ntop-rules man page on IRIX


NTOP-RULES(8)					    NTOP-RULES(8)

NAME
       ntop filter rules

DESCRIPTION
       ntop allows users to specify rules with which traffic should
       comply. If traffic does not comply, ntop emits alerts according
       to the specified rules. Contrary to the rules used with packet
       filtering tools and firewall toolkits, ntop rules do not specify
       explicit addresses/subnets: they are general and apply to every
       host whose traffic is monitored by ntop.

       Comment lines start with '#'. Each rule has the following
       format: "protocol rule-label rule-options".

       protocol
        It can be tcp, udp, or icmp.

       rule-label
        A word, unique among the specified rules, that identifies
        the rule.

       rule-options
        Options vary according to the specified protocol. The
        order of the options is very important. Supported options
        are:

       revert
        This keyword specifies that the rule matches with the
        shost/sport and dhost/dport arguments of a previous rule
        reversed. For instance, if a rule matched an ICMP echo and
        this rule is used to catch the ICMP echo reply, then the
        revert keyword has to be used.

       shost/sport dhost/dport
        This specifies where the matching packet originates from
        and where it is destined. In the case of ICMP packets only
        shost/dhost is used. Possible values for shost and dhost
        are: any (any host), broadcast (a broadcast address),
        multicast (a multicast address), gateway (a host that ntop
        has identified as a gateway because it has been used by
        other hosts for routing packets), dns (a host that ntop
        has identified as a DNS server because it has been used by
        other hosts for mapping addresses). Negation (not) is
        specified using '!' (for instance !gateway). Please note
        that '!any' is an invalid combination. As far as sport and
        dport are concerned, valid values are any (any port), !any
        (any port of the target host, no matter whether the target
        port matches the port of the previous packet matching this
        rule), usedport (a port on which ntop has seen traffic
        before), and !usedport (a port on which ntop has not seen
        traffic before).

       flags
        TCP packets can have some flags set. The syntax used for
        flags is a string made of one (or more) of the following
        chars: F (FIN), P (PUSH), A (ACK), S (SYN), and R (RESET).
        For instance "flags AP" is a valid statement.

       ICMP type
	ICMP  rules  need  to specify the ICMP packet type. Valid
	types  are:  ICMP_ECHOREPLY,   ICMP_ECHO,   ICMP_UNREACH,
	ICMP_REDIRECT,	    ICMP_ROUTERADVERT,	   ICMP_TIMXCEED,
	ICMP_PARAMPROB,	      ICMP_MASKREPLY,	    ICMP_MASKREQ,
	ICMP_INFO_REQUEST,    ICMP_INFO_REPLY,	  ICMP_TIMESTAMP,
	ICMP_TIMESTAMPREPLY, ICMP_SOURCE_QUENCH.

       type packet/fragment
	This statement is used to  restrict  the  match	 only  to
	packets	  or  fragments.  If  not  specified,  packet  is
	assumed.

       pktsize/pktcount operator value
        This statement is used to further restrict the match.
        Either pktsize (the size of the current packet) or
        pktcount (the number of packets that matched this rule so
        far) can be specified. The operator can be '<', '>', or
        '=', whereas value is an integer.

       unit seconds
        This statement specifies the amount of time during which
        the previous 'pktcount' match should occur. In other
        words, it specifies the amount of time in which ntop
        should receive the above specified number of packets
        matching this rule. For instance 'pktcount > 30 unit 10'
        means that ntop must capture at least 30 packets that
        match this rule within 10 seconds of the first match.

       action
        Valid actions, executed when the packet matches the rule,
        are: alarm (send out an alarm) and mark (mark this packet
        for future use).

       cleans rule-name
        The cleans keyword is used with mark (see above) for
        cleaning out packets marked using the rule rule-name. A
        packet cleans exactly one marked packet (if any). In case
        a packet has to clean all the packets marked using
        rule-name, the 'all' keyword can be specified after the
        rule-name.

       rearm seconds
        When a rule is matched, it might be necessary to specify
        that the rule is disabled for the current
        shost/sport/dhost/dport combination for the specified
        amount of time. This feature is useful to limit the number
        of matches within a specified amount of time.

EXAMPLES
       tcp syn any/any any/any flags S action mark expires 60
        Mark all the SYN packets (any/any means any source port
        to any destination port). If within 60 seconds they have
        not been cleared, an event is generated.

       tcp ack revert any/any any/any flags A clears syn all
        This rule clears the "syn" event (see above) entirely
        (i.e. if several "syn" events are waiting to be cleared,
        it clears all of them). The revert keyword means that the
        "ack" event clears the "syn" event if the shost/sport and
        dhost/dport are reversed (for instance if host A/sport X
        sends the "syn" event to host B/dport Y, then the "ack"
        event must be sent from host B/dport Y to host A/sport X).

       icmp route-advertisement ICMP_ROUTERADVERT !gateway/any action alarm
        If a host receives an ICMP Router Advertisement from a host
        that is not a gateway (or one of the gateways used so far),
        then an alarm is generated.

       udp new-port-open any/any any/!usedport action mark
        Notify when a host receives UDP traffic on a port on
        which ntop has observed no traffic before.

       udp udp-short-fragment any/any any/any type fragment pktsize < 256 action alarm

       tcp tcp-short-fragment any/any any/any type fragment pktsize < 256 action alarm
        Issue an alarm for fragments whose size is less than 256
        bytes.

       icmp ping-flood ICMP_ECHO any/any pktcount > 30 unit 10 action alarm rearm 90
        Send an alarm if a host receives more than 30 ICMP echo
        packets within 10 seconds. If the rule fires, it will not
        be re-enabled before 90 seconds have passed (this keeps
        ntop from sending too many alarms).

       tcp root-ftp any/ftp any/any contains
        Send an alarm when a user connects to an FTP server as
        root.

       tcp stealth-scan any/!any any/!any flags S pktcount > 3 unit 20 action alarm

       tcp session-reset any/!any any/!any flags R pktcount > 30 unit 20 action alarm rearm 10
        If a host receives more than 10 packets with the SYN flag
        set within 20 seconds, an alarm is generated. Note that
        "!any" means any port of the target host, no matter
        whether the target port matches the port of the previous
        packet that also had the SYN flag set.

       tcp tcp-nmap-scan any/!any any/!any flags SF action alarm
	This rule is used to identify nmap scans.
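       The rule grammar above, as an added example that is not code from ntop: a validator that checks each rule's protocol, endpoints, TCP flags and the documented option order, and rejects what the page calls invalid ('!any' as a host, misplaced options, flags on non-TCP rules). It implements only the documented keywords, so the undocumented "expires", "clears" and "contains", and the service-name port in "any/ftp", that appear in some examples above are rejected rather than guessed at.

```python
# Added example, not ntop's own code: a validator for the rule grammar documented above.
HOSTS, PORTS = {"any", "broadcast", "multicast", "gateway", "dns"}, {"any", "!any", "usedport", "!usedport"}
TCP_FLAGS = set("FPASR")  # FIN, PUSH, ACK, SYN, RESET
ICMP_TYPES = set("ICMP_ECHOREPLY ICMP_ECHO ICMP_UNREACH ICMP_REDIRECT ICMP_ROUTERADVERT "
    "ICMP_TIMXCEED ICMP_PARAMPROB ICMP_MASKREPLY ICMP_MASKREQ ICMP_INFO_REQUEST "
    "ICMP_INFO_REPLY ICMP_TIMESTAMP ICMP_TIMESTAMPREPLY ICMP_SOURCE_QUENCH".split())
OPTIONS = {  # keyword -> (argument count, check(args, rule)); dict order is the documented order
    "flags": (1, lambda a, r: r["protocol"] == "tcp" and set(a[0]) <= TCP_FLAGS),
    "type": (1, lambda a, r: a[0] in ("packet", "fragment")),
    "pktsize": (2, lambda a, r: a[0] in ("<", ">", "=") and a[1].isdigit()),
    "pktcount": (2, lambda a, r: a[0] in ("<", ">", "=") and a[1].isdigit()),
    "unit": (1, lambda a, r: a[0].isdigit()),
    "action": (1, lambda a, r: a[0] in ("alarm", "mark")),
    "cleans": (1, lambda a, r: True),  # "cleans rule-name"
    "all": (0, lambda a, r: "cleans" in r),  # "all" is only valid after cleans
    "rearm": (1, lambda a, r: a[0].isdigit()),
}

def endpoint(tok, proto):  # tcp/udp: host/port keyword; icmp: shost/dhost in one token
    left, sep, right = tok.partition("/")
    hosts = (left, right) if proto == "icmp" else (left,)  # one '!' per host; '!any' is invalid
    if not sep or (proto != "icmp" and right not in PORTS) or any(
            h == "!any" or h.count("!") > 1 or h.lstrip("!") not in HOSTS for h in hosts):
        raise ValueError("bad endpoint %r" % tok)
    return (left, right)

def parse_rule(line):
    t = line.split() + [""] * 3  # padding turns a truncated rule into a validation error below
    if t[0] not in ("tcp", "udp", "icmp"): raise ValueError("bad protocol in %r" % line)
    rule = {"protocol": t[0], "label": t[1], "revert": t[2] == "revert"}
    proto, rest = t[0], (t[3:] if rule["revert"] else t[2:])
    if proto == "icmp":  # ICMP rules: the ICMP type, then one shost/dhost token
        if rest[0] not in ICMP_TYPES: raise ValueError("bad ICMP type %r" % rest[0])
        rule["icmp_type"], rule["hosts"] = rest[0], endpoint(rest[1], proto)
    else:
        rule["src"], rule["dst"] = endpoint(rest[0], proto), endpoint(rest[1], proto)
    rest, pos = rest[2:], -1
    while rest[0]:  # the remaining options must follow the documented order; "" is the padding
        kw, (n, ok) = rest[0], OPTIONS.get(rest[0], (0, None))
        if not ok or list(OPTIONS).index(kw) <= pos: raise ValueError("unknown or misplaced option %r" % kw)
        args, pos = rest[1:1 + n], list(OPTIONS).index(kw)
        if not all(args) or not ok(args, rule): raise ValueError("bad or missing argument for %r" % kw)
        rule[kw] = int(args[0]) if kw in ("unit", "rearm") else args[0] if n == 1 else tuple(args) or True
        rest = rest[1 + n:]
    return rule

def parse_rules(text):  # '#' lines are comments; every rule-label must be unique
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and l.lstrip()[0] != "#"]
    if len({r["label"] for r in rules}) != len(rules): raise ValueError("duplicate rule-label")
    return rules
```

       Feeding a whole rules file through parse_rules before deploying it surfaces ordering and endpoint mistakes that would otherwise only show up as a rule that never fires.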

NOTES
       ntop is based on the libpcap library, which can be found at
       ftp://ftp.ee.lbl.gov/libpcap.tar.Z. The Win32 version makes
       use of libpcap for Win32, which can be downloaded from
       http://www.ntop.org/libpcap.html.

SEE ALSO
       ntop(8), ngrep(8)

AUTHOR
       Please  send  bug  reports  to  the  ntop   mailing   list
       <ntop@ntop.org>.	   ntop's    author    is    Luca    Deri
       <deri@ntop.org>.

			  February 2000		    NTOP-RULES(8)