.\" -*-nroff-*-
.\"
.\" Copyright (C) 1998-2000 Hugo Haas <hugo@via.ecp.fr>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.TH IPPL.CONF 5 "Last change: 11 February 2000"
.SH NAME
ippl.conf \- IP Protocols Logger configuration file
.SH DESCRIPTION
The
.I ippl.conf
file is the only configuration file for the
.BR ippl
logger. It defines which protocols to log and which packets to log
for each of them.
A hash mark (``#'') starts a comment: the rest of the line is ignored.
.SH USER RUNNING THREADS
For security reasons,
.BR ippl
does not run the protocol logging threads as root unless told to.
The user the threads run as is chosen with the
.I runas
keyword.
.B Syntax:
runas [user]
.PP
.I user
is a user defined in /etc/passwd. By default, the __DEFAULT_USER
user is used.
.SH PROTOCOLS
Each protocol is handled by a different thread. To start a thread, use:
.B Syntax:
run [protocol] [protocol] ...
.PP
.I protocol
can be:
.I icmp
to specify that the thread logging ICMP messages should be run.
.PP
.I tcp
to specify that the thread logging TCP connections should be run.
.PP
.I udp
to specify that the thread logging UDP datagrams should be run.
.PP
.I all
to log all the protocols.
.SH ADDRESS RESOLUTION
You can enable or disable IP address resolution on a protocol basis.
To enable address resolution, use:
.B Syntax:
resolve [protocol] [protocol] ...
.PP
.I protocol
is the same as in the protocols section.
To disable address resolution, use:
.B Syntax:
noresolve [protocol] [protocol] ...
.PP
.I protocol
is the same as before.
.PP
By default, IP address resolution is disabled for all the protocols.
.SH LOGGING FORMAT
.BR ippl
can log IP protocols in a more or less detailed format. By default, it
only shows the source address and the message type or the destination
port. A more detailed format can be selected; there is also a shorter
one.
.B Syntax:
logformat [format] [protocol] [protocol] ...
.PP
.I format
can be:
.I short
to use a short format for logging.
.PP
.I normal
to use the normal format. This is the default.
.PP
.I detailed
to log more information. This option displays the source and
destination ports and addresses.
.PP
.I protocol
is the same as in the protocols section.
.SH IDENT MECHANISM
To enable the IDENT remote username resolution, use the
.I ident
keyword.
To disable it, use the
.I noident
keyword.
Note that the information returned is *NOT* reliable in general: the
remote host supplies it and can return anything it likes. By default,
ident resolution is off.
.SH TCP CONNECTION TERMINATION
.BR ippl
can detect when a TCP connection is closed. To enable this feature,
use the
.I logclosing
keyword.
To disable it, use the
.I nologclosing
keyword.
By default, TCP connection terminations are ignored.
.SH LOGGING MECHANISM
.BR ippl
can log messages through syslog (with the LOG_DAEMON facility) or
write them directly into a file. A file is selected with the
.I log\-in
keyword.
.B Syntax:
log-in [protocol] [filename]
.PP
.I protocol
is the same as in the protocols section.
.I filename
is an absolute path to a file. Note that the file cannot sit directly
in the root directory; it has to be inside a subdirectory.
NOTE: after the logs are rotated, send
.BR ippl
the SIGHUP signal so that it reopens its log files.
.SH RULES
When a thread runs, it catches every packet of the protocol it logs.
The user may want to ignore some of them; this is done with
Apache-like rules.
.PP
There are two types of rules: the first describes the packets to log,
the second the packets to ignore. The syntax of a rule is as follows:
.B Syntax:
[log|ignore] {option [option],[option],...} [protocol] [description]
.PP
.I log
means that the packets described should be logged, and
.I ignore
is used when the user does not want to log a certain type of packet.
.SS Option
.PP
The
.I option
keyword overrides the global defaults for this rule only.
.I options
is also recognized.
.PP
Valid options are:
.PP
.I resolve
enable IP address resolution.
.PP
.I noresolve
disable IP address resolution.
.PP
.I ident
use ident logging (only for TCP).
.PP
.I noident
disable ident logging (only for TCP).
.PP
.I logclosing
log connection termination (only for TCP).
.PP
.I nologclosing
do not log connection termination (only for TCP).
.PP
.I short
use the short logging format.
.PP
.I normal
use the normal logging format.
.PP
.I detailed
use the detailed logging format.
.SS Protocol
.PP
protocol is one of the supported protocols (see the protocols
section), except the
.I all
keyword, which is not supported.
.SS Description
.PP
.I description
holds the type of packet and the hosts to which the rule
applies.
.PP
.I Type of packet:
.PP
.nf
type <number>      Specify an ICMP message type.
port <number>      Specify a destination TCP or UDP port number.
port <name>        Specify a destination TCP or UDP port name.
srcport <number>   Specify a source TCP or UDP port number.
srcport <name>     Specify a source TCP or UDP port name.
.fi
.PP
.I number
is specified like this:
.nf
n          Number n.
n--        Every number m >= n.
--n        Every number m <= n.
l--k       Every number m, with l <= m <= k.
string     If a string is specified, it is either the name of a
           service (see /etc/services) or an ICMP message.
.fi
.PP
Keywords for ICMP messages are:
.nf
echo_reply        0
dest_unreach      3
src_quench        4
redirect          5
echo_req          8
router_advert     9
router_solicit   10
time_exceeded    11
param_problem    12
ts_req           13
ts_reply         14
info_req         15
info_reply       16
addr_mask_req    17
addr_mask_reply  18
.fi
.PP
.I Source of the packets:
.PP
from <host>
.PP
where host is specified as follows:
.nf
x.x.x.x            IP address of a host
x.x.x.x/x.x.x.x    IP address followed by a network mask, to specify a subnet
x.x.x.x/n          IP address followed by the prefix length, i.e. the number
                   of leading 1 bits in the network mask
host.net.domain    host name (wildcards accepted)
.fi
.PP
.I Destination of the packets:
.PP
to <host>
.PP
where host is specified as follows:
.nf
x.x.x.x            IP address of the local interface
host.net.domain    host name of the local interface (*no* wildcards accepted)
.fi
.PP
The
.I to
clause is only useful if several interfaces are connected to your box,
or if you use IP aliasing. It is also useful to log or ignore
broadcasts: to do so, use your broadcast address as the destination IP
address.
.PP
Please note that rules using IP addresses are faster to check than
rules using host names.
.PP
If you log UDP, it is *strongly* recommended to ignore broadcasts
(there is no dedicated option for that yet).
.SH EXPIRATION OF DNS CACHE
The time for which
.BR ippl
keeps cached DNS data before querying again can be changed.
.B Syntax:
expire <time>
sets the lifetime of cached DNS entries.
.I time
is specified in seconds (default is 3600).
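.PP
The keyword and rule syntax described in the sections above (global keywords such as runas, run, log-in and expire; the number forms n, n--, --n and l--k; the from/to host forms; the per-rule options), as an added example that is not part of ippl and not the program's own parser: a small Python reader that parses a constructed sample ippl.conf and reports which rules match a given packet. The sample file, its addresses, host names and paths are made up. This manual does not say how ippl orders or prioritises rules that all match one packet, so the code only lists every matching rule in file order and leaves that decision open. Service names are looked up with socket.getservbyname, which reads /etc/services as the manual describes; the test packets below use numeric ports so they do not depend on that file.

```python
import fnmatch
import ipaddress
import socket
PROTOCOLS = ("icmp", "tcp", "udp")
# ICMP message-type keywords and numbers, as listed under RULES above.
ICMP_TYPES = dict(zip(
    "echo_reply dest_unreach src_quench redirect echo_req router_advert "
    "router_solicit time_exceeded param_problem ts_req ts_reply info_req "
    "info_reply addr_mask_req addr_mask_reply".split(),
    (0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)))

# Constructed sample ippl.conf; addresses, names and paths are made up.
SAMPLE_CONF = """\
runas nobody                   # never run the logging threads as root
run tcp udp icmp
logformat detailed tcp
log-in udp /var/log/ippl/udp.log
logclosing
expire 600
ignore udp to 192.0.2.255                    # broadcasts, as RULES advises
ignore udp port 137--138 from 192.0.2.0/24   # local NetBIOS chatter
ignore icmp type echo_req from 192.0.2.0/255.255.255.0
log options detailed,ident tcp port 22 from *.example.net
log tcp port --1023 to 192.0.2.10
"""

def parse_number(spec, icmp=False):
    """'n', 'n--', '--n', 'l--k' or a name -> inclusive (low, high) range."""
    if "--" in spec:
        lo, hi = spec.split("--", 1)
        return (int(lo) if lo else 0, int(hi) if hi else (255 if icmp else 65535))
    if spec.isdigit():
        return (int(spec), int(spec))
    # Names: ICMP keywords from the table above, services from /etc/services.
    n = ICMP_TYPES[spec] if icmp else socket.getservbyname(spec)
    return (n, n)

def parse_host(spec, wildcards_ok=True):
    """from/to host spec -> ('net', ip_network) or ('name', glob pattern)."""
    if "/" in spec:
        addr, mask = spec.split("/", 1)        # dotted mask or prefix length
        mask = int(mask) if mask.isdigit() else mask
        return ("net", ipaddress.ip_network((addr, mask), strict=False))
    try:
        return ("net", ipaddress.ip_network(spec))   # one address, i.e. /32
    except ValueError:                         # not an address: a host name
        if not wildcards_ok and "*" in spec:
            raise ValueError("'to' host names may not contain wildcards")
        return ("name", spec.lower())

def parse_rule(line):
    """One 'log|ignore [option ...] protocol description' line -> dict."""
    words = line.split()
    rule = {"action": words.pop(0), "options": [], "match": {}}
    if words[0] in ("option", "options"):
        words.pop(0)
        while words[0] not in PROTOCOLS:       # comma list, spaces tolerated
            rule["options"] += [o for o in words.pop(0).split(",") if o]
    rule["proto"] = words.pop(0)
    if rule["proto"] not in PROTOCOLS:         # 'all' is not allowed here
        raise ValueError("bad protocol in rule: %r" % line)
    while words:                               # description: key/value pairs
        key, val = words.pop(0), words.pop(0)
        if key in ("type", "port", "srcport"):
            rule["match"][key] = parse_number(val, icmp=(key == "type"))
        elif key in ("from", "to"):
            rule["match"][key] = parse_host(val, wildcards_ok=(key == "from"))
        else:
            raise ValueError("unexpected %r in rule: %r" % (key, line))
    return rule

def parse_config(text):
    """Split the file into {keyword: [args, ...]} settings and a rule list."""
    settings, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()    # '#' starts a comment
        if line and line[0] in ("log", "ignore"):
            rules.append(parse_rule(" ".join(line)))
        elif line:                             # any other keyword: global setting
            settings.setdefault(line[0], []).append(line[1:])
    return settings, rules

def rule_matches(rule, pkt):
    """pkt: proto, src, dst, sport/dport (tcp, udp) or type (icmp), and
    src_name/dst_name when address resolution has supplied host names."""
    if pkt["proto"] != rule["proto"]:
        return False
    for key, want in rule["match"].items():
        if key in ("from", "to"):              # host clause: network or glob
            end = "src" if key == "from" else "dst"
            ok = (ipaddress.ip_address(pkt[end]) in want[1] if want[0] == "net"
                  else fnmatch.fnmatchcase((pkt.get(end + "_name") or "").lower(), want[1]))
        else:                                  # type / port / srcport range
            got = pkt[{"port": "dport", "srcport": "sport"}.get(key, key)]
            ok = want[0] <= got <= want[1]
        if not ok:
            return False
    return True

def matching_rules(rules, pkt):
    # Matches in file order; how ippl itself orders rules is not modelled.
    return [r for r in rules if rule_matches(r, pkt)]
```

Feed a real ippl.conf to parse_config to see which rules a packet would hit before deploying it; a name-based from clause only matches when the packet carries a resolved src_name, which mirrors the fact that such rules depend on address resolution and are slower than address-based ones.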
.SH FILES
__CONFIGURATION_FILE - configuration file
/usr/share/doc/ippl/* - files worth reading if you still have a question
.SH SEE ALSO
ippl(8)
.SH AUTHORS
Hugo Haas (hugo@larve.net)
Etienne Bernard (eb@via.ecp.fr)