.  Flows tallied here keep both port numbers, which
  # makes this the tally to review for services on unexpected ports.
  SourceTransAddress & 255.255 = 0:  PushPkttoAct, Next;
  DestTransAddress   & 255.255 = 0:  PushPkttoAct, Next;
  SourceTransType & 255 = 0:  CountPkt, 0;
c_trans_source:  # SourceTransAddress already pushed
  SourceTransType & 255 = 0:  CountPkt, 0;
c_trans_only:
  # ICMP and OSPF arrive here from ip_pkt: counted by transport type,
  # no port values pushed.
  SourceTransType & 255 = 0:  CountPkt, 0;
#
# Fields written for each flow: rule set and flow index, FirstTime, the
# peer type, transport type and port values, then PDU and octet counts
# in each direction.
FORMAT FlowRuleSet FlowIndex FirstTime "  "
   SourcePeerType SourceTransType SourceTransAddress DestTransAddress "  "
   ToPDUs ToOctets FromPDUs FromOctets;
#
STATISTICS
#
#  end of file