Sophie


sancp-1.6.1-1mdv2007.1.x86_64.rpm

Description:

This is a network security tool designed to collect statistical
information regarding network traffic, as well as to collect the traffic
itself in pcap format, all for the purpose of auditing, historical
analysis, and network activity discovery. Rules can be used to
distinguish normal from abnormal traffic and support tagging
connections with a rule id, node id, and status id. From an intrusion
detection standpoint, every connection is an event that must be
validated through some means. Sancp uses rules to identify, record, and
tag traffic of interest. 'Tagging' a connection is a new feature since
v1.4.0. Connections ('stats') can be loaded into a database for further
analysis.

Sancp rules control three types of logging for a connection: pcap,
stats, and realtime. 'pcap' refers to packet data collected on the
connection in tcpdump format. 'stats' refers to a single-line summary
of an entire connection once it is 'closed'. 'realtime' is a snapshot of
'stats' based on the initial packet, for immediate reporting. Both
'stats' and 'realtime' contain a number of fields used for recording
packet statistics, TCP flags, p0f data, and other vitals about how we
handle the connection.
