FreeBSD Manual Pages

  
 
  

radtunnel(1)		    General Commands Manual		  radtunnel(1)

NAME
       radtunnel -- Realtime Anomaly Detection (RAD) Tunnel

SYNOPSIS
       radtunnel [-dhIOptVz] -a anomaly -o out-addr -s RAD-server -w watch
                 [-A interval] [-C count] [-E ciphers] [-k cmd] -m sampling-rate
                 [-n config-file] [-P pidfile] [-r rate-limit] [-T secs] [-Z size]

DESCRIPTION
       radtunnel transfers selected Security Information Exchange (SIE) data
       from Real-time Anomaly Detector (RAD) servers to the local network.
       The connection to the server is created and, after problems, restored
       with binary exponential delays between retries.

       radtunnel is a tool for tunneling SIE data using	the Advanced  Exchange
       Access  (AXA)  protocol.	It also	demonstrates the use of	the AXA	helper
       library,	libaxa.a.

   OPTIONS
       The following arguments are available:

       -A interval
            specifies the accounting interval. Every interval seconds an ac-
            counting request will be made to the server and the results will
            be emitted to stdout. When specifying this mode, you also need to
            specify -d at the command line.

       -a anomaly [parameters]
	    specifies  RAD anomaly detection module and	its parameters.	 There
	    must be at least one -a in RAD mode.

       -C count
	    stop radtunnel or (with -k specified) close	the current output and
	    reopen a new output	after count payloads have been processed.

       -d   enable debugging reports or	increase them after the	first -d.

       -E ciphers
            specifies a list of ciphers for apikey connections.

       -h   display options summary.

       -I   enables insecure mode for  apikey  authentication.	When  enabled,
	    client connections will not	be performed via TLS.

       -k cmd
            enables kicker mode and makes -C, -T or -Z continuous. In this
            mode output file names are suffixed with a timestamp and radtunnel
            runs continuously, rotating output files as payload counts or the
            output file size exceeds a threshold or time intervals expire.
            cmd specifies the command to run on output files after rotation.
            If cmd is set to the empty string '', then no command is executed
            and only file rotation is performed.

            This option must be combined with either -C, -T or -Z. Only nmsg
            file-based outputs are supported.

       -m sampling-rate
	    specifies the sampling rate. Sets the percentage (between 0.1  and
	    100.0) that	the RAD	server will send.

       -n config-file
	    specify location for AXA client configuration file.

       -O   enable a spinning bar output indicator on stdout.

       -p   append  output  to	specified file (only valid for nmsg file-based
	    outputs).

       -o out-addr
	    specifies the destination of the SIE data.	It can be forwarded as
	    nmsg messages to a UDP or TCP port or as raw IP packets to a file,
	    FIFO, or network interface.

	    nmsg:[tcp:|udp:]host,port
		  sends	nmsg messages to the UDP or optional TCP host name and
		  port number host,port.  UDP is the default.  IP packets  are
		  converted to NMSG messages.

	    nmsg:file:path
		  sends	binary nmsg messages to	the file named path.  IP pack-
		  ets are converted to nmsg messages.

            nmsg:file_json:path
                  sends nmsg newline-delimited json blobs to the file named
                  path. Note that newline-delimited json outputs can incur a
                  slight performance penalty versus binary nmsg outputs for
                  "high-velocity" outputs. This is because the underlying nmsg
                  json output object is unbuffered and results in a filesystem
                  write for every forwarded nmsg.

	    pcap[-fifo]:path
		  sends	 IP  packets to	a file or FIFO named path for examina-
		  tion with tcpdump(1) or another packet tracing tool.	An or-
		  dinary file is the default.  Only IP packets	but  not  nmsg
		  messages are sent.

            pcap-if:[dst/]ifname
                  transmits IP packets on the network interface named ifname
                  for examination with tcpdump(1) or another packet tracing
                  tool. dst optionally specifies a destination 48-bit Ether-
                  net address other than the all-zeros default 0:0:0:0:0:0.
                  This output usually requires that radtunnel be run by root.
                  Only IP packets but not nmsg messages are sent.

       -P pidfile
	    will  result  in  the  current PID	being written to pidfile.  The
	    file will be deleted upon program exit.

       -r rate-limit
	    tells the server to	send at	most rate-limit	SIE messages  and  raw
	    IP packets per second.

       -s server
	    specifies  the  server  that  is  the source of the	SIE data.  The
	    server can be specified with any of	the following:

	    alias
		  Connect to a server using an alias  shortcut	mnemonic  (see
		  FILES	section	for more information).

	    apikey:<users_apikey>@host,port
		  Identify  and	 authenticate the user via a Farsight Security
		  provided apikey. The connection will be encrypted using  the
		  TLS protocol.

	    tcp:user@host,port
		  The connection will be made with the host name or IP address
		  and port number using	clear text over	TCP/IP.

	    unix:user@/ud/socket
		  This connection uses a UNIX domain socket connected to a lo-
		  cal server.

       -T secs
            stop radtunnel or (with -k specified) close the current output and
            reopen a new output on a time interval modulo the secs parameter.
            For example, -T 3600 means an hour after started or reopened.

       -t   enable tracing reports on the server or increase  them  after  the
	    first -t.

       -V   displays the version of radtunnel and its preferred	version	of the
	    AXA	protocol.

       -w watch
            There must be at least one -w with a RAD watch to specify the in-
            teresting SIE messages or dark channel IP packets. The optional
            [(shared)] suffix marks IP addresses or domains that are not ex-
            clusively used by the RAD client.

            ip=IP[/n]      The IPv4 or IPv6 address IP specifies a host address
                           unless a prefix length is specified.

            dns=[*.]dom    watches for the domain anywhere in the IP packets or
                           SIE messages on the enabled channels. A wild card
                           watches for occurrences of the domain and all sub-
                           domains.

            In addition, (shared) can be appended to IP and file ... dns
            watches to indicate addresses or domains that are not used exclu-
            sively.

       -z   enable nmsg	zlib container compression.

       -Z size
            stop radtunnel or (with -k specified) close the current output and
            reopen a new output after the output file meets or exceeds size.
            This mode may only be used with file-based outputs. Additionally,
            because nmsg-based file outputs are by default buffered, it is
            recommended when writing to one that this option be used in un-
            buffered mode (-u).

EXAMPLES
       The  following connects to a RAD	server at example.com, loads the Brand
       module looking for the brand "farsight",	 and  sends  all  anomaly  hit
       nmsgs to	the local UDP port 8000	on 127.0.0.1:

	   radtunnel -s	apikey:<yourapikey>@example.com,1012 -o	nmsg:127.1,8000	\
		   -w dns=*. -a	brand brand=farsight

FILES
       ~/.axa/config
	       contains	AXA client configuration data. Currently supported are
	       connection  aliases  that  provide  the user with a facility to
	       create shortcut mnemonics to specify the	RAD server  connection
	       string. For example:

		   $ cat ~/.axa/config
		   # RAD
		   alias:rad-apikey=apikey:<yourapikey>@example.com,1012

	       If  the	user  wanted to	connect	to RAD,	she would only have to
	       remember	"rad-apikey" and could do:

		   $ radtunnel -s rad-apikey ...

	       This config file	is shared for radtunnel,  sratunnel,  radtool,
	       and  sratool.  Because this file	can contain sensitive informa-
	       tion such as apikeys, it	must not be readable or	 writeable  to
	       anybody other than "owner" or radtunnel will not	load.
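       A pre-flight check for the config file described above, written as an
       added example that is not part of radtunnel or libaxa: it approximates
       the owner-only permission rule, resolves an alias and masks the apikey
       before the target is printed. The function names, the ls(1)-based
       permission test and the placeholder key are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of radtunnel or libaxa: pre-flight checks for the
# AXA client config (~/.axa/config, or $AXACONF/config). It approximates the
# rule in FILES: radtunnel refuses a config readable or writeable by group or
# other. Function names and the alias lookup are this example's own.

# axa_config_perms FILE: 0 if FILE is a regular file with no group/other
# read or write bits, 1 otherwise. ls(1) is used so the same code runs on
# BSD and Linux (their stat(1) flags differ).
axa_config_perms() {
    [ -f "$1" ] || return 1
    go=$(ls -ld "$1" | cut -c5-10)   # group and other bits, e.g. "------"
    case "$go" in
        *[rw]*) return 1 ;;
    esac
    return 0
}

# axa_alias NAME FILE: print the connection string of "alias:NAME=..." or
# return 1 when the alias is not defined.
axa_alias() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "alias:$1="*) printf '%s\n' "${line#"alias:$1="}"; return 0 ;;
        esac
    done < "$2"
    return 1
}

# axa_redact: mask the apikey so a connection string can be logged safely.
axa_redact() {
    sed 's/^apikey:[^@]*@/apikey:***@/'
}

# axa_demo: build a constructed config with a placeholder key, show that a
# world-readable file is rejected and an owner-only one accepted, then print
# the redacted target of the "rad-apikey" alias.
axa_demo() {
    d=$(mktemp -d) || return 1
    cfg=$d/config
    printf '# RAD\nalias:rad-apikey=apikey:EXAMPLEKEY-NOT-REAL@example.com,1012\n' > "$cfg"
    chmod 644 "$cfg"
    if axa_config_perms "$cfg"; then rm -rf "$d"; return 1; fi   # must be rejected
    chmod 600 "$cfg"
    axa_config_perms "$cfg" || { rm -rf "$d"; return 1; }        # must be accepted
    target=$(axa_alias rad-apikey "$cfg" | axa_redact)
    rm -rf "$d"
    printf '%s\n' "$target"
}
```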

ENVIRONMENT VARIABLES
       If  set,	 AXACONF  specifies the	AXA configuration directory instead of
       the default, ~/.axa or /usr/local/etc/axa.

SIGNALS
       On operating systems that support  SIGINFO  (including  BSDish  systems
       like FreeBSD and	macOS),	the user can type "ctrl-t" at the command line
       during  a  running radtunnel process and	get information	about the ses-
       sion. For example:

	   ^Trad connected, sent 4 messages, received 176 messages, 176	hits

       Note that by default, an	additional line	of information is  printed  by
       the kernel (system load and process information):

	   ^Tload: 1.39	 cmd: radtunnel	7060 running 0.06u 0.00s
	   rad connected, sent 4 messages, received 304	messages, 304 hits

       This can	be disabled via: stty nokerninfo. Example:

	   $ radtunnel -A 10 -d	-s rad-apikey...
	   connecting to rad-apikey...
	   ^Tload: 1.39	 cmd: radtunnel	7060 running 0.06u 0.00s
	   rad connected, sent 4 messages, received 304	messages, 304 hits
	   ^C
	   $ stty nokerninfo
	   $ radtunnel -A 10 -d	-s rad-apikey...
	   connecting to rad-apikey...
	   ^Trad connected, sent 4 messages, received 176 messages, 176	hits
	   ^Trad connected, sent 4 messages, received 416 messages, 416	hits

SEE ALSO
       sratunnel(1), sratool(1), radtool(1), mkfifo(1),	and nmsgtool(1).

				April 12, 2025			  radtunnel(1)

<https://man.freebsd.org/cgi/man.cgi?query=radtunnel&sektion=1&manpath=FreeBSD+Ports+14.3.quarterly>
