radtunnel(1) FreeBSD General Commands Manual (axa) radtunnel(1)

NAME
radtunnel - Realtime Anomaly Detection (RAD) Tunnel

SYNOPSIS
radtunnel [-dhOptVz] -a anomaly -o out-addr -s RAD-server -w watch
[-A interval] [-C count] [-E ciphers] [-i interval] -m sampling-rate [-n config-file] [-P pidfile] [-r rate-limit] [-S certs]

DESCRIPTION
Radtunnel transfers selected Security Information Exchange (SIE) data from Real-time Anomaly Detector (RAD) servers to the local network. The connection to the server is created, and re-established after problems, with binary exponential delays between retries.

Radtunnel is a tool for tunneling SIE data using the Advanced Exchange Access (AXA) protocol. It also demonstrates the use of the AXA helper library, libaxa.a.

OPTIONS
The following arguments are available:

-A interval
specifies the accounting interval. Every interval seconds an accounting request will be made to the server and the results will be emitted to stdout. When specifying this mode, you also need to specify -d at the command line.

-a anomaly [parameters]
specifies the RAD anomaly detection module and its parameters. There must be at least one -a in RAD mode.

-C count
stops radtunnel after count SIE messages and raw IP packets.

-d
enables debugging reports or increases them after the first -d.

-E ciphers
specifies a list of ciphers for TLS connections.

-h
displays an options summary.

-i interval
enables timestamp indexing every interval nmsgs. This mode writes to a pre-existing (or creates an) lmdb-backed key-value store of nmsg timestamp/file offset pairs. The keys are the epoch portion of the nmsg timestamp to which the offsets refer. It is intended to be used as a hints file to speed subsequent cherry-picking of nmsgs from the nmsg data file it backs. It is most useful when the corresponding nmsg data file is anticipated to grow large.

This mode may only be used with nmsg file-based outputs and, because radtunnel needs to know when filesystem writes have occurred, it must be run in unbuffered mode ( -u ). If you specify the append option ( -p ), it is assumed you are continuing a previous session, so you must also specify a previously created nmsg file which must also have a corresponding previously created timestamp index mdb file.

It will always write an index for the first nmsg and every interval nmsgs thereafter.

-m sampling-rate
specifies the sampling rate. Sets the percentage (between 0.1 and 100.0) that the RAD server will send.

-n config-file
specifies the location of the AXA client configuration file.

-O
enables a spinning bar output indicator on stdout.

-o out-addr
specifies the destination of the SIE data. It can be forwarded as NMSG messages to a UDP or TCP port or as raw IP packets to a file, FIFO, or network interface.

nmsg:[tcp:|udp:]host,port
sends NMSG messages to the UDP or optional TCP host name and port number host,port. UDP is the default. IP packets are converted to NMSG messages.

nmsg:file:path
sends NMSG messages to the file named path. IP packets are converted to NMSG messages.

nmsg:file_json:path
sends NMSG json blobs to the file named path.

pcap[-fifo]:path
sends IP packets to a file or FIFO named path for examination with tcpdump(1) or another packet tracing tool. An ordinary file is the default. Only IP packets, not NMSG messages, are sent.

pcap-if:[dst/]ifname
transmits IP packets on the network interface named ifname for examination with tcpdump(1) or another packet tracing tool. dst optionally specifies a destination 48-bit Ethernet address other than the all-zero 0:0:0:0:0:0 default. This output usually requires that radtunnel be run by root. Only IP packets, not NMSG messages, are sent.

-P pidfile
will result in the current PID being written to pidfile. The file will be deleted upon program exit.

-p
appends output to the specified file (only valid for nmsg file-based outputs).

-r rate-limit
tells the server to send at most rate-limit SIE messages and raw IP packets per second.

-S certs
overrides the default directory containing SSL certificates and keys. Its default is /usr/local/etc/axa/certs.

-s server
specifies the server that is the source of the SIE data. The server can be specified with any of the following:

alias
Connect to a server using an alias shortcut mnemonic (see the FILES section for more information).

apikey:<users_apikey>@host,port
Identify and authenticate the user via a Farsight Security provided apikey. The connection will be encrypted using the same TLS semantics as the tls transport below.

ssh:[user@]host
The server will be contacted using the ssh protocol. These connections usually use default ssh ssh_config(1) files to specify the required public keys and optionally the fully qualified host name and user names associated with the public key. Use -dddd to diagnose ssh connection problems.

tcp:user@host,port
The connection will be made with the host name or IP address and port number using clear text over TCP/IP.

unix:user@/ud/socket
This connection uses a UNIX domain socket connected to a local server.

tls:cert,key@host,port
Use the TLS protocol with the certificate in the cert file and the private key in the key file. If not absolute, the files are in the -S certs directory.

-t
enables tracing reports on the server or increases them after the first -t.

-V
displays the version of radtunnel and its preferred version of the AXA protocol.

-w watch
There must be at least one -w with a RAD watch to specify the interesting SIE messages or dark channel IP packets. The optional [(shared)] suffix marks IP addresses or domains that are not exclusively used by the RAD client.

ip=IP[/n]
The IPv4 or IPv6 address IP specifies a host address unless a prefix length is specified.

dns=[*.]dom
watches for the domain anywhere in the IP packets or SIE messages on the channels selected with -c. A wild card watches for occurrences of the domain and all sub-domains.

In addition, (shared) can be appended to IP and file ... dns watches to indicate addresses or domains that are not used exclusively.

-z
enables NMSG zlib container compression.

EXAMPLES
The following connects to a RAD server at example.com, loads the Brand Sentry module looking for the brand "farsight", and sends all anomaly hit NMSGs to the local UDP port 8000 on 127.0.0.1:
radtunnel -s apikey:<yourapikey>@example.com,1012 -o nmsg:127.1,8000 \
	-w dns=*. -a brand_sentry brand=farsight

FILES
certs
is the directory set with -S that contains TLS certificate and key files.
~/.axa/config
is a required file that contains AXA client configuration data. Currently supported are connection aliases that provide the user with a facility to create shortcut mnemonics to specify the RAD server connection string. For example:
$ cat ~/.axa/config
# RAD
alias:rad-apikey=apikey:<yourapikey>@example.com,1012

If the user wanted to connect to RAD, she would only have to remember "rad-apikey" and could do:
$ radtunnel -s rad-apikey ...

This config file is shared by radtunnel, sratunnel, radtool, and sratool. Because this file can contain sensitive information such as apikeys, it must not be readable or writable by anybody other than its owner, or radtunnel will not load it.

~/.ssh/config
is the ssh_config(5) configuration file used with -s ssh:... connections. "Host" stanzas in the file can simplify connections to AXA servers.
foo.mdb
is an lmdb key-value store containing nmsg timestamp/file offset pairs (a "tsindex" file). See the -i option for details.
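As an added example (not part of the radtunnel man page or the axa tools), the following POSIX shell functions write a ~/.axa/config-style file with a RAD alias, enforce the owner-only permission rule stated above, and resolve an alias name to its connection string the way -s alias does; the server name and apikey are placeholders.

```shell
#!/bin/sh
# Added example (not from the radtunnel man page): create the AXA client
# config with a RAD connection alias and enforce the rule the man page
# states: the file must be private to its owner or it is not loaded.
# Server name and apikey below are placeholders, not real credentials.

# Succeed only if the group and other permission bits of $1 are all clear.
axa_config_private() {
    f=$1
    [ -f "$f" ] || return 1
    # Columns 5-10 of `ls -ld` output are the group/other rwx bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Write a config containing one alias; fails if the result is not private.
write_axa_config() {
    f=$1
    # umask in a subshell so a new file is 0600 whatever the caller's umask.
    (umask 077; cat > "$f" <<'EOF'
# RAD
alias:rad-apikey=apikey:<yourapikey>@example.com,1012
EOF
    )
    chmod 600 "$f"      # also tighten a pre-existing, too-open file
    axa_config_private "$f"
}

# Resolve an alias name to its connection string, refusing an exposed
# config file the way radtunnel refuses to load one.
axa_alias_lookup() {
    f=$1
    name=$2
    axa_config_private "$f" || return 1
    sed -n "s/^alias:$name=//p" "$f" | head -n 1
}

# Usage:
#   write_axa_config "$HOME/.axa/config"
#   axa_alias_lookup "$HOME/.axa/config" rad-apikey
```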

ENVIRONMENT
If set, AXACONF specifies the AXA configuration directory instead of the default, ~/.axa or /usr/local/etc/axa.

On operating systems that support SIGINFO (including BSDish systems like FreeBSD and macOS), the user can type "ctrl-t" at the command line during a running radtunnel process and get information about the session. For example:
^Trad connected, sent 4 messages, received 176 messages, 176 hits

Note that by default, an additional line of information is printed by the kernel (system load and process information):
^Tload: 1.39  cmd: radtunnel 7060 running 0.06u 0.00s
rad connected, sent 4 messages, received 304 messages, 304 hits

This can be disabled via: stty nokerninfo. Example:
$ radtunnel -A 10 -d -s rad-apikey...
connecting to rad-apikey...
^Tload: 1.39  cmd: radtunnel 7060 running 0.06u 0.00s
rad connected, sent 4 messages, received 304 messages, 304 hits
^C
$ stty nokerninfo
$ radtunnel -A 10 -d -s rad-apikey...
connecting to rad-apikey...
^Trad connected, sent 4 messages, received 176 messages, 176 hits
^Trad connected, sent 4 messages, received 416 messages, 416 hits

SEE ALSO
sratunnel(1), sratool(1), radtool(1), mkfifo(1), and nmsgtool(1).
May 14, 2022 FreeBSD 13.1-RELEASE
