RAPOLICY(1) General Commands Manual RAPOLICY(1)

rapolicy - compare an argus(8) data file/stream against a Cisco Access
Control List.

rapolicy -r argus-file [raoptions] [-- filter-expression]

Rapolicy reads argus data from an argus-file list, and tests the argus
data stream against a Cisco access control list configuration file.
Rapolicy can do many things as defined by its configuration file. The
configuration file is not optional and the example below is well
commented. The ACL file is specified in the configuration file.

Rapolicy, like all ra based clients, supports a large number of
options. Options that have specific meaning to rapolicy are:

-f <rapolicy configuration file> defines the actions of the client.
-D 3 Print the output of the state event machine.

See ra(1) for a complete description of ra options.

rapolicy -f rapolicy.conf -r argus.file

Rapolicy handles both standard and extended, numbered and named Cisco
Access Control Lists.

This example is provided as an example only.


#
# Argus Software
# Copyright (c) 2000-2016 QoSient, LLC
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#
# Example rapolicy.conf
#
# Rapolicy, like most ra* programs, can read a program specific
# configuration file. This is an example configuration for rapolicy()
# that provides the opportunity to modify the default behavior of
# parsing a Cisco ACL definition, and reporting on flows that match
# aspects of the policy defined by the ACL.
#
# This file is read by rapolicy() from the command line using the
# " -f rapolicy.conf " option.
#
# RA_POLICY_DUMP_POLICY is a debugging aid. If it is set to yes, then rapolicy() will read
# and parse the ACL file and output an English language description of the actions associated
# with each ACL entry. After outputting the explanation, rapolicy will exit.

RA_POLICY_DUMP_POLICY="yes"

# The rapolicy client parses a Cisco IOS ACL and constructs a filter which is used
# to permit or deny flows. Under normal circumstances the packets meeting the
# criteria for a permit rule are output by the client. There are circumstances where
# it is useful to see the flows that are dropped. RA_POLICY_SHOW_WHICH can be set
# to a value of "deny" in these cases.

RA_POLICY_SHOW_WHICH="permit"

# Under normal operating conditions, only the flow records that match a permit
# or a deny rule (depending on the value of RA_POLICY_SHOW_WHICH) are output. In
# some instances, like baselining the actions of an ACL, the goal is to have a fully
# labeled set of flows regardless of the ACL's permit or deny determination. In these
# instances, a value of yes for RA_POLICY_JUST_LABEL will allow the full processing of
# the flows and will label them according to the settings of the label flags, but all of
# the flows handled by the ACL will be output.

RA_POLICY_JUST_LABEL="no"

# A Cisco IP ACL normally has no impact on non-IP traffic, e.g. ARP, DDCMP, Slotted-Aloha.
# RA_POLICY_PERMIT_OTHERS can be set to "yes" for the normal behavior or "no" to block
# non-IP traffic.

RA_POLICY_PERMIT_OTHERS="yes"


# The rapolicy client can add a label to a flow indicating the action (permit, deny,
# or implictDeny), the ACL name or number, and the line within the ACL that caused the
# action.
#
# If RA_POLICY_LABEL_LOG is set to "yes", labels will be added to flows matching ACL
# entries that have a log qualifier.

RA_POLICY_LABEL_LOG="no"

# If RA_POLICY_LABEL_ALL is set to "yes", regardless of the value of RA_POLICY_LABEL_LOG,
# any flow that matches an ACL entry will be labeled.

RA_POLICY_LABEL_ALL="no"

# Every Cisco IOS ACL has an implicit deny as its last entry. Flows that do not match any
# ACL entry are usually dropped silently. RA_POLICY_LABEL_IMPLICIT will label flows that
# are dropped by the implicit deny rule. Under normal circumstances, these flows are not
# labeled. The values of RA_POLICY_LABEL_ALL and RA_POLICY_LABEL_LOG do not govern the
# labeling of these flows.

RA_POLICY_LABEL_IMPLICIT="no"

# The ACL is contained in a standard ASCII text file which is identified by the value of
# RA_POLICY_ACL_FILE. Since rapolicy is not designed to be a syntax checker, it is a
# good idea to create the ACL on a Cisco device and take the output of show running
# (or the appropriate equivalent command) as the input ACL for rapolicy().
# The policy file should be defined as the last item in the rapolicy.conf file
# or there may be unexpected side effects.

RA_POLICY_ACL_FILE="/tmp/ACL03.txt"

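The following is an added example, not part of the rapolicy distribution: it writes a baselining configuration (every flow output and labeled, including implicit denies) and checks the two requirements stated above, that RA_POLICY_ACL_FILE is the last setting and names a readable file. The ACL entries, the documentation-range addresses, the file names and the function names are constructed for illustration; only the configuration keys come from this page.

```shell
#!/bin/sh
# Added example: constructed ACL and baselining config for rapolicy.
# File names, ACL entries and function names are assumptions.

# Write a constructed extended ACL. Flows matching no entry fall through
# to the implicit deny, which RA_POLICY_LABEL_IMPLICIT makes visible.
write_acl() {   # $1 = ACL path
    cat > "$1" <<'EOF'
access-list 102 permit tcp any host 192.0.2.10 eq 443
access-list 102 deny tcp any any eq 23 log
access-list 102 permit udp 198.51.100.0 0.0.0.255 any eq 53
EOF
}

# Write a baselining config: label every flow and output all of them.
write_conf() {   # $1 = conf path, $2 = ACL path
    cat > "$1" <<EOF
RA_POLICY_DUMP_POLICY="no"
RA_POLICY_SHOW_WHICH="permit"
RA_POLICY_JUST_LABEL="yes"
RA_POLICY_PERMIT_OTHERS="yes"
RA_POLICY_LABEL_LOG="no"
RA_POLICY_LABEL_ALL="yes"
RA_POLICY_LABEL_IMPLICIT="yes"
RA_POLICY_ACL_FILE="$2"
EOF
}

# Pre-flight check: RA_POLICY_ACL_FILE must be the last setting and must
# name a readable file. Returns 0 if both hold, 1 otherwise.
check_conf() {   # $1 = conf path
    last=$(grep -E '^[[:space:]]*RA_POLICY_[A-Z_]+=' "$1" | tail -n 1)
    case "$last" in
        *RA_POLICY_ACL_FILE=*) ;;
        *) echo "RA_POLICY_ACL_FILE is not the last setting" >&2; return 1 ;;
    esac
    acl=$(printf '%s\n' "$last" | sed 's/^[^=]*=//; s/^"//; s/"[[:space:]]*$//')
    [ -r "$acl" ] || { echo "ACL file not readable: $acl" >&2; return 1; }
}

# Usage (assumes rapolicy is installed and argus.file exists):
#   write_acl ./ACL102.txt && write_conf ./rapolicy.conf ./ACL102.txt
#   check_conf ./rapolicy.conf && rapolicy -f ./rapolicy.conf -r argus.file
```
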

Copyright (c) 2000-2016 QoSient. All rights reserved.

Carter Bullard (carter@qosient.com).
David Edelman (dwedelman@acm.org)

ra(1), rarc(5), argus(8)

rapolicy 3.0.8 09 July 2013 RAPOLICY(1)