Cisco ACL monitoring

Dave Edelman dedelman at iname.com
Fri Jan 11 04:47:29 EST 2013 

If you stick to the IOS numbered ACLs in the range 1-99  source, wildcard (possibly a comparison to a port)

Or 100-199 with source and destination as above it works. It doesn’t support named ACLs, line numbering, comments.

 

--Dave

 

 

From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Craig Merchant
Sent: Thursday, January 10, 2013 8:43 PM
To: Carter Bullard
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Cisco ACL monitoring

 

I don’t think the PIX/ASA or the IOS ACL formats have changed dramatically in 10 years, though the newer versions of the ASA may have expanded the ability to use objects and object groups in ACLs.

 

The ASA command is here:

 

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

 

The IOS extended and standard commands are here:

 

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

 

Do you know which syntax is supported by the command?

Thx.


Craig 

 

From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Thursday, January 10, 2013 4:43 PM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Cisco ACL monitoring

 

Hey Craig,

rapolicy() hasn't changed in 10 years, so If there is a new syntax, it won't support it, but we can and should add that support, no problem.   If you have pointers for the syntax, I'll take a look.

 

The way it works, very basically, is that flows are compared to the ACL list, and if there is a match / violation, then it will print out the record.  The comparisons are a bit complicated to account for some of the extended rules, like completion.The rule that applies should (at least based on memory/intent) be added as a label, or it can be printed, if memory serves.  The -v option reverses the logic.

 

If that doesn't jive, definately send email !!!!

 

Carter


On Jan 10, 2013, at 6:22 PM, Craig Merchant <cmerchant at responsys.com> wrote:

Does the feature in Argus that can monitor traffic against a Cisco ACL support IOS ACLs (standard or extended) or PIX/ASA ACLs?  The formats are slightly different.

 

If a flow violates an ACL, how does Argus alert on that?

Thx.


C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130111/b2513296/attachment.html>

More information about the argus mailing list