-
Notifications
You must be signed in to change notification settings - Fork 0
/
sample.conf
171 lines (133 loc) · 2.84 KB
/
sample.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
slice securitymetrics {
bpf = "host 204.238.82.25"
}
slice malware {
bpf = "net 91.0.0.0/8"
}
slice arp {
bpf = "arp"
}
slice dhcp {
bpf = "udp dst port 67 or udp dst port 68"
}
slice samba {
bpf = "dst host adhost1 and (dst portrange 137-139 or tcp dst port 445)"
options = "nosave"
}
slice nfs-tcp {
bpf = "dst host nfs-1 and tcp dst port 2049";
options = "nosave"
}
slice ad-kerberos {
bpf = "dst host adhost1 and dst port kerberos"
}
slice ad-tcp-1026 {
bpf = "dst host adhost1 and tcp dst port 1026"
}
slice web-proxy {
bpf = "tcp port 3128 and dst squid-1"
options = "nosave"
}
slice msrdp {
bpf = "dst host windoze-box and tcp dst port 3389"
options = "nosave"
}
slice mssql {
bpf = "dst host omgwtfbbq and (tcp dst port 1433 or tcp dst port 1186)"
}
slice ssh-internal {
bpf = "tcp port 22"
options = "nosave"
}
slice ipsec-vpn {
bpf = "(host vpn-gw1 and host vpn-gw2 and esp)"
options = "nosave"
}
slice internal-smtp {
bpf = "src net 192.168.0.0/16 and dst host smtp and tcp dst port 25"
}
slice inbound-smtp {
bpf = "tcp dst port 25 and
((dst public-ip-1 or dst public-ip-2) or
(dst host smtp and not src net 192.168.0.0/16))"
}
slice smtp-outbound-supranet {
bpf = "src host smtp and dst host ext-smtp-smarthost-1 and tcp dst port 25"
options = "nosave"
}
slice smtp-escaping {
bpf = "src net 192.168.0.0/16 and not dst net 192.168.0.0/16 and tcp dst port 25"
}
slice dns {
bpf = "udp dst port 53"
}
slice wpad {
bpf = "dst host wpad and tcp dst port 80"
}
slice jabber {
bpf = "dst host jabber and tcp dst port 5222"
options = "nosave"
}
slice ntp {
bpf = "udp dst port 123"
}
slice cacti-ntp {
bpf = "udp dst port ntp and dst net 192.168.0.0/16 and src net 192.168.0.0/16"
}
slice cacti-snmp {
bpf = "src host cacti and udp dst port snmp"
}
slice cact-udp-ping {
bpf = "src host cacti and udp dst port 23"
}
slice snmp-other {
bpf = "udp dst port snmp"
}
slice ping-internal {
bpf = "((icmp[icmptype] = icmp-echo) or (icmp[icmptype] = icmp-echoreply)) and (src net 192.168.0.0/16) and (dst net 192.168.0.0/16)"
options = "nomirror"
}
slice pgsql {
bpf = "(dst net 10.2.0.64/29) and tcp dst port 5432"
options = "nosave"
}
slice syslog {
bpf = "dst host syslog and dst port 514"
options = "nosave"
}
slice jetdirect {
bpf = "tcp dst port 9100 and dst net 10.2.5.0/24"
options = "nosave"
}
slice misc-samba {
bpf = "(dst portrange 137-139 or tcp dst port 445)"
}
slice vonage-external {
bpf = "udp and ((dst net 216.115.16.0/20) or (dst net 69.59.224.0/19))"
}
slice misc-tcp {
bpf = "tcp"
}
slice misc-udp {
bpf = "udp"
}
slice misc-icmp {
bpf = "icmp"
}
slice misc-igmp {
bpf = "igmp"
}
slice misc-ip {
bpf = "ip"
}
slice misc-ipv6 {
## bpf = "ip6"
bpf = "ether proto 0x86dd"
}
## http://www.kehlet.cx/articles/186.html
slice cisco-cdp {
bpf = "ether[20:2] == 0x2000"
}
slice uncategorized {
bpf = ""
}