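# 1300, Fri 20 Oct 95
#
# Rules to look at IP flows by Class C subnet
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# Rule form used throughout: attribute & mask = value: action, target;
# Each rule tests (attribute & mask) against value and, on a match, takes
# the named action towards target (a label defined below, or Next for the
# following rule).  A label is a name ending in ':' and several labels may
# stack on one rule (see c_trans_source / c_trans_only near the end).
#
SET 5
#
RULES
# Only IP traffic is classified; any other peer type is ignored outright.
SourcePeerType & 255 = IP: PushtoAct, IP_pkt;
Null & 0 = 0: Ignore, 0;
#
# Aggregate both peer addresses to their Class C (/24) subnet by masking
# off the host octet before anything else is tested.
IP_pkt:
SourcePeerAddress & 255.255.255.0 = 0.0.0.0: PushPkttoAct, Next;
DestPeerAddress & 255.255.255.0 = 0.0.0.0: PushPktto, Next;
#
# Dispatch on transport protocol: tcp and udp go on to port classification,
# icmp and ospf carry no port and are counted as they are, and every other
# transport type falls through to c_bad.
SourceTransType & 255 = tcp: Pushto, tcp_udp;
SourceTransType & 255 = udp: Pushto, tcp_udp;
SourceTransType & 255 = icmp: PushtoAct, c_trans_only;
SourceTransType & 255 = ospf: PushtoAct, c_trans_only;
Null & 0 = 0: GotoAct, c_bad; # Unknown transport type
#
# Well-known service ports, tested first on the source port.  A service is
# recognised here purely by its port number, so a service running on a
# non-standard port is not attributed to it and ends up under c_bad.
# NOTE(review): 113 is the ident/auth port; IMAP is conventionally 143, so
# the s_imap label looks mislabelled -- confirm before relying on it.
tcp_udp:
s_domain: SourceTransAddress & 255.255 = domain: PushtoAct, c_trans_source;
s_finger: SourceTransAddress & 255.255 = 79: PushtoAct, c_trans_source;
s_ftp: SourceTransAddress & 255.255 = ftp: PushtoAct, c_trans_source;
s_ftpdata: SourceTransAddress & 255.255 = ftpdata: PushtoAct, c_trans_source;
s_gopher: SourceTransAddress & 255.255 = gopher: PushtoAct, c_trans_source;
s_imap: SourceTransAddress & 255.255 = 113: PushtoAct, c_trans_source;
s_login: SourceTransAddress & 255.255 = 513: PushtoAct, c_trans_source;
s_netbios: SourceTransAddress & 255.255 = 138: PushtoAct, c_trans_source;
s_news: SourceTransAddress & 255.255 = nntp: PushtoAct, c_trans_source;
s_nfs: SourceTransAddress & 255.255 = 2049: PushtoAct, c_trans_source;
s_ntp: SourceTransAddress & 255.255 = ntp: PushtoAct, c_trans_source;
s_pop: SourceTransAddress & 255.255 = 110: PushtoAct, c_trans_source;
s_printer: SourceTransAddress & 255.255 = 515: PushtoAct, c_trans_source;
s_smtp: SourceTransAddress & 255.255 = smtp: PushtoAct, c_trans_source;
s_snmp: SourceTransAddress & 255.255 = snmp: PushtoAct, c_trans_source;
s_telnet: SourceTransAddress & 255.255 = telnet: PushtoAct, c_trans_source;
s_www: SourceTransAddress & 255.255 = www: PushtoAct, c_trans_source;
s_xwin: SourceTransAddress & 255.255 = 6000: PushtoAct, c_trans_source;
#
# The same services tested on the destination port.  Each match jumps back
# to the matching s_ label above so that both directions of a service's
# traffic are handled by the one rule.
DestTransAddress & 255.255 = domain: GotoAct, s_domain;
DestTransAddress & 255.255 = 79: GotoAct, s_finger;
DestTransAddress & 255.255 = ftp: GotoAct, s_ftp;
DestTransAddress & 255.255 = ftpdata: GotoAct, s_ftpdata;
DestTransAddress & 255.255 = gopher: GotoAct, s_gopher;
DestTransAddress & 255.255 = 113: GotoAct, s_imap;
DestTransAddress & 255.255 = 513: GotoAct, s_login;
DestTransAddress & 255.255 = 138: GotoAct, s_netbios;
DestTransAddress & 255.255 = nntp: GotoAct, s_news;
DestTransAddress & 255.255 = 2049: GotoAct, s_nfs;
DestTransAddress & 255.255 = ntp: GotoAct, s_ntp;
DestTransAddress & 255.255 = 110: GotoAct, s_pop;
DestTransAddress & 255.255 = 515: GotoAct, s_printer;
DestTransAddress & 255.255 = smtp: GotoAct, s_smtp;
DestTransAddress & 255.255 = snmp: GotoAct, s_snmp;
DestTransAddress & 255.255 = telnet: GotoAct, s_telnet;
DestTransAddress & 255.255 = www: GotoAct, s_www;
DestTransAddress & 255.255 = 6000: GotoAct, s_xwin;
#
Null & 0 = 0: GotoAct, c_bad; # 'Unusual' port
#
# Neither port is in the service table above.  Both port values are kept
# in the flow key here, so unexpected services show up in the output as
# their own flows rather than being merged into one catch-all bucket.
c_bad:
SourceTransAddress & 255.255 = 0: PushPktToAct, Next;
DestTransAddress & 255.255 = 0: PushPktToAct, Next;
#
# Common tail: the mask of 0 makes this test match every flow that reaches
# it, so everything classified above is counted here.
c_trans_source:
c_trans_only:
SourceTransType & 255 = 0: CountPkt, 0;
#
# Output columns for every counted flow: packet and octet counts in each
# direction, then the transport-level key, then the /24 peer subnets.
FORMAT ToPDUs ToOctets " " FromPDUs FromOctets " " SourcePeerType SourceTransType SourceTransAddress DestTransAddress "\t" SourcePeerAddress DestPeerAddress;
#
# end of file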