Security Analyst Network Connection Profiler
SANCP (pronounced: săn-cee-pee)
Current version (stable): 1.6.1-stable
Next version (beta): 1.6.2-candidate.C.5
[ see Related-Tools below, added 20080313 ]
Description:
SANCP is a network security tool designed to collect statistical information about network traffic, and to record the traffic itself to file in pcap format, for the purposes of auditing, historical analysis and network activity discovery. Rules can be used to distinguish normal traffic from abnormal traffic, and support tagging connections with a rule id, node id and status id.
From an intrusion detection standpoint, every connection is an event that must be validated through some means. SANCP uses rules to identify, record and tag traffic of interest. Connection 'stats' can be loaded into a database for further analysis.
Download links:
Current version 1.6.1 (stable) - supports linux and bsd
  sancp-1.6.1-stable.tar.gz - download from sourceforge or metre.net
  (md5: ffa64f2fdb49afd7ef16fbefda21e251)
Anonymous CVS version 1.6.1 (beta) - requires patches a, b, c and d to be applied from sancp.sourceforge.net
  cvs -d:pserver:anonymous@sancp.cvs.sourceforge.net:/cvsroot/sancp login
  cvs -d:pserver:anonymous@sancp.cvs.sourceforge.net:/cvsroot/sancp co sancp
Development version 1.6.2 (beta) - supports linux, bsd and solaris
  sancp-1.6.2-candidate.C.5.tar.gz - download from metre.net
  (md5: 26cb63b846f0ce7addb39945c787168a)
  - add new output field value for 'reversed' (5 == 'MAYBEREVERESED'); indicates when option 'nosrc_pktsok' was applied to force the direction
  - add default nosrc_pktsok = 0; set to 1 to enable, which does not re-reverse connections that have closed with no packets collected from the assumed source
  - add 'nosrc_pktsok' rules option support to force the 'known_ports' direction preference for connections which receive no packets from the assumed source
  - add custom prelude output support to rules for output control
  - fix bug reported in #snort-gui with stats files not being created
  - fix bug for compiling prelude support reported by Sebastien Tricaud
  - add solaris support
  - add console output (e.g. used to print the running configuration and ongoing connections)
  - add new output fields to include a sample of payload data from source or destination for stats and realtime
  - add pcap index support; created to support locating packets in large pcap files without parsing (new output fields: output_filename, start_pos and stop_pos)
  - add prelude compile-time support (edit Makefile, uncomment: PRELUDE_CFLAGS, PRELUDE_LIBS, PRELUDE_SUPPORT)
  - improve daemon mode to store process id in file name 'sancp.pid'
  - improve signal handling (set-flag-and-return method allows for timely processing of signal requests)
  - remove README from binary to docs/ to reduce footprint and code maintenance
  - replace all typographical references to '80211' with '8021Q'
  - add -p <pidfile> support
  - update README documentation
  - improve configuration output to include output formats (see: --config)
  - add three new output fields: silence (seconds since last packet), timeleft (seconds until timeout) and expired (internal state flag)
Related Tools:
Usage:
  sancp -i <interface> -d <logging-directory> -c <configuration-file> -F <bpf-expression-file> -r <pcapfile>
where:
  <interface> = network interface name to monitor
  <logging-directory> = directory for writing all output files
  <configuration-file> = text file containing configuration options
  <bpf-expression-file> = text file containing a valid bpf expression in the first line
  <pcapfile> = packet capture file to read, use instead of '-i <interface>'
Rules Syntax:
# sancp.conf version 1.6.1+
#
# 1 - Define variables to use in subsequent rules - vars are context sensitive ( eth_proto, ip, ip_proto, port )
#
var ip 8
var icmp 1
var tcp 6
var udp 17
var dns 53
#
# 2 - Define known ports for udp and tcp/ip traffic
#
# These values will be used to swap the source- and destination-related values, changing the apparent
# direction of connections which commonly appear 'reversed' relative to their presumed direction.
#
known_ports udp dns
known_ports tcp 25, dns, 80, 443
#
# 3 - Define rules
#
# Rule Format: {PROFILE} {OPTIONS}
#
# Where
# PROFILE contains six fields: (Use the field-keyword 'any' to indicate all possible field values)
#
# <eth_proto.num> <src_ip.dotted[/mask]> <dst_ip.dotted[/mask]> <ip_proto.num> <src_port.num> <dst_port.num>
#
# OPTIONS may be any of the following:
#
# realtime <log|pass>, stats <log|pass>, pcap <log|pass|filename|tsfilename|connection>,
# rid <N>, rgid <N>, limit <N>, tcplag <N>, timeout <N>, retro
#
ip any any tcp any 443; limit 1500
ip any any udp any any; realtime pass
ip any any icmp any any; realtime pass
#
# Note: comments (/#.*$/), commas, semi-colons, equal-signs, tabs and extra spaces are ignored in configuration files
#
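Added example, not from this page or the SANCP source: a small Python re-implementation of the rule-profile matching described above, so a ruleset can be checked offline for which options it would assign to a given connection before it is deployed. It assumes rules are tested in file order with the first matching profile winning, and an unmatched connection keeping only the 'default' values; the config is constructed and the 'trusty' host var is hypothetical. known_ports lines are parsed but ignored, since they affect connection direction rather than matching.

```python
"""Match connection tuples against SANCP-style rules (added example, not SANCP code)."""
import ipaddress
import re

# Options that take no value in the documented syntax.
FLAG_OPTIONS = {"retro"}
PROFILE_KEYS = ("eth_proto", "src_ip", "dst_ip", "ip_proto", "src_port", "dst_port")


def tokenize(line):
    """Drop '#' comments; commas, semicolons, equals signs and whitespace separate tokens."""
    return [t for t in re.split(r"[,;=\s]+", line.split("#", 1)[0]) if t]


def parse_options(tokens):
    """'limit 1500 realtime pass retro' -> {'limit': 1500, 'realtime': 'pass', 'retro': True}."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in FLAG_OPTIONS:
            opts[key], i = True, i + 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option '{key}' is missing its value")
        val = tokens[i + 1]
        opts[key] = int(val) if val.isdigit() else val
        i += 2
    return opts


def parse_conf(text):
    """Return (defaults, rules); each rule is (six-field profile, options dict)."""
    variables, defaults, rules = {}, {}, []
    for raw in text.splitlines():
        toks = tokenize(raw)
        if not toks:
            continue
        if toks[0] == "var":
            variables[toks[1]] = toks[2]
        elif toks[0] == "default":
            defaults.update(parse_options(toks[1:]))
        elif toks[0] in ("known_ports", "format"):
            continue  # direction preference / output layout: not part of matching
        else:
            if len(toks) < 6:
                raise ValueError(f"rule needs six profile fields: {raw!r}")
            profile = [variables.get(t, t) for t in toks[:6]]  # expand vars in place
            rules.append((profile, parse_options(toks[6:])))
    return defaults, rules


def field_matches(pattern, value, is_ip):
    """'any' matches everything; ip fields accept dotted[/mask]; the rest compare as integers."""
    if pattern == "any":
        return True
    if is_ip:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return int(pattern) == int(value)


def apply_rules(conn, defaults, rules):
    """Options in effect for conn: the first matching rule's options layered over defaults (assumed first-match)."""
    for profile, opts in rules:
        if all(field_matches(p, conn[k], k.endswith("_ip")) for p, k in zip(profile, PROFILE_KEYS)):
            return {**defaults, **opts}
    return dict(defaults)


# Constructed sancp.conf using the page's vars plus a hypothetical trusted admin host.
SAMPLE_CONF = """
var ip 8
var icmp 1
var tcp 6
var udp 17
var dns 53
var trusty 10.0.0.1
known_ports udp dns
known_ports tcp 25, dns, 80, 443
default limit=0
default rid=0
default status=0
ip trusty any tcp any 22; pcap pass, rid 10        # ssh from the admin host: tag, no pcap
ip 10.0.0.0/24 any tcp any 22; rid 11, status 1    # any other ssh from that subnet: tag for review
ip any any tcp any 443; limit 1500, rid 20         # https: keep only the first 1500 bytes
ip any any udp any any; realtime pass
ip any any icmp any any; realtime pass, rid 30
"""

DEFAULTS, RULES = parse_conf(SAMPLE_CONF)


def options_for(src_ip, dst_ip, ip_proto, src_port, dst_port, eth_proto=8):
    """Convenience wrapper: options SAMPLE_CONF assigns to one connection tuple."""
    conn = dict(zip(PROFILE_KEYS, (eth_proto, src_ip, dst_ip, ip_proto, src_port, dst_port)))
    return apply_rules(conn, DEFAULTS, RULES)
```

Ordering matters: the host-specific ssh rule sits before the subnet rule, so traffic from the admin host gets rid 10 with pcap disabled while the rest of the subnet gets rid 11 and status 1; swapping the two lines would silently make the admin exception unreachable.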
Configuration file option defaults for Version 1.6.1 (stable):
# sancp.conf version 1.6.1+
default use_icmp_mixed=disable   # enable to log icmp 'type' and 'code' values to fields 'src_port' and 'dst_port', respectively, from icmp packets
default use_pcap_time=disable    # enable to set clock to timestamps contained in packet headers rather than the system clock
default strip-80211=disable      # enable to remove 8021Q headers from packets (note: 80211 is not related to 8021Q; this association is a typo that resides only within the source code)
default debug_pcap_raw=disable   # enable to record packets to output file name pcap_raw prior to packet decoding (use for debugging)
default realtime=tsfilename realtime   # sets realtime output filename format to 'realtime.<interface>.<unixtimestamp>'; set to pass to disable
default stats=tsfilename stats         # sets stats output filename format to 'stats.<interface>.<unixtimestamp>'; set to pass to disable
default pcap=tsfilename pcap           # sets pcap output filename format to 'pcap.<interface>.<unixtimestamp>'; set to pass to disable
format realtime=delimiter=|, start_time_gmt, duration, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collect, climit, collected, pcap, realtime, stats, retro, src_mac, dst_mac
format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac
default flush_interval=1800   # flush to disk every N seconds
default expire_interval=10    # check for expired connections every N seconds
default burst_mode=enable     # force close of stats output file after every flush_interval to create a new output file; set to disable to continue logging to the same file until the program ends
default status=0              # set default status id to N
default node=0                # set default node id to N
default zone=0                # assign default zone id to N
default rid=0                 # assign default rule id to N
default rgid=0                # assign default rule group id to N
default limit=0               # limit pcap data collected per connection to N bytes
default timeout=300           # expire connections after N seconds of inactivity
default tcplag=0              # extend timeout N seconds before expiring tcp connections
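Added example, not part of SANCP: a Python loader for 'stats' output that takes the field list from the 'format stats=' directive above rather than hard-coding column positions, decodes src_ip_decimal/dst_ip_decimal and the TCP flag fields, and applies a first-pass triage to each record before it is loaded into a database. The config fragment and the three records are constructed; the 'YYYY-MM-DD HH:MM:SS' timestamp layout, the flag-bit encoding of sflags/dflags (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), and the triage thresholds are assumptions.

```python
"""Load SANCP 'stats' records driven by the conf's 'format stats=' line (added example, not SANCP code)."""
import ipaddress
import re

# Assumed encoding: sflags/dflags are the OR of raw TCP flag bits seen from each side.
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

# Constructed sancp.conf fragment: the 1.6.1 default 'format stats' directive.
SANCP_CONF = """
default timeout=300
format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac
"""

# Constructed stats records (37 fields each), not real captures.
SAMPLE_STATS = [
    # completed HTTP session 192.168.1.10 -> 10.0.0.11, both sides FIN|SYN|PSH|ACK
    "5012345678901234567|2007-10-16 10:01:02|2007-10-16 10:01:12|2007-10-16 10:06:12|8|6|"
    "3232235786|45321|167772171|80|10|300|6|5|512|3072|27|27|27|3584|1|3584|0|0|1|1|1|0|0|0|0|0|0|0|0|"
    "00:11:22:33:44:55|00:aa:bb:cc:dd:ee",
    # lone SYN to ssh with no reply: 10.0.0.99 -> 192.168.1.10
    "5012345678901234568|2007-10-16 10:02:00|2007-10-16 10:02:00|2007-10-16 10:07:00|8|6|"
    "167772259|51000|3232235786|22|0|300|1|0|60|0|2|0|2|60|1|60|0|0|1|1|1|0|0|0|0|0|0|0|0|"
    "00:aa:bb:cc:dd:ee|00:11:22:33:44:55",
    # DNS exchange SANCP flagged as reversed (nonzero 'reversed'; 1 is a constructed value)
    "5012345678901234569|2007-10-16 10:03:00|2007-10-16 10:03:00|2007-10-16 10:08:00|8|17|"
    "3232235786|33000|167772171|53|0|300|1|1|70|120|0|0|0|190|1|190|0|0|1|1|1|1|0|0|0|0|0|0|0|"
    "00:11:22:33:44:55|00:aa:bb:cc:dd:ee",
]


def stats_format(conf_text):
    """Return (delimiter, field names) from the 'format stats=' directive; comments are stripped first."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"format\s+stats\s*=\s*delimiter\s*=\s*(\S)\s*,\s*(.*)$", line)
        if m:
            return m.group(1), [f for f in re.split(r"[,\s]+", m.group(2)) if f]
    raise ValueError("no 'format stats' directive found")


def flag_names(value):
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_stats_line(line, delimiter, fields):
    """Split one record, reject field-count mismatches, and add decoded convenience fields."""
    parts = line.rstrip("\n").split(delimiter)
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}")
    rec = dict(zip(fields, parts))
    for name in ("src_ip_decimal", "dst_ip_decimal"):
        rec[name.replace("_decimal", "_dotted")] = str(ipaddress.IPv4Address(int(rec[name])))
    for name in ("sflags", "dflags"):
        rec[name + "_names"] = flag_names(int(rec[name]))
    return rec


def triage(rec):
    """Coarse label for an analyst queue; the rules here are assumptions, not SANCP behaviour."""
    if int(rec["reversed"]) != 0:
        return "direction-reversed"  # verify which side really initiated before trusting src/dst
    if int(rec["ip_proto"]) == 6 and int(rec["dst_pkts"]) == 0 and rec["sflags_names"] == ["SYN"]:
        return "unanswered-syn"      # probe against a closed or filtered port
    return "normal"


def load_stats(conf_text, lines):
    delimiter, fields = stats_format(conf_text)
    return [parse_stats_line(ln, delimiter, fields) for ln in lines if ln.strip()]
```

Because the loader validates the field count against the directive, a stats file written under a different 'format stats' line (for example the 1.6.2 layout with the sample_* columns) fails loudly instead of silently shifting every column.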
Configuration file option defaults added in Version 1.6.2 (beta-test):
# sancp.conf version 1.6.2+
default sample_src_length=0      # set to number of initial bytes of data to sample from source payload to N
default sample_dst_length=0      # set to number of initial bytes of data to sample from destination payload to N
default strip_8021q=disable      # enable to remove 8021Q (VLAN) headers from packets (obsoletes strip-80211 option)
default arprarp_decode=disable   # enable to log values to certain ip fields from arp and rarp packets: records arp/rarp ip addresses to src_ip and dst_ip, operation to ip_proto, and then hardware and protocol types and lengths to the source and destination port and byte fields, respectively
default index=pass               # set to log to enable logging of start and stop positions of packets written to pcap files
format index wildchar='\s' sancp_id, output_filename, start_pos, stop_pos
format console wildchar='\s' delimiter = \s, sancp_id, start_time_local, src_mac, dst_mac, src_ip_dotted, dst_ip_dotted, eth_proto, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, timeout, total_bytes, output_session_id, sflags_hex, dflags_hex, cflags_hex, duration, sample_src_asc
format realtime wildchar='\s' delimiter = |, start_time_gmt, duration, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, sample_src_len, sample_src_hex, sample_src_asc
format stats wildchar='\s' delimiter = |, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac, sample_src_len, sample_dst_len, sample_src_hex, sample_dst_hex
default nosrc_pktsok = 0         # 'default' and 'rules' option to force the 'known_ports' direction preference for connections which receive no packets from the assumed source
8 any any 6 any 80 nosrc_pktsok=1   # force known_ports preference for HTTP connections from which no packets were collected from the assumed source; by default these connections would be re-reversed prior to logging
Development timeline:

Oct 16, 2007 - Version 1.6.2-candidate.C.5 (released as beta)
  - updated docs/CHANGES
  - updated docs/README

Oct 09, 2007 - Version 1.6.2-candidate.C.5
  - added 'nosrc_pktsok' rules option support to force the 'known_ports' direction preference for connections which receive no packets* from the assumed source
  - added new output field value for 'reversed' (5 == 'MAYBEREVERESED'); indicates when option 'nosrc_pktsok' was applied to force the direction*
  - added default nosrc_pktsok = 0; set to 1 to enable, which does not re-reverse connections that have closed with no packets collected from the assumed source. 'Reversed' connections typically result when the initial packet is dropped by the collection engine, or when packets appear to be coming from known_ports (i.e. network scans, or third-party DDoS RESET packets)
  * nosrc_pktsok is not applied to TCP connections whose first packet contained a SYN flag or SYN-ACK flag combination, in which case the inferred TCP direction is preferred over known_ports (ip_proto 6).

Sep 30, 2007 - Version 1.6.2-candidate.C.4 (not released, beta)
  - resolve problem not printing known_ports setting in configuration output (i.e. --config)
  - added new output format option 'wildchar=\s'; used by fields sample_src_asc and sample_dst_asc, sets the character to print in place of nonprintable characters, i.e. 'wildchar=.'

Sep 24, 2007 - Version 1.6.2-candidate.C.3 (released as beta)
  - document additional prelude-related rule options available in docs/README

Sep 06, 2007 - Version 1.6.2-candidate.C.3-customoutput (not released - to be released as 1.6.2-candidate.C.3)
  modify apply_rules.cc, build_acl.cc, check_packet.cc, sancp.cc, gvars.h, sancp.h
  - add custom prelude output support to rules for output control; requested by Dean Takemori, forwarded by Sebastien Tricaud, i.e.
      var trusty 10.0.0.1
      8 trusty any 6 any 22 prelude pass   # disable prelude output on matching secure shell connections
      8 any any 6 any 22 prelude log       # enable prelude output on matching secure shell connections

Aug 21, 2007 - Version 1.6.2-candidate.C.2 (released as beta)
  - update prelude compile-time support (to enable, edit Makefile and uncomment the define statements for PRELUDE_CFLAGS, PRELUDE_LIBS, PRELUDE_SUPPORT)
  modify build_acl.cc
  - add --strip_8021q option, deprecate --strip_8021Q
  - remove backwards compatible option --strip_80211
  - fix debug compile errors (ref: #DEBUG=1 in gvars.h)
  - fix build_acl() to read 'strip_8021q' or 'strip_8021Q' setting from configuration file
  - update print_acl() to print output formats in --config output
  modify outputFileHandle.cc
  - add private member 'filetype'
  - add method printFormat()
  - modify all constructor calls to pass output name to be set as filetype
  modify Makefile
  - add alternate CFLAGS and LFLAGS with -Xlinker support
  modify sancp.cc and gvars.h
  - add output fields: 'silence' (seconds since last packet), 'timeleft' (seconds until timeout), 'expired' (has expired)
  - add check whether we received the exit signal before processing packets, to avoid logging packets to realtimes and pcap during shutdown
  modify statefull_logging.cc
  - fix bug reported in #snort-gui with stats files not being created
  - add 'output_filename' field to --schemas output
  modify docs/SCHEMAS
  - update documentation for index and console output types
  modify docs/HELP
  - update documentation

Aug 16, 2007 - Version 1.6.2-candidate.C.1 (not released)
  - applied patch from Sebastien Tricaud to correct compile issue for prelude support
  - modify makefile to include /usr/local/lib/pcap (per newsgroup)

Jul 06, 2007 - Version 1.6.1-stable - sancp-1.6.1-stable.tar.gz - released as stable
  - uploaded version 1.6.1-stable on sourceforge

Jul 05, 2007 - Version 1.6.2-candidate.C - sancp-1.6.2-candidate.C.tar.gz - released as Beta
  - integrate prelude support requested by Frank Van Vliet on 09/19/2005

Sep 26, 2006 - Version 1.6.2-candidate.B.4 - sancp-1.6.2.candidate.B.4.tar.gz - released as Alpha
  - fix issue discovered on 09/25/2006, add new signal handling code

Sep 22, 2006 - Version 1.6.2-candidate.B.3 - sancp-1.6.2.candidate.B.3.tar.gz - released as Alpha
  - fix issue discovered on 09/21/2006

Sep 20, 2006 - Version 1.6.2-candidate.B.2 - sancp-1.6.2.candidate.B.2.tar.gz - released as Alpha
  - fix issue discovered on 09/20/2006

Sep 19, 2006 - Version 1.6.2-candidate.B.1 - sancp-1.6.2.candidate.B.tar.gz - released as Alpha
  - add pcap index output support requested by Martin Holste on 09/19/2006; this records the sancp_id, output_filename, start_pos and stop_pos for each packet written to pcap

Sep 17, 2006 - Version 1.6.2-candidate.B - sancp-1.6.2-candidateB.20060917.tar.gz - not released
  - incorporate changes from unreleased 1.7.0 branch into 1.6.2, enable logging sampled payload data

Aug 24, 2006 - Version 1.6.2-candidate-A - sancp-1.6.2.candidate.A.tar.gz - released as Alpha
  - combine solaris branch of 1.6.1 with patches a, b, c, and d as 1.6.2 candidate A
  - solaris testing support provided by Sean MacLeod to resolve library compile issues and a segfault due to signal handling
  - implement --use-pcap-time to use timestamps in pcap files, avoiding calls to alarm() on solaris

Aug 11, 2006 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.20060811.tar.gz - not released
  - final set of solaris modifications dropped from 1.6.1 due to problems with signal handling; continue solaris development with the 1.6.2 version

Aug 09, 2006 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.20060809.tar.gz - not released
  - third set of solaris modifications

Jul 05, 2006 - Update sancp.sourceforge.net with current version and patches
  - sancp-1.6.1.fix200511.a.patch - posted to sancp.sourceforge.net as Beta
  - sancp-1.6.1.fix200511.b.patch - posted to sancp.sourceforge.net as Beta
  - sancp-1.6.1.fix200601.c.patch - posted to sancp.sourceforge.net as Beta
  - sancp-1.6.1.fix200606.d.patch - posted to sancp.sourceforge.net as Beta
  - sancp-1.6.1.fix200606.bd.patch - posted to sancp.sourceforge.net as Beta
  - sancp-1.6.1.tar.gz - posted to sancp.sourceforge.net as Beta

Jun 30, 2006 - Version 1.6.1 patch BD - sancp-1.6.1-fix200606.bd.patch - released as Beta
  - combined patches contained in sancp-1.6.1-fix200511.b.patch and sancp-1.6.1-fix200606.d.patch

Jun 30, 2006 - Version 1.6.1 patch D - sancp-1.6.1.fix200606.d.patch - released as Beta
  - provides fix for 100% CPU utilization issue reported by Clemente Aguiar on 04/03/2006
  - removes tcpoption parsing code from main source, disabling decoding of 'wscale' (TCP window scale)
  NOTE: This patch was reported as faulty (will not compile with EXPERIMENTAL_TCPOPTIONS defined) and was recreated 07/05/06; copies of this patch dated earlier than 07/05/06 may not work - reported by Devin Kowatch 06/30/06

Jun 16, 2006 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.20060616.tar.gz - not released
  - resume development of solaris compatibility on a Sparc Ultra 10 received from Anthony Spina
  - resolve byte-order issues in stats and realtimes output fields
  - identify problems with runtime segfault due to problems with signal handling

Jun 14, 2006 - Version 1.6.1 patch C - sancp-1.6.1.fix200601.c.patch - released as Beta
  - resolve compiler issues on x86-64 platform reported by Tomislav Kolanovic on 01/13/2006

Apr 21, 2006 - Version 1.6.1 patch tcpoption - sancp.experimental_tcpoption.patch.1.6.1 - released as Beta
  - fix segfault; removed section for parsing tcpoptions

Dec 13, 2005 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.tar.gz - not released
  - began work on solaris compatibility at request of Anthony Spina and others; resolved basic compilation errors
  - identified byte-order issue with stats and realtimes output fields; delays due to remote access issues to the environment

Nov 12, 2005 - Version 1.6.1 patch B - sancp-1.6.1-fix200511.b.patch - released as Beta
  - provides fix for seg-fault at decode:69 reported by Bamm on 10/17/2005

Nov 12, 2005 - Version 1.6.1 patch A - sancp-1.6.1-fix200511.a.patch - released as Beta
  - provides fix for duplicate connection id at check_packet:187 reported by Richard Bejtlich 11/12/2005

Nov 01, 2005 - Version 1.7.0-alpha - sancp-1.7.0j.tgz - not released
  - discard bin output
  - end development of branch 1.7.0-alpha; code to be incorporated into future version 1.6.2

Oct 14, 2005 - Version 1.7.0-alpha - sancp-1.7.0i.tgz - not released
  - continue development of different formats of sampled payload data: hex, ascii, bin

Oct 13, 2005 - Version 1.7.0-alpha - sancp-1.7.0h.tgz - not released
  - create separate fields for sampled payload data from source and destination

May 11, 2005 - Version 1.7.0-alpha - sancp-1.7.0g.tgz - not released
  - begin development of new branch for adding a sample of payload data as a stats field

Nov 01, 2004 - Version 1.6.1 - sancp-1.6.1.tar.gz - released as Beta
  - fixed problem introduced in version 1.6.0 with addition of src_mac and dst_mac, reported by Bamm and Rich
  - fixed bug in sample init.d/sancpd startup script reported on #snort-gui
  - increased counters from 32bit to 64bit values: src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, and climit

Sep 13, 2004 - Version 1.6.0 - sancp-1.6.0.tar.gz - released as Beta
  - fixed major bug when reading from a pcap file using -r option affecting how packets are decoded
  - new default output fields added: src_mac and dst_mac; see columns 49 and 50

Sep 02, 2004 - Version 1.5.7 - sancp-1.5.7.tar.gz - released as Beta
  - disabled additional logging of realtimes to console; use -K to re-enable this 'feature'
  - added forking -D (daemon) mode, which suppresses -K if enabled

May 26, 2004 - Version 1.5.6 - sancp-1.5.6.tar.gz - released as Beta
  - resolved permission error when using options -u and -g to change the effective UID and GID

May 06, 2004 - Version 1.5.5 - sancp-1.5.5.tar.gz - released as Beta
  - increased byte and packet counters to 64bit values, rather than 32bit; database tables supporting these as 32bit values should be changed to support 64bit values: src_pkts, dst_pkts, src_bytes, dst_bytes, climit, collected

May 05, 2004 - Version 1.5.4 - sancp-1.5.4.tar.gz - released as Beta
  - increased byte and packet counters to 32bit values, rather than 16bit
  - fixed incorrect behaviour of -R command line switch

Jan 19, 2004 - Version 1.5.3 - sancp-1.5.3.tar.gz - released as Beta
Jan 19, 2004 - Version 1.5.2.1 - sancp-1.5.2.1.tar.gz - released as Beta
Jan 19, 2004 - Version 1.5.2 - sancp-1.5.2.tar.gz - released as Beta
Jan 17, 2004 - Version 1.5.1 - sancp-1.5.1.tar.gz - released as Beta
Jan 15, 2004 - Version 1.5.0 - sancp-1.5.0.tar.gz - released as Beta

Jan 01, 2004 - Version 1.4.1 - released as Beta
  - added ability to track the last connection id assigned; stored as a 64bit value in the .cnxid file
  - added -C (--last_cnxid) option to specify the last connection id assigned; must be greater than the value stored in the .cnxid file

Dec 15, 2003 - Version 1.4.0 - sancp-1.4.0.tgz - released as Beta
  - expanded rules to handle ethernet protocol numbers; but only IP is parsed beyond the ethernet header
  - concept of a 'default' rule is more clearly expressed in the configuration file itself
  - new rules format: we now require the ethernet protocol to be specified
  - add var support for rules and known_ports definition; var support includes ethernet protocol, ip address, ip protocol, tcp/udp ports
  - added three new 'default' and rule options: rule id (rid), status number, and node id
      - support for rule management and connection profile tagging: use 'rid'
      - support for a connection classification system: use 'status'
      - support for multiple instance/multiple interface setups: use 'node'
  - expanded rule delimiters to include space, tab, comma, and equal signs
  - BPF filter can be specified in the configuration file
  - extensive work done on configuration dump output; it now prints in a re-usable format and displays all defaults, known_ports, vars, and rules
  - fixed memory leak issues with vars
  - fixed open file handle issues

Nov 30, 2003 - Version 1.3.1 - released as Beta
  - re-combined conf and rules (rewrote code to handle both interchangeably)
  - standardized the argument and rules parsers
  - fixed problem with -F and -r options (when used together)
  - fixed some fileHandle class problems regarding storing filenames

Nov 26, 2003 - Version 1.3.0 - released as Beta
  - split configuration and rules into two files: sancp.conf, sancp.rules
  - redesigned rules
  - changed many command line options, removed others
  - renamed output files (stats, pcap, realtime)
  - updated the documentation
  - made many code changes to support new configuration and rule options

Nov 17, 2003
  - add syslog support for LOG_LOCAL1 - 7; default is LOG_DAEMON, i.e. --log_facility "LOCAL1"
  - specify user and group for sancp to run under
  - GMT supported (as default); use --local_time to use the local timezone
  - created gvars structure

Oct 21, 2003 - Version 1.2.1 - released as Beta
  - add os_info fields for destination to connection log output
  - add -NO2 option which disables printing this additional information (for backwards compatibility)
  - fixed bad mss value

Oct 13, 2003 - Version 1.2.0 - released as Beta
  - ncp changes name to sancp
  - added 'lag' option
  - changed error messages to go to syslog
  - made a few corrections to documentation
  - updated Makefile
  - made a few changes to rule parsing routine
  - added quiet_mode
  - added daemon_mode
  - cleaned up pcapFileHandle.cc
  - cleaned up fileHandle.cc
  - added a few more global variables to gVars

Sep 28, 2003 - Version 1.2 - released as Beta
  - ncp posted to metre.net