Cisco ACL monitoring

Carter Bullard carter at qosient.com
Fri Jan 11 10:50:45 EST 2013


Hey Guys,
Named ACLs, line numbering, comments, that doesn't sound like it would be too hard.

If someone provides a config that would be a minimum capabilities config, then I can update rapolicy().

Also, if there are other companies' ACLs that people would like to add,
that would be great too.  Juniper anyone?

Carter

On Jan 11, 2013, at 4:47 AM, Dave Edelman <dedelman at iname.com> wrote:

> If you stick to the IOS numbered ACLs in the range 1-99 (source, wildcard, possibly a comparison to a port)
> or 100-199 with source and destination as above it works. It doesn’t support named ACLs, line numbering, comments.
>  
> --Dave
>  
>  
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of Craig Merchant
> Sent: Thursday, January 10, 2013 8:43 PM
> To: Carter Bullard
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Cisco ACL monitoring
>  
> I don’t think the PIX/ASA or the IOS ACL formats have changed dramatically in 10 years, though the newer versions of the ASA may have expanded the ability to use objects and object groups in ACLs.
>  
> The ASA command is here:
>  
> http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450
>  
> The IOS extended and standard commands are here:
>  
> http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C
>  
> Do you know which syntax is supported by the command?
> 
> Thx.
> 
> Craig
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Thursday, January 10, 2013 4:43 PM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Cisco ACL monitoring
>  
> Hey Craig,
> rapolicy() hasn't changed in 10 years, so if there is a new syntax, it won't support it, but we can and should add that support, no problem.   If you have pointers for the syntax, I'll take a look.
>  
> The way it works, very basically, is that flows are compared to the ACL list, and if there is a match / violation, then it will print out the record.  The comparisons are a bit complicated to account for some of the extended rules, like completion. The rule that applies should (at least based on memory/intent) be added as a label, or it can be printed, if memory serves.  The -v option reverses the logic.
>  
> If that doesn't jive, definitely send email !!!!
>  
> Carter
> 
> On Jan 10, 2013, at 6:22 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> Does the feature in Argus that can monitor traffic against a Cisco ACL support IOS ACLs (standard or extended) or PIX/ASA ACLs?  The formats are slightly different.
>  
> If a flow violates an ACL, how does Argus alert on that?
> 
> Thx.
> 
> C

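The following is an added example, not Argus code and not Carter's rapolicy() implementation: it shows the kind of flow-versus-ACL comparison the thread describes, restricted to the IOS numbered ACL subset Dave says is supported (standard 1-99 with source and wildcard, extended 100-199 with source, destination and an optional port comparison). The ACL lines and flow records are constructed for the example; the choice to treat "violation" as a flow the ACL would deny (with an invert flag playing the role of -v) is an assumption, as is the first-match / implicit-deny evaluation borrowed from IOS. Named ACLs, remarks, `range`, `established` and other extended keywords are deliberately rejected rather than silently ignored.

```python
"""Match flow records against Cisco IOS numbered ACLs (1-99 standard, 100-199
extended).  Added illustration, not Argus/rapolicy() code.  Address specs
supported: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD'; port operators eq/neq/gt/lt
on source and/or destination.  Anything else raises ValueError."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL = 0xFFFFFFFF                 # wildcard 255.255.255.255, i.e. 'any'
PORT_OPS = ("eq", "neq", "gt", "lt")
PortSpec = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Flow:                      # one flow record (constructed sample data below)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: int
    src_wild: int
    sport: PortSpec
    dst: int
    dst_wild: int
    dport: PortSpec
    text: str                    # original line, used as the label


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at tok[i]; return (address, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _port_op(tok: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(tok) and tok[i] in PORT_OPS:
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i


def parse_line(line: str) -> AclEntry:
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported access-list line: %r" % line)
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99:
        # Standard ACL: source only; a bare address with no wildcard is a host.
        if tok[3] in ("any", "host") or len(tok) > 4:
            src, wild, i = _addr(tok, 3)
        else:
            src, wild, i = _ip(tok[3]), 0, 4
        entry = AclEntry(number, action, "ip", src, wild, None, 0, ALL, None, line)
    elif 100 <= number <= 199:
        src, swild, i = _addr(tok, 4)
        sport, i = _port_op(tok, i)
        dst, dwild, i = _addr(tok, i)
        dport, i = _port_op(tok, i)
        entry = AclEntry(number, action, tok[3], src, swild, sport, dst, dwild, dport, line)
    else:
        raise ValueError("only numbered ACLs 1-99 and 100-199 are supported")
    if i != len(tok):            # e.g. 'range', 'established', 'log': refuse, don't guess
        raise ValueError("unsupported keywords %r in %r" % (tok[i:], line))
    return entry


def load_acls(text: str) -> Dict[int, List[AclEntry]]:
    acls: Dict[int, List[AclEntry]] = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("!"):
            e = parse_line(raw)
            acls.setdefault(e.number, []).append(e)
    return acls


def _addr_ok(ip: int, net: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care": compare only the zero bits.
    return ((ip ^ net) & ~wild & ALL) == 0


def _port_ok(port: int, spec: PortSpec) -> bool:
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "neq": port != val, "gt": port > val, "lt": port < val}[op]


def first_match(entries: List[AclEntry], f: Flow) -> Optional[AclEntry]:
    """IOS first-match semantics; None stands for the implicit deny at the end."""
    for e in entries:
        if e.proto in ("ip", f.proto) and _addr_ok(_ip(f.src), e.src, e.src_wild) \
                and _addr_ok(_ip(f.dst), e.dst, e.dst_wild) \
                and _port_ok(f.sport, e.sport) and _port_ok(f.dport, e.dport):
            return e
    return None


def policy_violations(entries: List[AclEntry], flows: List[Flow], invert: bool = False):
    """(flow, label) for flows the ACL denies; invert=True lists the permitted ones instead."""
    out = []
    for f in flows:
        e = first_match(entries, f)
        if (e is None or e.action == "deny") != invert:
            out.append((f, e.text if e else "implicit deny"))
    return out


# Constructed sample ACL and flows for the example.
SAMPLE_ACL = """
! standard: who may talk at all
access-list 10 permit 10.0.0.0 0.255.255.255
! extended: only HTTPS from 10.1.0.0/16 to the web host
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443
access-list 101 deny ip any any
"""
FLOWS = [
    Flow("tcp", "10.1.2.3", 51000, "192.0.2.10", 443),
    Flow("tcp", "10.1.2.3", 51001, "192.0.2.10", 22),
    Flow("udp", "10.1.2.3", 53, "192.0.2.10", 53),
]

if __name__ == "__main__":
    acls = load_acls(SAMPLE_ACL)
    for flow, label in policy_violations(acls[101], FLOWS):
        print("VIOLATION", flow, "<-", label)
```

Running it reports the SSH and DNS flows as violations of ACL 101, each labelled with the ACL line that denied it; `policy_violations(..., invert=True)` lists the one permitted HTTPS flow instead.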