Requirements:

gcc/g++ compiler
Libpcap: www.tcpdump.org   http://www.tcpdump.org/release/libpcap-0.8.3.tar.gz

Download the latest tar file (version 1.6.1) [beta]:
[ fix bug with compiling on BSD (introduced in 1.6.0), increased counters to 64bit ]
http://sancp.sourceforge.net/sancp-1.6.1.tar.gz (md5)

Two patches released: patches.README Download from: here

Purpose:
This is a network security tool designed to collect statistical information
regarding network traffic, as well as, collect the traffic itself in pcap
format, all for the purpose of: auditing, historical analysis, and network
activity discovery. Rules can be used to distinguish normal from abnormal
traffic and support tagging connections with: rule id, node id, and status id.
From an intrusion detection standpoint, every connection is an event that
must be validated through some means. Sancp uses rules to identify, record,
and tag traffic of interest. 'Tagging' a connection is a new feature since v1.4.0
Connections ('stats') can be loaded into a database for further analysis.

Sancp rules control three types of logging for a connection: pcap, stats, and realtime
'pcap' refers to packet data collected on the connection in tcpdump format,
'stats' refers to a single line summary of an entire connection once it is 'closed'
'realtime' is a snapshot of 'stats' based on the initial packet, for immediate reporting
Both 'stats' and 'realtime' contain a number of fields used for recording
packet statistics, TCP flags, p0f data, and other vitals about how we handle the connection


Nov 15, 2005 - uploaded current release and patches to http://sancp.sourceforge.net


Nov 14, 2005 - two patches released see: http://sancp.sourceforge.net/patches.README



Nov 1, 2004 - version 1.6.1
Fixed compile problem with BSD (struct ether_addr in net/ethernet.h )
problem introduced in version 1.6.0 with addition of src_mac and dst_mac
-reported by Bamm and Rich

Fixed bug in sample init.d/sancpd startup script
-reported on #snort-gui

Increased counters from 32bit to 64bit values:
src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, and climit

New to v1.6.0 (Sep 13, 2004)

Fixed major bug with reading from a pcap file using -r option affecting
how packets are decoded.
symptom: munged tcp/ip header values in stats and realtime output when
reading from a pcap file
New default output fields added: src_mac and dst_mac; see columns 49 and 50
Updated doc/fields.LIST


New to v1.5.7 (Sep 2, 2004)

Disabled (additional) logging of realtimes to console, use -K to re-enable this 'feature.'
Added forking -D (daemon) mode and suppresses -K, if enabled

New to v1.5.6 - (May 26, 2004)

Resolved permission error when using options -u and -g to change the effective UID and GID.
error msg: "Unable to read from interface any (socket: Operation not permitted)"

New to v1.5.5 - (May 6, 2004)

Increased byte and packet counters to 64bit values, rather than 32 bit
Database tables supporting these as 32bit values should be changed to support 64bit values.
The statistical output fields affected by this change are:
src_pkts
dst_pkts
src_bytes
dst_bytes
climit
collected

New to v1.5.4 - (May 5, 2004)
Bug fixes:
Increased byte and packet counters to 32bit, rather than 16bit
Fixed incorrect behavior of -R ('no realtimes') command line switch

New to v1.5.3 -
Fixed bugs with -v and pcapfilter options, and examples in contrib/sancp.conf
fixes default values for tcp option 'wscale'

New to v1.5.2 -
Added 'default use_pcap_time=enable|disable' option to use pcap header timestamps rather than the
system time to determine when flush_interval has transpired (i.e. for offline batch processing)
Corrected mysql schema output field types to reflect proper field sizes int1, int2, int4, int8, char(1), etc...
Multi-line rule support (use '\' immediately preceding a line feed)
Bug fixes with new configuration options (expire_interval and flush_interval) (incorrect data size)

New to v1.5.1 -
default flush_interval , default burst_mode enable|disable allow for a timer
to be specified to write stats data to file and to close the file after writing, respectively
Supports --schemas option to print mysql table schema for current stats and realtime output format(s)

New to v 1.5.0
Allows custom 'format' (field layout) to be specified for stats and realtime output
Added rgid and zone fields for rules
FileHandle bug-fixes

New to v1.4.0 -
Rules support three new output log fields; 'status', 'node', 'rid'.
Include these in your rules to tag connections with information specific to the profile
rule that it matches on.
'rid' set the rule identification number field for a connection summary
'status' set the initial status field for a connection summary
'node' set the node field for a connection summary
Rules can be written for all ethernet protocols (bare minimum support for non IP/TCP/UDP)
'any' is the only symbolic name supported in rules. it represents all possible values.
Rules require all other symbolic names to be defined as using VAR before they can be used
i.e. var ip 8
Vars can be created for all rule fields (eth_proto src_ip dst_ip ip_proto src_port dst_port)
i.e. var http 80
var home_net 192.168.1.0/24
var tcp 6
Use kill -USR1 to view complete running configuration with rule counters
(The configuration is rebuilt from scratch, using any 'vars' currently defined)
Fixed a couple of bugs with 'abandoned' filehandles and 'insufficient' filehandles

Other Features include:
 *  BPF filters are supported
 *  'p0F' information is also recorded from initial two packets of TCP connections
 *  Culmulative TCP session flags are recorded throughout the duration of a connection
 *  'stats' and 'realtime' logs are in pipe-delimited format
 *  'pcap' logs contain packets in tcpdump format
 *  The config file can be (re)read by sancp while running; kill -HUP
 *  'retro' keyword forces a rule to be applied to 'ongoing' connections, useful with -HUP
 *  Output files have timestamps, kill -HUP also causes a new set of files to be opened
 *  Optimized for handling large amounts of traffic with minimal drag
 *  Provides support for dealing with dropped packets, typical to blame for causing 'reversed' connections

This tool can read from a pcap file. Use it to split-up one pcap data file into multiple files based on a set of rules.

View the README for more information about features and usage.

Download previous beta releases: (historical -unpatched- archive)
http://www.metre.net/files/sancp-1.6.0.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.7.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.6.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.5.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.4.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.3.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.1.tar.gz (md5)
http://www.metre.net/files/sancp-1.5.0.tar.gz (md5)
http://www.metre.net/files/sancp.1.2.tgz (md5)
http://www.metre.net/files/sancp-1.2.1.tar.gz (md5)
http://www.metre.net/files/sancp-1.3.0.tar.gz (md5)
http://www.metre.net/files/sancp-1.3.1.tar.gz (md5)

Download the Test BSD Port (for version 1.2.1)
[This is has not been updated since 1.2.1]
http://www.metre.net/files/sancp-port-1.2.1.tar.gz (md5)



Let me know if you find any problems.
Thanks, jlc

Author: John Curry [ john dot curry at metre dot net ]      This code is distributed under the QPL LICENSE