# $Id: netward.conf,v 1.15 2009/03/29 19:15:44 jayrfink Exp $

# FILTER ----------------------------------------------------------------------
# This is the pcap filter passed to netward every time it starts up. It can
# be very involved and take a lot of time to figure out.
#
# XXX-IMPORTANT-XXX - you _must_ exclude either your local network or the
# interface IP address as a source, otherwise we may flag ourselves as an
# offender. Also be sure to exclude ports that are actually in use.
#
# All of that said, there are some recipe examples below for your perusal.
# You can try out your filters right from the command line - after all of
# the options have been entered just enter the filter string - double quotes
# are not needed when invoking directly.

# WORKSTATION
# Single workstation that is for some reason connected to the internet and
# on a private network of 192.168.1.0.
# NOTE(review): as written this filter does NOT exclude the 192.168.1.0
# network or the interface address that the IMPORTANT note above requires,
# so local traffic on any port other than 22 can be flagged. Consider
# appending `and not net 192.168.1.0/24` or `and not host <interface-ip>`
# (substitute your own address) before relying on it.
FILTER = "not port 22"

# SIMPLE WEBSERVER
# Simple DMZ'd webserver on the 172.16 network with ports 80 and 22 open.
# `net 172.16` matches 172.16.0.0/16 as a whole.
#FILTER = "portrange 2-1024 and not net 172.16 and not port 80 and not port 22"

# EXCLUDE AN UPDATE SITE
# An admin webserver with ports 22 and 8080 open that needs to be able to
# talk to a Debian update server.
# NOTE(review): `host <name>` is resolved to address(es) when the filter is
# compiled, i.e. at startup; if the update site's address later changes the
# exclusion goes stale until netward is restarted. Note also that this
# example excludes port 80 rather than the 8080 mentioned above - confirm
# which port is intended before copying it.
#FILTER = "portrange 2-1024 and not port 22 and not port 80 and not host updates.debian.org"

# INTERFACE -------------------------------------------------------------------
# The short device name for the interface to listen on. This is equivalent to
# the -I option of the command line but is here for convenience.

# OS X default
#INTERFACE = "en0"

# Linux default
INTERFACE = "eth0"

# FreeBSD on VMware
#INTERFACE = "em0"

# TIMERS ----------------------------------------------------------------------
# These are the timer and sampler rates. They can be very tricky depending
# upon the exposure of your host to the wild (or a noisy local network :)
# The timing is not precise - it is fuzzed by system and network load.

# INTERVAL is the time between reading off samples from the tcp buffers.
# Also specified with the -i option. Units are not stated in this file -
# presumably seconds; confirm against netward's documentation.
INTERVAL = "30"

# POLLS is the number of samples read out of the buffers per interval poll.
# Also specified with the -s option. (An earlier revision of this comment
# called this setting SAMPLES; the key netward reads here is POLLS.)
POLLS = "32"

# THRESHOLD is not described in this file. NOTE(review): presumably the count
# at which a source is flagged as an offender - confirm against netward's
# documentation before tuning it.
THRESHOLD = "16"