Cisco ACL monitoring

Craig Merchant cmerchant at responsys.com
Thu Jan 10 20:43:28 EST 2013


I don’t think the PIX/ASA or the IOS ACL formats have changed dramatically in 10 years, though the newer versions of the ASA may have expanded the ability to use objects and object groups in ACLs.

The ASA command is here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

The IOS extended and standard commands are here:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

Do you know which syntax is supported by the command?

Thx.

Craig

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Thursday, January 10, 2013 4:43 PM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Cisco ACL monitoring

Hey Craig,
rapolicy() hasn't changed in 10 years, so if there is a new syntax, it won't support it, but we can and should add that support, no problem. If you have pointers for the syntax, I'll take a look.

The way it works, very basically, is that flows are compared to the ACL list, and if there is a match / violation, then it will print out the record. The comparisons are a bit complicated to account for some of the extended rules, like completion. The rule that applies should (at least based on memory/intent) be added as a label, or it can be printed, if memory serves. The -v option reverses the logic.

If that doesn't jive, definitely send email !!!!

Carter

On Jan 10, 2013, at 6:22 PM, Craig Merchant <cmerchant at responsys.com> wrote:
Does the feature in Argus that can monitor traffic against a Cisco ACL support IOS ACLs (standard or extended) or PIX/ASA ACLs?  The formats are slightly different.

If a flow violates an ACL, how does Argus alert on that?

Thx.

C
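
The comparison discussed in this thread, as a simplified added example (it is not rapolicy's code and not part of the original messages): flows are checked against ACL lines with first-match-wins and the implicit deny, and the `wildcard` switch shows why the IOS/ASA syntax question matters, since IOS writes wildcard masks where the ASA writes netmasks. The rule lines, the flow records and all function names are constructed for illustration; the parser assumes IPv4, no source-port operator, and only a numeric `eq` destination port.

```python
import ipaddress

def _addr(tok, wildcard):
    """Pop one address spec from tok; return (network, care_mask) as ints."""
    kind = tok.pop(0)
    if kind == "any":
        return 0, 0
    if kind == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0xFFFFFFFF
    net, mask = (int(ipaddress.IPv4Address(x)) for x in (kind, tok.pop(0)))
    if wildcard:                    # IOS wildcard mask: 1-bits mean "don't care"
        mask ^= 0xFFFFFFFF
    return net & mask, mask

def parse_rule(line, wildcard=True):
    """access-list <id> [extended] permit|deny <proto> <src> <dst> [eq <port>]"""
    tok = line.split()[2:]
    if tok[0] == "extended":
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok, wildcard), _addr(tok, wildcard)
    port = int(tok[1]) if tok[:1] == ["eq"] else None    # numeric ports only
    return {"line": line, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}

def _inside(ip, spec):
    return (int(ipaddress.IPv4Address(ip)) & spec[1]) == spec[0]

def evaluate(flow, rules):
    """First matching rule wins; a flow matching nothing hits the implicit deny."""
    for r in rules:
        if (r["proto"] in ("ip", flow["proto"]) and _inside(flow["saddr"], r["src"])
                and _inside(flow["daddr"], r["dst"])
                and r["port"] in (None, flow["dport"])):
            return r["action"], r["line"]
    return "deny", "implicit deny"

def violations(flows, rules):
    """Return (flow, rule label) for every flow the ACL denies."""
    return [(f, lbl) for f in flows for act, lbl in [evaluate(f, rules)] if act == "deny"]

# Constructed sample: one policy in IOS (wildcard) and ASA (netmask) form.
IOS_LINE = "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443"
ASA_LINE = "access-list OUT extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443"
FLOWS = [{"proto": "tcp", "saddr": "10.1.1.7", "daddr": "192.0.2.10", "dport": 443},
         {"proto": "tcp", "saddr": "10.1.2.7", "daddr": "192.0.2.10", "dport": 443},
         {"proto": "udp", "saddr": "10.1.1.7", "daddr": "192.0.2.10", "dport": 53}]
for flow, label in violations(FLOWS, [parse_rule(IOS_LINE)]):
    print(label, flow)
```

Reading the IOS line with `wildcard=False` makes the permitted flow fall through to the implicit deny, which is the kind of silent mismatch a tool gets when it is fed the other platform's mask convention.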