Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
radtool(1)		    General Commands Manual		    radtool(1)

NAME
       radtool -- Realtime Anomaly Detector (RAD) tool

SYNOPSIS
       [-dhINV]	[-c cfile] [-n config] [-E ciphers] [-F	fields]	[commands]

DESCRIPTION
       radtool connects	and sends Advanced Exchange Access (AXA) protocol mes-
       sages  to  Realtime Anomaly Detector (RAD) servers and displays the re-
       sponses.	 It can	also tunnel SIE	data like radtunnel(1).

       radtool is a programming	example	for the	Advanced Exchange Access (AXA)
       applications programming	interface to RAD servers,  the	AXA  protocol.
       It also demonstrates the	use of the AXA helper library, libaxa.a.

       Start  using radtool with the connect command described below.  Use one
       or more anomaly commands	to specify interesting patterns	 of  SIE  mes-
       sages or	IP packets.  Limit the number of packets or messages transmit-
       ted from	the SRA	server or displayed with the rate limit	and count com-
       mands.

       Unless  more  output is enabled with the	verbose	command, most messages
       or packets are displayed	in two lines.  The  first  line	 includes  the
       channel	number on which	it was received, the SIE message vendor	of the
       message,	the name of the	field that caused the message to be  selected,
       and  the	 contents  of  the field.  The second line is a	summary	of the
       message or packet.

       When more verbose output	is enabled or when radtool does	not understand
       the message, IP packets are printed  in	ASCII  and  SIE	 messages  are
       printed	in  the	 standard  nmsg	 presentation  format  also  seen from
       nmsgtool(1).

   OPTIONS
       The following arguments are available:

       -c cfile
	    reads commands from	cfile as if the	first command  string  on  the
	    command line were "source cfile".

       -d   turns  on  tracing	and  debugging reports.	 Additional -d turn on
	    more messages.

       -E ciphers
	    specifies the TLS encryption ciphers to use	 with  apikey  connec-
	    tions.

       -I   enables  insecure  mode  for  apikey authentication. When enabled,
	    client connections will not	be performed via TLS.

       -n config
	    overrides the default location of the config  file	that  contains
	    AXA	 client	configuration data. Details are	below.	The default is
	    ~/.axa/config.

       -F fields
	    overrides the default location of the fields file that defines re-
	    lationships	among and semantics among SIE message fields.  The de-
	    fault      is	$AXACONF/fields,       ~/.axa/fields,	    or
	    /usr/local/etc/axa/fields.

       -h   display options summary.

       -N   instructs radtool to not display a command line prompt.

       -V   displays  the  version of radtool and its preferred	version	of the
	    AXA	protocol.

       commands
	    are	optional commands strings that	are  executed  before  radtool
	    starts  accepting  commands	 from the use.	There can be more than
	    one	string of commands.  Multiple commands	within	a  string  are
	    separated by semicolons.

   COMMANDS
       radtool	executes  commands read	from the standard input.  Command his-
       tory is available if the	standard input is a terminal.	Multiple  com-
       mands can be specified at once by separating them with semicolons.  The
       following commands are available:

       accounting
	    Tell  the  server  to report counts	of packets seen, missed, sent,
	    and	lost.

       alias
	    List the available connection aliases (culled from the axa	client
	    config file).

       buffer
	    Toggle  NMSG  output buffering. By default,	this is	enabled, which
	    buffers network writes until the container is full.	 If  disabled,
	    NMSG payloads are emitted as quickly as possible.

       ciphers [cipher-list]
	    set	 the  list  of ciphers for the next TLS	connection or show the
	    current contents of	the list.

       connect [alias |	 apikey:<apikey>@host,port  |  tcp:[user@]host,port  |
	    unix:[user@]/ud/socket]
	    By itself connect shows the	current	connection.  Otherwise connect
	    to the specified RAD server.

	    alias:  use	 a  connection	alias specified	in the AXA config file
	    (see FILES).

	    apikey: identify and authenticate the user via a Farsight Security
	    provided apikey.

	    tcp: identify the user for clear text communication	via the	TCP/IP
	    host,port pair.

	    unix: identify the user for	communication over a local UNIX	domain
	    socket.

       count [N	| off]
	    sets terminal output to stop displaying packets after a number  of
	    packets  (including	immediately with a number of 0), show the cur-
	    rently remaining count, or turn off	the packet count limit.

       debug [on | off | quiet | N]
	    increases, decreases or shows the level of debugging  and  tracing
	    messages that is also controlled by	-d.  Debug quiet turns off re-
	    ports of successful	AXA commands.

       disconnect
	    disconnects	from the RAD server.

       error mode [disconnect |	off]
	    disconnects	 from the RAD server and exits when the	server reports
	    an error or	the connection breaks.	In the default mode error mode
	    off, errors	are only reported.

       exit
	    Ends the program.

       go   Tell the RAD server	to resume sending data.	 radtool.

       help [command]
	    lists all commands or describes a single command.

       mode [SRA | RAD]
	    Show the current command mode or expect to connect to  an  SRA  or
	    RAD	 server.   The	default	command	mode is	set by the name	of the
	    program.

       nop  sends a command to the server that does nothing but	test the  con-
	    nection.

       forward
	    Start,  stop or show the state of forwarding packets received from
	    the	server.	 Received NMSG messages	and IP	packets	 can  be  for-
	    warded as NMSG messages to a TCP or	UDP port.  Received IP packets
	    can	 be  forwarded	as  a pcap stream to a file, to	a FIFO created
	    with separately with mkfifo(1), or in Ethernet frames on  a	 named
	    network interface to a 48-bit address.

	    nmsg:[tcp:|udp:]host,port [count]
		  sends	nmsg messages to the UDP or optional TCP host name and
		  port	number host,port.  UDP is the default.	IP packets are
		  converted to NMSG messages.

	    nmsg:file:path [count]
		  sends	binary nmsg messages to	the file named path.  IP pack-
		  ets are converted to nmsg messages.

	    nmsg:file_json:path	[count]
		  sends	nmsg newline-delimited json blobs to  the  file	 named
		  path.	  Note that newline-delimited json outputs can incur a
		  slight performance penalty versus binary  nmsg  outputs  for
		  "high-velocity" outputs. This	is because the underlying nmsg
		  json	output	object	is unbuffered and results a filesystem
		  write	for every forwarded nmsg.

	    pcap[-fifo]:path [count]
		  sends	IP packets to a	file or	FIFO named path	 for  examina-
		  tion with tcpdump(1) or another packet tracing tool.	An or-
		  dinary  file	is  the	default.  Only IP packets but not nmsg
		  messages are sent.

	    pcap-if:[dst/]ifname [count]
		  transmits IP packets on the network interface	 named	ifname
		  for  examination  with  tcpdump(1) or	another	packet tracing
		  tool.	 dst optionally	specifies a destination	48-bit	Ether-
		  net address other than all 0:0:0:0:0:0 default.  This	output
		  usually requires that	radtool	be run by root.	 Only IP pack-
		  ets but not nmsg messages are	sent.

	    If count is	present, forwarding stops after	that many packets.

       pause
	    Tell the RAD server	to stop	sending	data.

       rate limit [[-|MAX|per-sec] [-|NEVER|report-secs]]
	    Tell  the RAD server to report its per-second packet rate limit or
	    set	the rate limit and the minimum interval	between	rate limit re-
	    ports.  Hits in excess of the rate	limit  are  discarded  by  the
	    server.

       radd
	    Change to RAD mode.

       sample [X%]
	    Get	and optionally set the percentage of hits that the RAD servers
	    sends.

       sleep x.y
	    Do nothing for x.y seconds.

       source filename
	    reads and executes commands	from a file.

       srad
	    Change to SRA mode.

       status
	    Show information about the current connection state	including time
	    connected.

       trace N
	    Set	the server trace level to N.

       user name
	    sends a username to	the server.

       verbose [on | off | N]
	    controls  the  length  of  SIE message and IP packet descriptions.
	    The	default, verbose off, generally	displays one line summaries.

       version
	    displays the version of radtool and	its version of the AXA	proto-
	    col.

       window [bufsize]
	    Get	 and optionally	set the	TCP output buffer size or maximum send
	    window used	by the server.

       zlib
	    Toggle NMSG	zlib container compression.

       [tag] delete [anomaly [all]]
	    With a tag (numeric	label),	stop or	delete the specified  anomaly.
	    Without a tag (or with the keyword "all"), delete all anomalies.

       [tag] stop [anomaly [all]]
	    Synonym for	the delete command.

       tag watch {ip=IP[/N][(shared) | dns=[*.]dom[(shared)]}
	    Specify  IP	 addresses or domain names relevant to the anomaly de-
	    tection modules specified by subsequent anomaly commands with  the
	    same  tag.	 The  optional [(shared)] suffix marks IP addresses or
	    domains that are not exclusively used by the RAD client.

	    ip=IP[/n]	 The IPv4 or IPv6 address IP specifies a host  address
			 unless	a prefix length	is specified.

	    dns=[*.]dom	 watches  for the domain anywhere in the IP packets or
			 SIE messages on the enabled channels.	 A  wild  card
			 watches for occurrences of the	domain and all sub-do-
			 mains.

       tag anomaly name	[parameters]
	    Start the named anomaly detector module.  The relevant domains and
	    IP	addresses  are	specified by preceding watch commands with the
	    same tag.  The parameters for each module are described it its man
	    page.  Tag is a number that	labels the  module  and	 the  relevant
	    watches as well as other modules using the same watches.

       [tag] list
	    If a tag is	present, list the set of watches and anomaly detection
	    modules  with that tag.  Without a tag, list all active as well as
	    available anomaly detection	modules.

       [tag] get
	    Synonym for	the list command.

       runits
	    Ask	the server to report user's current RAD	Units balances.

FILES
       fields  defines relationships among and meanings	of SIE message fields.
	       Its contents should rarely if ever need to be changed.

       ~/.axa/config
	       contains	AXA client configuration data. Currently supported are
	       connection aliases that provide the user	 with  a  facility  to
	       create  shortcut	mnemonics to specify the RAD server connection
	       string. For example:

		   $ cat ~/.axa/config
		   # RAD
		   alias:rad-apikey=apikey:<elided>@example.com,1012

	       If the user wanted to connect to	RAD, she would	only  have  to
	       remember	"rad-apikey" and could do:

		   $ radtool
		   sra>	connect	rad-apikey

	       This config file	is shared for radtool, sratool,	sratunnel, and
	       radtunnel.  Because this	file can contain sensitive information
	       such as apikeys,	it must	not be readable	or writeable  to  any-
	       body other than "owner" or sratool will not load.

       ~/.sratool_history
	       contains	 the  command  history	from  previous	radtool	and/or
	       sratool invocations

ENVIRONMENT VARIABLES
       If set, AXACONF specifies the AXA configuration directory  instead  of,
       ~/.axa or /usr/local/etc/axa.

SEE ALSO
       sratool(1), sratunnel(1), radtunnel(1), mkfifo(1), and nmsgtool(1).

				April 12, 2025			    radtool(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=radtool&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>

home | help