constcast
/
vermont
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vermont/configs/analysis/rbsworm_vermont.xml

142 lines
3.2 KiB
XML
Raw Blame History

<ipfixConfig>
<sensorManager id="99">
<checkinterval>1</checkinterval>
</sensorManager>
<observer id="1">
<interface>eth1</interface>
<pcap_filter>ip</pcap_filter>
<next>3</next>
</observer>
<packetQueue id="3">
<maxSize>1000</maxSize>
<next>6</next>
</packetQueue>
<packetAggregator id="6">
<rule>
<templateId>998</templateId>
<flowKey>
<ieName>sourceIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>destinationIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>protocolIdentifier</ieName>
</flowKey>
<flowKey>
<ieName>sourceTransportPort</ieName>
</flowKey>
<flowKey>
<ieName>destinationTransportPort</ieName>
</flowKey>
<nonFlowKey>
<ieName>flowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>flowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>octetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>packetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>tcpControlBits</ieName>
</nonFlowKey>
</rule>
<expiration>
<inactiveTimeout unit="sec">10</inactiveTimeout>
<activeTimeout unit="sec">60</activeTimeout>
</expiration>
<pollInterval unit="msec">1000</pollInterval>
<next>7</next>
</packetAggregator>
<ipfixAggregator id="7">
<rule>
<templateId>998</templateId>
<biflowAggregation>1</biflowAggregation>
<flowKey>
<ieName>sourceIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>destinationIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>protocolIdentifier</ieName>
</flowKey>
<flowKey>
<ieName>sourceTransportPort</ieName>
</flowKey>
<flowKey>
<ieName>destinationTransportPort</ieName>
</flowKey>
<nonFlowKey>
<ieName>flowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>flowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>octetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>packetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>tcpControlBits</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowStartMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowEndMilliSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revoctetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revpacketDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revtcpControlBits</ieName>
</nonFlowKey>
</rule>
<expiration>
<inactiveTimeout unit="sec">10</inactiveTimeout>
<activeTimeout unit="sec">1</activeTimeout>
</expiration>
<pollInterval unit="msec">1000</pollInterval>
<next>2</next>
</ipfixAggregator>
<ipfixQueue id="2">
<maxSize>1000</maxSize>
<next>8</next>
</ipfixQueue>
<rbsWormDetector id="8">
<analyzerid>rbswormdetector</analyzerid>
<idmeftemplate>idmef/templates/rbsdetector_template.xml</idmeftemplate>
<hashbits>20</hashbits>
<subnet>131.188.0.0/16</subnet>
<timeexpirepending>1800</timeexpirepending>
<timeexpireworm>1800</timeexpireworm>
<timeexpirebenign>601</timeexpirebenign>
<timeadaptinterval>600</timeadaptinterval>
<timecleanupinterval>300</timecleanupinterval>
<lambdaratio>4</lambdaratio>
<next>9</next>
</rbsWormDetector>
<idmefExporter id="9">
<sendurl>http://localhost</sendurl>
<destdir>idmef_work</destdir>
</idmefExporter>
</ipfixConfig>
Reference in New Issue View Git Blame Copy Permalink