The command line clients will be implemented as expect scripts. Initially, Bro will use these scripts. Ultimately, Bro will use the C library interface and keep a connection open to the ACL blocker to save time.
Commands include a cookie (32-bit unsigned value). This cookie is included in response messages from the ACL blocker to allow clients to match return status with requests. The value zero (0) may be used if this feature is not needed.
Commands may be streamed without waiting for status.
Each command issued (eventually) results in a response, and responses may be returned out of order. Responses consist of a raw unix timestamp (seconds and microseconds since midnight, January 1, 1970), the cookie value and a status word. Responses can return multi-line text containing error messages, informational messages, comments or other text.
Response timestamps document when the requested action was taken. Note that some routers accept and commit an ACL change to configuration memory but must perform additional processing before the change actually takes effect.
Command and response lines that need to submit or return multi-line text end with a trailing dash ("-") character. Text is then read, stripping leading periods ("."), until a period on a line by itself is read.
When the ACL blocker first receives a connection from a client, it sends an initial message to let the client know it's ready for work. For example:
1024631441.934568 0 acld -
ready for action
.
As with the response to a regular client command, a timestamp is displayed. Since there is no cookie value to give back, zero is used.
Unknown commands (and other garbage) may not have comments and their cookies are ignored. Responses will always use a cookie value of zero and may include a comment indicating what the problem was. For example:
junk 554
1078353422.923969 0 unknown-failed -
unknown command "junk"
.
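As an added example (not part of acld or Bro), the following Python models the framing just described: a command line carrying a cookie and an optional dot-terminated text body, and a response reader that matches streamed, possibly out-of-order responses by cookie. The SAMPLE transcript is constructed from the examples above; the extra leading period on body lines that start with "." follows from the stripping rule.

```python
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional

@dataclass
class Response:
    timestamp: float        # seconds.microseconds since the Unix epoch
    cookie: int             # echoed from the request; 0 for greetings and garbage
    status: str             # e.g. "drop", "drop-failed", "unknown-failed"
    text: List[str] = field(default_factory=list)   # multi-line body, if any

def encode_command(name: str, cookie: int, args: List[str],
                   text: Optional[str] = None) -> str:
    """Build one command line plus an optional multi-line text body."""
    if not 0 <= cookie <= 0xFFFFFFFF:
        raise ValueError("cookie must be a 32-bit unsigned value")
    head = " ".join([name, str(cookie), *args])
    if text is None:
        return head + "\n"
    # A trailing "-" announces a body.  The reader strips one leading period
    # per line, so a body line that itself starts with "." is sent with one more.
    body = "".join(("." + ln if ln.startswith(".") else ln) + "\n"
                   for ln in text.splitlines())
    return head + " -\n" + body + ".\n"

def parse_responses(lines: Iterable[str]) -> Iterator[Response]:
    """Yield responses from a stream of lines (newlines already removed)."""
    it = iter(lines)
    for line in it:
        fields = line.split()
        if len(fields) < 3:
            continue                        # blank or truncated line
        resp = Response(float(fields[0]), int(fields[1]), fields[2])
        if fields[-1] == "-":
            for body in it:                 # read until a period by itself
                if body == ".":
                    break
                resp.text.append(body[1:] if body.startswith(".") else body)
        yield resp

def unanswered(sent_cookies: Iterable[int], lines: Iterable[str]) -> List[int]:
    outstanding = set(sent_cookies)         # responses may arrive out of order
    for resp in parse_responses(lines):
        outstanding.discard(resp.cookie)
    return sorted(outstanding)

# Constructed transcript assembled from the page's examples, responses out of order.
SAMPLE = ["1024631441.934568 0 acld -", "ready for action", ".",
          "1078353422.923969 0 unknown-failed -", 'unknown command "junk"', ".",
          "1273273238.702409 124 drop -", "sequence too large (65536 > 65535)", ".",
          "1273273238.702409 123 drop"]
```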
Command                                    Arguments
drop, restore, query                       cookie addr
                                           cookie addr/netwidth
                                           cookie addr netmask
blockhosthost, restorehosthost             cookie addr1 addr2
querywhitelist                             cookie addr
                                           cookie addr/netwidth
                                           cookie addr netmask
droptcpport, dropudpport,                  cookie port
restoretcpport, restoreudpport
droptcpdsthostport, dropudpdsthostport,    cookie addr port
permittcpdsthostport, permitudpdsthostport,
restoretcpdsthostport, restoreudpdsthostport,
unpermittcpdsthostport, unpermitudpdsthostport
addwhitelist, remwhitelist                 cookie addr
                                           cookie addr/netwidth
                                           cookie addr netmask
nullzero, nonullzero, querynullzero        cookie addr
                                           cookie addr/netwidth
                                           cookie addr netmask
filter, nofilter, queryfilter              cookie addr
compact, listacl                           cookie acl
prefix, noprefix                           cookie addr name
listprefix                                 cookie name
help, listroute, reload, state             cookie
This command is used to add a whitelist address or network.
The command accepts a comment allowing a client to document why the entry is being added.
The implementation will refuse to whitelist a network with a netmask width wider than /24.
The implementation will refuse to accept a netmask that is not contiguous and left justified.
Possible responses:
This command is used to block access by address pair.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
Here's an example blockhosthost command:
blockhosthost 409 198.137.240.92 128.3.91.113
The response might be:
1273687184.824553 409 blockhosthost -
11598 deny ip from 198.137.240.92 to 128.3.91.113 via em1 in
.
This command requests that the specified acl be compacted.
Note that compaction is only scheduled and completes at some future time.
Response:
This command is used to block access by address.
The command accepts a comment allowing a client to document why the block is being applied.
The implementation will refuse to block an address width smaller than /16.
The implementation will refuse to accept a netmask that is not contiguous and left justified.
It's unlikely daemon clients (e.g. Bro) will use the network netwidth capability.
Possible responses:
Here's an example drop command:
drop 123 198.137.240.92
The response might be:
1273273238.702409 123 drop
or:
1273273238.702409 123 drop -
sequence too large (65536 > 65535)
.
This command is used to block access by destination address and port.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
Here's an example droptcpdsthostport command:
droptcpdsthostport 1102 128.203.111.2 443 -
Rod disabling https until this server can be patched
.
The response might be:
1143084820.839264 1102 droptcpdsthostport
This command is used to block access by port.
The command accepts a comment allowing a client to document why the block is being applied.
Possible responses:
Here's an example droptcpport command:
droptcpport 4042322056 80 -
Rod disabling http until web servers can be patched
.
The response might be:
1143084820.839264 4042322056 droptcpport
This command returns a command summary.
Response:
This command is used to list the contents of the ACL.
Possible responses:
Here's an example listacl report:
1024631592.946718 107775 listacl -
1000 56 blockhost 194.117.194.120
1001 0 blockhost 207.45.69.69
1004 2 blockhost 202.96.113.20
1005 89 blocknet 64.154.61.0/24
1010 58 blockhost 210.233.49.116
1031 0 blockhost 212.139.3.131
1042 0 blockhost 212.139.3.132
1045 0 blockhost 209.61.194.83
1046 341 blockhost 192.102.234.119
1051 174 blockhost 128.218.182.205
1052 829 blockhost 193.251.23.218
.
The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet (or 0 if the router does not know).
If the blocked address is a network, its mask is displayed as a width (for example 64.154.61.0/24).
This command is used to add an address to the prefix list.
Possible responses:
Here's an example prefix command:
prefix 1612 212.139.7.141 WAF -
New webserver
.
The response might be:
1542590308.111427 1612 prefix
or:
1542590308.111427 1612 prefix -
212.139.7.141 is already a member of WAF
.
This command is used to remove an address from the prefix list.
Possible responses:
Here's an example noprefix command:
noprefix 1612 212.139.7.141 WAF -
Retire webserver
.
The response might be:
1542590308.111427 1612 noprefix
or:
1542590308.111427 1612 noprefix -
212.139.7.141 is not a member of WAF
.
This command is used to list the contents of a prefix list.
Possible responses:
Here's an example listprefix report:
1024631592.946718 107775 listprefix -
1031 0 blockhost 212.139.3.131
1042 0 blockhost 212.139.3.132
1045 0 blockhost 212.139.7.80
1045 0 blockhost 212.139.7.19
1045 0 blockhost 212.139.7.140
.
This command is used to list the routes.
Possible responses:
Here's an example listroute report:
1147222080.950994 903041 listroute -
D 0.0.0.0 172.16.100.1
D 172.16.111.0/24 172.16.100.2
D 172.16.112.0/24 172.16.100.2
D 172.16.113.0/24 172.16.100.2
I 172.16.114.0/24
I 172.16.115.0/24
I 172.16.116.0/24
S 172.16.116.128/23 172.16.116.90
N 172.16.116.54
N 172.16.116.54
D 172.16.117.0/24 172.16.100.4
D 172.16.118.0/24 172.16.100.4
D 172.16.119.0/24 172.16.100.4
.
First is a character that describes the route type:
S  Static
D  Dynamic
I  Interface
N  Null zero
Next is the destination address or network. Last is the optional gateway address or network.
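An added example (not acld's own code) that parses the listacl and listroute report bodies described above, given the body lines after the trailing "-" with leading periods already stripped and the final "." dropped. covering_entries is an added helper that applies the host/network widths the way a query lookup would; it is an assumption for illustration, not an acld function.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ROUTE_TYPES = {"S": "static", "D": "dynamic", "I": "interface", "N": "null zero"}

@dataclass
class AclEntry:
    seq: int                # sequence number, 0 if the router does not use them
    hits: int               # packets matched, 0 if the router does not know
    kind: str               # "blockhost", "blocknet", "permitany", ...
    target: Optional[str]   # address or network, None for e.g. permitany
    width: int              # prefix width; a lone host is shown without one (32)

def parse_listacl(body: List[str]) -> List[AclEntry]:
    """Parse listacl body lines: "<seq> <hits> <kind> [<addr>[/<width>]]"."""
    entries = []
    for line in body:
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed listacl line: {line!r}")
        target = fields[3] if len(fields) > 3 else None
        width = 32
        if target and "/" in target:                 # network shown as addr/width
            target, w = target.split("/", 1)
            width = int(w)
        entries.append(AclEntry(int(fields[0]), int(fields[1]), fields[2], target, width))
    return entries

def covering_entries(entries: List[AclEntry], addr: str) -> List[AclEntry]:
    """Entries whose host or network contains addr (what a query would report)."""
    ip = ipaddress.ip_address(addr)
    return [e for e in entries if e.target
            and ip in ipaddress.ip_network(f"{e.target}/{e.width}", strict=False)]

@dataclass
class Route:
    kind: str                # one of the ROUTE_TYPES values
    destination: str         # address or network
    gateway: Optional[str]   # absent for interface and null zero routes

def parse_listroute(body: List[str]) -> List[Route]:
    """Parse listroute body lines: "<S|D|I|N> <dest> [<gateway>]"."""
    routes = []
    for line in body:
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0] not in ROUTE_TYPES:
            raise ValueError(f"malformed listroute line: {line!r}")
        gateway = fields[2] if len(fields) == 3 else None
        routes.append(Route(ROUTE_TYPES[fields[0]], fields[1], gateway))
    return routes
```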
This command is used to remove a null zero route for a host.
The command accepts a comment allowing a client to document why the null zero route is being removed.
Possible responses:
This command is used to remove a filter block for an address.
The command accepts a comment allowing a client to document why the filter is being removed.
Possible responses:
Here's an example nofilter command:
nofilter 123 198.137.240.92
The response might be:
1273273238.702409 123 nofilter
or:
1273273238.702409 123 nofilter -
198.137.240.92 not found
.
This command is used to isolate a host by installing a null zero route for it.
The command accepts a comment allowing a client to document why the null zero route is being installed.
Possible responses:
Here's an example nullzero command:
nullzero 16711728 212.139.15.101 -
Infected with a virus
.
The response might be:
1143685680.182807 16711728 nullzero
or:
1143685680.182807 16711728 nullzero -
Note: There is already a null zero route for 212.139.15.101
.
This command is used to install an exception for a specific host and tcp port.
The command accepts a comment allowing a client to document why the acl is being installed.
Possible responses:
This command is used to filter block access by address.
The command accepts a comment allowing a client to document why the filter is being applied.
Possible responses:
Here's an example filter command:
filter 123 198.137.240.92 -
block port scanner
.
The response might be:
1273273238.702409 123 filter
or:
1273273238.702409 123 filter -
Note: 198.137.240.92 is already filtered
.
This command is used to determine if an address is blocked or not.
Possible responses:
Here's an example query report:
1024632280.869878 123401 query -
acl OUTSIDE
1002 45 blockhost 64.111.222.33
.
The first line documents which ACL the rule is in. The second line is the same as the listacl report would show.
This command is used to check for filter block membership by address.
Possible responses:
Here's an example queryfilter command:
queryfilter 123 198.137.240.98
The response might be:
1273273238.702409 123 queryfilter -
198.137.240.98
.
or:
1273273238.702409 123 queryfilter-failed -
131.243.2.202 not found
.
This command is used to check an address for membership on the null zero list.
Possible responses:
Here's an example querynullzero command:
querynullzero 123 198.137.240.98
The response might be:
1273273238.702409 123 querynullzero
or:
1273273238.702409 123 querynullzero -
Note: 198.137.240.98 is already nullzero routed
.
This command is used to determine if an address or network is on the whitelist.
Possible responses:
Here's an example querywhitelist report:
1208125354.869878 66580 querywhitelist -
172.16.192.177
.
This shows that the requested address is on the whitelist. If the specified address was whitelisted by a network rule, the network and mask would have been displayed.
This command requests that the daemon kill the expect child process, reload the daemon configuration file and restart the child process.
Note that as a side effect, all client connections are terminated.
Response:
This command is used to remove a whitelist address or network.
The command accepts a comment allowing a client to document why the entry is being removed.
Possible responses:
This command is used to unblock access by address.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
This command is used to remove a address pair block.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
This command is used to unblock access by port.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
This command is used to unblock access by port.
The command accepts a comment allowing a client to document why the block is being lifted.
Possible responses:
This command requests the ACL blocker to report on its current state.
Possible responses:
Here's an example state report:
1024631592.946718 107774 state -
# state loggedin
# version 0.2
# config "/usr/local/etc/acld.conf"
router "10.0.0.2"
expect "/usr/local/bin/expect"
script "cisco8500.expect"
whitelist "whitelist.txt"
port 1776
netsfac local1
sync_secs 86400
incrseq 1
seqrange 5000 65000
maxseq 7600
# lastseq for ACL LOCAL is 5495
# lastseq for ACL OUTSIDE is 46490
# acllen for ACL LOCAL is 56
# acllen for ACL OUTSIDE is 1973
# whitelistlen 369
acl LOCAL 128.3.0.0/16
acl OUTSIDE default
interface gigabitethernet 0/0 OUTSIDE
interface gigabitethernet 0/2 LOCAL
nullzeronet 128.3.0.0/16
nullzeronet 192.16.0.0/16
nullzeromax 8000
# nullzerolen is 15
.
The ACL blocker is using the expect script "cisco8500.expect" and ip address 10.0.0.2 to communicate with the router.
This command is used to remove an exception for a specific host and tcp port.
The command accepts a comment allowing a client to document why the acl is being removed.
Possible responses:
Command                                    Arguments
drop, restore                              addr acl seq
                                           addr/netwidth acl seq
blockhosthost, restorehosthost             addr1 addr2
droptcpport, dropudpport,                  port acl seq
restoretcpport, restoreudpport
droptcpdsthostport, dropudpdsthostport,    addr port acl seq
permittcpdsthostport, permitudpdsthostport,
restoretcpdsthostport, restoreudpdsthostport,
unpermittcpdsthostport, unpermitudpdsthostport
nonullzero, nullzero                       addr
                                           addr/netwidth
login                                      addr cuser cpass1 cpass2 euser epass1 epass2
listacl                                    acl interface
ayt, listroute, logout, sync               (none)
The following expect procedures must be defined before the ACL blocker can support a router:
This procedure is used to check if the router still responds to commands.
Possible return statuses:
This procedure is used to add a block for an ip address on an ACL.
This is implemented by these steps:
Possible return statuses:
This procedure is used to add a block on an ACL for an ip address pair.
This is implemented by these steps:
Possible return statuses:
This procedure is used to block a destination host port pair.
This is implemented by these steps:
Possible return statuses:
This procedure is used to add a block for a tcp or udp port on an ACL.
This is implemented by these steps:
Possible return statuses:
This procedure is used to list the contents of the ACL.
Possible return statuses:
Here's an example listacl report:
1542589369.384214 998 listacl -
10 12 blockhost 194.117.194.120
15 0 blockhost 207.45.69.69
20 2 blockhost 202.96.113.20
25 0 blocknet 64.154.61.0/24
30 58 blockhost 210.233.49.116
35 0 blockhost 212.139.3.131
40 0 blockhost 212.139.3.132
45 0 blockhost 209.61.194.83
50 341 blockhost 192.102.234.119
55 174 blockhost 128.218.182.205
60 829 blockhost 193.251.23.218
65535 0 permitany
.
The first number is the sequence number (or 0 if the router does not use sequence numbers). The second number is the count of how many times the ACL has matched a packet.
This procedure is used to list routes.
Possible return statuses:
Here's an example listroute report:
1542589401.194341 16 listroute -
D 0.0.0.0 172.16.100.1
D 172.16.111.0/24 172.16.100.2
D 172.16.112.0/24 172.16.100.2
D 172.16.113.0/24 172.16.100.2
I 172.16.114.0/24
I 172.16.115.0/24
I 172.16.116.0/24
S 172.16.116.128/23 172.16.116.90
N 172.16.116.54
N 172.16.116.54
D 172.16.117.0/24 172.16.100.4
D 172.16.118.0/24 172.16.100.4
D 172.16.119.0/24 172.16.100.4
.
See the listroute command for a description of the output format.
This procedure is used to login to the router. If the ACL blocker is not currently logged in, it will attempt to login. If it is already logged in, it will logout and then login again.
The login procedure uses two connect and two enable passwords. If the primary password fails, the backup password is tried. This allows router passwords to be changed without a window of vulnerability.
Note that using more than two passwords can make the expect scripts more complicated (e.g. Ciscos terminate the telnet connection after three connect password failures).
Possible return statuses:
This procedure is used to logout of the router.
The child process is killed and cleaned up after.
Possible return statuses:
This procedure is used to remove a null zero route for a host.
This is implemented by these steps:
Possible return statuses:
This procedure is used to isolate a host by installing a null zero route for it.
This is implemented by these steps:
Possible return statuses:
This procedure is used to install an exception for a specific host and tcp port in an ACL.
This is implemented by these steps:
Possible return statuses:
This procedure is used to remove a block for an ip address on an ACL.
This is implemented by these steps:
Possible return statuses:
This procedure is used to remove a block on an ACL for an ip address pair.
This is implemented by these steps:
Possible return statuses:
This procedure is used to remove a destination host port pair block.
This is implemented by these steps:
Possible return statuses:
This procedure is used to remove a block for a tcp or udp port in an ACL.
This is implemented by these steps:
Possible return statuses:
This procedure does whatever is necessary to save recent changes made to the router.
This is implemented by these steps:
Possible return statuses:
This procedure is used to remove an exception for a specific host and tcp port in an ACL.
This is implemented by these steps:
Possible return statuses: