Bug#339025: ITP: sancp -- network security tool designed to collect statistical information from network traffic
Owner: Lars Bahner <firstname.lastname@example.org>
* Package name : sancp
Version : 1.6.1
Upstream Author : John Curry [ john dot curry at metre dot net ]
* URL : http://www.metre.net/sancp.html
* License : QPL
Description : network security tool designed to collect statistical information from network traffic
I am querying upstream for a new license.
This is a network security tool designed to collect statistical
information regarding network traffic, as well as collect the
traffic itself in pcap format, all for the purpose of auditing,
historical analysis, and network activity discovery. Rules can
be used to distinguish normal from abnormal traffic and support
tagging connections with a rule id, node id, and status id.
From an intrusion detection standpoint, every connection is an
event that must be validated through some means. Sancp uses rules
to identify, record, and tag traffic of interest. 'Tagging' a
connection is a new feature since v1.4.0. Connections ('stats')
can be loaded into a database for further analysis.
Sancp rules control three types of logging for a connection: pcap,
stats, and realtime. 'pcap' refers to packet data collected on the
connection in tcpdump format; 'stats' refers to a single-line
summary of an entire connection once it is 'closed'; 'realtime' is
a snapshot of 'stats' based on the initial packet, for immediate
reporting. Both 'stats' and 'realtime' contain a number of fields
used for recording packet statistics, TCP flags, p0f data, and
other vitals about how the connection was handled.
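The description above covers the model (per-connection tracking, rule matching at the first packet, a 'realtime' snapshot, a 'stats' summary at close, and tagging with rule/node/status ids) without showing it in action. The following is an added example written for this report, not sancp's own code, its rule syntax, or its stats file layout: the rule fields, the record keys, the status values ("open", "closed", "timeout"), the node id and the sample packets are all assumptions made for illustration.

```python
"""Connection tracking with rule tagging, realtime snapshots and close-time stats.

Illustrative example only: the Rule fields, record layout and status values are
assumptions, not sancp's configuration language or output format.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Rule:
    rule_id: int
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    log: FrozenSet[str]      # subset of {"pcap", "stats", "realtime"}


@dataclass
class Connection:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    stop: float
    rule_id: int
    log: FrozenSet[str]
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0
    src_flags: Set[str] = field(default_factory=set)  # cumulative TCP flag letters from initiator
    dst_flags: Set[str] = field(default_factory=set)  # cumulative TCP flag letters from responder


# Hypothetical rule set: first match wins; the last rule is the catch-all default.
RULES = [
    Rule(1, "tcp", 22, frozenset({"pcap", "stats", "realtime"})),
    Rule(2, "udp", None, frozenset({"stats"})),
    Rule(0, "any", None, frozenset({"stats"})),
]

# Constructed sample traffic (not a real capture):
# (timestamp, proto, src, sport, dst, dport, ip_length, tcp_flag_letters)
SAMPLE_PACKETS = [
    (1000.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, 60, "S"),
    (1000.1, "tcp", "192.0.2.10", 22, "10.0.0.5", 40000, 60, "SA"),
    (1000.2, "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, 52, "A"),
    (1000.5, "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, 1500, "PA"),
    (1001.0, "udp", "10.0.0.7", 5353, "224.0.0.251", 5353, 120, ""),
    (1003.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 22, 52, "FA"),
    (1003.1, "tcp", "192.0.2.10", 22, "10.0.0.5", 40000, 52, "FA"),
]


class Tracker:
    def __init__(self, rules: List[Rule], node_id: int = 1):
        self.rules = rules
        self.node_id = node_id                       # hypothetical sensor identifier
        self.active: Dict[Tuple, Connection] = {}
        self.realtime: List[dict] = []               # emitted at a connection's first packet
        self.stats: List[dict] = []                  # emitted when a connection closes
        self.pcap: Set[Tuple] = set()                # connections whose packets would go to pcap

    @staticmethod
    def key(proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple:
        # Direction-independent key so both halves of a conversation share one connection.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def match(self, proto: str, dport: int) -> Optional[Rule]:
        for r in self.rules:
            if r.proto in ("any", proto) and r.dst_port in (None, dport):
                return r
        return None

    def record(self, conn: Connection, status: str) -> dict:
        return {
            "node_id": self.node_id, "rule_id": conn.rule_id, "status": status,
            "start": conn.start, "stop": conn.stop,
            "duration": round(conn.stop - conn.start, 3),
            "proto": conn.proto, "src": conn.src, "sport": conn.sport,
            "dst": conn.dst, "dport": conn.dport,
            "src_pkts": conn.src_pkts, "src_bytes": conn.src_bytes,
            "dst_pkts": conn.dst_pkts, "dst_bytes": conn.dst_bytes,
            "src_flags": "".join(sorted(conn.src_flags)),
            "dst_flags": "".join(sorted(conn.dst_flags)),
        }

    def feed(self, ts, proto, src, sport, dst, dport, length, flags) -> None:
        k = self.key(proto, src, sport, dst, dport)
        conn = self.active.get(k)
        is_new = conn is None
        if is_new:
            rule = self.match(proto, dport)
            rule_id, log = (rule.rule_id, rule.log) if rule else (-1, frozenset())
            conn = Connection(proto, src, sport, dst, dport, ts, ts, rule_id, log)
            self.active[k] = conn
            if "pcap" in log:
                self.pcap.add(k)
        # Attribute the packet to the side that sent it and accumulate statistics.
        conn.stop = max(conn.stop, ts)
        if (src, sport) == (conn.src, conn.sport):
            conn.src_pkts, conn.src_bytes = conn.src_pkts + 1, conn.src_bytes + length
            conn.src_flags.update(flags)
        else:
            conn.dst_pkts, conn.dst_bytes = conn.dst_pkts + 1, conn.dst_bytes + length
            conn.dst_flags.update(flags)
        if is_new and "realtime" in conn.log:
            self.realtime.append(self.record(conn, "open"))  # snapshot from the initial packet
        # TCP closes on RST, or once both sides have sent FIN; UDP only closes on flush.
        if proto == "tcp" and ("R" in flags or ("F" in conn.src_flags and "F" in conn.dst_flags)):
            self.close(k, "closed")

    def close(self, k: Tuple, status: str) -> None:
        conn = self.active.pop(k)
        if "stats" in conn.log:
            self.stats.append(self.record(conn, status))

    def flush(self) -> None:
        # Expire everything still open (e.g. at shutdown or on an idle timeout).
        for k in list(self.active):
            self.close(k, "timeout")


def run(packets=SAMPLE_PACKETS, rules=RULES) -> Tracker:
    t = Tracker(rules)
    for pkt in packets:
        t.feed(*pkt)
    t.flush()
    return t


if __name__ == "__main__":
    t = run()
    for rec in t.realtime + t.stats:
        print(rec)
```

Two points the example makes concrete: the realtime record is taken after the first packet has been counted, so it already carries that packet's flags and size, and a UDP conversation never closes on its own, so its stats line only appears when the tracker flushes.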