Cisco ACL monitoring

Dave Edelman dedelman at iname.com
Fri Jan 11 12:35:24 EST 2013


Carter, I can provide the material off-line

--Dave

From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Friday, January 11, 2013 10:51 AM
To: Dave Edelman
Cc: 'Craig Merchant'; 'Argus'
Subject: Re: [ARGUS] Cisco ACL monitoring

Hey Guys,

Named ACLs, line numbering, comments, that doesn't sound like it would be
too hard.

If someone provides a config that would be a minimum capabilities config,
then I can update rapolicy().

Also, if there are other companies' ACLs that people would like to add,
that would be great too.  Juniper anyone?

Carter

On Jan 11, 2013, at 4:47 AM, Dave Edelman <dedelman at iname.com> wrote:

If you stick to the IOS numbered ACLs in the range 1-99 (source, wildcard,
possibly a comparison to a port) or 100-199 with source and destination as
above, it works. It doesn't support named ACLs, line numbering, comments.

--Dave

From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Craig Merchant
Sent: Thursday, January 10, 2013 8:43 PM
To: Carter Bullard
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Cisco ACL monitoring

I don't think the PIX/ASA or the IOS ACL formats have changed dramatically
in 10 years, though the newer versions of the ASA may have expanded the
ability to use objects and object groups in ACLs.

The ASA command is here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

The IOS extended and standard commands are here:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

Do you know which syntax is supported by the command?

Thx.

Craig

From: Carter Bullard [mailto:carter at qosient.com]
Sent: Thursday, January 10, 2013 4:43 PM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Cisco ACL monitoring

Hey Craig,

rapolicy() hasn't changed in 10 years, so if there is a new syntax, it won't
support it, but we can and should add that support, no problem.  If you
have pointers for the syntax, I'll take a look.

The way it works, very basically, is that flows are compared to the ACL
list, and if there is a match / violation, then it will print out the
record.  The comparisons are a bit complicated to account for some of the
extended rules, like completion.  The rule that applies should (at least based
on memory/intent) be added as a label, or it can be printed, if memory
serves.  The -v option reverses the logic.

If that doesn't jive, definitely send email !!!!

Carter

On Jan 10, 2013, at 6:22 PM, Craig Merchant <cmerchant at responsys.com> wrote:

Does the feature in Argus that can monitor traffic against a Cisco ACL
support IOS ACLs (standard or extended) or PIX/ASA ACLs?  The formats are
slightly different.

If a flow violates an ACL, how does Argus alert on that?

Thx.

C
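The two technical points in this thread, as an added example that is not Argus code: Dave's note that rapolicy() handles only IOS numbered ACLs (1-99 source/wildcard, 100-199 source and destination, with an optional port comparison), and Carter's description of flows being checked against the list with a match/violation printed and -v reversing the logic. The sample ACL, the rule tuple layout and the `reverse` flag are constructed here to model that behaviour, not taken from rapolicy itself.

```python
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: a standard numbered ACL (1-99, source + wildcard only) and an
# extended one (100-199, protocol, source, destination, optional 'eq port').
SAMPLE_ACL = """
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 22
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
"""

def parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any' or 'A WILDCARD'; return (net, next)."""
    if tok[i] == "any":
        return ANY, i + 1
    wild = int(ipaddress.IPv4Address(tok[i + 1]))   # wildcard = inverted netmask
    if wild & (wild + 1):                            # bit_length() only valid if contiguous
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported")
    return ipaddress.ip_network(f"{tok[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def parse_acl(text):
    """Return rules as (number, action, proto, src_net, dst_net, dport) in file order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or not tok[1].isdigit():
            raise ValueError(f"unsupported line (named ACL, remark, ...): {line}")
        num, action = int(tok[1]), tok[2]
        if not 1 <= num <= 199:
            raise ValueError(f"ACL {num} is outside the numbered ranges 1-99 / 100-199")
        if num <= 99:                          # standard: source only, any protocol
            src, _ = parse_addr(tok, 3)
            rules.append((num, action, "ip", src, ANY, None))
        else:                                  # extended: proto src dst [eq port]
            src, i = parse_addr(tok, 4)
            dst, i = parse_addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            rules.append((num, action, tok[3], src, dst, port))
    return rules

def check_flow(rules, acl, proto, saddr, daddr, dport=None, reverse=False):
    """First match wins, implicit deny at the end; returns (report, matched_rule)."""
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    for rule in rules:
        num, action, rproto, src, dst, rport = rule
        if (num == acl and rproto in ("ip", proto) and s in src and d in dst
                and (rport is None or rport == dport)):
            return (action == "permit" if reverse else action == "deny"), rule  # -v flips
    return (not reverse), None                  # no rule matched: implicit deny
```

A flow reported as True is a violation of the named ACL (a deny hit or the implicit deny); with `reverse=True` the same call reports permitted matches instead.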
