#
# Sample configuration file for specter
#
# Each execution group (the same you specify with iptables options
# --ulog-nlgroup or --set-mark, depending on grouping method chosen)
# has its separate block, enclosed within curly brackets, so you can
# specify different options for different groups independently.
#
# Refer to specter.conf(5) manual for more information.
#
# This is a special block that sets the global options
global {
# loglevel: low value = verbose logging
loglevel 1
# logfile: can point to a file or to stdout/stderr (this applies
# to almost any file option in different plugins)
logfile /var/log/specter.log
# socket receive buffer size (should be at least the size of the
# in-kernel buffer, i.e. the ipt_ULOG 'nlbufsiz' parameter)
rmem 130K
# libipulog receive buffer size, should be > rmem
bufsize 150K
# grouping mode - can be netlink or nfmark
#grouping nfmark
# when not in netlink grouping mode, you can set a single nlgroup to listen to
#nlgroup 1
}
# This block sets paths to plugins
plugins {
BASE @libdir@/specter_BASE.so
LOCAL @libdir@/specter_LOCAL.so
HTTP @libdir@/specter_HTTP.so
PWSNIFF @libdir@/specter_PWSNIFF.so
OPRINT @libdir@/specter_OPRINT.so
PCAP @libdir@/specter_PCAP.so
LOGEMU @libdir@/specter_LOGEMU.so
MYSQL @libdir@/specter_MYSQL.so
PGSQL @libdir@/specter_PGSQL.so
SYSLOG @libdir@/specter_SYSLOG.so
EXEC @libdir@/specter_EXEC.so
}
# nlgroup 1, here used for debugging
1 {
# specter_BASE: most important input plugin, needed very often
:BASE
# specter_LOCAL: return current time and hostname
:LOCAL
# specter_HTTP: parses http requests and replies
:HTTP
# specter_PWSNIFF: looks for FTP/POP3 login information
:PWSNIFF
# specter_OPRINT: drops all packet info into a file
:OPRINT
# logfile: where to drop the packets
logfile /var/log/specter.oprint
}
# nlgroup 2, fast pcap dropping
2 {
:BASE
# specter_PCAP: save packets into pcap-style file
:PCAP
# logfile: where the packets should be saved
logfile /var/log/specter.pcap
# sync: forces file synchronization after every packet
# (boolean option, takes no argument)
sync
}
# nlgroup 3, logemu facility
3 {
:BASE
:LOCAL
# specter_LOGEMU: simulates the old netfilter LOG target
:LOGEMU
# where to save the packets
logfile /var/log/specter.logemu
# print tcp options?
#tcp_options
# print tcp sequence numbers?
#tcp_seq
# print ip options?
#ip_options
# print mac addresses?
mac_header
}
# nlgroup 4, mysql logging
# remove the leading hashes if you want it to work
#4 {
# :BASE
# :MYSQL
# db mydb
# host localhost
# user specter
# pass foobar
# table ip
# buffsize 2M
# ssl_enable
# ssl_key /etc/ssl/private/specter-key.pem
# ssl_cert /etc/ssl/private/specter-cert.pem
# ssl_ca /etc/ssl/certs/myca.pem
# ssl_capath /etc/ssl/certs
# ssl_cipher ALL:-AES:-EXP
#}
# nlgroup 5, log into syslog
5 {
:BASE
:LOCAL
# specter_SYSLOG: works like LOGEMU, but reports packets to syslog
:SYSLOG
# for valid facilities/levels see the documentation
facility daemon
level info
}
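The sample above documents the file format only through comments (named blocks in curly brackets, `:PLUGIN` lines that load a plugin into a group, `key value` options, bare boolean options such as `sync`, and sizes written with a K/M suffix) plus one constraint that is easy to get wrong, `bufsize` having to be larger than `rmem`. The following added example is not part of specter; it is a small parser and sanity checker written against the format as the sample shows it. The block layout and option names come from the sample; the rule that group names are numeric is an assumption drawn from the `nlgroup`/`--set-mark` wording, and the embedded configuration is constructed for the demonstration (one buffer-size mistake and one undeclared plugin).

```python
"""Parser and sanity checker for the specter.conf layout shown in the sample.

Added example, not specter's own code. Assumes: full-line '#' comments,
'name {' ... '}' blocks, ':PLUGIN' lines, 'key value' options, bare
boolean options, and sizes such as 130K / 2M.
"""
import re

# Constructed sample mirroring the page: bufsize is NOT larger than rmem
# (a mistake), and group 3 loads LOGEMU without declaring it in 'plugins'.
SAMPLE_CONF = """
global {
    loglevel 1
    logfile /var/log/specter.log
    rmem 130K
    bufsize 128K
}
plugins {
    BASE /usr/lib/specter/specter_BASE.so
    PCAP /usr/lib/specter/specter_PCAP.so
}
2 {
    :BASE
    :PCAP
    logfile /var/log/specter.pcap
    sync
}
3 {
    :BASE
    :LOGEMU
    logfile /var/log/specter.logemu
}
"""

_SIZE_RE = re.compile(r"^(\d+)([KMG]?)$", re.IGNORECASE)
_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value: str) -> int:
    """Turn '130K', '2M' or a bare number into a byte count."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad size value: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]


def parse_conf(text: str) -> dict:
    """Return {block_name: {'plugins': [names], 'options': {key: value}}}.

    A bare option (no argument) is stored as True, like 'sync' in the sample.
    """
    blocks, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        m = re.match(r"^(\w+)\s*\{$", line)
        if m:                                     # 'name {' opens a block
            if current is not None:
                raise ValueError(f"line {lineno}: nested block not allowed")
            current = {"plugins": [], "options": {}}
            blocks[m.group(1)] = current
            continue
        if line == "}":                           # closes the current block
            if current is None:
                raise ValueError(f"line {lineno}: '}}' without open block")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: directive outside a block")
        if line.startswith(":"):                  # ':BASE' loads a plugin
            current["plugins"].append(line[1:].strip())
            continue
        parts = line.split(None, 1)               # 'key value' or bare 'key'
        current["options"][parts[0]] = parts[1].strip() if len(parts) == 2 else True
    if current is not None:
        raise ValueError("unterminated block at end of file")
    return blocks


def check_conf(blocks: dict) -> list:
    """Return a list of human-readable problems; empty list means clean."""
    problems = []
    g = blocks.get("global", {}).get("options", {})
    if "rmem" in g and "bufsize" in g and parse_size(g["bufsize"]) <= parse_size(g["rmem"]):
        problems.append("global: bufsize must be larger than rmem")
    declared = set(blocks.get("plugins", {}).get("options", {}))
    for name, blk in blocks.items():
        if name in ("global", "plugins"):
            continue
        if not name.isdigit():                    # assumption: nlgroup/mark ids are numeric
            problems.append(f"{name}: group names are expected to be numeric")
        if not blk["plugins"]:
            problems.append(f"{name}: group loads no plugins")
        for plugin in blk["plugins"]:
            if plugin not in declared:
                problems.append(f"{name}: plugin {plugin} not declared in plugins block")
    return problems


if __name__ == "__main__":
    for problem in check_conf(parse_conf(SAMPLE_CONF)):
        print("WARNING:", problem)
```

Run it as a pre-flight check before restarting the daemon: it catches the buffer-size inversion and a plugin referenced in a group but missing from the `plugins` block, both of which the daemon would otherwise only reveal at runtime in its own log.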