 |
|
| |
radtool(1) |
FreeBSD General Commands Manual (axa) |
radtool(1) |
radtool — Realtime
Anomaly Detector (RAD) tool
[-dhINV ] [-c
cfile] [-n
config] [-E
ciphers] [-F
fields] [commands]
radtool connects and sends Advanced
Exchange Access (AXA) protocol messages to Realtime Anomaly Detector (RAD)
servers and displays the responses. It can also tunnel SIE data like
radtunnel(1).
radtool is a programming example for the
Advanced Exchange Access (AXA) applications programming interface to RAD
servers, the AXA protocol. It also demonstrates the use of the AXA helper
library, libaxa.a.
Start using radtool with the
connect command described below. Use one or more
anomaly commands to specify interesting patterns of
SIE messages or IP packets. Limit the number of packets or messages
transmitted from the SRA server or displayed with the rate
limit and count commands.
Unless more output is enabled with the
verbose command, most messages or packets are
displayed in two lines. The first line includes the channel number on which
it was received, the SIE message vendor of the message, the name of the
field that caused the message to be selected, and the contents of the field.
The second line is a summary of the message or packet.
When more verbose output is enabled or when
radtool does not understand the message, IP packets
are printed in ASCII and SIE messages are printed in the standard
nmsg presentation format also seen from
nmsgtool(1).
The following arguments are available:
-c
cfile
- reads commands from cfile as if the first command
string on the command line were "source
cfile".
-d
- turns on tracing and debugging reports. Additional
-d turn on more messages.
-E
ciphers
- specifies the TLS encryption ciphers to use with apikey connections.
-I
- enables insecure mode for apikey authentication. When enabled, client
connections will not be performed via TLS.
-n
config
- overrides the default location of the config file
that contains AXA client configuration data. Details are below. The
default is ~/.axa/config.
-F
fields
- overrides the default location of the fields file
that defines relationships among and semantics among SIE message fields.
The default is $AXACONF/fields,
~/.axa/fields, or
/usr/local/etc/axa/fields.
-h
- display options summary.
-N
- instructs
radtool to not display a command line
prompt.
-V
- displays the version of
radtool and its preferred
version of the AXA protocol.
- commands
- are optional commands strings that are executed before
radtool starts accepting commands from the use.
There can be more than one string of commands. Multiple commands within a
string are separated by semicolons.
radtool executes commands read from the
standard input. Command history is available if the standard input is a
terminal. Multiple commands can be specified at once by separating them with
semicolons. The following commands are available:
accounting
- Tell the server to report counts of packets seen, missed, sent, and
lost.
alias
- List the available connection aliases (culled from the axa client config
file).
buffer
- Toggle NMSG output buffering. By default, this is enabled, which buffers
network writes until the container is full. If disabled, NMSG payloads are
emitted as quickly as possible.
ciphers
[cipher-list]
- set the list of ciphers for the next TLS connection or show the current
contents of the list.
connect
[AraliasSmon|Arapikey:Ar<apikey>@Arhost,portSmon|Artcp:OoAruser@OcArhost,portSmon|Arunix:OoAruser@OcAr/ud/socketSmon]
- By itself
connect shows the current
connection.Otherwise connect to the specified RAD server.
alias: use a connection alias specified
in the AXA config file (see FILES).
apikey: identify and authenticate the
user via a Farsight Security provided apikey.
tcp: identify the user for clear text
communication via the TCP/IP host,port pair.
unix: identify the user for
communication over a local UNIX domain socket.
count [N|off]
- sets terminal output to stop displaying packets after anumber of packets
(including immediately with a number of 0),show the currently remaining
count,or turn off the packet count limit.
debug [on|off|quiet|N]
- increases, decreases or shows the level of debugging and tracing
messagesthat is also controlled
by
-d .Debug quiet turns
off reports of successful AXA commands.
disconnect
- disconnects from the RAD server.
errormode [disconnect|off]
- disconnects from the RAD server and exitswhen the server reports an error
or the connection breaks.In the default modeerror mode
off,errors are only reported.
exit
- Ends the program.
go
- Tell the RAD server to resume sending
data.
radtool .
help [command]
- lists all commands or describes a single command.
mode [SRA|RAD]
- Show the current command mode orexpect to connect to an SRA or RAD
server.The default command mode is set by the name of the program.
nop
- sends a command to the server that does nothing but test the
connection.
forward
- Start, stop or show the state of forwarding packets received from the
server.Received NMSG messages and IP packets can be forwarded as NMSG
messages toa TCP or UDP port.Received IP packets can be forwarded as a
pcap stream to a file,to a FIFO created with separately
withmkfifo(1),or
in Ethernet frames on a named network interface to a 48-bit address.
nmsg: [tcp: |udp: ]host,port
Op Ar count
- sends nmsg messages to the UDP or optional TCP host name and port
number host,port. UDP is the default. IP packets
are converted to NMSG messages.
nmsg:file: path Op Ar
count
- sends binary nmsg messages to the file named
path. IP packets are converted to nmsg
messages.
nmsg:file_json: path Op
Ar count
- sends nmsg newline-delimited json blobs to the file named
path. Note that newline-delimited json outputs
can incur a slight performance penalty versus binary nmsg outputs for
"high-velocity" outputs. This is because the underlying nmsg
json output object is unbuffered and results a filesystem write for
every forwarded nmsg.
pcap [-fifo ]:path
Op Ar count
- sends IP packets to a file or FIFO named path
for examination with
tcpdump(1)
or another packet tracing tool. An ordinary file is the default. Only
IP packets but not nmsg messages are sent.
pcap-if: [dst/]ifname
Op Ar count
- transmits IP packets on the network interface named
ifname for examination with
tcpdump(1)
or another packet tracing tool. dst optionally
specifies a destination 48-bit Ethernet address other than all
0:0:0:0:0:0 default. This output usually requires that
radtool be run by root. Only IP packets but
not nmsg messages are sent.
If count is present, forwarding stops
after that many packets.
pause
- Tell the RAD server to stop sending data.
rate
limit [[-|MAX|per-sec]
[-|NEVER|report-secs]]
- Tell the RAD server to report its per-second packet rate limit or set the
rate limit and the minimum interval between rate limit reports. Hits in
excess of the rate limit are discarded by the server.
radd
- Change to RAD mode.
sample
[X%]
- Get and optionally set the percentage of hits that the RAD servers
sends.
sleep
x.y
- Do nothing for x.y seconds.
source
filename
- reads and executes commands from a file.
srad
- Change to SRA mode.
status
- Show information about the current connection state including time
connected.
trace
N
- Set the server trace level to N.
user
name
- sends a username to the server.
verbose
[on | off | N]
- controls the length of SIE message and IP packet descriptions. The
default, verbose off, generally displays one line
summaries.
version
- displays the version of
radtool and its version of
the AXA protocol.
window
[bufsize]
- Get and optionally set the TCP output buffer size or maximum send window
used by the server.
zlib
- Toggle NMSG zlib container compression.
- [tag]
delete
[anomaly [all]]
- With a tag (numeric label), stop or delete the specified anomaly. Without
a tag (or with the keyword "all"), delete all anomalies.
- [tag]
stop
[anomaly [all]]
- Synonym for the
delete command.
- tag
watch
{ip=IP[/N][(shared) |
dns=[*.]dom[(shared)]}
- Specify IP addresses or domain names relevant to the anomaly detection
modules specified by subsequent
anomaly commands
with the same tag. The optional [(shared)] suffix
marks IP addresses or domains that are not exclusively used by the RAD
client.
-
- ip=IP[/n]
- The IPv4 or IPv6 address IP specifies a host
address unless a prefix length is specified.
-
- dns=[*.]dom
- watches for the domain anywhere in the IP packets or SIE messages on
the enabled channels. A wild card watches for occurrences of the
domain and all sub-domains.
- tag
anomaly
name [parameters]
- Start the named anomaly detector module. The relevant domains and IP
addresses are specified by preceding
watch
commands with the same tag. The parameters for each module are described
it its man page. Tag is a number that labels the
module and the relevant watches as well as other modules using the same
watches.
- [tag]
list
- If a tag is present, list the set of watches and anomaly detection modules
with that tag. Without a tag, list all active as well as available anomaly
detection modules.
- [tag]
get
- Synonym for the
list command.
runits
- Ask the server to report user's current RAD Units balances.
- fields
- defines relationships among and meanings of SIE message fields. Its
contents should rarely if ever need to be changed.
- ~/.axa/config
- contains AXA client configuration data. Currently supported are connection
aliases that provide the user with a facility to create shortcut mnemonics
to specify the RAD server connection string. For example:
$ cat ~/.axa/config
# RAD
alias:rad-apikey=apikey:<elided>@example.com,1012
If the user wanted to connect to RAD, she would only have to
remember "rad-apikey" and could do:
$ radtool
sra> connect rad-apikey
This config file is shared for
radtool , sratool, sratunnel, and radtunnel.
Because this file can contain sensitive information such as apikeys, it
must not be readable or writeable to anybody other than
"owner" or sratool will not load.
- ~/.sratool_history
- contains the command history from previous
radtool
and/or sratool invocations
If set, AXACONF specifies the AXA configuration directory instead
of, ~/.axa or
/usr/local/etc/axa.
Visit the GSP FreeBSD Man Page Interface. Output converted with ManDoc.
|