# Ruleset to watch response for mice and elephants
#
# Nevil Brownlee, Tue 29 Aug 00
#
# NeTraMet-style ruleset: the 'define' lines name constants and netblocks,
# the 'if ... save/ignore/store' rules decide which packets become flows
# and what is recorded for them, and 'format' lists the attributes the
# reader writes out. The original file was collapsed onto two lines; '#'
# is a comment-to-end-of-line marker, so line breaks have been restored
# here with no other change to the rule text.

# Packet-pair (PP_*) test codes. None of the rules below reference these
# names directly; the trailing "PP_NO_TEST" remarks on the distribution
# specs suggest the 0 in "50.0.0!0" is this value, but that is inferred
# from the comments, not shown by the rules -- confirm against the
# meter's distribution-spec documentation.
define PP_NO_TEST = 0;  # Don't build streams
define PP_ICMP_ECHO = 1;
define PP_OTHER = 7;  # Build streams, don't try to match packets
define PP_UDP_DNS = 11;
define PP_TCP = 192;  # 0xC0 plus low-order bits as follows ..
define PP_OK_SYNACK = 1;  # ->SYN, <-SYN+ACK pairs
define PP_OK_SYNRST = 2;  # ->SYN, <-SYN+RST pairs
define PP_OK_MULTI = 8;  # ->DATA, <-ACK for more than one packet
define PP_OK_SINGLE = 16;  # ->DATA, <-ACK 'lone' packet
define PP_OK_INGROUP = 32;  # ->DATA, <-ACK single packet in a group

# Netblocks. Only the three in SOURCE_NETS below actually drive the rules;
# the rest are kept for the commented-out "all netblocks" variant.
define UCSD_SUB = 132.239/16;  # 'Asymmetric' netblocks ..
define UCSD_EXTRN = 137.110/16;
define UCSD_CERF = 199.105.0/18;
define CAIDA = 192.172.226/24;
define SDSC_APOLLO = 192.31.21/24;
define SDSCNET_CBLK = 198.202.64/18;  # Salk Institute

define UCSD = 128.54/16;  # 'Symmetric' netblocks ..
define MPL106 = 192.135.237/24;
define MPL4 = 192.135.238/24;
define SDSC2 = 132.249/16;
define SCRIPPSNET_BIG = 137.131/16;  # Scripps Research Institute
define HYPERNET = 153.105/16;  # Dimension Systems, Poway
define NET_NSI = 198.133.185/24;  # Neurosciences institute
define SDSCFDDIDMZ = 198.17.46/24;

define UCSD_NETS = UCSD, UCSD_SUB, UCSD_EXTRN, MPL106, MPL4, UCSD_CERF;
define SDSC_NETS = SDSC2, SCRIPPSNET_BIG, HYPERNET, SDSC_APOLLO, CAIDA, SDSCFDDIDMZ, SDSCNET_CBLK, NET_NSI;

# SOURCE_NETS is the "inside" of the meter: flows are only counted when
# their source address is in this list (see the rules below). Changing it
# changes which traffic is visible at all, so keep it in step with the
# address space the meter is actually placed in front of.
#define SOURCE_NETS = UCSD_NETS, SDSC_NETS;  # All the netblocks
define SOURCE_NETS =  # For UCSD ('university') meter
   UCSD_SUB,  # 132.239/16
   UCSD_EXTRN,  # 137.110/16
   UCSD_CERF;  # 199.105.0/18

define WWW = 80;  # www port number

optimise 3;

# Only IPv4 is metered; everything else is dropped before any counting.
if SourcePeerType == IPv4 save;
else ignore;

# Transport filter and the base FlowKind classification:
#   1 = UDP, 2 = TCP (refined to 3/4/5 for web traffic below).
# Non-TCP/UDP protocols (ICMP etc.) are ignored, so they never appear in
# the flow data this ruleset produces -- a reader looking for scanning or
# tunnelling over other protocols will not find it here.
if SourceTransType == TCP save, store FlowKind := 2;
else if SourceTransType == UDP save, store FlowKind := 1;
else ignore;

if SourcePeerAddress == (SOURCE_NETS) {  # To means 'away from SOURCE'
   # Traffic that stays inside SOURCE_NETS is deliberately not metered;
   # the original author notes that keeping it could make the meter's
   # flow direction ambiguous (either end could match as "source").
   if DestPeerAddress == (SOURCE_NETS)  # Internal UCSD flow
      ignore;  # Can cause ambiguous flows in meter!
   # Web classification for TCP, keyed on port 80 at either end:
   #   5 = both ends on 80, 3 = remote end on 80, 4 = local end on 80.
   # A non-web TCP flow keeps FlowKind 2 from above.
   if SourceTransType == TCP {
      if SourceTransAddress == WWW && DestTransAddress == WWW
         store FlowKind := 5;  # Shouldn't happen
      else if DestTransAddress == WWW
         store FlowKind := 3;  # Web server outside UCSD
      else if SourceTransAddress == WWW
         store FlowKind := 4;  # Web server inside UCSD
      }
   # Distribution attributes. The "N.a.b!c & x.y.z!w" form is the meter's
   # distribution spec; the author's trailing remarks give the intended
   # reading (bucket count, PP test, log scale, value range) but the exact
   # field meaning is not shown by this file -- confirm against the meter
   # documentation before changing any of these numbers.
   save ToFlowOctets = 50.0.0!0 & 2.2.1!1000;  # 100..100k B
   # NOTE(review): this is spelt "FromFlowoctets" here but "FromFlowOctets"
   # in the format line below; whether attribute names are case-sensitive
   # is not visible from this file -- confirm the meter accepts both, or
   # that this line is really being applied.
   save FromFlowoctets = 50.0.0!0 & 2.2.1!1000;  # 100..100k B
      # 50 buckets, PP_NO_TEST, log
#   save ToFlowPDUs = 50.0.0!0 & 2.0.1!500;  # 1..500 packets
#   save FromFlowPDUs = 50.0.0!0 & 2.0.1!500;  # 1..500 packets
#      # 50 buckets, PP_NO_TEST, log
   save FlowTime = 50.0.0!0 & 2.4.1!12000;  # 10 ms .. 120 s
      # 50 buckets, PP_NO_TEST, log
   count;
   }

set flow_test_u1;

# Output record layout for the reader. The quoted strings are literal
# separators; the three distribution attributes are bracketed so their
# multi-valued output is easy to pick out of a line.
format FlowRuleSet FlowIndex FirstTime
   SourcePeerType SourceTransType " "
   FlowKind FlowClass " "
   ToPDUs FromPDUs " "
   ToOctets FromOctets " ("
   ToFlowOctets ") (" FromFlowOctets ") (" FlowTime ")";