# 1300, Fri 20 Oct 95
#
# Rules to look at protocols by port
#
# Nevil Brownlee, ITSS Technology Development, The University of Auckland
#
# This rule set demonstrates a better way to classify IP ports.
# It uses two groups of tests, one on SourceTransAddress and one on
# DestTransAddress; these are optimised into hashed searches by the
# meter.  Note: this means we're telling the meter that the well-known
# port is the source of the packet!  A packet whose *destination* port
# is well-known is handed back with 'Retry' (source/dest swapped), so in
# the resulting flow records the Source* attributes identify the
# service end, not necessarily the end that sent the first packet.
# Keep that in mind when reading these flows for anything
# direction-sensitive (who initiated, who scanned whom).
#
# Only packets whose SourcePeerType is Novell are classified at all;
# everything else is dropped by the unconditional 'Ignore' below.
#
# Port values: the SourceTransAddress group uses hex byte pairs
# (04-51 ... 40-08), the DestTransAddress group uses the same ports in
# decimal (0x0451 = 1105, 0x0452 = 1106, 0x0453 = 1107, 0x0455 = 1109,
# 0x4003 = 16387, 0x4008 = 16392).  The two lists must be kept in step.
#
# Rule syntax reminder:  attribute & mask = value: action, target;
# The '= 0' tests on the PushPkt*/CountPkt rules below follow the
# conventional NeTraMet idiom for "push the packet's masked value";
# NOTE(review): confirm against the meter's rule semantics that the
# value is indeed ignored for push/count actions rather than compared.
#
SET 5
#
RULES
# Dispatch on peer type: Novell packets go to Novell_pkt, all others
# are ignored (the second rule always matches).
SourcePeerType & 255 = Novell: Pushto, Novell_pkt;
Null & 0 = 0: Ignore, 0;
#
Novell_pkt:
# Novell
# Group 1: well-known port already in the source position.  Only the
# source port is pushed (via PushtoAct), so flows aggregate by service
# port + peer addresses; the other end's port is not part of the key.
SourceTransAddress & FF-FF = 04-51: PushtoAct, n_trans_source;
SourceTransAddress & FF-FF = 04-52: PushtoAct, n_trans_source;
SourceTransAddress & FF-FF = 04-53: PushtoAct, n_trans_source;
SourceTransAddress & FF-FF = 04-55: PushtoAct, n_trans_source;
SourceTransAddress & FF-FF = 40-03: PushtoAct, n_trans_source;
SourceTransAddress & FF-FF = 40-08: PushtoAct, n_trans_source;
#
# Group 2: well-known port in the destination position.  Retry swaps
# source and destination and re-runs the packet, which then matches
# group 1 above (so a Retry cannot loop: the swapped source port is one
# that group 1 accepts).
DestTransAddress & 255.255 = 1105: Retry, 0;
DestTransAddress & 255.255 = 1106: Retry, 0;
DestTransAddress & 255.255 = 1107: Retry, 0;
DestTransAddress & 255.255 = 1109: Retry, 0;
DestTransAddress & 255.255 = 16387: Retry, 0;
DestTransAddress & 255.255 = 16392: Retry, 0;
#
# Neither port is in the lists: 'Unusual' port.
Null & 0 = 0: GotoAct, n_bad;
#
# 'Unusual' port
# Both ports are pushed here before falling through to n_trans_source,
# so each distinct (src port, dst port) pair on an unlisted port
# presumably becomes its own flow.  NOTE(review): a port scan or a burst
# of short connections on unlisted ports will therefore create one flow
# per port pair; check the meter's flow-table headroom, or consider
# pushing only one side, if that is a concern on this link.
n_bad:
DestTransAddress & 255.255 = 0: PushPktToAct, Next;
SourceTransAddress & 255.255 = 0: PushPktToAct, Next;
#
# Common tail: key the flow on both peer addresses (10-byte mask,
# presumably the full Novell network+node address) and on the transport
# type, then count the packet.
n_trans_source:
SourcePeeraddress & 255.255.255.255.255.255.255.255.255.255 = 0: PushPkttoAct, Next;
DestPeeraddress & 255.255.255.255.255.255.255.255.255.255 = 0: PushPkttoAct, Next;
SourceTransType & 255 = 0: CountPkt, 0;
#
#
# Output record layout for the flows collected by this rule set:
# start time, To/From packet and octet counters, then the peer and
# transport attributes that were pushed above.
FORMAT FirstTime ToPDUs ToOctets " " FromPDUs FromOctets " " SourcePeerType SourcePeerAddress DestPeerAddress " " SourceTransType SourceTransAddress DestTransAddress;
#
# end of file