forked from cybermaggedon/cyberprobe
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.xml
92 lines (70 loc) · 3.2 KB
/
config.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<?xml version="1.0" encoding="ISO-8859-1"?>
<configuration>
<!-- Management port. Uncomment to enable. -->
<!--
<control port="8888" username="x" password="x"/>
-->
<!-- Set of interfaces to use for collection. -->
<interfaces>
<!-- filter element is optional. Can be used to make sure you don't
sniff the outbound streams. -->
<interface name="eth0" filter="not port 10001 and not port 10002"/>
<interface name="eth1"/>
</interfaces>
<!-- Statically targeted addresses. -->
<targets>
<target address="192.168.1.1" liid="123456"/>
<target address="192.168.1.2" liid="123981"/>
<target address="10.2.0.0/16" liid="9123780"/>
<target address="10.1.1.0" liid="591875"/>
<target address="10.1.1.2" liid="492895"/>
<target address="10.1.1.3" liid="591875"/>
<target address="10.1.1.4" liid="591875"/>
<target address="10.1.1.5" liid="591875"/>
<target address="10.1.1.6" liid="591875"/>
<target address="10.1.1.7" liid="591875"/>
<target address="10.1.1.8" liid="591875"/>
<target address="10.1.1.9" liid="591875"/>
<target address="10.1.1.10" liid="591875"/>
<target address="aaaa:bbbb:cccc:dddd::4:5:6" class="ipv6" liid="983898"/>
<target address="aaaa:bbbb:cccc::/48" class="ipv6" liid="983898"/>
</targets>
<!-- Endpoints for delivery of collected packets. -->
<endpoints>
<!-- Send collected packets to monitor1:10001 in NHIS 1.1 stream. -->
<endpoint hostname="monitor1" port="10001" type="nhis1.1"/>
<!-- Send collected packets to monitor2:10002 in ETSI LI stream. -->
<endpoint hostname="monitor2" port="10002" type="etsi"/>
</endpoints>
<!-- Set of parameters, primarily used to configure the metadata in
ETSI LI metadata. -->
<parameters>
<!-- Value used for deliveryCountryCode and authorizationCountryCode
in LI PS PDU. Should be 2-character string. -->
<parameter key="country" value="DE"/>
<!-- Value used for operatorIdentifier in LI PS PDU. A string up to 16
characters. -->
<parameter key="operator" value="Cyber"/>
<!-- Value used for networkElementIdentifier in LI PS PDU. String up
to 16 characters in length. -->
<parameter key="network_element" value="10.8.2.4"/>
<!-- Value used for interceptionPointID in LI PS PDU. String up
to 8 characters in length. -->
<parameter key="interception_point" value="abcd1234"/>
<!-- Username values used in IPIRI connection. Key form is
"username." plus the LIID -->
<parameter key="username.123456" value="[email protected]"/>
<parameter key="username.123981" value="[email protected]"/>
<parameter key="username.981235" value="[email protected]"/>
<!-- Parameters in this form are used select the LIID which is used
when packets are collected on Snort alerts. Basically, this maps
the Snort signature ID to a LIID. -->
<parameter key="snort.1.liid" value="SNORT1"/>
<parameter key="snort.2.liid" value="SNORT2"/>
</parameters>
<!-- Optional element. Listens for Snort alerts, and dynamically targets
addresses for 60 seconds. -->
<!--
<snort_alert socket="/var/log/snort/snort_alert" duration="60"/>
-->
</configuration>