00001 ---------------------------------------------------------------------------
00002 -- Snort++ defaults
00003 --
00004 -- include in your snort.lua with a dofile statement
00005 -- after you set HOME_NET and EXTERNAL_NET
00006 --
00007 -- use these by assignment, eg
00008 -- ftp_server = default_ftp_server
00009 ---------------------------------------------------------------------------
00010
00011 ---------------------------------------------------------------------------
00012 -- Set paths, ports, and nets:
00013 --
00014 -- variables with 'PATH' in the name are vars
00015 -- variables with 'PORT' in the name are portvars
00016 -- variables with 'NET' in the name are ipvars
00017 -- variables with 'SERVER' in the name are ipvars
00018 ---------------------------------------------------------------------------
00019
00020 ---------------------------------------------------------------------------
00021 -- default paths
00022 ---------------------------------------------------------------------------
-- Where rule files are read from. Relative paths are accepted.
-- NOTE(review): these directories feed detection content into the sensor
-- (so_rules presumably holds shared-object rules), so write access to them
-- should be restricted. Confirm ownership and permissions on deployment.
PLUGIN_RULE_PATH = "../so_rules"
BUILTIN_RULE_PATH = "../builtin_rules"
RULE_PATH = "../rules"

-- Needed only when the reputation preprocessor is in use; both lists
-- default to the same directory.
BLACK_LIST_PATH = "../lists"
WHITE_LIST_PATH = "../lists"
00032
00033 ---------------------------------------------------------------------------
00034 -- default networks
00035 ---------------------------------------------------------------------------
00036
-- Server groups, each defaulting to all of HOME_NET. The including snort.lua
-- must set HOME_NET before it runs dofile on this file; otherwise every
-- group below ends up nil.
-- NOTE(review): presumably rules reference these groups, so narrowing one to
-- the hosts that actually run the service limits where those rules apply.
-- Confirm against the rule set in use.
DNS_SERVERS = HOME_NET      -- DNS servers on your network
FTP_SERVERS = HOME_NET      -- ftp servers on your network
HTTP_SERVERS = HOME_NET     -- web servers on your network
SIP_SERVERS = HOME_NET      -- sip servers on your network
SMTP_SERVERS = HOME_NET     -- SMTP servers on your network
SQL_SERVERS = HOME_NET      -- sql servers on your network
SSH_SERVERS = HOME_NET      -- ssh servers on your network
TELNET_SERVERS = HOME_NET   -- telnet servers on your network
00060
-- Other variables; these should not be modified.
-- AIM server address blocks, one CIDR per entry, stored as a
-- newline-separated string with a trailing newline.
-- NOTE(review): this is a static snapshot of third-party address space.
-- Verify it is still accurate before basing allow/deny decisions on it.
AIM_SERVERS = table.concat({
    "64.12.24.0/23",
    "64.12.28.0/23",
    "64.12.161.0/24",
    "64.12.163.0/24",
    "64.12.200.0/24",
    "205.188.3.0/24",
    "205.188.5.0/24",
    "205.188.7.0/24",
    "205.188.9.0/24",
    "205.188.153.0/24",
    "205.188.179.0/24",
    "205.188.248.0/24",
}, "\n") .. "\n"
00077
00078 ---------------------------------------------------------------------------
00079 -- default ports
00080 ---------------------------------------------------------------------------
-- Port lists are whitespace-separated strings. The short lists start with a
-- space, presumably so they can be appended to another list with `..`
-- (FILE_DATA_PORTS below is built that way).

-- Ports you run web servers on.
HTTP_PORTS =
    "80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128\n" ..
    "3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008\n" ..
    "8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800\n" ..
    "8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080\n" ..
    "50002 55555\n"

-- POP3 (110) and IMAP (143).
-- NOTE(review): SMTP and the TLS-wrapped mail ports are not in this list, so
-- FILE_DATA_PORTS does not cover them either. Confirm that is intended.
MAIL_PORTS = " 110 143"

-- File data ports for file inspection: the web ports followed by the mail
-- ports.
FILE_DATA_PORTS = HTTP_PORTS .. MAIL_PORTS

-- Ports to look for SHELLCODE on: everything except port 80.
-- NOTE(review): only 80 is excluded; the remaining HTTP_PORTS stay in scope.
SHELLCODE_PORTS = " !80"

-- Ports you might see oracle attacks on: 1024 and above.
ORACLE_PORTS = " 1024:"

-- Ports to look for SSH connections on.
SSH_PORTS = " 22"

-- Ports you run ftp servers on.
FTP_PORTS = " 21 2100 3535"

-- Ports you run SIP servers on.
SIP_PORTS = " 5060 5061 5600"

-- GTP ports for the GTP preprocessor.
GTP_PORTS = " 2123 2152 3386"

RPC_PORTS = " 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779"
00116
00117 ---------------------------------------------------------------------------
00118 -- default ftp server
00119 ---------------------------------------------------------------------------
00120
-- Full default FTP command set, used as ftp_cmds in default_ftp_server.
-- Stored as a whitespace-separated string with a trailing newline.
ftp_default_cmds = table.concat({
    "ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP CEL CLNT CMD CONF CWD DELE ENC",
    "EPRT EPSV ESTA ESTP FEAT HELP LANG LIST LPRT LPSV MACB MAIL MDTM MIC",
    "MKD MLSD MLST MODE NLST NOOP OPTS PASS PASV PBSZ PORT PROT PWD QUIT",
    "REIN REST RETR RMD RNFR RNTO SDUP SITE SIZE SMNT STAT STOR STOU STRU",
    "SYST TEST TYPE USER XCUP XCRC XCWD XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ",
    "XSEM XSEN XSHA1 XSHA256",
}, "\n") .. "\n"
00130
-- Command subsets handed to default_ftp_server under the matching *_cmds
-- keys. Each is a whitespace-separated string ending in a newline.
-- (Meanings below are read off the variable names. Confirm against the
-- ftp_server documentation.)

-- commands that set up a data channel
ftp_default_data_chan_cmds = "PORT PASV LPRT LPSV EPRT EPSV\n"

-- commands that move data over it
ftp_default_data_xfer_cmds = "RETR STOR STOU APPE LIST NLST\n"

-- uploads
ftp_default_file_put_cmds = "STOR STOU\n"

-- downloads
ftp_default_file_get_cmds = "RETR\n"

-- login exchange
ftp_default_login_cmds = "USER PASS\n"

-- switch to an encrypted session
ftp_default_encr_cmds = "AUTH\n"
00160
-- Commands passed to default_ftp_server as chk_str_fmt, presumably the set
-- whose arguments get format-string checking (confirm against the
-- ftp_server documentation).
-- Whitespace-separated string with a trailing newline.
ftp_format_commands =
    "ACCT ADAT ALLO APPE AUTH CEL CLNT CMD CONF CWD DELE ENC EPRT EPSV ESTP\n" ..
    "HELP LANG LIST LPRT MACB MAIL MDTM MIC MKD MLSD MLST MODE NLST OPTS\n" ..
    "PASS PBSZ PORT PROT REST RETR RMD RNFR RNTO SDUP SITE SIZE SMNT STAT\n" ..
    "STOR STRU TEST TYPE USER XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ XSEM\n" ..
    "XSEN XSHA1 XSHA256\n"
00169
-- Per-command validity rules, used as cmd_validity in default_ftp_server.
-- `length` presumably caps the size of the command's argument and `format`
-- describes its expected shape. Confirm against the ftp_server docs.
-- NOTE(review): raising a limit here loosens what is flagged for that
-- command, so record the reason next to any change.
ftp_command_specs =
{
    -- length = 0
    { command = "ABOR", length = 0 },
    { command = "CCC",  length = 0 },
    { command = "CDUP", length = 0 },
    { command = "ESTA", length = 0 },
    { command = "FEAT", length = 0 },
    { command = "LPSV", length = 0 },
    { command = "NOOP", length = 0 },
    { command = "PASV", length = 0 },
    { command = "PWD",  length = 0 },
    { command = "QUIT", length = 0 },
    { command = "REIN", length = 0 },
    { command = "SYST", length = 0 },
    { command = "XCUP", length = 0 },
    { command = "XPWD", length = 0 },

    -- length = 200
    { command = "APPE", length = 200 },
    { command = "CMD",  length = 200 },
    { command = "HELP", length = 200 },
    { command = "NLST", length = 200 },
    { command = "RETR", length = 200 },
    { command = "RNFR", length = 200 },
    { command = "STOR", length = 200 },
    { command = "STOU", length = 200 },
    { command = "XMKD", length = 200 },

    -- longer limits
    { command = "CWD",  length = 256 },
    { command = "RNTO", length = 256 },
    { command = "SIZE", length = 512 },

    -- length and format
    { command = "ALLO", length = 200, format = "< int [ char R int ] >" },
    { command = "PORT", length = 400, format = "< host_port >" },

    -- format only
    { command = "EPSV", format = "< [ { char 12 | char A char L char L } ] >" },
    { command = "MACB", format = "< string >" },
    { command = "MDTM", format = "< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >" },
    { command = "MODE", format = "< char ASBCZ >" },
    { command = "PROT", format = "< char CSEP >" },
    { command = "STRU", format = "< char FRPO [ string ] >" },
    {
        command = "TYPE",
        format = "< { char AE [ char NTC ] | char I | char L [ number ] } >"
    }
}
00213
-- Default ftp server settings, assembled from the lists defined above.
-- Params not specified here get internal defaults.
default_ftp_server = {}
default_ftp_server.ftp_cmds = ftp_default_cmds
default_ftp_server.data_chan_cmds = ftp_default_data_chan_cmds
default_ftp_server.data_xfer_cmds = ftp_default_data_xfer_cmds
default_ftp_server.file_put_cmds = ftp_default_file_put_cmds
default_ftp_server.file_get_cmds = ftp_default_file_get_cmds
default_ftp_server.login_cmds = ftp_default_login_cmds
default_ftp_server.encr_cmds = ftp_default_encr_cmds
default_ftp_server.chk_str_fmt = ftp_format_commands
default_ftp_server.cmd_validity = ftp_command_specs
00227
00228 ---------------------------------------------------------------------------
00229 -- default smtp configuration
00230 ---------------------------------------------------------------------------
00231
-- SMTP command lists handed to default_smtp under the matching *_cmds keys.
-- Each is a whitespace-separated string ending in a newline.
-- (Meanings below are read off the variable names. Confirm against the
-- smtp documentation.)

-- authentication exchanges
smtp_default_auth_cmds = "AUTH XAUTH X-EXPS\n"

-- commands that start binary data
smtp_default_binary_data_cmds = "BDAT XEXCH50\n"

-- commands that start message data
smtp_default_data_cmds = "DATA\n"

-- commands to normalize
smtp_default_normalize_cmds = "RCPT VRFY EXPN\n"

-- commands accepted as valid
smtp_default_valid_cmds =
    "ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO\n" ..
    "HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE SOML\n" ..
    "STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH\n" ..
    "XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR\n"
00259
-- Default smtp settings, assembled from the lists defined above.
-- Params not specified here get internal defaults.
default_smtp = {}
default_smtp.auth_cmds = smtp_default_auth_cmds
default_smtp.binary_data_cmds = smtp_default_binary_data_cmds
default_smtp.data_cmds = smtp_default_data_cmds
default_smtp.normalize_cmds = smtp_default_normalize_cmds
default_smtp.valid_cmds = smtp_default_valid_cmds
00269
00270 ---------------------------------------------------------------------------
00271 -- default wizard
00272 ---------------------------------------------------------------------------
00273
-- Request methods given to the wizard's http spell as to_server patterns.
-- TODO: build from default_http_methods
-- NOTE(review): VERSION_CONTROL, BASELINE_CONTROL and X_MS_ENUMATTS are
-- written with underscores, while the on-wire method names use hyphens.
-- Confirm whether the consumer normalizes them; if it does not, those three
-- entries never match real traffic.
http_methods =
{
    "OPTIONS", "GET", "HEAD", "POST",
    "PUT", "DELETE", "TRACE", "CONNECT",
    "VERSION_CONTROL", "REPORT", "CHECKOUT", "CHECKIN",
    "UNCHECKOUT", "MKWORKSPACE", "UPDATE", "LABEL",
    "MERGE", "BASELINE_CONTROL", "MKACTIVITY", "ORDERPATCH",
    "ACL", "PATCH", "BIND", "LINK",
    "MKCALENDAR", "MKREDIRECTREF", "REBIND", "UNBIND",
    "UNLINK", "UPDATEREDIRECTREF", "PROPFIND", "PROPPATCH",
    "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "SEARCH", "BCOPY", "BDELETE",
    "BMOVE", "BPROPFIND", "BPROPPATCH", "NOTIFY",
    "POLL", "SUBSCRIBE", "UNSUBSCRIBE", "X_MS_ENUMATTS",
}
00286
-- FTP commands given to the wizard's ftp spell as to_server patterns.
-- Same commands, in the same order, as the ftp_default_cmds string.
-- TODO: build from ftp_default_cmds
ftp_commands =
{
    "ABOR", "ACCT", "ADAT", "ALLO", "APPE", "AUTH",
    "CCC", "CDUP", "CEL", "CLNT", "CMD", "CONF",
    "CWD", "DELE", "ENC", "EPRT", "EPSV", "ESTA",
    "ESTP", "FEAT", "HELP", "LANG", "LIST", "LPRT",
    "LPSV", "MACB", "MAIL", "MDTM", "MIC", "MKD",
    "MLSD", "MLST", "MODE", "NLST", "NOOP", "OPTS",
    "PASS", "PASV", "PBSZ", "PORT", "PROT", "PWD",
    "QUIT", "REIN", "REST", "RETR", "RMD", "RNFR",
    "RNTO", "SDUP", "SITE", "SIZE", "SMNT", "STAT",
    "STOR", "STOU", "STRU", "SYST", "TEST", "TYPE",
    "USER", "XCUP", "XCRC", "XCWD", "XMAS", "XMD5",
    "XMKD", "XPWD", "XRCP", "XRMD", "XRSQ", "XSEM",
    "XSEN", "XSHA1", "XSHA256"
}
00299
-- SIP request methods given to the wizard's sip spell as to_server patterns.
sip_methods =
{
    "INVITE", "CANCEL", "ACK", "BYE", "REGISTER",
    "OPTIONS", "REFER", "SUBSCRIBE", "UPDATE", "JOIN",
    "INFO", "MESSAGE", "NOTIFY", "PRACK"
}
00305
-- Two-byte patterns for the wizard's telnet hex: 0xFF followed by each byte
-- from 0xF0 through 0xFF, written as '|FF F0|' ... '|FF FF|'.
telnet_commands = {}
for second_byte = 0xF0, 0xFF do
    telnet_commands[#telnet_commands + 1] =
        string.format("|FF %02X|", second_byte)
end
00313
-- Default wizard configuration: text patterns (spells), byte patterns
-- (hexes) and a list of curses, each tied to a service name.
-- to_server / to_client hold the patterns for each direction; client_first
-- records which side is expected to speak first.
-- NOTE(review): OPTIONS, UPDATE, NOTIFY and SUBSCRIBE appear in both
-- http_methods and sip_methods; how the wizard picks between the two
-- services for those is not visible in this file. Confirm before relying on
-- it to separate HTTP from SIP on unexpected ports.
default_wizard =
{
    spells =
    {
        {
            service = "ftp", proto = "tcp", client_first = false,
            to_server = ftp_commands,
            to_client = { "220*FTP" },
        },
        {
            service = "http", proto = "tcp", client_first = true,
            to_server = http_methods,
            to_client = { "HTTP/" },
        },
        {
            service = "imap", proto = "tcp", client_first = false,
            to_server = { "LOGIN", "AUTHENTICATE", "STARTTLS" },
            to_client = { "** OK", "** BYE" },
        },
        {
            service = "pop3", proto = "tcp", client_first = false,
            to_server = { "USER", "APOP" },
            to_client = { "+OK", "-ERR" },
        },
        {
            service = "sip", proto = "tcp", client_first = true,
            to_server = sip_methods,
            to_client = { "SIP/" },
        },
        {
            service = "smtp", proto = "tcp", client_first = false,
            to_server = { "HELO", "EHLO" },
            to_client = { "220*SMTP", "220*MAIL" },
        },
        {
            service = "ssh", proto = "tcp", client_first = true,
            to_server = { "*SSH" },
            to_client = { "*SSH" },
        },
        {
            -- server-to-client pattern only
            service = "dce_http_server", proto = "tcp", client_first = false,
            to_client = { "ncacn_http" },
        },
        {
            -- client-to-server pattern only
            service = "dce_http_proxy", proto = "tcp", client_first = true,
            to_server = { "RPC_CONNECT" },
        },
    },

    hexes =
    {
        {
            service = "dnp3", proto = "tcp", client_first = true,
            to_server = { "|05 64|" },
            to_client = { "|05 64|" },
        },

        -- modbus and rpc are disabled in the defaults
--[[
        { service = 'modbus', proto = 'tcp', client_first = true,
          to_server = { '??|0 0|' } },

        { service = 'rpc', proto = 'tcp', client_first = true,
          to_server = { '????|0 0 0 0 0 0 0 1|' },
          to_client = { '????|0 0 0 0 0 0 0 1|' } },
--]]

        {
            service = "ssl", proto = "tcp", client_first = true,
            to_server = { "|16 03|" },
            to_client = { "|16 03|" },
        },
        {
            service = "telnet", proto = "tcp", client_first = true,
            to_server = telnet_commands,
            to_client = telnet_commands,
        },
    },

    curses = { "dce_udp", "dce_tcp", "dce_smb" }
}
00371
00372 ---------------------------------------------------------------------------
00373 -- default references
00374 ---------------------------------------------------------------------------
00375
-- Reference systems that rules can cite, each with the URL prefix used for
-- it (presumably the id from the rule is appended to the prefix).
-- NOTE(review): every prefix is plain http and several point at
-- long-standing third-party sites. Verify they still resolve before
-- surfacing them to analysts as clickable links.
default_references =
{
    { name = "bugtraq",   url = "http://www.securityfocus.com/bid/" },
    { name = "cve",       url = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" },
    { name = "arachNIDS", url = "http://www.whitehats.com/info/IDS" },
    { name = "osvdb",     url = "http://osvdb.org/show/osvdb/" },
    { name = "McAfee",    url = "http://vil.nai.com/vil/content/v_" },
    { name = "nessus",    url = "http://cgi.nessus.org/plugins/dump.php3?id=" },
    { name = "url",       url = "http://" },
    { name = "msb",       url = "http://technet.microsoft.com/en-us/security/bulletin/" }
}
00387
00388 ---------------------------------------------------------------------------
00389 -- default classifications
00390 ---------------------------------------------------------------------------
00391
-- Rule classifications: short name, priority and descriptive text.
-- In this table 1 is given to the privilege-gain, trojan, malware and
-- exploit classes and 4 to a plain TCP connection, i.e. lower numbers are
-- the more severe ones.
-- NOTE(review): the text for 'sdf' is misspelled ("Senstive"). It is left
-- untouched because the text is presumably written out with alerts and
-- downstream matching may key on it; correct it together with any consumers.
default_classifications =
{
    { name = "not-suspicious", priority = 3, text = "Not Suspicious Traffic" },
    { name = "unknown", priority = 3, text = "Unknown Traffic" },
    { name = "bad-unknown", priority = 2, text = "Potentially Bad Traffic" },
    { name = "attempted-recon", priority = 2, text = "Attempted Information Leak" },
    { name = "successful-recon-limited", priority = 2, text = "Information Leak" },
    { name = "successful-recon-largescale", priority = 2, text = "Large Scale Information Leak" },
    { name = "attempted-dos", priority = 2, text = "Attempted Denial of Service" },
    { name = "successful-dos", priority = 2, text = "Denial of Service" },
    { name = "attempted-user", priority = 1, text = "Attempted User Privilege Gain" },
    { name = "unsuccessful-user", priority = 1, text = "Unsuccessful User Privilege Gain" },
    { name = "successful-user", priority = 1, text = "Successful User Privilege Gain" },
    { name = "attempted-admin", priority = 1, text = "Attempted Administrator Privilege Gain" },
    { name = "successful-admin", priority = 1, text = "Successful Administrator Privilege Gain" },
    { name = "rpc-portmap-decode", priority = 2, text = "Decode of an RPC Query" },
    { name = "shellcode-detect", priority = 1, text = "Executable code was detected" },
    { name = "string-detect", priority = 3, text = "A suspicious string was detected" },
    { name = "suspicious-filename-detect", priority = 2, text = "A suspicious filename was detected" },
    { name = "suspicious-login", priority = 2, text = "An attempted login using a suspicious username was detected" },
    { name = "system-call-detect", priority = 2, text = "A system call was detected" },
    { name = "tcp-connection", priority = 4, text = "A TCP connection was detected" },
    { name = "trojan-activity", priority = 1, text = "A Network Trojan was detected" },
    { name = "unusual-client-port-connection", priority = 2, text = "A client was using an unusual port" },
    { name = "network-scan", priority = 3, text = "Detection of a Network Scan" },
    { name = "denial-of-service", priority = 2, text = "Detection of a Denial of Service Attack" },
    { name = "non-standard-protocol", priority = 2, text = "Detection of a non-standard protocol or event" },
    { name = "protocol-command-decode", priority = 3, text = "Generic Protocol Command Decode" },
    { name = "web-application-activity", priority = 2, text = "Access to a potentially vulnerable web application" },
    { name = "web-application-attack", priority = 1, text = "Web Application Attack" },
    { name = "misc-activity", priority = 3, text = "Misc activity" },
    { name = "misc-attack", priority = 2, text = "Misc Attack" },
    { name = "icmp-event", priority = 3, text = "Generic ICMP event" },
    { name = "inappropriate-content", priority = 1, text = "Inappropriate Content was Detected" },
    { name = "policy-violation", priority = 1, text = "Potential Corporate Privacy Violation" },
    { name = "default-login-attempt", priority = 2, text = "Attempt to login by a default username and password" },
    { name = "sdf", priority = 2, text = "Senstive Data" },
    { name = "file-format", priority = 1, text = "Known malicious file or file based exploit" },
    { name = "malware-cnc", priority = 1, text = "Known malware command and control traffic" },
    { name = "client-side-exploit", priority = 1, text = "Known client side exploit attempt" }
}
00508
00509 ---------------------------------------------------------------------------
00510 -- gtp defaults
00511 ---------------------------------------------------------------------------
00512
-- GTP version 0 message types: numeric type paired with the name it is
-- known by. Entries are listed in ascending type order.
gtp_v0_msg =
{
    -- echo, version, node-alive and redirection
    { type =   1, name = "echo_request" },
    { type =   2, name = "echo_response" },
    { type =   3, name = "version_not_supported" },
    { type =   4, name = "node_alive_request" },
    { type =   5, name = "node_alive_response" },
    { type =   6, name = "redirection_request" },
    { type =   7, name = "redirection_response" },

    -- PDP context handling, error indication, PDU notification
    { type =  16, name = "create_pdp_context_request" },
    { type =  17, name = "create_pdp_context_response" },
    { type =  18, name = "update_pdp_context_request" },
    { type =  19, name = "update_pdp_context_response" },
    { type =  20, name = "delete_pdp_context_request" },
    { type =  21, name = "delete_pdp_context_response" },
    { type =  22, name = "create_aa_pdp_context_request" },
    { type =  23, name = "create_aa_pdp_context_response" },
    { type =  24, name = "delete_aa_pdp_context_request" },
    { type =  25, name = "delete_aa_pdp_context_response" },
    { type =  26, name = "error_indication" },
    { type =  27, name = "pdu_notification_request" },
    { type =  28, name = "pdu_notification_response" },
    { type =  29, name = "pdu_notification_reject_request" },
    { type =  30, name = "pdu_notification_reject_response" },

    -- routing info, failure report, MS-present note
    { type =  32, name = "send_routing_info_request" },
    { type =  33, name = "send_routing_info_response" },
    { type =  34, name = "failure_report_request" },
    { type =  35, name = "failure_report_response" },
    { type =  36, name = "note_ms_present_request" },
    { type =  37, name = "note_ms_present_response" },

    -- identification and SGSN context
    { type =  48, name = "identification_request" },
    { type =  49, name = "identification_response" },
    { type =  50, name = "sgsn_context_request" },
    { type =  51, name = "sgsn_context_response" },
    { type =  52, name = "sgsn_context_ack" },

    -- data record transfer
    { type = 240, name = "data_record_transfer_request" },
    { type = 241, name = "data_record_transfer_response" },

    { type = 255, name = "pdu" },
}
00557
-- GTP version 1 message types: numeric type paired with the name it is
-- known by. Entries are listed in ascending type order.
-- NOTE(review): 'forward_srns_contex' / 'forward_srns_contex_ack' are kept
-- with their existing spelling; the names are identifiers that other
-- configuration may refer to, so rename only together with every user.
gtp_v1_msg =
{
    -- echo, version, node-alive and redirection
    { type =   1, name = "echo_request" },
    { type =   2, name = "echo_response" },
    { type =   3, name = "version_not_supported" },
    { type =   4, name = "node_alive_request" },
    { type =   5, name = "node_alive_response" },
    { type =   6, name = "redirection_request" },
    { type =   7, name = "redirection_response" },

    -- PDP context handling
    { type =  16, name = "create_pdp_context_request" },
    { type =  17, name = "create_pdp_context_response" },
    { type =  18, name = "update_pdp_context_request" },
    { type =  19, name = "update_pdp_context_response" },
    { type =  20, name = "delete_pdp_context_request" },
    { type =  21, name = "delete_pdp_context_response" },
    { type =  22, name = "init_pdp_context_activation_request" },
    { type =  23, name = "init_pdp_context_activation_response" },

    -- error indication, PDU notification, routing info, failure report
    { type =  26, name = "error_indication" },
    { type =  27, name = "pdu_notification_request" },
    { type =  28, name = "pdu_notification_response" },
    { type =  29, name = "pdu_notification_reject_request" },
    { type =  30, name = "pdu_notification_reject_response" },
    { type =  31, name = "supported_ext_header_notification" },
    { type =  32, name = "send_routing_info_request" },
    { type =  33, name = "send_routing_info_response" },
    { type =  34, name = "failure_report_request" },
    { type =  35, name = "failure_report_response" },
    { type =  36, name = "note_ms_present_request" },
    { type =  37, name = "note_ms_present_response" },

    -- identification, SGSN context, relocation
    { type =  48, name = "identification_request" },
    { type =  49, name = "identification_response" },
    { type =  50, name = "sgsn_context_request" },
    { type =  51, name = "sgsn_context_response" },
    { type =  52, name = "sgsn_context_ack" },
    { type =  53, name = "forward_relocation_request" },
    { type =  54, name = "forward_relocation_response" },
    { type =  55, name = "forward_relocation_complete" },
    { type =  56, name = "relocation_cancel_request" },
    { type =  57, name = "relocation_cancel_response" },
    { type =  58, name = "forward_srns_contex" },
    { type =  59, name = "forward_relocation_complete_ack" },
    { type =  60, name = "forward_srns_contex_ack" },

    { type =  70, name = "ran_info_relay" },

    -- MBMS notification and context
    { type =  96, name = "mbms_notification_request" },
    { type =  97, name = "mbms_notification_response" },
    { type =  98, name = "mbms_notification_reject_request" },
    { type =  99, name = "mbms_notification_reject_response" },
    { type = 100, name = "create_mbms_context_request" },
    { type = 101, name = "create_mbms_context_response" },
    { type = 102, name = "update_mbms_context_request" },
    { type = 103, name = "update_mbms_context_response" },
    { type = 104, name = "delete_mbms_context_request" },
    { type = 105, name = "delete_mbms_context_response" },

    -- MBMS registration and session
    { type = 112, name = "mbms_register_request" },
    { type = 113, name = "mbms_register_response" },
    { type = 114, name = "mbms_deregister_request" },
    { type = 115, name = "mbms_deregister_response" },
    { type = 116, name = "mbms_session_start_request" },
    { type = 117, name = "mbms_session_start_response" },
    { type = 118, name = "mbms_session_stop_request" },
    { type = 119, name = "mbms_session_stop_response" },
    { type = 120, name = "mbms_session_update_request" },
    { type = 121, name = "mbms_session_update_response" },

    { type = 128, name = "ms_info_change_request" },
    { type = 129, name = "ms_info_change_response" },

    -- data record transfer
    { type = 240, name = "data_record_transfer_request" },
    { type = 241, name = "data_record_transfer_response" },

    { type = 254, name = "end_marker" },
    { type = 255, name = "pdu" },
}
00637
-- GTP version 2 message types: numeric type paired with the name it is
-- known by. Entries are listed in ascending type order.
gtp_v2_msg =
{
    -- echo and version
    { type =   1, name = "echo_request" },
    { type =   2, name = "echo_response" },
    { type =   3, name = "version_not_supported" },

    -- session, bearer modification, change notification
    { type =  32, name = "create_session_request" },
    { type =  33, name = "create_session_response" },
    { type =  34, name = "modify_bearer_request" },
    { type =  35, name = "modify_bearer_response" },
    { type =  36, name = "delete_session_request" },
    { type =  37, name = "delete_session_response" },
    { type =  38, name = "change_notification_request" },
    { type =  39, name = "change_notification_response" },

    -- commands, failure indications, trace, paging
    { type =  64, name = "modify_bearer_command" },
    { type =  65, name = "modify_bearer_failure_indication" },
    { type =  66, name = "delete_bearer_command" },
    { type =  67, name = "delete_bearer_failure_indication" },
    { type =  68, name = "bearer_resource_command" },
    { type =  69, name = "bearer_resource_failure_indication" },
    { type =  70, name = "downlink_failure_indication" },
    { type =  71, name = "trace_session_activation" },
    { type =  72, name = "trace_session_deactivation" },
    { type =  73, name = "stop_paging_indication" },

    -- bearer and PDN requests
    { type =  95, name = "create_bearer_request" },
    { type =  96, name = "create_bearer_response" },
    { type =  97, name = "update_bearer_request" },
    { type =  98, name = "update_bearer_response" },
    { type =  99, name = "delete_bearer_request" },
    { type = 100, name = "delete_bearer_response" },
    { type = 101, name = "delete_pdn_request" },
    { type = 102, name = "delete_pdn_response" },

    -- identification, SGSN context, relocation
    { type = 128, name = "identification_request" },
    { type = 129, name = "identification_response" },
    { type = 130, name = "sgsn_context_request" },
    { type = 131, name = "sgsn_context_response" },
    { type = 132, name = "sgsn_context_ack" },
    { type = 133, name = "forward_relocation_request" },
    { type = 134, name = "forward_relocation_response" },
    { type = 135, name = "forward_relocation_complete" },
    { type = 136, name = "forward_relocation_complete_ack" },
    { type = 137, name = "forward_access" },
    { type = 138, name = "forward_access_ack" },
    { type = 139, name = "relocation_cancel_request" },
    { type = 140, name = "relocation_cancel_response" },
    { type = 141, name = "configuration_transfer_tunnel" },

    -- detach, paging, alerts, UE activity
    { type = 149, name = "detach" },
    { type = 150, name = "detach_ack" },
    { type = 151, name = "cs_paging" },
    { type = 152, name = "ran_info_relay" },
    { type = 153, name = "alert_mme" },
    { type = 154, name = "alert_mme_ack" },
    { type = 155, name = "ue_activity" },
    { type = 156, name = "ue_activity_ack" },

    -- forwarding tunnels, suspend/resume, access bearers
    { type = 160, name = "create_forward_tunnel_request" },
    { type = 161, name = "create_forward_tunnel_response" },
    { type = 162, name = "suspend" },
    { type = 163, name = "suspend_ack" },
    { type = 164, name = "resume" },
    { type = 165, name = "resume_ack" },
    { type = 166, name = "create_indirect_forward_tunnel_request" },
    { type = 167, name = "create_indirect_forward_tunnel_response" },
    { type = 168, name = "delete_indirect_forward_tunnel_request" },
    { type = 169, name = "delete_indirect_forward_tunnel_response" },
    { type = 170, name = "release_access_bearer_request" },
    { type = 171, name = "release_access_bearer_response" },

    { type = 176, name = "downlink_data" },
    { type = 177, name = "downlink_data_ack" },

    { type = 179, name = "pgw_restart" },
    { type = 180, name = "pgw_restart_ack" },

    { type = 200, name = "update_pdn_request" },
    { type = 201, name = "update_pdn_response" },

    { type = 211, name = "modify_access_bearer_request" },
    { type = 212, name = "modify_access_bearer_response" },

    -- MBMS session
    { type = 231, name = "mbms_session_start_request" },
    { type = 232, name = "mbms_session_start_response" },
    { type = 233, name = "mbms_session_update_request" },
    { type = 234, name = "mbms_session_update_response" },
    { type = 235, name = "mbms_session_stop_request" },
    { type = 236, name = "mbms_session_stop_response" },
}
00729
-- GTP version 0 information elements: numeric type, name and length.
-- length = 0 indicates variable length.
-- NOTE(review): the fixed lengths are presumably what the inspector checks
-- each element against. Confirm against the gtp documentation before
-- editing them.
gtp_v0_info =
{
    { type =   1, name = "cause",                 length = 2 },
    { type =   2, name = "imsi",                  length = 9 },
    { type =   3, name = "rai",                   length = 7 },
    { type =   4, name = "tlli",                  length = 5 },
    { type =   5, name = "p_tmsi",                length = 5 },
    { type =   6, name = "qos",                   length = 4 },

    { type =   8, name = "recording_required",    length = 2 },
    { type =   9, name = "authentication",        length = 29 },

    { type =  11, name = "map_cause",             length = 2 },
    { type =  12, name = "p_tmsi_sig",            length = 4 },
    { type =  13, name = "ms_validated",          length = 2 },
    { type =  14, name = "recovery",              length = 2 },
    { type =  15, name = "selection_mode",        length = 2 },
    { type =  16, name = "flow_label_data_1",     length = 3 },
    { type =  17, name = "flow_label_signalling", length = 3 },
    { type =  18, name = "flow_label_data_2",     length = 4 },
    { type =  19, name = "ms_unreachable",        length = 2 },

    { type = 127, name = "charge_id",             length = 5 },

    -- variable-length elements
    { type = 128, name = "end_user_address",      length = 0 },
    { type = 129, name = "mm_context",            length = 0 },
    { type = 130, name = "pdp_context",           length = 0 },
    { type = 131, name = "apn",                   length = 0 },
    { type = 132, name = "protocol_config",       length = 0 },
    { type = 133, name = "gsn",                   length = 0 },
    { type = 134, name = "msisdn",                length = 0 },

    { type = 251, name = "charging_gateway_addr", length = 0 },

    { type = 255, name = "private_extension",     length = 0 },
}
00767
---------------------------------------------------------------------------
-- GTPv1 information elements
--
-- Used by default_gtp as the `infos` list for version 1.  Each entry gives
-- the element's numeric type, the name it is known by, and a length.
--
-- NOTE(review): length = 0 presumably marks a variable-length element with
-- no fixed size to check, and a non-zero length the exact size expected on
-- the wire; confirm against the gtp inspector documentation before editing.
-- A wrong fixed length would presumably either hide or spuriously flag
-- malformed elements.
--
-- Type numbers with no entry in this list: 6-7, 10, 30-126, 172, 176,
-- 207-250 and 252-254.
---------------------------------------------------------------------------
gtp_v1_info =
{
    -- types 1-29: every entry carries a non-zero length
    { type = 1, name = "cause", length = 2 },
    { type = 2, name = "imsi", length = 9 },
    { type = 3, name = "rai", length = 7 },
    { type = 4, name = "tlli", length = 5 },
    { type = 5, name = "p_tmsi", length = 5 },

    { type = 8, name = "recording_required", length = 2 },
    { type = 9, name = "authentication", length = 29 },

    { type = 11, name = "map_cause", length = 2 },
    { type = 12, name = "p_tmsi_sig", length = 4 },
    { type = 13, name = "ms_validated", length = 2 },
    { type = 14, name = "recovery", length = 2 },
    { type = 15, name = "selection_mode", length = 2 },
    { type = 16, name = "teid_1", length = 5 },
    { type = 17, name = "teid_control", length = 5 },
    { type = 18, name = "teid_2", length = 6 },
    { type = 19, name = "teardown_ind", length = 2 },
    { type = 20, name = "nsapi", length = 2 },
    { type = 21, name = "ranap", length = 2 },
    { type = 22, name = "rab_context", length = 10 },
    { type = 23, name = "radio_priority_sms", length = 2 },
    { type = 24, name = "radio_priority", length = 2 },
    { type = 25, name = "packet_flow_id", length = 3 },
    { type = 26, name = "charging_char", length = 3 },
    { type = 27, name = "trace_ref", length = 3 },
    { type = 28, name = "trace_type", length = 3 },
    { type = 29, name = "ms_unreachable", length = 2 },

    -- types 127 and up: length is 0 except for 127, 150, 181, 187, 197, 205
    { type = 127, name = "charge_id", length = 5 },
    { type = 128, name = "end_user_address", length = 0 },
    { type = 129, name = "mm_context", length = 0 },
    { type = 130, name = "pdp_context", length = 0 },
    { type = 131, name = "apn", length = 0 },
    { type = 132, name = "protocol_config", length = 0 },
    { type = 133, name = "gsn", length = 0 },
    { type = 134, name = "msisdn", length = 0 },
    { type = 135, name = "qos", length = 0 },
    { type = 136, name = "authentication_qu", length = 0 },
    { type = 137, name = "tft", length = 0 },
    { type = 138, name = "target_id", length = 0 },
    { type = 139, name = "utran_trans", length = 0 },
    { type = 140, name = "rab_setup", length = 0 },
    { type = 141, name = "ext_header", length = 0 },
    { type = 142, name = "trigger_id", length = 0 },
    { type = 143, name = "omc_id", length = 0 },
    { type = 144, name = "ran_trans", length = 0 },
    { type = 145, name = "pdp_context_pri", length = 0 },
    { type = 146, name = "addi_rab_setup", length = 0 },
    { type = 147, name = "sgsn_number", length = 0 },
    { type = 148, name = "common_flag", length = 0 },
    { type = 149, name = "apn_restriction", length = 0 },
    { type = 150, name = "radio_priority_lcs", length = 4 },
    { type = 151, name = "rat_type", length = 0 },
    { type = 152, name = "user_loc_info", length = 0 },
    { type = 153, name = "ms_time_zone", length = 0 },
    { type = 154, name = "imei_sv", length = 0 },
    { type = 155, name = "camel", length = 0 },
    { type = 156, name = "mbms_ue_context", length = 0 },
    { type = 157, name = "tmp_mobile_group_id", length = 0 },
    { type = 158, name = "rim_routing_addr", length = 0 },
    { type = 159, name = "mbms_config", length = 0 },
    { type = 160, name = "mbms_service_area", length = 0 },
    { type = 161, name = "src_rnc_pdcp", length = 0 },
    { type = 162, name = "addi_trace_info", length = 0 },
    { type = 163, name = "hop_counter", length = 0 },
    { type = 164, name = "plmn_id", length = 0 },
    { type = 165, name = "mbms_session_id", length = 0 },
    { type = 166, name = "mbms_2g3g_indicator", length = 0 },
    { type = 167, name = "enhanced_nsapi", length = 0 },
    { type = 168, name = "mbms_session_duration", length = 0 },
    { type = 169, name = "addi_mbms_trace_info", length = 0 },
    { type = 170, name = "mbms_session_repetition_num", length = 0 },
    { type = 171, name = "mbms_time_to_data", length = 0 },

    -- 172 and 176 have no entry
    { type = 173, name = "bss", length = 0 },
    { type = 174, name = "cell_id", length = 0 },
    { type = 175, name = "pdu_num", length = 0 },
    { type = 177, name = "mbms_bearer_capab", length = 0 },
    { type = 178, name = "rim_routing_disc", length = 0 },
    { type = 179, name = "list_pfc", length = 0 },
    { type = 180, name = "ps_xid", length = 0 },
    { type = 181, name = "ms_info_change_report", length = 4 },
    { type = 182, name = "direct_tunnel_flags", length = 0 },
    { type = 183, name = "correlation_id", length = 0 },
    { type = 184, name = "bearer_control_mode", length = 0 },
    { type = 185, name = "mbms_flow_id", length = 0 },
    { type = 186, name = "mbms_ip_multicast", length = 0 },
    { type = 187, name = "mbms_distribution_ack", length = 4 },
    { type = 188, name = "reliable_inter_rat_handover", length = 0 },
    { type = 189, name = "rfsp_index", length = 0 },
    { type = 190, name = "fqdn", length = 0 },
    { type = 191, name = "evolved_allocation1", length = 0 },
    { type = 192, name = "evolved_allocation2", length = 0 },
    { type = 193, name = "extended_flags", length = 0 },
    { type = 194, name = "uci", length = 0 },
    { type = 195, name = "csg_info", length = 0 },
    { type = 196, name = "csg_id", length = 0 },
    { type = 197, name = "cmi", length = 4 },
    { type = 198, name = "apn_ambr", length = 0 },
    { type = 199, name = "ue_network", length = 0 },
    { type = 200, name = "ue_ambr", length = 0 },
    { type = 201, name = "apn_ambr_nsapi", length = 0 },
    { type = 202, name = "ggsn_backoff_timer", length = 0 },
    { type = 203, name = "signalling_priority_indication", length = 0 },
    { type = 204, name = "signalling_priority_indication_nsapi", length = 0 },
    { type = 205, name = "high_bitrate", length = 4 },
    { type = 206, name = "max_mbr", length = 0 },

    { type = 251, name = "charging_gateway_addr", length = 0 },

    { type = 255, name = "private_extension", length = 0 },
}
00883
---------------------------------------------------------------------------
-- GTPv2 information elements
--
-- Used by default_gtp as the `infos` list for version 2.  Same entry layout
-- as the other gtp info tables: numeric type, name, length.  Every entry in
-- this table has length = 0.
--
-- NOTE(review): length = 0 presumably means no fixed size is enforced for
-- the element; confirm against the gtp inspector documentation.
--
-- Type numbers with no entry in this list: 4-70, 98, 102, 122, 130 and
-- 162-254.
---------------------------------------------------------------------------
gtp_v2_info =
{
    { type = 1, name = "imsi", length = 0 },
    { type = 2, name = "cause", length = 0 },
    { type = 3, name = "recovery", length = 0 },

    { type = 71, name = "apn", length = 0 },
    { type = 72, name = "ambr", length = 0 },
    { type = 73, name = "ebi", length = 0 },
    { type = 74, name = "ip_addr", length = 0 },
    { type = 75, name = "mei", length = 0 },
    { type = 76, name = "msisdn", length = 0 },
    { type = 77, name = "indication", length = 0 },
    { type = 78, name = "pco", length = 0 },
    { type = 79, name = "paa", length = 0 },
    { type = 80, name = "bearer_qos", length = 0 },
    { type = 81, name = "flow_qos", length = 0 },
    { type = 82, name = "rat_type", length = 0 },
    { type = 83, name = "serving_network", length = 0 },
    { type = 84, name = "bearer_tft", length = 0 },
    { type = 85, name = "tad", length = 0 },
    { type = 86, name = "uli", length = 0 },
    { type = 87, name = "f_teid", length = 0 },
    { type = 88, name = "tmsi", length = 0 },
    { type = 89, name = "cn_id", length = 0 },
    { type = 90, name = "s103pdf", length = 0 },
    { type = 91, name = "s1udf", length = 0 },
    { type = 92, name = "delay_value", length = 0 },
    { type = 93, name = "bearer_context", length = 0 },
    { type = 94, name = "charging_id", length = 0 },
    { type = 95, name = "charging_char", length = 0 },
    { type = 96, name = "trace_info", length = 0 },
    { type = 97, name = "bearer_flag", length = 0 },

    { type = 99, name = "pdn_type", length = 0 },
    { type = 100, name = "pti", length = 0 },
    { type = 101, name = "drx_parameter", length = 0 },

    { type = 103, name = "gsm_key_tri", length = 0 },
    { type = 104, name = "umts_key_cipher_quin", length = 0 },
    { type = 105, name = "gsm_key_cipher_quin", length = 0 },
    { type = 106, name = "umts_key_quin", length = 0 },
    { type = 107, name = "eps_quad", length = 0 },
    { type = 108, name = "umts_key_quad_quin", length = 0 },
    { type = 109, name = "pdn_connection", length = 0 },
    { type = 110, name = "pdn_number", length = 0 },
    { type = 111, name = "p_tmsi", length = 0 },
    { type = 112, name = "p_tmsi_sig", length = 0 },
    { type = 113, name = "hop_counter", length = 0 },
    { type = 114, name = "ue_time_zone", length = 0 },
    { type = 115, name = "trace_ref", length = 0 },
    { type = 116, name = "complete_request_msg", length = 0 },
    { type = 117, name = "guti", length = 0 },
    { type = 118, name = "f_container", length = 0 },
    { type = 119, name = "f_cause", length = 0 },
    { type = 120, name = "plmn_id", length = 0 },
    { type = 121, name = "target_id", length = 0 },

    { type = 123, name = "packet_flow_id", length = 0 },
    -- The name below is spelled "rab_contex" in this table (the GTPv1 table
    -- uses "rab_context"); anything that refers to the element by name
    -- presumably has to use this exact spelling.
    { type = 124, name = "rab_contex", length = 0 },
    { type = 125, name = "src_rnc_pdcp", length = 0 },
    { type = 126, name = "udp_src_port", length = 0 },
    { type = 127, name = "apn_restriction", length = 0 },
    { type = 128, name = "selection_mode", length = 0 },
    { type = 129, name = "src_id", length = 0 },

    { type = 131, name = "change_report_action", length = 0 },
    { type = 132, name = "fq_csid", length = 0 },
    { type = 133, name = "channel", length = 0 },
    { type = 134, name = "emlpp_pri", length = 0 },
    { type = 135, name = "node_type", length = 0 },
    { type = 136, name = "fqdn", length = 0 },
    { type = 137, name = "ti", length = 0 },
    { type = 138, name = "mbms_session_duration", length = 0 },
    { type = 139, name = "mbms_service_area", length = 0 },
    { type = 140, name = "mbms_session_id", length = 0 },
    { type = 141, name = "mbms_flow_id", length = 0 },
    { type = 142, name = "mbms_ip_multicast", length = 0 },
    { type = 143, name = "mbms_distribution_ack", length = 0 },
    { type = 144, name = "rfsp_index", length = 0 },
    { type = 145, name = "uci", length = 0 },
    { type = 146, name = "csg_info", length = 0 },
    { type = 147, name = "csg_id", length = 0 },
    { type = 148, name = "cmi", length = 0 },
    { type = 149, name = "service_indicator", length = 0 },
    { type = 150, name = "detach_type", length = 0 },
    { type = 151, name = "ldn", length = 0 },
    { type = 152, name = "node_feature", length = 0 },
    { type = 153, name = "mbms_time_to_transfer", length = 0 },
    { type = 154, name = "throttling", length = 0 },
    { type = 155, name = "arp", length = 0 },
    { type = 156, name = "epc_timer", length = 0 },
    { type = 157, name = "signalling_priority_indication", length = 0 },
    { type = 158, name = "tmgi", length = 0 },
    { type = 159, name = "mm_srvcc", length = 0 },
    { type = 160, name = "flags_srvcc", length = 0 },
    { type = 161, name = "mmbr", length = 0 },

    { type = 255, name = "private_extension", length = 0 },
}
00984
-- Default gtp configuration: one entry per GTP version (0, 1, 2), each
-- pairing that version's message table with its information-element table.
-- The gtp_v*_msg and gtp_v*_info tables must already be defined when this
-- assignment runs, otherwise the corresponding field is nil.
default_gtp =
{
    {
        version = 0,
        messages = gtp_v0_msg,
        infos = gtp_v0_info,
    },
    {
        version = 1,
        messages = gtp_v1_msg,
        infos = gtp_v1_info,
    },
    {
        version = 2,
        messages = gtp_v2_msg,
        infos = gtp_v2_info,
    },
}
00991
00992 ---------------------------------------------------------------------------
00993 -- port_scan defaults
00994 ---------------------------------------------------------------------------
00995
-- Threshold tables referenced by the default_{low,med,hi}_port_scan
-- configurations.  Names follow <protocol>_<sensitivity>_<category>; every
-- table carries the same four counters: scans, rejects, nets, ports.
--
-- NOTE(review): the counters are presumably the per-window event counts at
-- which the port_scan module reports a scan -- confirm each field's meaning
-- against the port_scan reference before tuning.  These values trade
-- detection sensitivity against alert volume, so re-validate any change
-- against local traffic.

-- TCP, low sensitivity (scans = 0 in every low table)
tcp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
tcp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
tcp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
tcp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }

-- TCP, medium sensitivity
tcp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
tcp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
tcp_med_sweep = { scans = 30, rejects = 7, nets = 7, ports = 10 }
tcp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }

-- TCP, high sensitivity
tcp_hi_ports = { scans = 200, rejects = 5, nets = 100, ports = 10 }
tcp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
tcp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
tcp_hi_dist = { scans = 200, rejects = 5, nets = 200, ports = 10 }

-- UDP, low sensitivity
udp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
udp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
udp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
udp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }

-- UDP, medium sensitivity
udp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
udp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
udp_med_sweep = { scans = 30, rejects = 5, nets = 5, ports = 20 }
udp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }

-- UDP, high sensitivity
udp_hi_ports = { scans = 200, rejects = 3, nets = 100, ports = 10 }
udp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
udp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
udp_hi_dist = { scans = 200, rejects = 3, nets = 200, ports = 10 }

-- IP protocol scans, low sensitivity
ip_low_proto = { scans = 0, rejects = 10, nets = 10, ports = 50 }
ip_low_decoy = { scans = 0, rejects = 40, nets = 50, ports = 25 }
ip_low_sweep = { scans = 0, rejects = 10, nets = 10, ports = 10 }
ip_low_dist = { scans = 0, rejects = 15, nets = 25, ports = 50 }

-- IP protocol scans, medium sensitivity
ip_med_proto = { scans = 200, rejects = 10, nets = 10, ports = 50 }
ip_med_decoy = { scans = 200, rejects = 40, nets = 50, ports = 25 }
ip_med_sweep = { scans = 30, rejects = 10, nets = 10, ports = 10 }
ip_med_dist = { scans = 200, rejects = 15, nets = 25, ports = 50 }

-- IP protocol scans, high sensitivity
ip_hi_proto = { scans = 200, rejects = 3, nets = 3, ports = 10 }
ip_hi_decoy = { scans = 200, rejects = 7, nets = 15, ports = 5 }
ip_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 7 }
ip_hi_dist = { scans = 200, rejects = 3, nets = 11, ports = 10 }

-- ICMP: only a sweep table is defined per sensitivity level
icmp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 5 }
icmp_med_sweep = { scans = 20, rejects = 5, nets = 5, ports = 5 }
icmp_hi_sweep = { scans = 10, rejects = 3, nets = 3, ports = 5 }
01044
-- High-sensitivity port_scan configuration: all protocols and scan types,
-- a window of 600 for every protocol, and the *_hi_* threshold tables.
-- NOTE(review): the *_window values are presumably detection intervals in
-- seconds -- confirm against the port_scan reference.  This profile has the
-- longest window of the three defaults, so it presumably keeps the most
-- tracking state and produces the most alerts; review alert volume before
-- enabling it on busy segments.
default_hi_port_scan =
{
    -- scope
    protos = 'all',
    scan_types = 'all',

    -- detection windows
    tcp_window = 600,
    udp_window = 600,
    ip_window = 600,
    icmp_window = 600,

    -- TCP thresholds
    tcp_ports = tcp_hi_ports,
    tcp_decoy = tcp_hi_decoy,
    tcp_sweep = tcp_hi_sweep,
    tcp_dist = tcp_hi_dist,

    -- UDP thresholds
    udp_ports = udp_hi_ports,
    udp_decoy = udp_hi_decoy,
    udp_sweep = udp_hi_sweep,
    udp_dist = udp_hi_dist,

    -- IP protocol thresholds
    ip_proto = ip_hi_proto,
    ip_decoy = ip_hi_decoy,
    ip_sweep = ip_hi_sweep,
    ip_dist = ip_hi_dist,

    -- ICMP thresholds
    icmp_sweep = icmp_hi_sweep,
}
01072
-- Medium-sensitivity port_scan configuration: all protocols and scan types,
-- a window of 90 for every protocol, and the *_med_* threshold tables.
-- NOTE(review): the *_window values are presumably detection intervals in
-- seconds -- confirm against the port_scan reference.
default_med_port_scan =
{
    -- scope
    protos = 'all',
    scan_types = 'all',

    -- detection windows
    tcp_window = 90,
    udp_window = 90,
    ip_window = 90,
    icmp_window = 90,

    -- TCP thresholds
    tcp_ports = tcp_med_ports,
    tcp_decoy = tcp_med_decoy,
    tcp_sweep = tcp_med_sweep,
    tcp_dist = tcp_med_dist,

    -- UDP thresholds
    udp_ports = udp_med_ports,
    udp_decoy = udp_med_decoy,
    udp_sweep = udp_med_sweep,
    udp_dist = udp_med_dist,

    -- IP protocol thresholds
    ip_proto = ip_med_proto,
    ip_decoy = ip_med_decoy,
    ip_sweep = ip_med_sweep,
    ip_dist = ip_med_dist,

    -- ICMP thresholds
    icmp_sweep = icmp_med_sweep,
}
01100
-- Low-sensitivity port_scan configuration: all protocols and scan types,
-- a window of 60 for every protocol, and the *_low_* threshold tables.
-- NOTE(review): the *_window values are presumably detection intervals in
-- seconds -- confirm against the port_scan reference.  Every *_low_* table
-- sets scans = 0; check what a zero threshold means to the module before
-- relying on this profile to catch scans that draw no rejections.
default_low_port_scan =
{
    -- scope
    protos = 'all',
    scan_types = 'all',

    -- detection windows
    tcp_window = 60,
    udp_window = 60,
    ip_window = 60,
    icmp_window = 60,

    -- TCP thresholds
    tcp_ports = tcp_low_ports,
    tcp_decoy = tcp_low_decoy,
    tcp_sweep = tcp_low_sweep,
    tcp_dist = tcp_low_dist,

    -- UDP thresholds
    udp_ports = udp_low_ports,
    udp_decoy = udp_low_decoy,
    udp_sweep = udp_low_sweep,
    udp_dist = udp_low_dist,

    -- IP protocol thresholds
    ip_proto = ip_low_proto,
    ip_decoy = ip_low_decoy,
    ip_sweep = ip_low_sweep,
    ip_dist = ip_low_dist,

    -- ICMP thresholds
    icmp_sweep = icmp_low_sweep,
}
01128